add refresh credentials property to loadTableResult

quarkus/service/src/test/java/org/apache/polaris/service/quarkus/auth/JWTSymmetricKeyGeneratorTest.java

@@ -24,6 +24,7 @@
 import com.auth0.jwt.JWTVerifier;
 import com.auth0.jwt.algorithms.Algorithm;
 import com.auth0.jwt.interfaces.DecodedJWT;
+import java.net.URI;
 import java.util.Map;
 import org.apache.polaris.core.PolarisCallContext;
 import org.apache.polaris.core.context.CallContext;
@@ -65,6 +66,11 @@ public PolarisCallContext getPolarisCallContext() {
           public Map<String, Object> contextVariables() {
             return Map.of();
           }
+
+          @Override
+          public URI getBaseUri() {
+            return null;
+          }
         });
     PolarisMetaStoreManager metastoreManager = Mockito.mock(PolarisMetaStoreManager.class);
     String mainSecret = "test_secret";

quarkus/service/src/test/java/org/apache/polaris/service/quarkus/catalog/IcebergCatalogHandlerWrapperAuthzTest.java

@@ -23,6 +23,7 @@
 import io.quarkus.test.junit.TestProfile;
 import jakarta.ws.rs.core.SecurityContext;
 import java.time.Instant;
+import java.util.EnumSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -64,6 +65,7 @@
 import org.apache.polaris.core.persistence.PolarisEntityManager;
 import org.apache.polaris.core.persistence.dao.entity.CreatePrincipalResult;
 import org.apache.polaris.core.persistence.resolver.PolarisResolutionManifest;
+import org.apache.polaris.service.catalog.AccessDelegationMode;
 import org.apache.polaris.service.catalog.iceberg.IcebergCatalogHandlerWrapper;
 import org.apache.polaris.service.catalog.io.DefaultFileIOFactory;
 import org.apache.polaris.service.config.RealmEntityManagerFactory;
@@ -872,7 +874,10 @@ public void testLoadTableWithReadAccessDelegationSufficientPrivileges() {
             PolarisPrivilege.TABLE_READ_DATA,
             PolarisPrivilege.TABLE_WRITE_DATA,
             PolarisPrivilege.CATALOG_MANAGE_CONTENT),
-        () -> newWrapper().loadTableWithAccessDelegation(TABLE_NS1A_2, "all"),
+        () ->
+            newWrapper()
+                .loadTableWithAccessDelegation(
+                    TABLE_NS1A_2, "all", EnumSet.noneOf(AccessDelegationMode.class)),
         null /* cleanupAction */);
   }
 
@@ -888,7 +893,10 @@ public void testLoadTableWithReadAccessDelegationInsufficientPermissions() {
             PolarisPrivilege.TABLE_CREATE,
             PolarisPrivilege.TABLE_LIST,
             PolarisPrivilege.TABLE_DROP),
-        () -> newWrapper().loadTableWithAccessDelegation(TABLE_NS1A_2, "all"));
+        () ->
+            newWrapper()
+                .loadTableWithAccessDelegation(
+                    TABLE_NS1A_2, "all", EnumSet.noneOf(AccessDelegationMode.class)));
   }
 
   @Test
@@ -901,7 +909,10 @@ public void testLoadTableWithWriteAccessDelegationSufficientPrivileges() {
             PolarisPrivilege.TABLE_READ_DATA,
             PolarisPrivilege.TABLE_WRITE_DATA,
             PolarisPrivilege.CATALOG_MANAGE_CONTENT),
-        () -> newWrapper().loadTableWithAccessDelegation(TABLE_NS1A_2, "all"),
+        () ->
+            newWrapper()
+                .loadTableWithAccessDelegation(
+                    TABLE_NS1A_2, "all", EnumSet.noneOf(AccessDelegationMode.class)),
         null /* cleanupAction */);
   }
 
@@ -917,7 +928,10 @@ public void testLoadTableWithWriteAccessDelegationInsufficientPermissions() {
             PolarisPrivilege.TABLE_CREATE,
             PolarisPrivilege.TABLE_LIST,
             PolarisPrivilege.TABLE_DROP),
-        () -> newWrapper().loadTableWithAccessDelegation(TABLE_NS1A_2, "all"));
+        () ->
+            newWrapper()
+                .loadTableWithAccessDelegation(
+                    TABLE_NS1A_2, "all", EnumSet.noneOf(AccessDelegationMode.class)));
   }
 
   @Test

service/common/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalog.java

@@ -51,6 +51,7 @@
 import org.apache.iceberg.TableMetadata;
 import org.apache.iceberg.TableMetadataParser;
 import org.apache.iceberg.TableOperations;
+import org.apache.iceberg.aws.AwsClientProperties;
 import org.apache.iceberg.catalog.Namespace;
 import org.apache.iceberg.catalog.SupportsNamespaces;
 import org.apache.iceberg.catalog.TableIdentifier;
@@ -853,6 +854,19 @@ public Map<String, String> getCredentialConfig(
         storageInfo.get());
   }
 
+  @Override
+  public Map<String, String> getVendedCredentialConfig(TableIdentifier tableIdentifier) {
+    Map<String, String> vendedCredentialConfig = new HashMap<>();
+    String credentialsEndpoint =
+        String.format(
+            "/v1/%s/namespaces/%s/tables/%s/credentials",
+            catalogName, tableIdentifier.namespace().toString(), tableIdentifier.name());
+    vendedCredentialConfig.put(AwsClientProperties.REFRESH_CREDENTIALS_ENABLED, "true");
+    vendedCredentialConfig.put(
+        AwsClientProperties.REFRESH_CREDENTIALS_ENDPOINT, credentialsEndpoint);
+    return vendedCredentialConfig;
+  }
+
   /**
    * Based on configuration settings, for callsites that need to handle potentially setting a new
    * base location for a TableLike entity, produces the transformed location if applicable, or else

service/common/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogAdapter.java

@@ -344,7 +344,9 @@ public Response loadTable(
           if (delegationModes.isEmpty()) {
             return Response.ok(catalog.loadTable(tableIdentifier, snapshots)).build();
           } else {
-            return Response.ok(catalog.loadTableWithAccessDelegation(tableIdentifier, snapshots))
+            return Response.ok(
+                    catalog.loadTableWithAccessDelegation(
+                        tableIdentifier, snapshots, delegationModes))
                 .build();
           }
         });
@@ -485,7 +487,8 @@ public Response loadCredentials(
         prefix,
         catalog -> {
           LoadTableResponse loadTableResponse =
-              catalog.loadTableWithAccessDelegation(tableIdentifier, "all");
+              catalog.loadTableWithAccessDelegation(
+                  tableIdentifier, "all", EnumSet.noneOf(AccessDelegationMode.class));
           return Response.ok(
                   ImmutableLoadCredentialsResponse.builder()
                       .credentials(loadTableResponse.credentials())

service/common/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogHandlerWrapper.java

@@ -26,6 +26,7 @@
 import java.time.ZoneOffset;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.EnumSet;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -90,6 +91,7 @@
 import org.apache.polaris.core.persistence.resolver.ResolverPath;
 import org.apache.polaris.core.persistence.resolver.ResolverStatus;
 import org.apache.polaris.core.storage.PolarisStorageActions;
+import org.apache.polaris.service.catalog.AccessDelegationMode;
 import org.apache.polaris.service.catalog.SupportsNotifications;
 import org.apache.polaris.service.context.CallContextCatalogFactory;
 import org.apache.polaris.service.types.NotificationRequest;
@@ -777,7 +779,9 @@ public LoadTableResponse loadTable(TableIdentifier tableIdentifier, String snaps
   }
 
   public LoadTableResponse loadTableWithAccessDelegation(
-      TableIdentifier tableIdentifier, String snapshots) {
+      TableIdentifier tableIdentifier,
+      String snapshots,
+      EnumSet<AccessDelegationMode> accessDelegationModes) {
     // Here we have a single method that falls through multiple candidate
     // PolarisAuthorizableOperations because instead of identifying the desired operation up-front
     // and
@@ -839,6 +843,10 @@ public LoadTableResponse loadTableWithAccessDelegation(
         responseBuilder.addAllConfig(
             credentialDelegation.getCredentialConfig(
                 tableIdentifier, tableMetadata, actionsRequested));
+        if (accessDelegationModes.contains(AccessDelegationMode.VENDED_CREDENTIALS)) {
+          responseBuilder.addAllConfig(
+              credentialDelegation.getVendedCredentialConfig(tableIdentifier));
+        }
       }
       return responseBuilder.build();
     } else if (table instanceof BaseMetadataTable) {

service/common/src/main/java/org/apache/polaris/service/catalog/iceberg/SupportsCredentialDelegation.java

@@ -36,4 +36,6 @@ Map<String, String> getCredentialConfig(
       TableIdentifier tableIdentifier,
       TableMetadata tableMetadata,
       Set<PolarisStorageActions> storageActions);
+
+  Map<String, String> getVendedCredentialConfig(TableIdentifier tableIdentifier);
 }

service/common/src/test/java/org/apache/polaris/service/catalog/io/FileIOFactoryTest.java

@@ -25,6 +25,7 @@
 import com.google.common.collect.ImmutableMap;
 import jakarta.annotation.Nonnull;
 import java.lang.reflect.Method;
+import java.net.URI;
 import java.time.Clock;
 import java.util.HashMap;
 import java.util.List;
@@ -149,6 +150,11 @@ public PolarisCallContext getPolarisCallContext() {
           public Map<String, Object> contextVariables() {
             return new HashMap<>();
           }
+
+          @Override
+          public URI getBaseUri() {
+            return null;
+          }
         };
   }
 

service/common/src/testFixtures/java/org/apache/polaris/service/TestServices.java

@@ -21,6 +21,7 @@
 import com.google.auth.oauth2.AccessToken;
 import com.google.auth.oauth2.GoogleCredentials;
 import jakarta.ws.rs.core.SecurityContext;
+import java.net.URI;
 import java.security.Principal;
 import java.time.Clock;
 import java.time.Instant;
@@ -158,6 +159,11 @@ public PolarisCallContext getPolarisCallContext() {
             public Map<String, Object> contextVariables() {
               return new HashMap<>();
             }
+
+            @Override
+            public URI getBaseUri() {
+              return null;
+            }
           };
 
       FileIOFactory fileIOFactory =