okumin commented on code in PR #6086:
URL: https://github.com/apache/hive/pull/6086#discussion_r2377519942
##########
standalone-metastore/metastore-rest-catalog/src/main/java/org/apache/iceberg/rest/HMSCatalogFactory.java:
##########
@@ -100,7 +102,9 @@ private Catalog createCatalog() {
*/
private HttpServlet createServlet(Catalog catalog) {
String authType = MetastoreConf.getVar(configuration,
ConfVars.CATALOG_SERVLET_AUTH);
- ServletSecurity security = new
ServletSecurity(AuthType.fromString(authType), configuration);
+ // Iceberg REST client uses "catalog" by default
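Review bot: The added comment on the `+` line, `// Iceberg REST client uses "catalog" by default`, names a value without saying what kind of value it is or what `createServlet` does with it. Consider stating that "catalog" is an OAuth 2 scope and how it relates to the `ServletSecurity` instance being built here, so a reader does not have to recover that from the review thread.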
Review Comment:
The scope of OAuth 2 refers to the range of access from a client to
protected resources. For example, let's say a web service (Client) wants to
access the name, icon, and email (Protected Resources) of your (Resource Owner)
Google account. The web service does not need to access your items in Google
Photos, nor does it need to update Google's profiles. In this case, you can
allow the web service to access only a limited set of resources.
The Iceberg client uses only "catalog" to give access to [all Iceberg-related endpoints](https://github.com/apache/iceberg/blob/main/open-api/rest-catalog-open-api.yaml).
We may protect HMS Thrift over HTTP with OAuth 2 and grant the "metastore"
scope in the future. In that case, a user can create an access token that can
use the HMS API but can not use Iceberg REST, or vice versa.
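
The scope separation described in the comment above, seen from the resource server, as an added example that is not part of the original comment or of the Hive code base. The class name, the path prefixes and the "metastore" mapping are assumptions made for illustration; the scope claim is taken to come from an access token that has already been validated.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

public class ScopeCheckExample {
  // Hypothetical mapping from path prefix to required scope. "catalog" is the
  // scope named in the comment, "metastore" the possible future one.
  private static final Map<String, String> REQUIRED_SCOPE = new LinkedHashMap<>();
  static {
    REQUIRED_SCOPE.put("/iceberg/", "catalog");
    REQUIRED_SCOPE.put("/metastore/", "metastore");
  }

  // RFC 6749 section 3.3: scope is a space-delimited list of case-sensitive strings.
  static Set<String> parseScope(String scopeClaim) {
    if (scopeClaim == null || scopeClaim.isBlank()) {
      return Set.of();
    }
    return Arrays.stream(scopeClaim.trim().split(" +")).collect(Collectors.toSet());
  }

  // Deny by default: an unmapped path, or a token lacking the scope, is rejected.
  static boolean isAllowed(String path, String scopeClaim) {
    Set<String> granted = parseScope(scopeClaim);
    for (Map.Entry<String, String> e : REQUIRED_SCOPE.entrySet()) {
      if (path.startsWith(e.getKey())) {
        return granted.contains(e.getValue());
      }
    }
    return false;
  }

  public static void main(String[] args) {
    // Constructed request paths and scope claims.
    String[][] cases = {
      {"/iceberg/v1/config", "catalog"},
      {"/metastore/thrift", "catalog"},            // wrong scope for this API
      {"/metastore/thrift", "catalog metastore"},
      {"/iceberg/v1/config", "Catalog"},           // case-sensitive: no match
      {"/iceberg/v1/config", "catalogs"},          // whole-token match, not substring
      {"/admin", "catalog metastore"},             // unmapped path
    };
    for (String[] c : cases) {
      System.out.printf("%-20s scope=%-20s -> %s%n", c[0], "\"" + c[1] + "\"",
          isAllowed(c[0], c[1]) ? "200" : "403 insufficient_scope");
    }
  }
}
```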