adutra commented on code in PR #2280: URL: https://github.com/apache/polaris/pull/2280#discussion_r2541982321
########## CHANGELOG.md: ########## @@ -36,6 +36,14 @@ request adding CHANGELOG notes for breaking (!) changes and possibly other secti [Iceberg Metrics Reporting]: https://iceberg.apache.org/docs/latest/metrics-reporting/ +- **S3 remote request signing** has been added, allowing Polaris to work with S3-compatible object storage systems. + *Remote signing is currently experimental and not enabled by default*. In particular, RBAC checks are currently not + production-ready. One new table privilege was introduced: `TABLE_REMOTE_SIGN`. To enable remote signing: + 1. Set the system-wide property `REMOTE_SIGNING_ENABLED` or the catalog-level `polaris.request-signing.enabled` + property to `true`. + 2. Grant the `TABLE_REMOTE_SIGN` privilege to a catalog role. The role must also be granted the `TABLE_READ_DATA` + and `TABLE_WRITE_DATA` privileges. Review Comment: This is done by Polaris RBAC enforcement. The two `PoalrisAuthorizableOperation` instances used in remote signing are declared as follows: ```java SIGN_S3_READ_REQUEST(EnumSet.of(TABLE_REMOTE_SIGN, TABLE_READ_DATA)), SIGN_S3_WRITE_REQUEST(EnumSet.of(TABLE_REMOTE_SIGN, TABLE_WRITE_DATA)), ``` Thus as you can see to authorize these operations, the role must have been granted 2 privileges: `TABLE_REMOTE_SIGN` and either `TABLE_READ_DATA` (for reads) or `TABLE_WRITE_DATA` (for writes). -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
