add refresh credentials property to loadTableResult

[wolflex888]

This PR will add necessary refresh-vended-credentials properties to LoadTableResponse to allow each IoFile will get appropriate properties to initiate VendedCredentialsProvider.

[wolflex888]

Is there a better way to grab the server host here? I don't think this is reliable but I do not know a better way to get the host. Potentially, we can get it from the request header? but it looks like the headers are being filtered out.

[dimas-b]

This is not so simple, I'm afraid :) We need to think of proxies too.

At the very minimum, I think we need to get a UriInfo injected and use uriInfo.getBaseUri().

A more robust approach is here: https://github.com/projectnessie/nessie/blob/a9028f12c5152ebc14ba32731b52fdc9a107db94/servers/quarkus-catalog/src/main/java/org/projectnessie/server/catalog/ExternalBaseUriImpl.java#L38

[dimas-b]

Does this do proper escaping of special chars in the URI path?

Cf. IcebergCatalogAdapter.decodeNamespace()

[dimas-b]

IcebergCatalog does not deal with the REST API at all, but this config requires understanding namespace path encoding/decoding.

I believe it is preferable to inject this config in IcebergCatalogAdapter (where the decoding code exists).

[wolflex888]

I moved the string construction to IcebergCatalogAdapter where the decoding code exists, but I feel that's a little bit clumsy to pass it all the way down to SupportsCredentialDelegation. I wonder if you have a more elegant way of doing this

[dimas-b]

Is this change still needed?

[wolflex888]

This is removed

[dimas-b]

Is this property specific to the AWS client? I did not find any formal definition for it in Iceberg.

I believe it would be preferable to have a local constant for it in Polaris to avoid the impression that it is supposed to work only for AWS.

Given apache/iceberg#11281, why do we have to set this property at all? Why is it not discovered automatically?

[wolflex888]

That was my question to the iceberg team as well, but they insist on having this property set so iceberg knows which endpoint to reach out to.

[wolflex888]

Regarding the AwsClientProperties, there's also discussion here

[collado-mike]

unnecessary import?

[wolflex888]

This has been removed

[collado-mike]

I don't know why these extra blank lines are added

[wolflex888]

this has been removed

[collado-mike]

This needs to be configurable. E.g., some hosts may prefix the URL with /polaris or with /your_account_name or any number of prefixes

[wolflex888]

does that mean they will do something like /polaris-catalog-name instead of just /catalog-name? or I'm misunderstanding this?

[dimas-b]

prefix identifies the catalog, does it not? Why would the .../credentials endpoint for a table in one catalog need to be under a different prefix?

[collado-mike]

unnecessary import?

[wolflex888]

this is removed.

[collado-mike]

same

[wolflex888]

sorry, i forgot to do spotlessApply. these should all be fixed now.

[collado-mike]

Why is this a whole new method rather than just putting this directly in the IcebergCatalogHandler. You're just putting values into a map, so...

[wolflex888]

I see. I thought it can be more organized that way. I removed it.

[dimas-b]

I believe this class (or class above it in the call chain) should inject credentialsEndpoint in this response. We should not push this parameter down to loadTableWithAccessDelegationIfStale because the lower level class has nothing to do with REST URIs.

[wolflex888]

I see. does that mean we should be building the response here instead of having a complete response returned from loadTableAccessDelegationIfStale?

[wolflex888]

I created a function to do the injection at the proper level. Let me know if that's what you have in mind! Thanks for all the feedback! really appreciate it

[dimas-b]

@wolflex888 : Are you still working on this? Sorry for the delay with reviews. Could you resolve conflicts, please?

[smaheshwar-pltr]

(Saw that #1164 (comment) got lost but think it still holds)

[singhpk234]

Agree the uri should be :

  public String tableCredentials(TableIdentifier ident) {
    return SLASH.join(
        "v1",
        prefix,
        "namespaces",
        RESTUtil.encodeNamespace(ident.namespace()),
        "tables",
        RESTUtil.encodeString(ident.name()),
        "credentials");
  }

[jasonf20]

Hi,

Just following up—any updates on this? It should address apache/polaris#2177.

I understand this is an open-source project, but this is a small yet important change, especially given this projects role as a backend for enterprise products like Snowflake Open Catalog. Any update or timeline would be greatly appreciated.

Thank you.

[flyrain]

cc @singhpk234

[singhpk234]

ADLS also now supports creds refresh

[singhpk234]

Agree the uri should be :

  public String tableCredentials(TableIdentifier ident) {
    return SLASH.join(
        "v1",
        prefix,
        "namespaces",
        RESTUtil.encodeNamespace(ident.namespace()),
        "tables",
        RESTUtil.encodeString(ident.name()),
        "credentials");
  }

[singhpk234]

do we need to update metadata-location too ?

[singhpk234]

we should check the credential type too and send this only when storage is AWS

[singhpk234]

@wolflex888 would you mind rebasing i can help in review

[dimas-b]

@jasonf20 : If you have the capacity to make an alternative PR for this, I think it might be a reasonable path forward. If you do, please see my comments about URI handling I made under this PR.

[jasonf20]

@dimas-b Please see here: #2341

This PR has gotten a little messy so please leave new comments if I missed anything.

I understand everyone’s busy, but I’m a bit concerned that no one from the Snowflake team or other contributors has taken this on yet. I’ll do my best to assist where I can. I don't have a lot of capacity for this, but long as we keep it simple it should be fine.

[wolflex888]

I'm gonna be closing this PR as this has gotten a little bit messy. we can move forward with #2341