okumin commented on code in PR #6086:
URL: https://github.com/apache/hive/pull/6086#discussion_r2381125342


##########
standalone-metastore/metastore-rest-catalog/src/main/java/org/apache/iceberg/rest/HMSCatalogFactory.java:
##########
@@ -100,7 +102,9 @@ private Catalog createCatalog() {
    */
   private HttpServlet createServlet(Catalog catalog) {
     String authType = MetastoreConf.getVar(configuration, 
ConfVars.CATALOG_SERVLET_AUTH);
-    ServletSecurity security = new 
ServletSecurity(AuthType.fromString(authType), configuration);
+    // Iceberg REST client uses "catalog" by default
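
Review bot: The added comment on the last line of this hunk, `// Iceberg REST client uses "catalog" by default`, does not say what kind of value "catalog" is, so a reader of `createServlet` cannot tell whether it names a scope, a path or a catalog name. Suggest stating the kind of value explicitly in the comment (the discussion below treats it as a scope) and pointing to where the client default is defined, so that the reason for dropping the two-argument `new ServletSecurity(AuthType.fromString(authType), configuration)` call is clear from the code alone.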

Review Comment:
   It is an excellent question. It would be helpful. For example, it would allow you to give the read-only permission to a BI tool. I've not found the best practice for HMS and Iceberg users. I found some samples:
   
   - [Apache Polaris](https://polaris.apache.org/in-dev/unreleased/configuring-polaris-for-production/)'s document often refers to `PRINCIPAL_ROLE:ALL` as a scope
   - [Databricks Unity Catalog](https://docs.databricks.com/aws/en/external-access/iceberg) mentions `all-apis`
       - Most likely, [all-apis, sql, offline_access, openid, profile, email are allowed](https://docs.databricks.com/api/account/customappintegration/create)


