[I] [Improvement] planTableScan endpoint should support X-Iceberg-Access-Delegation and return storage credentials [gravitino]

Sun, 05 Apr 2026 11:04:40 -0700 


laserninja opened a new issue, #10685:
URL: https://github.com/apache/gravitino/issues/10685

   ### What would you like to be improved?
   
   The `planTableScan` endpoint (`POST 
/v1/{prefix}/namespaces/{namespace}/tables/{table}/scan`) does not accept the 
`X-Iceberg-Access-Delegation` header and does not return storage credentials in 
its response. The Iceberg REST spec defines the `data-access` header as a 
parameter on the `planTableScan` endpoint, and the `CompletedPlanningResult` 
schema includes a `storage-credentials` field for clients to access the data 
files returned in the scan result.
   
   In the current `planTableScan` method 
([IcebergTableOperations.java#L513-L545](https://github.com/apache/gravitino/blob/main/iceberg/iceberg-rest-server/src/main/java/org/apache/gravitino/iceberg/service/rest/IcebergTableOperations.java#L513-L545)):
   - No `@HeaderParam(X_ICEBERG_ACCESS_DELEGATION)` parameter
   - `IcebergRequestContext` is constructed without `isCredentialVending`
   - The `CompletedPlanningResult` response does not include 
`storage-credentials`
   
   In contrast, `createTable` and `loadTable` accept this header and inject 
credentials into the response. Without this, clients performing server-side 
scan planning must make a separate `GET .../credentials` call to obtain storage 
access credentials before reading the data files returned in the scan plan.
   
   ### How should we improve?
   
   - Add `@HeaderParam(X_ICEBERG_ACCESS_DELEGATION) String accessDelegation` to 
`planTableScan`
   - Pass `isCredentialVending` to `IcebergRequestContext` so credential 
injection can be triggered
   - When credential vending is enabled, include `storage-credentials` in the 
`CompletedPlanningResult` response so clients can immediately access the 
returned data files without a separate credentials call


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to