Fix: Preserve federated field when creating PrincipalRole (#2966)

[AryanPatel226]

Summary

Fixes the bug where the federated field was being ignored when creating a PrincipalRole via the API, causing all principal roles to be created as non-federated regardless of the input value.

Changes

• Bug Fix: Added .setFederated(request.getPrincipalRole().getFederated()) to PolarisServiceImpl.createPrincipalRole() to properly preserve the federated flag from the request
• Test Enhancement: Updated testCreateFederatedPrincipalRoleSucceeds to actually verify the federated field value in the response, not just the HTTP 201 status code

Testing

Manual Testing

Verified the fix by running a Polaris server and executing API calls:

1. Created a principal role with federated: true → correctly returned federated: true ✅
2. Created a principal role with federated: false → correctly returned federated: false ✅
3. Verified federated roles cannot be assigned to principals (correct validation behavior) ✅

Checklist

• 🛡️ Don't disclose security issues! (contact security@apache.org)
• 🔗 Clearly explained why the changes are needed, or linked related issues: Fixes [BUG] federated property is ignore for PrincipalRole object in CreatePrincipalRoleRequest #2966
• 🧪 Added/updated tests with good coverage, or manually tested (and explained how)
• 💡 Added comments for complex logic
• 🧾 Updated CHANGELOG.md (if needed)
• 📚 Updated documentation in site/content/in-dev/unreleased (if needed)

[github-actions]

This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

[dimas-b]

The fix looks pretty solid to me given the current codebase.

I'm going to merge tomorrow, unless there are objections.

Thanks for the contribution, @AryanPatel226 !

[flyrain]

I think this PR aligns with the intention in #1353.

Adds a FEDERATED_ENTITY property, which can be defined in Principals and PrincipalRoles. FEDERATED Principals cannot be created via the API, but FEDERATED roles can be. This allows for creating roles which can be assigned privileges, while actual principal creation is delegated to the JIT creation mechanism (not in this PR).

However, there is a gap that Federated principal roles currently cannot be used, see here, https://github-personal/polaris-catalog/polaris/blob/main/.worktrees/pr-4064/runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java#L1459-L1459.

I think we should either complete the feature by finishing the JIT activation mechanism that allows federated roles to be activated based on external token claims, bypassing the grant check. Or documenting the limitations that

• Federated roles are infrastructure for future external auth support
• They cannot currently be used without additional implementation
• When/how they're intended to be activated

another option is to block federated role creation until the feature is complete.

This PR is good to go though.