Remove redundant locations when constructing access policies (#2149)

eric-maynard · web-flow · commit 027d80b24f71 · 2025-08-13T10:08:27.000-07:00
Iceberg tables can technically store data across any number of paths, but Polaris currently uses 3 different locations for credential vending:
1. The table's base location
2. The table's `write.data.path`, if set
3. The table's `write.metadata.path`, if set

This was intended to capture scenarios where e.g. (2) is not a child path of (1), so that the vended credentials can still be valid for reading the entire table. However, there are systems that seem to always set (2) and (3), such as:

1. `s3:/my-bucket/base/iceberg`
2. `s3:/my-bucket/base/iceberg/data`
3. `s3:/my-bucket/base/iceberg/metadata`

In such cases the extra paths (e.g. extra resources in the AWS Policy) are redundant. In one such case, these redundant paths caused the policy to exceed the maximum allowable 2048 characters.

This PR removes redundant paths -- those that are the child of another path -- from the list of accessible locations tracked for a given table and does some slight refactoring to consolidate the logic for extracting these paths from a TableMetadata.
diff --git a/polaris-core/src/main/java/org/apache/polaris/core/storage/PolarisStorageConfigurationInfo.java b/polaris-core/src/main/java/org/apache/polaris/core/storage/PolarisStorageConfigurationInfo.java
@@ -32,18 +32,14 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Locale;
-import java.util.Map;
-import java.util.Objects;
 import java.util.Optional;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
+import java.util.Set;
 import org.apache.polaris.core.PolarisCallContext;
 import org.apache.polaris.core.admin.model.Catalog;
 import org.apache.polaris.core.config.FeatureConfiguration;
 import org.apache.polaris.core.entity.CatalogEntity;
 import org.apache.polaris.core.entity.PolarisEntity;
 import org.apache.polaris.core.entity.PolarisEntityConstants;
-import org.apache.polaris.core.entity.table.IcebergTableLikeEntity;
 import org.apache.polaris.core.storage.aws.AwsStorageConfigurationInfo;
 import org.apache.polaris.core.storage.azure.AzureStorageConfigurationInfo;
 import org.apache.polaris.core.storage.gcp.GcpStorageConfigurationInfo;
@@ -162,30 +158,19 @@ public static Optional<PolarisStorageConfigurationInfo> forEntityPath(
                     entityPathReversed.get(0).getName());
 
                 // TODO: figure out the purpose of adding `userSpecifiedWriteLocations`
-                List<String> locs =
-                    userSpecifiedWriteLocations(entityPathReversed.get(0).getPropertiesAsMap());
+                Set<String> locations =
+                    StorageUtil.getLocationsAllowedToBeAccessed(
+                        null, entityPathReversed.get(0).getPropertiesAsMap());
                 return new StorageConfigurationOverride(
                     configInfo,
                     ImmutableList.<String>builder()
                         .addAll(configInfo.getAllowedLocations())
-                        .addAll(locs)
+                        .addAll(locations)
                         .build());
               }
             });
   }
 
-  private static List<String> userSpecifiedWriteLocations(Map<String, String> properties) {
-    return Optional.ofNullable(properties)
-        .map(
-            p ->
-                Stream.of(
-                        p.get(IcebergTableLikeEntity.USER_SPECIFIED_WRITE_DATA_LOCATION_KEY),
-                        p.get(IcebergTableLikeEntity.USER_SPECIFIED_WRITE_METADATA_LOCATION_KEY))
-                    .filter(Objects::nonNull)
-                    .collect(Collectors.toList()))
-        .orElse(List.of());
-  }
-
   private static @Nonnull Optional<PolarisEntity> findStorageInfoFromHierarchy(
       List<PolarisEntity> entityPath) {
     for (int i = entityPath.size() - 1; i >= 0; i--) {
diff --git a/polaris-core/src/main/java/org/apache/polaris/core/storage/StorageLocation.java b/polaris-core/src/main/java/org/apache/polaris/core/storage/StorageLocation.java
@@ -27,7 +27,11 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-/** An abstraction over a storage location */
+/**
+ * An abstraction over a storage location. This type may be used for a generic string-based
+ * location, but child classes might be used where behavior specific to a storage provider is
+ * needed.
+ */
 public class StorageLocation {
   private static final Logger LOGGER = LoggerFactory.getLogger(StorageLocation.class);
   private static final Pattern SCHEME_PATTERN = Pattern.compile("^(.+?):(.+)");
@@ -36,7 +40,7 @@ public class StorageLocation {
 
   private final String location;
 
-  /** Create a StorageLocation from a String path */
+  /** Create a StorageLocation of the appropriate type from a String path */
   public static StorageLocation of(String location) {
     // TODO implement StorageLocation for all supported file systems and add isValidLocation
     if (AzureLocation.isAzureLocation(location)) {
@@ -61,7 +65,7 @@ protected StorageLocation(@Nonnull String location) {
   }
 
   /** If a path doesn't end in `/`, this will add one */
-  protected final String ensureTrailingSlash(String location) {
+  protected static String ensureTrailingSlash(String location) {
     if (location == null || location.endsWith("/")) {
       return location;
     } else {
@@ -70,7 +74,7 @@ protected final String ensureTrailingSlash(String location) {
   }
 
   /** If a path doesn't start with `/`, this will add one */
-  protected final @Nonnull String ensureLeadingSlash(@Nonnull String location) {
+  protected static @Nonnull String ensureLeadingSlash(@Nonnull String location) {
     if (location.startsWith("/")) {
       return location;
     } else {
@@ -83,6 +87,12 @@ public int hashCode() {
     return location.hashCode();
   }
 
+  /**
+   * Checks if two StorageLocations represent the same physical location.
+   *
+   * <p>Child classes should override this behavior if a check other than basic string-matching
+   * should be done.
+   */
   @Override
   public boolean equals(Object obj) {
     if (obj instanceof StorageLocation) {
@@ -99,7 +109,10 @@ public String toString() {
 
   /**
    * Returns true if this StorageLocation's location string starts with the other StorageLocation's
-   * location string
+   * location string.
+   *
+   * <p>Child classes should override this behavior if a check other than basic string-matching
+   * should be done.
    */
   public boolean isChildOf(StorageLocation potentialParent) {
     if (this.location == null || potentialParent.location == null) {
diff --git a/polaris-core/src/main/java/org/apache/polaris/core/storage/StorageUtil.java b/polaris-core/src/main/java/org/apache/polaris/core/storage/StorageUtil.java
@@ -20,6 +20,12 @@
 
 import jakarta.annotation.Nonnull;
 import java.net.URI;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+import org.apache.iceberg.TableMetadata;
+import org.apache.iceberg.view.ViewMetadata;
+import org.apache.polaris.core.entity.table.IcebergTableLikeEntity;
 
 public class StorageUtil {
   /**
@@ -62,4 +68,44 @@ public class StorageUtil {
   public static @Nonnull String getBucket(URI uri) {
     return uri.getAuthority();
   }
+
+  /** Given a TableMetadata, extracts the locations where the table's [meta]data might be found. */
+  public static @Nonnull Set<String> getLocationsAllowedToBeAccessed(TableMetadata tableMetadata) {
+    return getLocationsAllowedToBeAccessed(tableMetadata.location(), tableMetadata.properties());
+  }
+
+  /** Given a baseLocation and entity (table?) properties, extracts the relevant locations */
+  public static @Nonnull Set<String> getLocationsAllowedToBeAccessed(
+      String baseLocation, Map<String, String> properties) {
+    Set<String> locations = new HashSet<>();
+    locations.add(baseLocation);
+    locations.add(properties.get(IcebergTableLikeEntity.USER_SPECIFIED_WRITE_DATA_LOCATION_KEY));
+    locations.add(
+        properties.get(IcebergTableLikeEntity.USER_SPECIFIED_WRITE_METADATA_LOCATION_KEY));
+    locations.remove(null);
+    return removeRedundantLocations(locations);
+  }
+
+  /** Given a ViewMetadata, extracts the locations where the view's [meta]data might be found. */
+  public static @Nonnull Set<String> getLocationsAllowedToBeAccessed(ViewMetadata viewMetadata) {
+    return Set.of(viewMetadata.location());
+  }
+
+  /** Removes "redundant" locations, so {/a/b/, /a/b/c, /a/b/d} will be reduced to just {/a/b/} */
+  private static @Nonnull Set<String> removeRedundantLocations(Set<String> locationStrings) {
+    HashSet<String> result = new HashSet<>(locationStrings);
+
+    for (String potentialParent : locationStrings) {
+      StorageLocation potentialParentLocation = StorageLocation.of(potentialParent);
+      for (String potentialChild : locationStrings) {
+        if (!potentialParent.equals(potentialChild)) {
+          StorageLocation potentialChildLocation = StorageLocation.of(potentialChild);
+          if (potentialChildLocation.isChildOf(potentialParentLocation)) {
+            result.remove(potentialChild);
+          }
+        }
+      }
+    }
+    return result;
+  }
 }
diff --git a/polaris-core/src/test/java/org/apache/polaris/core/storage/StorageUtilTest.java b/polaris-core/src/test/java/org/apache/polaris/core/storage/StorageUtilTest.java
@@ -18,6 +18,8 @@
  */
 package org.apache.polaris.core.storage;
 
+import java.util.Map;
+import org.apache.polaris.core.entity.table.IcebergTableLikeEntity;
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
@@ -66,4 +68,44 @@ public void testAuthorityWithPort() {
     Assertions.assertThat(StorageUtil.getBucket("s3://bucket:8080/path/file.txt"))
         .isEqualTo("bucket:8080");
   }
+
+  @Test
+  public void getLocationsAllowedToBeAccessed() {
+    Assertions.assertThat(StorageUtil.getLocationsAllowedToBeAccessed(null, Map.of())).isEmpty();
+    Assertions.assertThat(StorageUtil.getLocationsAllowedToBeAccessed("", Map.of())).isNotEmpty();
+    Assertions.assertThat(StorageUtil.getLocationsAllowedToBeAccessed("/foo/", Map.of()))
+        .contains("/foo/");
+    Assertions.assertThat(
+            StorageUtil.getLocationsAllowedToBeAccessed(
+                "/foo/",
+                Map.of(IcebergTableLikeEntity.USER_SPECIFIED_WRITE_DATA_LOCATION_KEY, "/foo/")))
+        .contains("/foo/");
+    Assertions.assertThat(
+            StorageUtil.getLocationsAllowedToBeAccessed(
+                "/foo/",
+                Map.of(IcebergTableLikeEntity.USER_SPECIFIED_WRITE_DATA_LOCATION_KEY, "/bar/")))
+        .contains("/foo/", "/bar/");
+    Assertions.assertThat(
+            StorageUtil.getLocationsAllowedToBeAccessed(
+                "/foo/",
+                Map.of(IcebergTableLikeEntity.USER_SPECIFIED_WRITE_DATA_LOCATION_KEY, "/foo/bar/")))
+        .contains("/foo/");
+    Assertions.assertThat(
+            StorageUtil.getLocationsAllowedToBeAccessed(
+                "/foo/bar/",
+                Map.of(IcebergTableLikeEntity.USER_SPECIFIED_WRITE_DATA_LOCATION_KEY, "/foo/")))
+        .contains("/foo/");
+    Assertions.assertThat(
+            StorageUtil.getLocationsAllowedToBeAccessed(
+                "/foo/bar/",
+                Map.of(IcebergTableLikeEntity.USER_SPECIFIED_WRITE_METADATA_LOCATION_KEY, "/foo/")))
+        .contains("/foo/");
+    Assertions.assertThat(
+            StorageUtil.getLocationsAllowedToBeAccessed(
+                "/1/",
+                Map.of(
+                    IcebergTableLikeEntity.USER_SPECIFIED_WRITE_DATA_LOCATION_KEY, "/2/",
+                    IcebergTableLikeEntity.USER_SPECIFIED_WRITE_METADATA_LOCATION_KEY, "/3/")))
+        .contains("/1/", "/2/", "/3/");
+  }
 }
diff --git a/runtime/service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalog.java b/runtime/service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalog.java
@@ -35,7 +35,6 @@
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
@@ -126,6 +125,7 @@
 import org.apache.polaris.core.storage.PolarisStorageConfigurationInfo;
 import org.apache.polaris.core.storage.PolarisStorageIntegration;
 import org.apache.polaris.core.storage.StorageLocation;
+import org.apache.polaris.core.storage.StorageUtil;
 import org.apache.polaris.core.storage.cache.StorageCredentialCache;
 import org.apache.polaris.service.catalog.SupportsNotifications;
 import org.apache.polaris.service.catalog.common.LocationUtils;
@@ -379,32 +379,6 @@ private String defaultNamespaceLocation(Namespace namespace) {
     }
   }
 
-  private Set<String> getLocationsAllowedToBeAccessed(TableMetadata tableMetadata) {
-    Set<String> locations = new HashSet<>();
-    locations.add(tableMetadata.location());
-    if (tableMetadata
-        .properties()
-        .containsKey(IcebergTableLikeEntity.USER_SPECIFIED_WRITE_DATA_LOCATION_KEY)) {
-      locations.add(
-          tableMetadata
-              .properties()
-              .get(IcebergTableLikeEntity.USER_SPECIFIED_WRITE_DATA_LOCATION_KEY));
-    }
-    if (tableMetadata
-        .properties()
-        .containsKey(IcebergTableLikeEntity.USER_SPECIFIED_WRITE_METADATA_LOCATION_KEY)) {
-      locations.add(
-          tableMetadata
-              .properties()
-              .get(IcebergTableLikeEntity.USER_SPECIFIED_WRITE_METADATA_LOCATION_KEY));
-    }
-    return locations;
-  }
-
-  private Set<String> getLocationsAllowedToBeAccessed(ViewMetadata viewMetadata) {
-    return Set.of(viewMetadata.location());
-  }
-
   @Override
   public boolean dropTable(TableIdentifier tableIdentifier, boolean purge) {
     TableOperations ops = newTableOps(tableIdentifier);
@@ -870,7 +844,7 @@ public AccessConfig getAccessConfig(
         storageCredentialCache,
         getCredentialVendor(),
         tableIdentifier,
-        getLocationsAllowedToBeAccessed(tableMetadata),
+        StorageUtil.getLocationsAllowedToBeAccessed(tableMetadata),
         storageActions,
         storageInfo.get());
   }
@@ -1473,7 +1447,7 @@ public void doCommit(TableMetadata base, TableMetadata metadata) {
       tableFileIO =
           loadFileIOForTableLike(
               tableIdentifier,
-              getLocationsAllowedToBeAccessed(metadata),
+              StorageUtil.getLocationsAllowedToBeAccessed(metadata),
               resolvedStorageEntity,
               new HashMap<>(metadata.properties()),
               Set.of(
@@ -1495,24 +1469,8 @@ public void doCommit(TableMetadata base, TableMetadata metadata) {
                   .get(IcebergTableLikeEntity.USER_SPECIFIED_WRITE_DATA_LOCATION_KEY))) {
         // If location is changing then we must validate that the requested location is valid
         // for the storage configuration inherited under this entity's path.
-        Set<String> dataLocations = new HashSet<>();
-        dataLocations.add(metadata.location());
-        if (metadata.properties().get(IcebergTableLikeEntity.USER_SPECIFIED_WRITE_DATA_LOCATION_KEY)
-            != null) {
-          dataLocations.add(
-              metadata
-                  .properties()
-                  .get(IcebergTableLikeEntity.USER_SPECIFIED_WRITE_DATA_LOCATION_KEY));
-        }
-        if (metadata
-                .properties()
-                .get(IcebergTableLikeEntity.USER_SPECIFIED_WRITE_METADATA_LOCATION_KEY)
-            != null) {
-          dataLocations.add(
-              metadata
-                  .properties()
-                  .get(IcebergTableLikeEntity.USER_SPECIFIED_WRITE_METADATA_LOCATION_KEY));
-        }
+        Set<String> dataLocations =
+            StorageUtil.getLocationsAllowedToBeAccessed(metadata.location(), metadata.properties());
         validateLocationsForTableLike(tableIdentifier, dataLocations, resolvedStorageEntity);
         // also validate that the table location doesn't overlap an existing table
         dataLocations.forEach(
@@ -1873,7 +1831,7 @@ public void doCommit(ViewMetadata base, ViewMetadata metadata) {
       viewFileIO =
           loadFileIOForTableLike(
               identifier,
-              getLocationsAllowedToBeAccessed(metadata),
+              StorageUtil.getLocationsAllowedToBeAccessed(metadata),
               resolvedStorageEntity,
               tableProperties,
               Set.of(PolarisStorageActions.READ, PolarisStorageActions.WRITE));
@@ -2616,16 +2574,6 @@ protected FileIO loadFileIO(String ioImpl, Map<String, String> properties) {
         callContext, ioImpl, properties, identifier, locations, storageActions, resolvedPath);
   }
 
-  private void blockedUserSpecifiedWriteLocation(Map<String, String> properties) {
-    if (properties != null
-        && (properties.containsKey(IcebergTableLikeEntity.USER_SPECIFIED_WRITE_DATA_LOCATION_KEY)
-            || properties.containsKey(
-                IcebergTableLikeEntity.USER_SPECIFIED_WRITE_METADATA_LOCATION_KEY))) {
-      throw new ForbiddenException(
-          "Delegate access to table with user-specified write location is temporarily not supported.");
-    }
-  }
-
   private int getMaxMetadataRefreshRetries() {
     return callContext
         .getRealmConfig()
