Description
Describe the bug
I'm trying to configure polaris 1.0.0 to work with external Identity Provider following - #1397
Looks like when bootstrapping with java -jar runtime/admin/build/quarkus-app/quarkus-run.jar bootstrap -r POLARIS -c POLARIS,<some-id>,blah, the <some-id> is ignored and a hardcoded "root" principal is created in polaris_schema.entity.
Which means that, when decoding a JWT, the <some-id> in the "sub" claim doesn't match, since it's a unique id and not "root".
So, it feels like there's no way to configure a dynamic principal id as root in Polaris with an external IDP.
To Reproduce
config/application.properties -

```properties
polaris.bootstrap.credentials=POLARIS,1234,blah
# persistence
polaris.persistence.type=relational-jdbc
quarkus.datasource.db-kind=postgresql
quarkus.datasource.username=postgres
quarkus.datasource.password=
quarkus.datasource.jdbc.url=jdbc:postgresql://127.0.0.1:5432/postgres
# authn, authz
quarkus.oidc.tenant-enabled=true
quarkus.oidc.discovery-enabled=true
quarkus.oidc.auth-server-url=<https://external-idp.com>
polaris.authentication.type=external
polaris.oidc.principal-mapper.name-claim-path=sub
polaris.oidc.principal-roles-mapper.filter=^(admin-grp).*
polaris.oidc.principal-roles-mapper.mappings[0].regex=\\badmin-grp\\b
polaris.oidc.principal-roles-mapper.mappings[0].replacement=PRINCIPAL_ROLE:ALL
```

jwt -
```json
{
  "iss": "<https://external-idp.com>",
  "aud": "polaris",
  "exp": 1754045079,
  "iat": 1754016279,
  "sub": "1234",
  "groups": [
    "admin-grp"
  ],
  "email": "[email protected]"
}
```

Actual Behavior
error -

```
Failed to resolve principal from credentials=OidcPrincipalAuthInfo[getPrincipalId=null, getPrincipalName=1234, getPrincipalRoles=[PRINCIPAL_ROLE:ALL]]
```
Expected Behavior
Ideally it should be able to resolve the principal with a name lookup, if bootstrap created a principal with the name <some-id> instead of "root".
Additional context
No response
System information
polaris tag - apache-polaris-1.0.0-incubating
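As an added illustration, not Polaris code and not part of the report, the following Python models what the configured mapper does with the claim set above: it reads the principal name from the name-claim-path, applies the roles filter and regex mapping to the groups claim, and then looks the name up against the set of bootstrapped principals. It shows the lookup failing when only "root" exists and succeeding when the bootstrapped name equals the sub claim. The roles claim path, the dotted-path resolution and the lookup step are assumptions made for this model.

```python
import json
import re

# Constructed claim set mirroring the report (sample data, not a real token).
CLAIMS_JSON = """{
  "iss": "https://external-idp.com",
  "aud": "polaris",
  "sub": "1234",
  "groups": ["admin-grp", "readers"]
}"""

# Values taken from the report's application.properties.
NAME_CLAIM_PATH = "sub"
ROLES_CLAIM_PATH = "groups"  # assumption: roles are read from the groups claim
ROLES_FILTER = r"^(admin-grp).*"
ROLE_MAPPINGS = [(r"\badmin-grp\b", "PRINCIPAL_ROLE:ALL")]

# Assumption: the bootstrap step created only a principal literally named "root".
BOOTSTRAPPED_PRINCIPALS = {"root"}


def load_claims() -> dict:
    return json.loads(CLAIMS_JSON)


def claim_at(claims: dict, path: str):
    """Resolve a dotted claim path such as 'realm_access.roles' (None if absent)."""
    node = claims
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def map_roles(claims: dict) -> list:
    """Keep group values matching the filter, then rewrite each with the regex mappings."""
    roles = []
    for group in claim_at(claims, ROLES_CLAIM_PATH) or []:
        if not re.match(ROLES_FILTER, group):
            continue
        for pattern, replacement in ROLE_MAPPINGS:
            group = re.sub(pattern, replacement, group)
        roles.append(group)
    return roles


def resolve_principal(claims: dict, known: set):
    """Return (name, roles) when the mapped name exists; None reproduces the report's failure."""
    name = claim_at(claims, NAME_CLAIM_PATH)
    if name not in known:
        return None
    return name, map_roles(claims)
```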