Contributor

@dimas-b dimas-b commented Sep 17, 2025

In preparation for implementing sending non-credential config to REST Catalog clients for #2207 this PR unifies call paths for create/load table operations.

This change does not have any differences in authorization.

This change is not expected to have any material behaviour differences to the affected code paths.

The main idea is to consolidate decision-making for what to include into REST responses and use method parameters like `EnumSet<AccessDelegationMode> delegationModes` for driving those decisions.

adutra previously approved these changes Sep 17, 2025
Contributor

@adutra adutra left a comment

LGTM

This will also facilitate implementing #2351 imho, which is nice!

Optional<String> refreshCredentialsEndpoint) {
LoadTableResponse.Builder responseBuilder =
LoadTableResponse.builder().withTableMetadata(tableMetadata);

if (!delegationModes.contains(VENDED_CREDENTIALS)) {
Contributor

Probably safer when more delegation modes get supported:

Suggested change
if (!delegationModes.contains(VENDED_CREDENTIALS)) {
if (delegationModes.isEmpty()) {

Contributor Author

I used .isEmpty() in other cases, but in this method the code below specifically performs credential vending, so I think this check is correct :)

We can certainly refactor when we support remote S3 request signing. WDYT?

Contributor

Sure, WFM.

@github-project-automation github-project-automation bot moved this from PRs In Progress to Ready to merge in Basic Kanban Board Sep 17, 2025
In preparation for implementing sending non-credential config
to REST Catalog clients for apache#2207 this PR unifies call paths
for create/load table operations.

This change does not have any differences in authorization.

This change is not expected to have any material behaviour
differences to the affected code paths.

The main idea is to consolidate decision-making for what
to include into REST responses and use method parameters
like `EnumSet<AccessDelegationMode> delegationModes` for
driving those decisions.
Contributor Author

dimas-b commented Sep 18, 2025

Rebased and resolved conflicts.

@adnanhemani : please take a look to double check that I did not break any of your changes from #2480.

@dimas-b dimas-b requested a review from adutra September 18, 2025 20:55
dimas-b added a commit to dimas-b/polaris that referenced this pull request Sep 18, 2025
This change builds on top of apache#2589 and further prepares Polaris code to
support non-STS S3 implementations for apache#2589.

For S3 implementations that do have STS, this change enables clients to
run with local credentials (no credential vending) and still receive
endpoint configuration from the catalog.

* Call `SupportsCredentialDelegation.getAccessConfig()` on all relevant
  create/load requests (previously it was called only when
  `vended-credentials` was requested)

* Always send `AccessConfig.extraProperties()` to clients

* Expose credentials to clients only when the `vended-credentials` access
  delegation mode is requested.

* There is no client-visible behaviour change for implementations of
  `PolarisStorageIntegration` that do not produce "extra" `AccessConfig`
  properties.
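
The gating rule discussed in the review thread and listed in the commit message above, as an added Java example (not code from this pull request or from Polaris): it compares a `contains(VENDED_CREDENTIALS)` check with an "any mode requested" check once a second delegation mode exists. The `Mode` enum, the `AccessConfig` record, the method names and the `REMOTE_SIGNING` value are hypothetical stand-ins, and the property values are constructed.

```java
import java.util.EnumSet;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

public class DelegationGateExample {
  // Hypothetical stand-in for AccessDelegationMode. REMOTE_SIGNING is an assumed
  // second mode, modelled on the "remote S3 request signing" mentioned in the thread.
  enum Mode { VENDED_CREDENTIALS, REMOTE_SIGNING }

  // Hypothetical stand-in for AccessConfig: secrets kept apart from extra properties.
  record AccessConfig(Map<String, String> credentials, Map<String, String> extraProperties) {}

  // Extra properties always go out; secrets only for the vended-credentials mode.
  static Map<String, String> gateOnContains(EnumSet<Mode> modes, AccessConfig cfg) {
    Map<String, String> out = new TreeMap<>(cfg.extraProperties());
    if (modes.contains(Mode.VENDED_CREDENTIALS)) {
      out.putAll(cfg.credentials());
    }
    return out;
  }

  // Same method gated on "any mode requested", for comparison.
  static Map<String, String> gateOnNonEmpty(EnumSet<Mode> modes, AccessConfig cfg) {
    Map<String, String> out = new TreeMap<>(cfg.extraProperties());
    if (!modes.isEmpty()) {
      out.putAll(cfg.credentials());
    }
    return out;
  }

  public static void main(String[] args) {
    // Constructed sample values, not real keys or endpoints.
    AccessConfig cfg = new AccessConfig(
        Map.of("s3.access-key-id", "EXAMPLE-KEY-ID", "s3.secret-access-key", "EXAMPLE-SECRET"),
        Map.of("s3.endpoint", "https://s3.example.internal"));
    List<EnumSet<Mode>> requests = List.of(
        EnumSet.noneOf(Mode.class),
        EnumSet.of(Mode.VENDED_CREDENTIALS),
        EnumSet.of(Mode.REMOTE_SIGNING));
    for (EnumSet<Mode> modes : requests) {
      System.out.printf("%-22s contains-gate=%s  nonEmpty-gate=%s%n", modes,
          gateOnContains(modes, cfg).keySet(), gateOnNonEmpty(modes, cfg).keySet());
    }
  }
}
```

The two gates agree for an empty request and for `VENDED_CREDENTIALS`; they differ only for a request that names `REMOTE_SIGNING` alone, where the non-empty gate includes the secret keys in the response and the `contains` gate does not.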