sachinnn99 opened a new pull request, #10699: URL: https://github.com/apache/gravitino/pull/10699
Resubmitting per @laserninja's comment on #10684. This revision aligns the implementation with the established `createTable`/`loadTable` credential-vending pattern: `CatalogWrapperForREST.registerTable(3-arg)` calls `super.registerTable(2-arg)` (matching createTable), and `CatalogWrapperForTest` now overrides at the **3-arg** level (matching how it overrides createTable). Both production and test paths route through a new `protected maybeInjectCredentials` helper on `CatalogWrapperForREST`. ### What changes were proposed in this pull request? Add `X-Iceberg-Access-Delegation` header support to the `registerTable` endpoint, enabling credential vending in the response. Mirrors the existing pattern from `createTable` and `loadTable`. Changes: - `IcebergNamespaceOperations.registerTable`: add `@HeaderParam(X_ICEBERG_ACCESS_DELEGATION)`, compute `isCredentialVending`, build the 3-arg `IcebergRequestContext` - `CatalogWrapperForREST`: add 3-arg `registerTable` that calls `super.registerTable(2-arg)` and routes through a new `protected maybeInjectCredentials` helper - `IcebergNamespaceOperationExecutor.registerTable`: pass `context.requestCredentialVending()` through to the 3-arg wrapper form - `IcebergTableOperations.isCredentialVending`: widen `private` → package-private `static` so `IcebergNamespaceOperations` can reuse it - `CatalogWrapperForTest`: override the **3-arg** `registerTable` (matching the 3-arg `createTable` override level), build the mock response, route through `maybeInjectCredentials`, and honor cloud URIs in `metadataLocation` so vending tests can verify the vended path ### Why are the changes needed? The Iceberg REST spec defines `X-Iceberg-Access-Delegation` as a valid header on `registerTable`, but the current implementation does not accept it or vend credentials. Clients that register a table and immediately attempt to read its data must make a separate `loadTable` call to obtain credentials. Fix: #10684 ### Does this PR introduce _any_ user-facing change? Yes. The `registerTable` REST endpoint now accepts the `X-Iceberg-Access-Delegation` header and returns vended credentials in the response config when requested. Backward compatible — clients that do not send the header get existing behavior. ### How was this patch tested? Added unit tests in `TestIcebergNamespaceOperations`: - `testRegisterTableWithCredentialVending` — verifies no vending without header, no vending for local URI, vending for `s3://` URI - `testRegisterTableRemoteSigningNotSupported` — verifies 406 response for `remote-signing` - `testRegisterTableInvalidAccessDelegation` — verifies 400 response for invalid header values All existing `TestIcebergNamespaceOperations` tests still pass with no regressions. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
