kevinjqliu commented on code in PR #2175:
URL: https://github.com/apache/iceberg-python/pull/2175#discussion_r2188685421
##########
mkdocs/docs/configuration.md:
##########
@@ -372,7 +372,73 @@ Specific headers defined by the RESTCatalog spec include:
| Key | Options
| Default | Description
|
| ------------------------------------ | -------------------------------------
| -------------------- |
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
|
-| `header.X-Iceberg-Access-Delegation` | `{vended-credentials,remote-signing}`
| `vended-credentials` | Signal to the server that the client supports
delegated access via a comma-separated list of access mechanisms. The server
may choose to supply access via any or none of the requested mechanisms |
+| `header.X-Iceberg-Access-Delegation` | `{vended-credentials,remote-signing}`
| `vended-credentials` | Signal to the server that the client supports
delegated access via a comma-separated list of access mechanisms. The server
may choose to supply access via any or none of the requested mechanisms. When
using `vended-credentials`, the server provides temporary credentials to the
client. When using `remote-signing`, the server signs requests on behalf of the
client. |
+
+#### Authentication Options
+- **SigV4**: For AWS services that require SigV4 signing.
+- **Token**: Use the `token` property to pass a bearer token for services that
accept token-based authentication.
+- **Credential**: Use the `credential` property with format
`client_id:client_secret` for authentication.
+- **OAuth2**: Use the `oauth2-server-uri` property to specify a custom OAuth2
endpoint for client credentials authentication.
+
+#### Common Integrations & Examples
+
+##### Glue (AWS)
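Review bot: The `header.X-Iceberg-Access-Delegation` row calls the value a comma-separated list, but the Options cell shows `{vended-credentials,remote-signing}` in set notation and no multi-value example is given. Consider adding an example value such as `vended-credentials,remote-signing`, and moving the two new sentences that explain each mechanism into prose under the table so the Description cell stays short.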
Review Comment:
```suggestion
##### AWS Glue
```
##########
mkdocs/docs/configuration.md:
##########
@@ -372,7 +372,73 @@ Specific headers defined by the RESTCatalog spec include:
| Key | Options
| Default | Description
|
| ------------------------------------ | -------------------------------------
| -------------------- |
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
|
-| `header.X-Iceberg-Access-Delegation` | `{vended-credentials,remote-signing}`
| `vended-credentials` | Signal to the server that the client supports
delegated access via a comma-separated list of access mechanisms. The server
may choose to supply access via any or none of the requested mechanisms |
+| `header.X-Iceberg-Access-Delegation` | `{vended-credentials,remote-signing}`
| `vended-credentials` | Signal to the server that the client supports
delegated access via a comma-separated list of access mechanisms. The server
may choose to supply access via any or none of the requested mechanisms. When
using `vended-credentials`, the server provides temporary credentials to the
client. When using `remote-signing`, the server signs requests on behalf of the
client. |
+
+#### Authentication Options
+- **SigV4**: For AWS services that require SigV4 signing.
+- **Token**: Use the `token` property to pass a bearer token for services that
accept token-based authentication.
+- **Credential**: Use the `credential` property with format
`client_id:client_secret` for authentication.
+- **OAuth2**: Use the `oauth2-server-uri` property to specify a custom OAuth2
endpoint for client credentials authentication.
+
+#### Common Integrations & Examples
+
+##### Glue (AWS)
+```yaml
+catalog:
+ s3_tables_catalog:
+ type: rest
+ uri: https://glue.<region>.amazonaws.com/iceberg
+ warehouse: <account-id>:s3tablescatalog/<table-bucket-name>
+ rest.sigv4-enabled: true
+ rest.signing-name: glue
+ rest.signing-region: <region>
+```
+
+##### Unity Catalog (Databricks)
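Review bot: In the Glue example, `rest.sigv4-enabled: true` turns on request signing, but neither the example nor the text around it says which AWS credentials are used to sign. Add a sentence on where the signing credentials come from. The catalog is also named `s3_tables_catalog` and the warehouse uses `s3tablescatalog/<table-bucket-name>`, so the heading or a one-line lead-in should say this configuration is for S3 Tables through the Glue endpoint.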
Review Comment:
I think this should work for both Databricks UC and OSS UC
https://github.com/unitycatalog/unitycatalog
```suggestion
##### Unity Catalog
```
##########
mkdocs/docs/configuration.md:
##########
@@ -372,7 +372,73 @@ Specific headers defined by the RESTCatalog spec include:
| Key | Options
| Default | Description
|
| ------------------------------------ | -------------------------------------
| -------------------- |
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
|
-| `header.X-Iceberg-Access-Delegation` | `{vended-credentials,remote-signing}`
| `vended-credentials` | Signal to the server that the client supports
delegated access via a comma-separated list of access mechanisms. The server
may choose to supply access via any or none of the requested mechanisms |
+| `header.X-Iceberg-Access-Delegation` | `{vended-credentials,remote-signing}`
| `vended-credentials` | Signal to the server that the client supports
delegated access via a comma-separated list of access mechanisms. The server
may choose to supply access via any or none of the requested mechanisms. When
using `vended-credentials`, the server provides temporary credentials to the
client. When using `remote-signing`, the server signs requests on behalf of the
client. |
+
+#### Authentication Options
+- **SigV4**: For AWS services that require SigV4 signing.
+- **Token**: Use the `token` property to pass a bearer token for services that
accept token-based authentication.
+- **Credential**: Use the `credential` property with format
`client_id:client_secret` for authentication.
+- **OAuth2**: Use the `oauth2-server-uri` property to specify a custom OAuth2
endpoint for client credentials authentication.
+
+#### Common Integrations & Examples
+
+##### Glue (AWS)
+```yaml
+catalog:
+ s3_tables_catalog:
+ type: rest
+ uri: https://glue.<region>.amazonaws.com/iceberg
+ warehouse: <account-id>:s3tablescatalog/<table-bucket-name>
+ rest.sigv4-enabled: true
+ rest.signing-name: glue
+ rest.signing-region: <region>
+```
+
+##### Unity Catalog (Databricks)
+```yaml
+catalog:
+ unity_catalog:
+ type: rest
+ uri: https://<workspace-url>/api/2.1/unity-catalog/iceberg-rest
+ warehouse: <uc-catalog-name>
+ token: <databricks-pat-token>
+```
+
+##### R2 Data Catalog (Cloudflare)
+```yaml
+catalog:
+ r2_catalog:
+ type: rest
+ uri: <r2-catalog-uri>
+ warehouse: <r2-warehouse-name>
+ token: <r2-token>
+```
+
+##### Lakekeeper
+```yaml
+catalog:
+ lakekeeper_catalog:
+ type: rest
+ uri: <lakekeeper-catalog-uri>
+ warehouse: <lakekeeper-warehouse-name>
+ credential: <client-id>:<client-secret>
+ oauth2-server-uri:
http://localhost:30080/realms/<keycloak-realm-name>/protocol/openid-connect/token
+ scope: lakekeeper
+```
+
+##### Polaris (Snowflake)
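Review bot: The Lakekeeper example sets `oauth2-server-uri` to `http://localhost:30080/...`, a plain-HTTP token endpoint, directly below `credential: <client-id>:<client-secret>`. Readers copy these blocks as they are, and a client-credentials request to an HTTP endpoint sends the secret in clear text. Use a placeholder such as `https://<keycloak-host>/realms/<keycloak-realm-name>/protocol/openid-connect/token`, as the other examples do for their URIs, or label the localhost value as a local development setup.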
Review Comment:
Let's make a distinction between Apache Polaris and Snowflake Open Catalog
(Managed Polaris)
https://other-docs.snowflake.com/en/opencatalog/overview
```suggestion
##### Apache Polaris
```
##########
mkdocs/docs/configuration.md:
##########
@@ -372,7 +372,73 @@ Specific headers defined by the RESTCatalog spec include:
| Key | Options
| Default | Description
|
| ------------------------------------ | -------------------------------------
| -------------------- |
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
|
-| `header.X-Iceberg-Access-Delegation` | `{vended-credentials,remote-signing}`
| `vended-credentials` | Signal to the server that the client supports
delegated access via a comma-separated list of access mechanisms. The server
may choose to supply access via any or none of the requested mechanisms |
+| `header.X-Iceberg-Access-Delegation` | `{vended-credentials,remote-signing}`
| `vended-credentials` | Signal to the server that the client supports
delegated access via a comma-separated list of access mechanisms. The server
may choose to supply access via any or none of the requested mechanisms. When
using `vended-credentials`, the server provides temporary credentials to the
client. When using `remote-signing`, the server signs requests on behalf of the
client. |
+
+#### Authentication Options
+- **SigV4**: For AWS services that require SigV4 signing.
+- **Token**: Use the `token` property to pass a bearer token for services that
accept token-based authentication.
+- **Credential**: Use the `credential` property with format
`client_id:client_secret` for authentication.
+- **OAuth2**: Use the `oauth2-server-uri` property to specify a custom OAuth2
endpoint for client credentials authentication.
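Review bot: In the Authentication Options list, the SigV4 bullet names no property, while the Token, Credential and OAuth2 bullets each name the one to set. Name the SigV4 properties there as well; the Glue example in this change uses `rest.sigv4-enabled`, `rest.signing-name` and `rest.signing-region`. The Credential and OAuth2 bullets also both describe client credentials authentication without saying how `credential` and `oauth2-server-uri` relate, although the Lakekeeper example sets both together.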
Review Comment:
I think right now we only support 2 types of auth, OAuth and SigV4. Let's make
a distinction here.
And I think token and credential are both part of the OAuth implementation.
##########
mkdocs/docs/configuration.md:
##########
@@ -372,7 +372,73 @@ Specific headers defined by the RESTCatalog spec include:
| Key | Options
| Default | Description
|
| ------------------------------------ | -------------------------------------
| -------------------- |
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
|
-| `header.X-Iceberg-Access-Delegation` | `{vended-credentials,remote-signing}`
| `vended-credentials` | Signal to the server that the client supports
delegated access via a comma-separated list of access mechanisms. The server
may choose to supply access via any or none of the requested mechanisms |
+| `header.X-Iceberg-Access-Delegation` | `{vended-credentials,remote-signing}`
| `vended-credentials` | Signal to the server that the client supports
delegated access via a comma-separated list of access mechanisms. The server
may choose to supply access via any or none of the requested mechanisms. When
using `vended-credentials`, the server provides temporary credentials to the
client. When using `remote-signing`, the server signs requests on behalf of the
client. |
+
+#### Authentication Options
+- **SigV4**: For AWS services that require SigV4 signing.
+- **Token**: Use the `token` property to pass a bearer token for services that
accept token-based authentication.
+- **Credential**: Use the `credential` property with format
`client_id:client_secret` for authentication.
+- **OAuth2**: Use the `oauth2-server-uri` property to specify a custom OAuth2
endpoint for client credentials authentication.
+
+#### Common Integrations & Examples
+
+##### Glue (AWS)
+```yaml
+catalog:
+ s3_tables_catalog:
+ type: rest
+ uri: https://glue.<region>.amazonaws.com/iceberg
+ warehouse: <account-id>:s3tablescatalog/<table-bucket-name>
+ rest.sigv4-enabled: true
+ rest.signing-name: glue
+ rest.signing-region: <region>
+```
+
+##### Unity Catalog (Databricks)
+```yaml
+catalog:
+ unity_catalog:
+ type: rest
+ uri: https://<workspace-url>/api/2.1/unity-catalog/iceberg-rest
+ warehouse: <uc-catalog-name>
+ token: <databricks-pat-token>
+```
+
+##### R2 Data Catalog (Cloudflare)
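Review bot: The Unity Catalog example places a personal access token in the YAML as `token: <databricks-pat-token>`, with no guidance on how to handle a file that contains it. Add a sentence near the examples saying that a configuration file holding `token` or `credential` values should be kept out of version control and readable only by its owner. The placeholder name is also tied to Databricks; a neutral `<token>` would stay correct if the heading is generalised.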
Review Comment:
nit:
```suggestion
##### R2 Data Catalog
```
##########
mkdocs/docs/configuration.md:
##########
@@ -372,7 +372,73 @@ Specific headers defined by the RESTCatalog spec include:
| Key | Options
| Default | Description
|
| ------------------------------------ | -------------------------------------
| -------------------- |
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
|
-| `header.X-Iceberg-Access-Delegation` | `{vended-credentials,remote-signing}`
| `vended-credentials` | Signal to the server that the client supports
delegated access via a comma-separated list of access mechanisms. The server
may choose to supply access via any or none of the requested mechanisms |
+| `header.X-Iceberg-Access-Delegation` | `{vended-credentials,remote-signing}`
| `vended-credentials` | Signal to the server that the client supports
delegated access via a comma-separated list of access mechanisms. The server
may choose to supply access via any or none of the requested mechanisms. When
using `vended-credentials`, the server provides temporary credentials to the
client. When using `remote-signing`, the server signs requests on behalf of the
client. |
+
+#### Authentication Options
Review Comment:
I like this section a lot. I think we should move this above the headers
section.
I would like to break up the table above and move the auth related
key/values here.