rohangoli opened a new pull request, #2816: URL: https://github.com/apache/polaris/pull/2816
### What changes were proposed in this pull request? - Breakdown of Issue - https://github.com/apache/polaris/issues/2743 - Code changes are dependent on https://github.com/apache/polaris/pull/2805 & https://github.com/apache/polaris/pull/2815 - Fix code to parse Non-Standard STS XML Response which breaks upon receiving Non-AWS STS XML Response with **UnprocessableEntityException** exception ```mermaid sequenceDiagram participant Polaris as Polaris (caller) participant SDK as AWS SDK (StsClient) participant Interceptor as StsResponseCaptureInterceptor participant Holder as StsResponseCapture (ThreadLocal) participant Parser as StsXmlParser participant Integration as AwsCredentialsStorageIntegration Polaris->>SDK: assumeRole(...) SDK->>Interceptor: afterTransmission(context) Interceptor->>Holder: setLastBody(rawHttpBody) SDK->>SDK: unmarshal to AssumeRoleResponse SDK-->>Polaris: AssumeRoleResponse (credentials==null) Polaris->>Integration: handle response Integration->>Holder: getLastBody() alt raw body present Integration->>Parser: parseToAccessConfig(rawBody) Parser-->>Integration: AccessConfig (keys + expiresAt) Integration->>Integration: merge into AccessConfig.Builder else no raw body Integration->>Integration: failover (error path) end Integration->>Holder: clear() %% recommended ``` ### Why are the changes needed? - On Create Table Rest API request with Non-Standard STS XML Response, we receive UnprocessableEntityException as response Request ``` POST https://192.168.0.0:4443/sts?Action=AssumeRole&RoleSessionName=temp&RoleArn=urn:ecs:iam::s3:role/s3assumeRole&DurationSeconds=7200 Accept: */* X-SDS-AUTH-TOKEN: <AUTH_TOKEN> ``` Response ``` HTTP/1.1 200 OK Content-Type: application/xml <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <ns2:AssumeRoleResponse xmlns:ns2="none"> <ResponseMetadata> <RequestId>0af7b369:171a31ad5b8:12e3a:b</RequestId> </ResponseMetadata> <AssumeRoleResult> <AssumedRoleUser> <Arn>urn:ecs:sts::s3:assumed-role/s3assumeRole/temp</Arn> <AssumedRoleId>AROA48AEC87ADCFF133F:temp</AssumedRoleId> </AssumedRoleUser> <Credentials> <AccessKeyId>ASIA48DB3A69C19CFE56</AccessKeyId> <Expiration>2020-04-23T19:45:46Z</Expiration> <SecretAccessKey>wDvqneW8lyJbu0VRAMU8xQHPKH1hIsYfTyozlVg5znM</SecretAccessKey> <SessionToken>CgJzMxIFdXNlcjEaFE0EyQ . . . mi5SBHRlbXBo2sSH9QU</SessionToken> </Credentials> </AssumeRoleResult> </ns2:AssumeRoleResponse> ``` ``` curl --location 'http://localhost:8181/api/catalog/v1/quickstart_catalog/namespaces/minio_polaris_ns/tables' -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' -H 'Polaris-Realm: POLARIS' --data '{ "name": "minio_polaris_ns_table01", "schema": { "type": "struct", "fields": [ { "id": 0, "name": "id", "type": "string", "required": true, "doc": "car model" }, { "id": 1, "name": "first_name", "type": "string", "required": true, "doc": "first name" } ] } }' | jq % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 691 100 310 100 381 275 338 0:00:01 0:00:01 --:--:-- 614 { "error": { "message": "Failed to get subscoped credentials: Cannot invoke \"software.amazon.awssdk.services.sts.model.Credentials.accessKeyId()\" because the return value of \"software.amazon.awssdk.services.sts.model.AssumeRoleResponse.credentials()\" is null", "type": "UnprocessableEntityException", "code": 422 } } ``` Polaris debug logs: ``` polaris-1 | 2025-10-14 22:13:14,756 DEBUG [org.apa.pol.cor.sto.cac.StorageCredentialCache] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) key=StorageCredentialCacheKey{realmId=POLARIS, catalogId=0, storageConfigSerializedStr={"@type":"AwsStorageConfigurationInfo","allowedLocations":["s3://polaris"],"roleARN":"urn:ecs:iam::otf_dev:role/assumeSameAccountOTF","region":"us-east-1","endpoint":"https://ecmh2.td.teradata.com","pathStyleAccess":true,"stsEndpoint":"https://ecs1.td.teradata.com:4443/sts","ignoreSSLVerification":true,"storageType":"S3","fileIoImplClassName":"org.apache.iceberg.aws.s3.S3FileIO"}, allowedListAction=true, allowedReadLocations=[s3://polaris/minio_polaris_ns/minio_polaris_ns_table01], allowedWriteLocations=[s3://polaris/minio_polaris_ns/minio_polaris_ns_table01]} subscopedCredsCache polaris-1 | 2025-10-14 22:13:14,760 DEBUG [org.apa.pol.cor.sto.cac.StorageCredentialCache] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) StorageCredentialCache::load polaris-1 | 2025-10-14 22:13:14,762 DEBUG [org.apa.pol.ser.con.DefaultConfigurationStore] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Get configuration value for STORAGE_CREDENTIAL_DURATION_SECONDS with realm POLARIS polaris-1 | 2025-10-14 22:13:14,818 WARN [org.apa.pol.ser.con.ServiceProducers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Creating HTTP client with SSL certificate verification disabled. Use only in development! polaris-1 | 2025-10-14 22:13:15,229 DEBUG [org.apa.htt.cli.pro.RequestAddCookies] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) CookieSpec selected: default polaris-1 | 2025-10-14 22:13:15,233 DEBUG [org.apa.htt.cli.pro.RequestAuthCache] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Auth cache not set in the context polaris-1 | 2025-10-14 22:13:15,234 DEBUG [org.apa.htt.imp.con.PoolingHttpClientConnectionManager] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Connection request: [route: {s}->https://ecs1.td.teradata.com:4443][total available: 0; route allocated: 0 of 50; total allocated: 0 of 50] polaris-1 | 2025-10-14 22:13:15,241 DEBUG [org.apa.htt.imp.con.PoolingHttpClientConnectionManager] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Connection leased: [id: 0][route: {s}->https://ecs1.td.teradata.com:4443][total available: 0; route allocated: 1 of 50; total allocated: 1 of 50] polaris-1 | 2025-10-14 22:13:15,243 DEBUG [org.apa.htt.imp.exe.MainClientExec] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Opening connection {s}->https://ecs1.td.teradata.com:4443 polaris-1 | 2025-10-14 22:13:15,247 DEBUG [org.apa.htt.imp.con.DefaultHttpClientConnectionOperator] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Connecting to ecs1.td.teradata.com/10.25.122.141:4443 polaris-1 | 2025-10-14 22:13:15,247 DEBUG [org.apa.htt.con.ssl.SSLConnectionSocketFactory] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Connecting socket to ecs1.td.teradata.com/10.25.122.141:4443 with timeout 2000 polaris-1 | 2025-10-14 22:13:15,285 DEBUG [org.apa.htt.con.ssl.SSLConnectionSocketFactory] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Enabled protocols: [TLSv1.3, TLSv1.2] polaris-1 | 2025-10-14 22:13:15,285 DEBUG [org.apa.htt.con.ssl.SSLConnectionSocketFactory] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Enabled cipher suites:[TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_1 28_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] polaris-1 | 2025-10-14 22:13:15,285 DEBUG [org.apa.htt.con.ssl.SSLConnectionSocketFactory] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Starting handshake polaris-1 | 2025-10-14 22:13:15,387 DEBUG [org.apa.htt.con.ssl.SSLConnectionSocketFactory] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Secure session established polaris-1 | 2025-10-14 22:13:15,388 DEBUG [org.apa.htt.con.ssl.SSLConnectionSocketFactory] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) negotiated protocol: TLSv1.3 polaris-1 | 2025-10-14 22:13:15,389 DEBUG [org.apa.htt.con.ssl.SSLConnectionSocketFactory] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) negotiated cipher suite: TLS_AES_256_GCM_SHA384 polaris-1 | 2025-10-14 22:13:15,392 DEBUG [org.apa.htt.con.ssl.SSLConnectionSocketFactory] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) peer principal: [email protected], OU=PIE, O=Teradata, STREET=17905 Via Del Campo, ST=California, L=SanDiego, C=US, CN=ecmh2.onpremlab.teradata.com polaris-1 | 2025-10-14 22:13:15,392 DEBUG [org.apa.htt.con.ssl.SSLConnectionSocketFactory] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) peer alternative names: [ecmh2.td.teradata.com, ecs500.td.teradata.com, ecs1.td.teradata.com, ecs2.td.teradata.com, ecs3.td.teradata.com, ecs4.td.teradata.com, ecs5.td.teradata.com, ecs6.td.teradata.com, ecs7.td.teradata.com, ecs8.td.teradata.com, ecs9.td.teradata.com, ecs10.td.teradata.com, 10.25.122.141, 10.25.122.142, 10.25.122.143, 10.25.122.144, 10.25.122.145, 10.25.122.146, 10.25.122.147, 10.25.122.148, 10.25.122.149, 10.25.122.150] polaris-1 | 2025-10-14 22:13:15,392 DEBUG [org.apa.htt.con.ssl.SSLConnectionSocketFactory] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) issuer principal: [email protected], OU=PIE, O=Teradata, STREET=17905 Via Del Campo, ST=California, L=SanDiego, C=US, CN=ecmh2.onpremlab.teradata.com polaris-1 | 2025-10-14 22:13:15,393 DEBUG [org.apa.htt.imp.con.DefaultHttpClientConnectionOperator] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Connection established 172.18.0.4:44384<->10.25.122.141:4443 polaris-1 | 2025-10-14 22:13:15,394 DEBUG [org.apa.htt.imp.con.DefaultManagedHttpClientConnection] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0: set socket timeout to 30000 polaris-1 | 2025-10-14 22:13:15,394 DEBUG [org.apa.htt.imp.exe.MainClientExec] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Executing request POST /sts HTTP/1.1 polaris-1 | 2025-10-14 22:13:15,394 DEBUG [org.apa.htt.imp.exe.MainClientExec] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Proxy auth state: UNCHALLENGED polaris-1 | 2025-10-14 22:13:15,396 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> POST /sts HTTP/1.1 polaris-1 | 2025-10-14 22:13:15,396 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> Host: ecs1.td.teradata.com:4443 polaris-1 | 2025-10-14 22:13:15,396 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> amz-sdk-invocation-id: 07cbfcd4-ecb9-b6fe-cd84-1cdf6baf0a54 polaris-1 | 2025-10-14 22:13:15,396 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> amz-sdk-request: attempt=1; max=4 polaris-1 | 2025-10-14 22:13:15,396 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> Authorization: AWS4-HMAC-SHA256 Credential=AKIA914B58000A66FBBE/20251014/us-east-1/sts/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-content-sha256;x-amz-date, Signature=7b9ea31d6faace691231843b6b83d8c4d39f585af65b24f44ae491d5be34ff2d polaris-1 | 2025-10-14 22:13:15,396 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> Content-Type: application/x-www-form-urlencoded; charset=utf-8 polaris-1 | 2025-10-14 22:13:15,397 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> User-Agent: aws-sdk-java/2.35.5 md/io#sync md/http#Apache ua/2.1 api/STS#2.35.x os/Linux#5.15.0-141-generic lang/java#21.0.8 md/OpenJDK_64-Bit_Server_VM#21.0.8+9-LTS md/vendor#Red_Hat__Inc. m/D,g polaris-1 | 2025-10-14 22:13:15,397 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> x-amz-content-sha256: b3215ee719d45cafa29092fd81651900acf29f5ac998e8b4228c7dcecc58d2e0 polaris-1 | 2025-10-14 22:13:15,397 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> X-Amz-Date: 20251014T221315Z polaris-1 | 2025-10-14 22:13:15,397 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> Content-Length: 976 polaris-1 | 2025-10-14 22:13:15,397 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> Connection: Keep-Alive polaris-1 | 2025-10-14 22:13:15,398 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "POST /sts HTTP/1.1[\r][\n]" polaris-1 | 2025-10-14 22:13:15,398 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "Host: ecs1.td.teradata.com:4443[\r][\n]" polaris-1 | 2025-10-14 22:13:15,398 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "amz-sdk-invocation-id: 07cbfcd4-ecb9-b6fe-cd84-1cdf6baf0a54[\r][\n]" polaris-1 | 2025-10-14 22:13:15,398 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "amz-sdk-request: attempt=1; max=4[\r][\n]" polaris-1 | 2025-10-14 22:13:15,398 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "Authorization: AWS4-HMAC-SHA256 Credential=AKIA914B58000A66FBBE/20251014/us-east-1/sts/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-content-sha256;x-amz-date, Signature=7b9ea31d6faace691231843b6b83d8c4d39f585af65b24f44ae491d5be34ff2d[\r][\n]" polaris-1 | 2025-10-14 22:13:15,398 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "Content-Type: application/x-www-form-urlencoded; charset=utf-8[\r][\n]" polaris-1 | 2025-10-14 22:13:15,399 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "User-Agent: aws-sdk-java/2.35.5 md/io#sync md/http#Apache ua/2.1 api/STS#2.35.x os/Linux#5.15.0-141-generic lang/java#21.0.8 md/OpenJDK_64-Bit_Server_VM#21.0.8+9-LTS md/vendor#Red_Hat__Inc. m/D,g[\r][\n]" polaris-1 | 2025-10-14 22:13:15,399 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "x-amz-content-sha256: b3215ee719d45cafa29092fd81651900acf29f5ac998e8b4228c7dcecc58d2e0[\r][\n]" polaris-1 | 2025-10-14 22:13:15,399 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "X-Amz-Date: 20251014T221315Z[\r][\n]" polaris-1 | 2025-10-14 22:13:15,399 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "Content-Length: 976[\r][\n]" polaris-1 | 2025-10-14 22:13:15,399 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]" polaris-1 | 2025-10-14 22:13:15,400 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "[\r][\n]" polaris-1 | 2025-10-14 22:13:15,400 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "Action=AssumeRole&Version=2011-06-15&RoleArn=urn%3Aecs%3Aiam%3A%3Aotf_dev%3Arole%2FassumeSameAccountOTF&RoleSessionName=PolarisAwsCredentialsStorageIntegration&Policy=%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Action%22%3A%5B%22s3%3APutObject%22%2C%22s3%3ADeleteObject%22%5D%2C%22Resource%22%3A%22arn%3Aaws%3As3%3A%3A%3Apolaris%2F*%22%7D%2C%7B%22Effect%22%3A%22Allow%22%2C%22Action%22%3A%22s3%3AListBucket%22%2C%22Resource%22%3A%22arn%3Aaws%3As3%3A%3A%3Apolaris%22%2C%22Condition%22%3A%7B%22StringLike%22%3A%7B%22s3%3Aprefix%22%3A%22minio_polaris_ns%2Fminio_polaris_ns_table01%2F*%22%7D%7D%7D%2C%7B%22Effect%22%3A%22Allow%22%2C%22Action%22%3A%22s3%3AGetBucketLocation%22%2C%22Resource%22%3A%22arn%3Aaws%3As3%3A%3A%3Apolaris%22%7D%2C%7B%22Effect%22%3A%22Allow%22%2 C%22Action%22%3A%5B%22s3%3AGetObject%22%2C%22s3%3AGetObjectVersion%22%5D%2C%22Resource%22%3A%22arn%3Aaws%3As3%3A%3A%3Apolaris%2F*%22%7D%5D%7D&DurationSeconds=3600" polaris-1 | 2025-10-14 22:13:15,424 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 << "HTTP/1.1 200 OK[\r][\n]" polaris-1 | 2025-10-14 22:13:15,425 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 << "Date: Tue, 14 Oct 2025 22:15:06 GMT[\r][\n]" polaris-1 | 2025-10-14 22:13:15,425 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 << "Content-Type: application/xml[\r][\n]" polaris-1 | 2025-10-14 22:13:15,425 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 << "Content-Length: 1751[\r][\n]" polaris-1 | 2025-10-14 22:13:15,425 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 << "Connection: keep-alive[\r][\n]" polaris-1 | 2025-10-14 22:13:15,425 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 << "[\r][\n]" polaris-1 | 2025-10-14 22:13:15,426 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 << "<?xml version="1.0" encoding="UTF-8" standalone="yes"?><ns2:AssumeRoleResponse xmlns:ns2="none"><ResponseMetadata><RequestId>0a00078d:196f956a4f3:4bdae:0-none</RequestId></ResponseMetadata><AssumeRoleResult><AssumedRoleUser><Arn>urn:ecs:sts::otf_dev:assumed-role/assumeSameAccountOTF/PolarisAwsCredentialsStorageIntegration</Arn><AssumedRoleId>AROAE95F8953C905D8A1:PolarisAwsCredentialsStorageIntegration</AssumedRoleId></AssumedRoleUser><Credentials><AccessKeyId>ASIA97044C20D38F7E26</AccessKeyId><Expiration>2025-10-14T23:15:06Z</Expiration><SecretAccessKey>dQAWYId_iRNZzenu0jRQ-jM1uVgIHNzOZYK8aLACmDs</SecretAccessKey><SessionToken>CgdvdGZfZGV2EghvdGZfdXNlchoUQVJPQTVCRkFCMUFBMzdGRUQwREUiLnVybjplY3M6aWFtOjpvdGZfZGV2OnJvbGUvYXNzdW1lU2FtZUFjY291bnRPVEYqFEFTSUE5NzA0NEMyMEQzOEY3RTI2MlBNYXN0ZXJLZXlSZWNvcmQtM2RhNGU yZTZjMjBjYjM4NjQ1ZWUyZWI5ZDVlMWM1MTgyYmEwYWI0NzViMTA4OGFhOTQwZjMyMmUwMjVhM2NkNTiGjIaonjNC6gN7IlZlcnNpb24iOiIyMDEyLTEwLTE3IiwiU3RhdGVtZW50IjpbeyJFZmZlY3QiOiJBbGxvdyIsIkFjdGlvbiI6WyJzMzpQdXRPYmplY3QiLCJzMzpEZWxldGVPYmplY3QiXSwiUmVzb3VyY2UiOiJhcm46YXdzOnMzOjo6cG9sYXJpcy8qIn0seyJFZmZlY3QiOiJBbGxvdyIsIkFjdGlvbiI6InMzOkxpc3RCdWNrZXQiLCJSZXNvdXJjZSI6ImFybjphd3M6czM6Ojpwb2xhcmlzIiwiQ29uZGl0aW9uIjp7IlN0cmluZ0xpa2UiOnsiczM6cHJlZml4IjoibWluaW9fcG9sYXJpc19ucy9taW5pb19wb2xhcmlzX25zX3RhYmxlMDEvKiJ9fX0seyJFZmZlY3QiOiJBbGxvdyIsIkFjdGlvbiI6InMzOkdldEJ1Y2tldExvY2F0aW9uIiwiUmVzb3VyY2UiOiJhcm46YXdzOnMzOjo6cG9sYXJpcyJ9LHsiRWZmZWN0IjoiQWxsb3ciLCJBY3Rpb24iOlsiczM6R2V0T2JqZWN0IiwiczM6R2V0T2JqZWN0VmVyc2lvbiJdLCJSZXNvdXJjZSI6ImFybjphd3M6czM6Ojpwb2xhcmlzLyoifV19UidQb2xhcmlzQXdzQ3JlZGVudGlhbHNTdG9yYWdlSW50ZWdyYXRpb25o6pa7xwaKAQhJQU1fVVNFUg</SessionToken></Credentials><PackedPolicySize>1243</PackedPolicySize></AssumeRoleResult></ns2:AssumeRoleResponse>" polaris-1 | 2025-10-14 22:13:15,427 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 << HTTP/1.1 200 OK polaris-1 | 2025-10-14 22:13:15,428 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 << Date: Tue, 14 Oct 2025 22:15:06 GMT polaris-1 | 2025-10-14 22:13:15,428 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 << Content-Type: application/xml polaris-1 | 2025-10-14 22:13:15,428 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 << Content-Length: 1751 polaris-1 | 2025-10-14 22:13:15,428 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 << Connection: keep-alive polaris-1 | 2025-10-14 22:13:15,431 DEBUG [org.apa.htt.imp.exe.MainClientExec] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Connection can be kept alive for 60000 MILLISECONDS polaris-1 | 2025-10-14 22:13:15,494 DEBUG [org.apa.htt.imp.con.PoolingHttpClientConnectionManager] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Connection [id: 0][route: {s}->https://ecs1.td.teradata.com:4443] can be kept alive for 60.0 seconds polaris-1 | 2025-10-14 22:13:15,494 DEBUG [org.apa.htt.imp.con.DefaultManagedHttpClientConnection] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0: set socket timeout to 0 polaris-1 | 2025-10-14 22:13:15,494 DEBUG [org.apa.htt.imp.con.PoolingHttpClientConnectionManager] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Connection released: [id: 0][route: {s}->https://ecs1.td.teradata.com:4443][total available: 1; route allocated: 1 of 50; total allocated: 1 of 50] polaris-1 | 2025-10-14 22:13:15,500 DEBUG [org.apa.pol.cor.sto.cac.StorageCredentialCache] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) errorMessage=Cannot invoke "software.amazon.awssdk.services.sts.model.Credentials.accessKeyId()" because the return value of "software.amazon.awssdk.services.sts.model.AssumeRoleResponse.credentials()" is null Failed to get subscoped credentials polaris-1 | 2025-10-14 22:13:15,500 DEBUG [org.apa.pol.ser.cat.ice.IcebergCatalogAdapter] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) RuntimeException while operating on catalog. Propagating to caller.: org.apache.iceberg.exceptions.UnprocessableEntityException: Failed to get subscoped credentials: Cannot invoke "software.amazon.awssdk.services.sts.model.Credentials.accessKeyId()" because the return value of "software.amazon.awssdk.services.sts.model.AssumeRoleResponse.credentials()" is null polaris-1 | at org.apache.polaris.core.storage.cache.StorageCredentialCache.lambda$getOrGenerateSubScopeCreds$2(StorageCredentialCache.java:151) polaris-1 | at com.github.benmanes.caffeine.cache.BoundedLocalCache.lambda$doComputeIfAbsent$0(BoundedLocalCache.java:2690) polaris-1 | at java.base/java.util.concurrent.ConcurrentHashMap.compute(ConcurrentHashMap.java:1916) polaris-1 | at com.github.benmanes.caffeine.cache.BoundedLocalCache.doComputeIfAbsent(BoundedLocalCache.java:2688) polaris-1 | at com.github.benmanes.caffeine.cache.BoundedLocalCache.computeIfAbsent(BoundedLocalCache.java:2670) polaris-1 | at com.github.benmanes.caffeine.cache.LocalCache.computeIfAbsent(LocalCache.java:112) polaris-1 | at com.github.benmanes.caffeine.cache.LocalManualCache.get(LocalManualCache.java:63) polaris-1 | at org.apache.polaris.core.storage.cache.StorageCredentialCache.getOrGenerateSubScopeCreds(StorageCredentialCache.java:153) polaris-1 | at org.apache.polaris.core.storage.cache.ServiceProducers_ProducerMethod_storageCredentialCache_hzAWPa00ffa2II6zBfUMmDXk9AQ_ClientProxy.getOrGenerateSubScopeCreds(Unknown Source) polaris-1 | at org.apache.polaris.service.catalog.io.FileIOUtil.refreshAccessConfig(FileIOUtil.java:109) polaris-1 | at org.apache.polaris.service.catalog.io.DefaultFileIOFactory.lambda$loadFileIO$0(DefaultFileIOFactory.java:102) polaris-1 | at java.base/java.util.Optional.map(Optional.java:260) polaris-1 | at org.apache.polaris.service.catalog.io.DefaultFileIOFactory.loadFileIO(DefaultFileIOFactory.java:100) polaris-1 | at org.apache.polaris.service.catalog.io.DefaultFileIOFactory_ClientProxy.loadFileIO(Unknown Source) polaris-1 | at org.apache.polaris.service.catalog.iceberg.IcebergCatalog.loadFileIOForTableLike(IcebergCatalog.java:2040) polaris-1 | at org.apache.polaris.service.catalog.iceberg.IcebergCatalog$BasePolarisTableOperations.doCommit(IcebergCatalog.java:1431) polaris-1 | at org.apache.polaris.service.catalog.iceberg.IcebergCatalog$BasePolarisTableOperations.commit(IcebergCatalog.java:1324) polaris-1 | at org.apache.iceberg.BaseMetastoreCatalog$BaseMetastoreCatalogTableBuilder.create(BaseMetastoreCatalog.java:201) polaris-1 | at org.apache.polaris.service.catalog.iceberg.IcebergCatalogHandler.createTableDirect(IcebergCatalogHandler.java:463) polaris-1 | at org.apache.polaris.service.catalog.iceberg.IcebergCatalogAdapter.lambda$createTable$6(IcebergCatalogAdapter.java:394) polaris-1 | at org.apache.polaris.service.catalog.iceberg.IcebergCatalogAdapter.withCatalog(IcebergCatalogAdapter.java:209) polaris-1 | at org.apache.polaris.service.catalog.iceberg.IcebergCatalogAdapter.createTable(IcebergCatalogAdapter.java:378) polaris-1 | at org.apache.polaris.service.catalog.iceberg.IcebergCatalogAdapter_Subclass.createTable$$superforward(Unknown Source) polaris-1 | at org.apache.polaris.service.catalog.iceberg.IcebergRestCatalogEventServiceDelegator_Gj_WCptqTcdHu-fbZfgVkAwPXCI_Delegate_Subclass.createTable(Unknown Source) polaris-1 | at org.apache.polaris.service.catalog.iceberg.IcebergRestCatalogEventServiceDelegator.createTable(IcebergRestCatalogEventServiceDelegator.java:217) polaris-1 | at org.apache.polaris.service.catalog.iceberg.IcebergCatalogAdapter_Subclass.createTable(Unknown Source) polaris-1 | at org.apache.polaris.service.catalog.iceberg.IcebergCatalogAdapter_ClientProxy.createTable(Unknown Source) polaris-1 | at org.apache.polaris.service.catalog.api.IcebergRestCatalogApi.createTable(IcebergRestCatalogApi.java:193) polaris-1 | at org.apache.polaris.service.catalog.api.IcebergRestCatalogApi_Subclass.createTable$$superforward(Unknown Source) polaris-1 | at org.apache.polaris.service.catalog.api.IcebergRestCatalogApi_Subclass$$function$$3.apply(Unknown Source) polaris-1 | at io.quarkus.arc.impl.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:73) polaris-1 | at io.quarkus.arc.impl.AroundInvokeInvocationContext$NextAroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:97) polaris-1 | at io.smallrye.faulttolerance.FaultToleranceInterceptor.lambda$syncFlow$8(FaultToleranceInterceptor.java:364) polaris-1 | at io.smallrye.faulttolerance.core.Future.from(Future.java:85) polaris-1 | at io.smallrye.faulttolerance.FaultToleranceInterceptor.lambda$syncFlow$9(FaultToleranceInterceptor.java:364) polaris-1 | at io.smallrye.faulttolerance.core.FaultToleranceContext.call(FaultToleranceContext.java:20) polaris-1 | at io.smallrye.faulttolerance.core.Invocation.apply(Invocation.java:29) polaris-1 | at io.smallrye.faulttolerance.core.metrics.MetricsCollector.apply(MetricsCollector.java:98) polaris-1 | at io.smallrye.faulttolerance.FaultToleranceInterceptor.syncFlow(FaultToleranceInterceptor.java:367) polaris-1 | at io.smallrye.faulttolerance.FaultToleranceInterceptor.intercept(FaultToleranceInterceptor.java:205) polaris-1 | at io.smallrye.faulttolerance.FaultToleranceInterceptor_Bean.intercept(Unknown Source) polaris-1 | at io.quarkus.arc.impl.InterceptorInvocation.invoke(InterceptorInvocation.java:42) polaris-1 | at io.quarkus.arc.impl.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:70) polaris-1 | at io.quarkus.arc.impl.AroundInvokeInvocationContext$NextAroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:97) polaris-1 | at io.quarkus.micrometer.runtime.MicrometerTimedInterceptor.timedMethod(MicrometerTimedInterceptor.java:79) polaris-1 | at io.quarkus.micrometer.runtime.MicrometerTimedInterceptor_Bean.intercept(Unknown Source) polaris-1 | at io.quarkus.arc.impl.InterceptorInvocation.invoke(InterceptorInvocation.java:42) polaris-1 | at io.quarkus.arc.impl.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:70) polaris-1 | at io.quarkus.arc.impl.AroundInvokeInvocationContext$NextAroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:97) polaris-1 | at io.quarkus.security.runtime.interceptor.SecurityHandler.handle(SecurityHandler.java:27) polaris-1 | at io.quarkus.security.runtime.interceptor.RolesAllowedInterceptor.intercept(RolesAllowedInterceptor.java:29) polaris-1 | at io.quarkus.security.runtime.interceptor.RolesAllowedInterceptor_Bean.intercept(Unknown Source) polaris-1 | at io.quarkus.arc.impl.InterceptorInvocation.invoke(InterceptorInvocation.java:42) polaris-1 | at io.quarkus.arc.impl.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:70) polaris-1 | at io.quarkus.arc.impl.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:62) polaris-1 | at io.quarkus.resteasy.reactive.server.runtime.StandardSecurityCheckInterceptor.intercept(StandardSecurityCheckInterceptor.java:44) polaris-1 | at io.quarkus.resteasy.reactive.server.runtime.StandardSecurityCheckInterceptor_RolesAllowedInterceptor_Bean.intercept(Unknown Source) polaris-1 | at io.quarkus.arc.impl.InterceptorInvocation.invoke(InterceptorInvocation.java:42) polaris-1 | at io.quarkus.arc.impl.AroundInvokeInvocationContext.perform(AroundInvokeInvocationContext.java:30) polaris-1 | at io.quarkus.arc.impl.InvocationContexts.performAroundInvoke(InvocationContexts.java:27) polaris-1 | at org.apache.polaris.service.catalog.api.IcebergRestCatalogApi_Subclass.createTable(Unknown Source) polaris-1 | at org.apache.polaris.service.catalog.api.IcebergRestCatalogApi$quarkusrestinvoker$createTable_01f5a1bd6d7815fd3314a553161c943c8cd03101.invoke(Unknown Source) polaris-1 | at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29) polaris-1 | at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:183) polaris-1 | at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147) polaris-1 | at io.quarkus.vertx.core.runtime.VertxCoreRecorder$15.runWith(VertxCoreRecorder.java:645) polaris-1 | at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2651) polaris-1 | at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2630) polaris-1 | at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1622) polaris-1 | at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1589) polaris-1 | at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11) polaris-1 | at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11) polaris-1 | at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) polaris-1 | at java.base/java.lang.Thread.run(Thread.java:1583) polaris-1 | polaris-1 | 2025-10-14 22:13:15,529 INFO [org.apa.pol.ser.exc.IcebergExceptionMapper] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Handling runtimeException Failed to get subscoped credentials: Cannot invoke "software.amazon.awssdk.services.sts.model.Credentials.accessKeyId()" because the return value of "software.amazon.awssdk.services.sts.model.AssumeRoleResponse.credentials()" is null polaris-1 | 2025-10-14 22:13:15,540 DEBUG [org.apa.pol.ser.exc.IcebergExceptionMapper] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Full RuntimeException polaris-1 | 2025-10-14 22:13:15,542 DEBUG [org.apa.pol.ser.exc.IcebergExceptionMapper] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Mapped exception to errorResp: org.jboss.resteasy.reactive.common.jaxrs.ResponseImpl@6e6feecc polaris-1 | 2025-10-14 22:13:15,544 INFO [io.qua.htt.access-log] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) 172.18.0.1 - root [14/Oct/2025:22:13:15 +0000] "POST /api/catalog/v1/quickstart_catalog/namespaces/minio_polaris_ns/tables HTTP/1.1" 422 310 ``` ### Does this PR introduce _any_ user-facing change? - NO ### How was this patch tested? - Ran full gradle build and test - Tests added/updated: - StsResponseCaptureTest.java - Unit test for the thread-local set/get/clear behavior. - StsXmlParserTest.java - Tests parsing of a sample non‑standard namespaced STS XML (happy path) and a negative case (missing AccessKeyId). - StsResponseCaptureInterceptorTest.java - Verifies the interceptor reads httpResponse().content() via a dynamic proxy (simulates SDK context/response) and stores the raw body into the thread-local holder. Also tests the interceptor silently ignores null contexts. ### CHANGELOG.md <!-- If the changes need to be included in CHANGELOG.md, please add a line here and in CHANGELOG.md. --> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
