danhuawang opened a new issue, #11604:
URL: https://github.com/apache/gravitino/issues/11604
### Version
main branch
### Describe what's wrong
When creating an Iceberg catalog with `catalog-backend=hive` and S3 static
credentials (`s3-access-key-id` + `s3-secret-access-key`), any table/view
operation fails with `No credential provider found for: s3-secret-key`.
`BaseCatalog.addStorageCredentialProviders()` automatically registers the
`s3-secret-key` credential provider when it detects S3 static credentials.
However, the `S3SecretKeyProvider` class (in `bundles/aws` module) is not
included in `catalogs/lakehouse-iceberg/libs/`, so the `IsolatedClassLoader`
cannot find it via ServiceLoader.
The `iceberg-rest-server` works fine because its `build.gradle.kts`
explicitly depends on `project(":bundles:aws")`, but
`catalog-lakehouse-iceberg` does not.
### Error message and/or stacktrace
```
java.lang.IllegalArgumentException: Failed to get credentials under object
[], reason [No credential provider found for: s3-secret-key]
java.lang.IllegalArgumentException: No credential provider found for:
s3-secret-key
at
org.apache.gravitino.credential.CredentialProviderFactory.lookupCredentialProvider(CredentialProviderFactory.java:61)
at
org.apache.gravitino.credential.CredentialProviderFactory.create(CredentialProviderFactory.java:36)
at
org.apache.gravitino.credential.CredentialUtils.lambda$loadCredentialProviders$0(CredentialUtils.java:42)
...
at
org.apache.gravitino.credential.CatalogCredentialManager.<init>(CatalogCredentialManager.java:47)
at
org.apache.gravitino.connector.BaseCatalog.catalogCredentialManager(BaseCatalog.java:360)
at
org.apache.gravitino.credential.CredentialOperationDispatcher.getCredentials(CredentialOperationDispatcher.java:68)
```
### How to reproduce
1. Deploy Gravitino server (main branch, container image)
2. Create an Iceberg catalog with Hive backend and S3 static credentials:
```java
Map<String, String> icebergProps = new HashMap<>();
icebergProps.put("catalog-backend", "hive");
icebergProps.put("uri", "thrift://hive-metastore:9083");
icebergProps.put("warehouse", "s3a://bucket/iceberg/warehouse");
icebergProps.put("io-impl", "org.apache.iceberg.aws.s3.S3FileIO");
icebergProps.put("s3-access-key-id", "<access-key>");
icebergProps.put("s3-secret-access-key", "<secret-key>");
icebergProps.put("s3-region", "us-east-1");
metalake.createCatalog("iceberg_hive", Catalog.Type.RELATIONAL,
"lakehouse-iceberg", "...", icebergProps);
```
3. Use Flink connector (or any client) to create a table — fails immediately
when the connector opens the catalog and calls `getCredentials()`.
### Additional context
Container classpath comparison:
```
# catalogs/lakehouse-iceberg/libs/ — MISSING gravitino-aws
gravitino-iceberg-aws-bundle-1.3.1-SNAPSHOT.jar
iceberg-aws-1.11.0.jar
# iceberg-rest-server/libs/ — HAS gravitino-aws (works fine)
gravitino-aws-1.3.1-SNAPSHOT.jar
gravitino-iceberg-aws-bundle-1.3.1-SNAPSHOT.jar
iceberg-aws-1.11.0.jar
```
Root cause: `catalogs/catalog-lakehouse-iceberg/build.gradle.kts` does not
depend on `project(":bundles:aws")`, so `S3SecretKeyProvider` (registered via
SPI in `bundles/aws`) is never packaged into the catalog's lib directory.
Suggested fix: Add `runtimeOnly(project(":bundles:aws"))` to
`catalogs/catalog-lakehouse-iceberg/build.gradle.kts`.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
