Thanks everyone for your feedback in the Catalog Sync and afterwards! I tried to address most of the feedback and updated the document.

* The updated document can be found here [1]: https://docs.google.com/document/d/1buW9PCNoHPeP7Br5_vZRTU-_3TExwLx6bs075gi94xc/edit?usp=sharing
* It is linked now to an improvement (#11286 [2]) which also contains much of the motivation, which does not need to be part of the docs itself.

I would ask all interested parties to leave comments in the Google Doc. If further clarification is needed, we can also discuss it again in the catalog sync.

[1] https://docs.google.com/document/d/1buW9PCNoHPeP7Br5_vZRTU-_3TExwLx6bs075gi94xc/edit?usp=sharing
[2] https://github.com/apache/iceberg/issues/11286

From: Yufei Gu <flyrain...@gmail.com>
Date: Saturday, 12. October 2024 at 12:30
To: dev@iceberg.apache.org <dev@iceberg.apache.org>
Subject: Re: [DISCUSS] REST: OAuth2 Authentication Guide

Thanks Christian. Nice write-up! Authentication is essential to a production env. It's great to document it well given a lot of people don't necessarily have enough OAuth2 knowledge. Looking forward to the doc PRs and other client-side changes.

Yufei

On Wed, Sep 18, 2024 at 8:31 AM Dmitri Bourlatchkov <dmitri.bourlatch...@dremio.com.invalid> wrote:

Hi Christian,

Very nice proposal. Thanks for putting it together! I added some comments to the doc.

I think it is related to PR #10753 [4], which proposes some foundational refactoring to the Java REST client to enable further enhancements in OAuth2 flows.

Cheers,
Dmitri.

[4] https://github.com/apache/iceberg/pull/10753

On Wed, Sep 18, 2024 at 4:12 AM Christian Thiel <christ...@hansetag.com.invalid> wrote:

Dear everyone,

the Iceberg REST specification allows for different ways of authentication; OAuth2 is one of them. Until recently the OAuth2 /token endpoint was part of the REST spec, together with the datatypes required for the client-credentials flow. Both have since been removed from the spec for security reasons [2]. Probably because it was a part of the spec before, clients today typically only implement the client-credentials flow. This lags behind OAuth2's capabilities and is unsuitable for human users. Common IdPs do not implement the client-credentials flow for principals of human users, for good reasons.

To mitigate this problem, we propose an extension of the Iceberg documentation in 3 steps. This proposal is neither an extension of the Iceberg REST Catalog specification nor of OAuth2 itself. The Iceberg REST specification already specifies OAuth2 authentication [3], which includes all the flows mentioned in the document of this proposal [1].

My proposal to go forward is as follows:

1. Use this proposal's Google Doc for alignment in the community: [1] https://docs.google.com/document/d/1A6bJfSzkTzDWUIegdckSsoaeFxZl1Qn5htI1jzyBQss/edit?usp=sharing Discuss in a catalog sync in 1-2 weeks.
2. Condense the consensus found in the Google Doc to .md and add it to the docs.
3. Implement additional flows in the iceberg-(java, python, rust ..) packages. For Java there is already a PR that goes in this direction which could use some more attention: https://github.com/apache/iceberg/pull/10753 For other languages I am not aware of any initiatives.
4. Encourage clients to allow configuration of new flows for users.

Any feedback welcome!

Thanks - Christian

[1]: https://docs.google.com/document/d/1A6bJfSzkTzDWUIegdckSsoaeFxZl1Qn5htI1jzyBQss/edit?usp=sharing
[2]: https://docs.google.com/document/d/1Xi5MRk8WdBWFC3N_eSmVcrLhk3yu5nJ9x_wC0ec6kVQ
[3]: https://github.com/apache/iceberg/blob/ed73ec43dd25c9023069ea1d3381a6d9229be53a/open-api/rest-catalog-open-api.yaml#L61
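The distinction Christian's message draws, a service principal authenticating with the client-credentials grant versus a human user whose session is kept alive by a refresh token obtained from an interactive flow, shown as an added example. This is not code from the thread, from the Iceberg project, or from PR #10753; it is standard OAuth2 (RFC 6749) token handling written for illustration. `FakeTokenEndpoint` is a constructed stand-in for an IdP's /token endpoint so the flow runs offline, and the client id, secret, token strings and `CatalogAuth` class are assumptions; how the human user's initial tokens are obtained (authorization-code or device flow) is out of scope and is seeded directly.

```python
"""Added example (not Iceberg project code): OAuth2 token handling for a
REST catalog client, run offline against a constructed fake IdP."""
import base64
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode


@dataclass
class TokenSet:
    access_token: str
    expires_at: float                      # absolute epoch seconds
    refresh_token: Optional[str] = None


class FakeTokenEndpoint:
    """Constructed stand-in for an IdP /token endpoint (no network)."""

    def __init__(self):
        self.clients = {"catalog-svc": "s3cr3t"}   # assumed service principal
        self.refresh_tokens = {}                    # refresh_token -> subject
        self.counter = 0

    def _issue(self, subject, with_refresh):
        self.counter += 1
        resp = {"access_token": f"at-{subject}-{self.counter}",
                "token_type": "Bearer", "expires_in": 60}
        if with_refresh:
            rt = f"rt-{subject}-{self.counter}"
            self.refresh_tokens[rt] = subject
            resp["refresh_token"] = rt
        return resp

    def seed_user_session(self, subject):
        """Stands in for a completed authorization-code or device flow."""
        return self._issue(subject, with_refresh=True)

    def post(self, headers, body):
        params = {k: v[0] for k, v in parse_qs(body).items()}
        grant = params.get("grant_type")
        if grant == "client_credentials":
            # Confidential client authenticates with HTTP Basic (RFC 6749 2.3.1).
            auth = headers.get("Authorization", "")
            if not auth.startswith("Basic "):
                return 401, {"error": "invalid_client"}
            cid, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
            if self.clients.get(cid) != secret:
                return 401, {"error": "invalid_client"}
            # Machine principals get no refresh token; they simply re-authenticate.
            return 200, self._issue(cid, with_refresh=False)
        if grant == "refresh_token":
            # Single-use refresh tokens: the presented one is revoked and rotated.
            subject = self.refresh_tokens.pop(params.get("refresh_token"), None)
            if subject is None:
                return 400, {"error": "invalid_grant"}
            return 200, self._issue(subject, with_refresh=True)
        return 400, {"error": "unsupported_grant_type"}


class CatalogAuth:
    """Assumed token manager for a REST catalog client."""
    SKEW = 10  # renew this many seconds before expiry

    def __init__(self, endpoint, client_id, client_secret=None):
        self.endpoint, self.client_id, self.client_secret = endpoint, client_id, client_secret
        self.tokens: Optional[TokenSet] = None

    def _to_tokens(self, resp, now):
        return TokenSet(resp["access_token"], now + resp["expires_in"],
                        resp.get("refresh_token"))

    def login_client_credentials(self, now=None):
        now = time.time() if now is None else now
        creds = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        status, resp = self.endpoint.post({"Authorization": "Basic " + creds},
                                          urlencode({"grant_type": "client_credentials"}))
        if status != 200:
            raise PermissionError(resp["error"])
        self.tokens = self._to_tokens(resp, now)
        return self.tokens

    def adopt_user_session(self, resp, now=None):
        """Take over a token response produced by an interactive flow."""
        now = time.time() if now is None else now
        self.tokens = self._to_tokens(resp, now)
        return self.tokens

    def bearer_header(self, now=None):
        """Authorization header for a catalog request, renewing the token if needed."""
        now = time.time() if now is None else now
        if self.tokens is None:
            raise RuntimeError("not authenticated")
        if now >= self.tokens.expires_at - self.SKEW:
            if self.tokens.refresh_token:
                status, resp = self.endpoint.post(
                    {}, urlencode({"grant_type": "refresh_token",
                                   "refresh_token": self.tokens.refresh_token,
                                   "client_id": self.client_id}))
                if status != 200:
                    raise PermissionError(resp["error"])
                self.tokens = self._to_tokens(resp, now)
            elif self.client_secret:
                self.login_client_credentials(now)   # machine: just re-authenticate
            else:
                raise PermissionError("session expired; interactive login required")
        return {"Authorization": "Bearer " + self.tokens.access_token}
```

The point the two branches of `bearer_header` make is the one the proposal rests on: a client that only knows the client-credentials grant can renew a service principal's token, but a human user's client has no secret to replay and depends on a refresh token (or a fresh interactive login), so the catalog client needs to support those flows as well.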