This is an automated email from the ASF dual-hosted git repository.
emaynard pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/polaris.git
The following commit(s) were added to refs/heads/main by this push:
new 1daf74950 populate credentials field for loadTableResponse (#1225)
1daf74950 is described below
commit 1daf749502498f3572dafa4c8f5792bb14b9bdee
Author: Juichang Lu <[email protected]>
AuthorDate: Fri Apr 11 14:06:11 2025 -0400
populate credentials field for loadTableResponse (#1225)
* populate credentials field for loadTableResponse
* spotless
* spotless
* remove unused hashset
* fix merge
* fix empty credential case
* spotlessApply
---------
Co-authored-by: David Lu <[email protected]>
---
.../catalog/iceberg/IcebergCatalogHandler.java | 95 +++++++++++-----------
1 file changed, 49 insertions(+), 46 deletions(-)
diff --git
a/service/common/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogHandler.java
b/service/common/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogHandler.java
index b5e1a0edb..ace46a3a3 100644
---
a/service/common/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogHandler.java
+++
b/service/common/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogHandler.java
@@ -52,6 +52,7 @@ import org.apache.iceberg.exceptions.CommitFailedException;
import org.apache.iceberg.exceptions.ForbiddenException;
import org.apache.iceberg.exceptions.NoSuchTableException;
import org.apache.iceberg.rest.CatalogHandlers;
+import org.apache.iceberg.rest.credentials.ImmutableCredential;
import org.apache.iceberg.rest.requests.CommitTransactionRequest;
import org.apache.iceberg.rest.requests.CreateNamespaceRequest;
import org.apache.iceberg.rest.requests.CreateTableRequest;
@@ -321,24 +322,14 @@ public class IcebergCatalogHandler extends CatalogHandler
implements AutoCloseab
if (table instanceof BaseTable baseTable) {
TableMetadata tableMetadata = baseTable.operations().current();
- LoadTableResponse.Builder responseBuilder =
- LoadTableResponse.builder().withTableMetadata(tableMetadata);
- if (baseCatalog instanceof SupportsCredentialDelegation
credentialDelegation) {
- LOGGER
- .atDebug()
- .addKeyValue("tableIdentifier", tableIdentifier)
- .addKeyValue("tableLocation", tableMetadata.location())
- .log("Fetching client credentials for table");
- responseBuilder.addAllConfig(
- credentialDelegation.getCredentialConfig(
- tableIdentifier,
- tableMetadata,
- Set.of(
- PolarisStorageActions.READ,
- PolarisStorageActions.WRITE,
- PolarisStorageActions.LIST)));
- }
- return responseBuilder.build();
+ return buildLoadTableResponseWithDelegationCredentials(
+ tableIdentifier,
+ tableMetadata,
+ Set.of(
+ PolarisStorageActions.READ,
+ PolarisStorageActions.WRITE,
+ PolarisStorageActions.LIST))
+ .build();
} else if (table instanceof BaseMetadataTable) {
// metadata tables are loaded on the client side, return
NoSuchTableException for now
throw new NoSuchTableException("Table does not exist: %s",
tableIdentifier.toString());
@@ -427,20 +418,9 @@ public class IcebergCatalogHandler extends CatalogHandler
implements AutoCloseab
TableIdentifier ident = TableIdentifier.of(namespace, request.name());
TableMetadata metadata = stageTableCreateHelper(namespace, request);
- LoadTableResponse.Builder responseBuilder =
- LoadTableResponse.builder().withTableMetadata(metadata);
-
- if (baseCatalog instanceof SupportsCredentialDelegation
credentialDelegation) {
- LOGGER
- .atDebug()
- .addKeyValue("tableIdentifier", ident)
- .addKeyValue("tableLocation", metadata.location())
- .log("Fetching client credentials for table");
- responseBuilder.addAllConfig(
- credentialDelegation.getCredentialConfig(
- ident, metadata, Set.of(PolarisStorageActions.ALL)));
- }
- return responseBuilder.build();
+ return buildLoadTableResponseWithDelegationCredentials(
+ ident, metadata, Set.of(PolarisStorageActions.ALL))
+ .build();
}
/**
@@ -599,6 +579,13 @@ public class IcebergCatalogHandler extends CatalogHandler
implements AutoCloseab
CatalogEntity catalogEntity =
CatalogEntity.of(catalogPath.getRawLeafEntity());
PolarisConfigurationStore configurationStore =
callContext.getPolarisCallContext().getConfigurationStore();
+ LOGGER.info("Catalog type: {}", catalogEntity.getCatalogType());
+ LOGGER.info(
+ "allow external catalog credential vending: {}",
+ configurationStore.getConfiguration(
+ callContext.getPolarisCallContext(),
+ catalogEntity,
+ FeatureConfiguration.ALLOW_EXTERNAL_CATALOG_CREDENTIAL_VENDING));
if (catalogEntity
.getCatalogType()
.equals(org.apache.polaris.core.admin.model.Catalog.TypeEnum.EXTERNAL)
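Review bot: The two added `LOGGER.info` calls read like debugging leftovers. They emit at INFO each time this code runs, and the second performs a `configurationStore.getConfiguration(...)` lookup only to print the result. Presumably the same flag is read again in the condition that follows, which lies outside the hunk along with the rest of the enclosing method. Consider dropping them or moving to the fluent debug style used elsewhere in this file, e.g. `LOGGER.atDebug().addKeyValue("catalogType", catalogEntity.getCatalogType()).log("Evaluating credential vending");`. If the vending decision is worth recording for audit, log it once where the decision is made, together with the table identifier, so the entry can be tied to a request.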
@@ -638,20 +625,10 @@ public class IcebergCatalogHandler extends CatalogHandler
implements AutoCloseab
if (table instanceof BaseTable baseTable) {
TableMetadata tableMetadata = baseTable.operations().current();
- LoadTableResponse.Builder responseBuilder =
- LoadTableResponse.builder().withTableMetadata(tableMetadata);
- if (baseCatalog instanceof SupportsCredentialDelegation
credentialDelegation) {
- LOGGER
- .atDebug()
- .addKeyValue("tableIdentifier", tableIdentifier)
- .addKeyValue("tableLocation", tableMetadata.location())
- .log("Fetching client credentials for table");
- responseBuilder.addAllConfig(
- credentialDelegation.getCredentialConfig(
- tableIdentifier, tableMetadata, actionsRequested));
- }
-
- return Optional.of(responseBuilder.build());
+ return Optional.of(
+ buildLoadTableResponseWithDelegationCredentials(
+ tableIdentifier, tableMetadata, actionsRequested)
+ .build());
} else if (table instanceof BaseMetadataTable) {
// metadata tables are loaded on the client side, return
NoSuchTableException for now
throw new NoSuchTableException("Table does not exist: %s",
tableIdentifier.toString());
@@ -660,6 +637,32 @@ public class IcebergCatalogHandler extends CatalogHandler
implements AutoCloseab
throw new IllegalStateException("Cannot wrap catalog that does not produce
BaseTable");
}
+ private LoadTableResponse.Builder
buildLoadTableResponseWithDelegationCredentials(
+ TableIdentifier tableIdentifier,
+ TableMetadata tableMetadata,
+ Set<PolarisStorageActions> actions) {
+ LoadTableResponse.Builder responseBuilder =
+ LoadTableResponse.builder().withTableMetadata(tableMetadata);
+ if (baseCatalog instanceof SupportsCredentialDelegation
credentialDelegation) {
+ LOGGER
+ .atDebug()
+ .addKeyValue("tableIdentifier", tableIdentifier)
+ .addKeyValue("tableLocation", tableMetadata.location())
+ .log("Fetching client credentials for table");
+ Map<String, String> credentialConfig =
+ credentialDelegation.getCredentialConfig(tableIdentifier,
tableMetadata, actions);
+ responseBuilder.addAllConfig(credentialConfig);
+ if (!credentialConfig.isEmpty()) {
+ responseBuilder.addCredential(
+ ImmutableCredential.builder()
+ .prefix(tableMetadata.location())
+ .config(credentialConfig)
+ .build());
+ }
+ }
+ return responseBuilder;
+ }
+
private UpdateTableRequest applyUpdateFilters(UpdateTableRequest request) {
// Certain MetadataUpdates need to be explicitly transformed to achieve
the same behavior
// as using a local Catalog client via TableBuilder.
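Review bot: In `buildLoadTableResponseWithDelegationCredentials`, the same `credentialConfig` map is written into the response twice, through `addAllConfig` and again as an `ImmutableCredential`, and nothing on the helper says the duplication is deliberate. If the `config` copy is kept for clients that do not read the credentials field, a short Javadoc should say so and state that both copies carry the same delegated secrets, so that later redaction or logging changes cover both. The credential's `prefix` is `tableMetadata.location()`. It is worth confirming that this matches the locations `getCredentialConfig` actually scopes the credentials to, because a table with data or metadata paths outside its base location would give a prefix-matching client no usable credential for those paths. The map may also hold non-secret settings alongside the secrets (an assumption, since its contents are not visible here), and everything in it is now published under the credential entry as well.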