Copilot commented on code in PR #15545: URL: https://github.com/apache/iceberg/pull/15545#discussion_r2902629474
########## site/docs/rest-catalog-spec.md: ########## 
@@ -40,3 +40,12 @@ The REST protocol is important for several reasons: - **Security**: The protocol supports secure table sharing using credential vending or remote signing. You can use the REST catalog protocol with any built-in catalog using translation in the `CatalogHandlers` class, or using the community maintained [`iceberg-rest-fixture`](https://hub.docker.com/r/apache/iceberg-rest-fixture) docker image. + +### Trusted Iceberg Client + +A **Trusted Iceberg Client** is a client implementation that a catalog operator trusts to correctly enforce +restrictions and instructions returned by the REST Catalog server. + +In this model, the trusted client is entrusted to interpret server responses correctly and apply +the required client-side behavior when reading or presenting data, so it does not expose data +the user is not authorized to access. Review Comment: This definition can be read as a blanket security guarantee (“so it does not expose data…”) without stating the corresponding trust boundary (what happens with untrusted/buggy clients, and that these restrictions are only meaningful when the operator explicitly trusts the client and has storage/network isolation). Consider adding an explicit note that such server-returned restrictions are advisory unless enforced by a trusted client, and operators should not treat them as the sole authorization boundary. ```suggestion the user is not authorized to access. These restrictions are advisory and only effective when enforced by a correctly implemented, trusted client operating with appropriate storage and network isolation. They do not replace server-side authorization, and catalog operators must not rely on client behavior as the sole authorization or security boundary, especially in the presence of untrusted or potentially buggy clients. ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. 
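Review bot: The new "Trusted Iceberg Client" paragraphs never say which server responses carry the "restrictions and instructions" a trusted client is expected to enforce, nor what the server does when the caller is not a trusted client, so a reader cannot tell whether trust is something the server can verify or something the operator simply assumes. Consider linking the definition to the spec sections that define those response elements and adding one sentence on how an operator establishes trust for a given client (the preceding line on credential vending and remote signing is the natural hook, e.g. by only issuing such credentials to clients it trusts) and what an untrusted client receives instead. Minor wording: "trusts to correctly enforce" and "is entrusted to interpret" say the same thing twice; the second paragraph could open with "Such a client must apply ..." to keep the definition in one place.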