Drop client_id/client_secret pattern validation on /reset endpoint

rmannibucau · rmannibucau · commit 8dfbac6d6837 · 2025-12-16T23:00:07.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -60,6 +60,7 @@ request adding CHANGELOG notes for breaking (!) changes and possibly other secti
 - Enhanced catalog federation with SigV4 authentication support, additional authentication types for credential vending, and location-based access restrictions to block credential vending for remote tables outside allowed location lists.
 - Added `topologySpreadConstraints` support in Helm chart.
 - Added support for including principal name in subscoped credentials. `INCLUDE_PRINCIPAL_NAME_IN_SUBSCOPED_CREDENTIAL` (default: false) can be used to toggle this feature. If enabled, cached credentials issued to one principal will no longer be available for others.
+- Relaxed `client_id`, `client_secret` regex/pattern validation on reset endpoint call
 
 ### Changes
 
diff --git a/runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisServiceImpl.java b/runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisServiceImpl.java
@@ -136,18 +136,6 @@ public Response createCatalog(
     return Response.status(Response.Status.CREATED).entity(newCatalog).build();
   }
 
-  private void validateClientId(String clientId) {
-    if (!clientId.matches("^[0-9a-f]{16}$")) {
-      throw new IllegalArgumentException("Invalid clientId format");
-    }
-  }
-
-  private void validateClientSecret(String clientSecret) {
-    if (!clientSecret.matches("^[0-9a-f]{32}$")) {
-      throw new IllegalArgumentException("Invalid clientSecret format");
-    }
-  }
-
   private void validateStorageConfig(StorageConfigInfo storageConfigInfo) {
     List<String> allowedStorageTypes =
         realmConfig.getConfig(FeatureConfiguration.SUPPORTED_CATALOG_STORAGE_TYPES);
@@ -304,12 +292,6 @@ public Response resetCredentials(
             ? resetPrincipalRequest
             : new ResetPrincipalRequest(null, null);
 
-    if (safeResetPrincipalRequest.getClientId() != null) {
-      validateClientId(safeResetPrincipalRequest.getClientId());
-    }
-    if (safeResetPrincipalRequest.getClientSecret() != null) {
-      validateClientSecret(safeResetPrincipalRequest.getClientSecret());
-    }
     return Response.ok(adminService.resetCredentials(principalName, safeResetPrincipalRequest))
         .build();
   }
