Commit ce85b8f

Docs: Add REST catalog authentication properties (#14065)
1 parent 16c9dd6 commit ce85b8f

1 file changed

+37
-0
lines changed

docs/docs/configuration.md

Lines changed: 37 additions & 0 deletions
@@ -143,6 +143,43 @@ The properties can be manually constructed or passed in from a compute engine li
143143
Spark uses its session properties as catalog properties, see more details in the [Spark configuration](spark-configuration.md#catalog-configuration) section.
144144
Flink passes in catalog properties through `CREATE CATALOG` statement, see more details in the [Flink](flink.md#adding-catalogs) section.
145145

146+
### REST Catalog auth properties
147+
148+
The following catalog properties configure authentication for the REST catalog.
149+
They support Basic, OAuth2, SigV4, and Google authentication.
150+
151+
#### REST auth properties
152+
153+
| Property | Default | Description |
154+
|--------------------------------------|------------------|-------------------------------------------------------------------------------------------------------------------|
155+
| `rest.auth.type` | `none` | Authentication mechanism for REST catalog access. Supported values: `none`, `basic`, `oauth2`, `sigv4`, `google`. |
156+
| `rest.auth.basic.username` | null | Username for Basic authentication. Required if `rest.auth.type` = `basic`. |
157+
| `rest.auth.basic.password` | null | Password for Basic authentication. Required if `rest.auth.type` = `basic`. |
158+
| `rest.auth.sigv4.delegate-auth-type` | `oauth2` | Auth type to delegate to after `sigv4` signing. |
159+
160+
#### OAuth2 auth properties
161+
Required and optional properties to include while using `oauth2` authentication
162+
163+
| Property | Default | Description |
164+
|-------------------------|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
165+
| `token` | null | A Bearer token to interact with the server. Either `token` or `credential` is required. |
166+
| `credential` | null | Credential string in the form of `client_id:client_secret` to exchange for a token in the OAuth2 client credentials flow. Either `token` or `credential` is required. |
167+
| `oauth2-server-uri` | `v1/oauth/tokens` | OAuth2 token endpoint URI. Required if the REST catalog is not the OAuth2 authentication server. |
168+
| `token-expires-in-ms` | 3600000 (1 hour) | Time in milliseconds after which a bearer token is considered expired. Used to decide when to refresh or re-exchange a token. |
169+
| `token-refresh-enabled` | true | Determines whether tokens are automatically refreshed when expiration details are available. |
170+
| `token-exchange-enabled`| true | Determines whether to use the token exchange flow to acquire new tokens. Disabling this will allow fallback to the client credential flow. |
171+
| `scope` | `catalog` | Additional scope for `oauth2`. |
172+
| `audience` | null | Optional param to specify token `audience` |
173+
| `resource` | null | Optional param to specify `resource` |
174+
175+
#### Google auth properties
176+
Required and optional properties to include while using `google` authentication
177+
178+
| Property | Default | Description |
179+
|----------------------------|--------------------------------------------------|--------------------------------------------------|
180+
| `gcp.auth.credentials-path`| Application Default Credentials (ADC) | Path to a service account JSON key file. |
181+
| `gcp.auth.scopes` | `https://www.googleapis.com/auth/cloud-platform` | Comma-separated list of OAuth scopes to request. |
182+
146183
### Lock catalog properties
147184

148185
Here are the catalog properties related to locking. They are used by some catalog implementations to control the locking behavior during commits.
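
Review bot: The rows for `rest.auth.basic.password`, `token` and `credential` describe secret values, yet the section never says so, and the context lines just above note that Spark takes catalog properties from session properties and Flink from the `CREATE CATALOG` statement, where such values can end up in job configuration and SQL text. Consider adding a sentence under "REST Catalog auth properties" that marks these three as secrets and points readers to whatever mechanism the engine offers for supplying them outside plain-text configuration. Two smaller points in the same hunk: the `oauth2-server-uri` default `v1/oauth/tokens` is a relative path and the description does not say what it is resolved against, and the Default cell for `gcp.auth.credentials-path` holds a fallback behaviour ("Application Default Credentials (ADC)") rather than a value, which would read better moved into the description with the default shown as null like the other rows. Also, `sigv4` is listed under `rest.auth.type` but, unlike OAuth2 and Google, gets no table of its own beyond `rest.auth.sigv4.delegate-auth-type`; a pointer to where the signing properties are documented would close that gap.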
