Since the authenticator is default now, do we still need this token default value, principal:root;realm:POLARIS. Seems we will need to run the added script in run.sh to get a token using root credential first before running run_spark_sql.sh.

Additionally, is run_spark_sql.sh expected to work without first running run.sh? If so, may be we should consider adding code to get a token within this script to make it work out-of-box.

do we still need this token default value

Indeed I thought about removing the default values everywhere, but I wasn't sure whether all these scripts are always executed from the run.sh entrypoint. Do you think we should remove the default values?

may be we should consider adding code to get a token within this script to make it work out-of-box.

Good catch! The script is definitely meant to be executed individually. I will add support for default auth in that script as well.

I will add support for default auth in that script as well.

Done, let me know what you think!

Done, let me know what you think!

Thanks for adding that! Look great!

but I wasn't sure whether all these scripts are always executed from the run.sh entrypoint. Do you think we should remove the default values?

My understanding is that the default values will always fail since default authenticator reject principal:root:realm:* token anyway. We will need to either execute run.sh to store a real token in env or adding the default auth like run_spark_sql.sh to make scripts able to be executed without run.sh.

Keeping default values there will have no affect on tests but I feel it will cause additional work if we want to change realm name for regression test in the future. WDYT?

I think I agree. Should I remove the default values in this PR or as a follow-up?

I am ok with either way. As you pointed out in #865 (comment), we will need some follow-up PRs to clean-up/fix things so I think that could also be a good place to remove these values

Okay, I took note to open a follow-up PR for that 👍

This can also help simplify the docker-compose.yml in getting-started examples: e.g. #868

I am happy to update that PR if this one goes in first : )

Do we need to keep -principal:root;realm:POLARIS as token will be fetched by run.sh? Given the direction that we want to to is to use the default authenticator always for reggresstion test, I think we should remove them to avoid confusion, as principal:root;realm:POLARIS doesn't work for default athenticator.

With @HonahX we decided to postpone that, but I think you are right: leaving this default value will create confusion. So I went ahead and removed them.

I'm not familiar with Quarkus conventions, but "with profile prod" seems a bit odd to me, it is no way close to a prod deployment. Is "with the default profile" more accurate? Or we don't even have to mention it in that case.

You are right. Rephrased.