dimas-b commented on code in PR #3997:
URL: https://github.com/apache/polaris/pull/3997#discussion_r3024771246
##########
runtime/service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogHandler.java:
##########
@@ -740,6 +739,76 @@ public Optional<LoadTableResponse>
loadTableWithAccessDelegationIfStale(
refreshCredentialsEndpoint);
}
+ /**
+ * Vend credentials for a table using location data from entity internal
properties, avoiding a
+ * full table metadata read from object storage. Falls back to the standard
+ * loadTableWithAccessDelegation path if the entity lacks the required
location properties.
+ */
+ public ImmutableLoadCredentialsResponse loadCredentials(
+ TableIdentifier tableIdentifier, Optional<String>
refreshCredentialsEndpoint) {
+
+ Set<PolarisStorageActions> actionsRequested =
+ authorizeLoadTable(tableIdentifier, EnumSet.of(VENDED_CREDENTIALS));
+
+ // Optimized credential vending is only supported for native Polaris
catalogs.
+ // Federated/external catalogs are passthrough — writes happen directly on
the
+ // remote catalog independently of Polaris, so there is no guarantee that
entity
+ // internal properties (e.g. location) in the Polaris metastore are in
sync with
+ // the remote catalog's actual table metadata.
+ // Note: this check must come after authorizeLoadTable because baseCatalog
is
+ // initialized lazily during authorization.
+ if (!(baseCatalog instanceof IcebergCatalog)) {
+ return fallbackToFullLoadTable(tableIdentifier,
refreshCredentialsEndpoint);
+ }
+
+ IcebergTableLikeEntity entity = getTableEntity(tableIdentifier);
+ if (entity == null) {
+ throw new NoSuchTableException("Table does not exist: %s",
tableIdentifier);
+ }
+
+ Map<String, String> internalProperties =
entity.getInternalPropertiesAsMap();
+ String baseLocation =
internalProperties.get(IcebergTableLikeEntity.LOCATION);
+
+ if (baseLocation == null) {
+ LOGGER
+ .atDebug()
+ .addKeyValue("tableIdentifier", tableIdentifier)
+ .log(
+ "Entity missing location in internal properties, requires
backfill "
+ + "as it was likely not updated with stored property
changes. "
+ + "Falling back to full loadTable path");
+ return fallbackToFullLoadTable(tableIdentifier,
refreshCredentialsEndpoint);
+ }
+
+ Set<String> tableLocations =
+ StorageUtil.getLocationsUsedByTable(baseLocation, internalProperties);
+
+ StorageAccessConfig storageAccessConfig =
+ vendCredentials(
+ tableIdentifier, tableLocations, actionsRequested,
refreshCredentialsEndpoint);
+ if (storageAccessConfig == null) {
+ return ImmutableLoadCredentialsResponse.builder().build();
+ }
+
+ Map<String, String> credentialConfig = storageAccessConfig.credentials();
+ ImmutableLoadCredentialsResponse.Builder responseBuilder =
+ ImmutableLoadCredentialsResponse.builder();
+
+ if (!credentialConfig.isEmpty()) {
+ responseBuilder.addCredentials(
+
ImmutableCredential.builder().prefix(baseLocation).config(credentialConfig).build());
+ } else {
+ Boolean skipCredIndirection =
+
realmConfig().getConfig(FeatureConfiguration.SKIP_CREDENTIAL_SUBSCOPING_INDIRECTION);
+ Preconditions.checkArgument(
+ !storageAccessConfig.supportsCredentialVending() ||
skipCredIndirection,
Review Comment:
We should probably make this check when we exit via line 790 too (needs a
refactoring)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
