okumin commented on code in PR #5870:
URL: https://github.com/apache/hive/pull/5870#discussion_r2158831458


##########
standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/conf/MetastoreConf.java:
##########
@@ -1867,7 +1867,7 @@ public enum ConfVars {
             " positive value will be used as-is."
     ),
     ICEBERG_CATALOG_SERVLET_AUTH("metastore.iceberg.catalog.servlet.auth",
-        "hive.metastore.iceberg.catalog.servlet.auth", "jwt", new 
StringSetValidator("simple", "jwt"),
+        "hive.metastore.iceberg.catalog.servlet.auth", "jwt", new 
StringSetValidator("none", "simple", "jwt"),
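
Review bot: The `"none"` value added to the `StringSetValidator` on the `+` line becomes an accepted setting for `metastore.iceberg.catalog.servlet.auth`, but nothing in this hunk documents what it does. If the description string for `ICEBERG_CATALOG_SERVLET_AUTH` does not already cover it, please state what each of `"none"`, `"simple"` and `"jwt"` means, and say explicitly whether `"none"` leaves the servlet unauthenticated. Keeping `"jwt"` as the default, as this line does, is the right call. A startup warning when `"none"` is selected would also help operators notice a configuration that was meant for testing.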

Review Comment:
   @deniskuzZ @zhangbutao Thanks. I also think we should discuss the excellent vision on the mailing list. I want to support it. However, one point remains unclear to me.
   Unity Catalog provides two types of endpoints: one is Unity REST API (`/api/2.1/unity-catalog`) and the other is Iceberg REST API (`/api/2.1/unity-catalog/iceberg-rest`). [Unity REST API is likely to authenticate a user with Personal Access Token](https://docs.databricks.com/aws/en/external-access/unity-rest). [Iceberg REST API is likely to authenticate a user with OAuth or PAT](https://docs.databricks.com/aws/en/external-access/iceberg). I understand we want the equivalent of the Unity REST; let's call it HMS v2 REST.
   I don't understand why we can use the consistent auth across the endpoints. HMS v2 REST clients will be able to use SIMPLE (i.e., a client sends a user name via `x-actor-username` header) if we implement the client so. However, in reality, [most Iceberg REST clients probably do not support it](https://github.com/apache/iceberg/blob/main/core/src/main/java/org/apache/iceberg/rest/auth/AuthManagers.java). I think Trino has no method to use SIMPLE and JWT.
   If I were saying something strange, I would follow the recommendation now.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
