FANNG1 commented on code in PR #6071:
URL: https://github.com/apache/gravitino/pull/6071#discussion_r1903609448
##########
docs/iceberg-rest-service.md:
##########
@@ -160,40 +145,28 @@ Supports using static GCS credential file or generating
GCS token to access GCS
| Configuration item | Description
|
Default value | Required | Since Version |
|---------------------------------------------------|----------------------------------------------------------------------------------------------------|---------------|----------|------------------|
| `gravitino.iceberg-rest.io-impl` | The io implementation
for `FileIO` in Iceberg, use `org.apache.iceberg.gcp.gcs.GCSFileIO` for GCS. |
(none) | No | 0.6.0-incubating |
-| `gravitino.iceberg-rest.credential-provider-type` | Deprecated, please use
`gravitino.iceberg-rest.credential-providers` instead. |
(none) | No |
0.7.0-incubating |
-| `gravitino.iceberg-rest.credential-providers` | Supports `gcs-token`,
generates a temporary token according to the query data path. |
(none) | No | 0.7.0-incubating |
-| `gravitino.iceberg-rest.gcs-credential-file-path` | Deprecated, please use
`gravitino.iceberg-rest.gcs-service-account-file` instead. |
(none) | No | 0.7.0-incubating |
-| `gravitino.iceberg-rest.gcs-service-account-file` | The location of GCS
credential file, only used when `credential-provider-type` is `gcs-token`.
| (none) | No | 0.8.0-incubating |
For other Iceberg GCS properties not managed by Gravitino like
`gcs.project-id`, you could config it directly by
`gravitino.iceberg-rest.gcs.project-id`.
-If you set `credential-providers` explicitly, please downloading [Gravitino
GCP bundle
jar](https://mvnrepository.com/artifact/org.apache.gravitino/gcp-bundle), and
place it to the classpath of Iceberg REST server.
+Please refer to [GCS
credentials](./security/credential-vending.md#gcs-credentials) for credential
related configurations.
-Please make sure the credential file is accessible by Gravitino, like using
`export
GOOGLE_APPLICATION_CREDENTIALS=/xx/application_default_credentials.json` before
Gravitino Iceberg REST server is started.
+:::note
+For Gravitino Iceberg REST server, please make sure the credential file is
accessible by Gravitino, like using `export
GOOGLE_APPLICATION_CREDENTIALS=/xx/application_default_credentials.json` even
`gcs-service-account-file` is setting.
Review Comment:
updated
##########
docs/security/credential-vending.md:
##########
@@ -0,0 +1,178 @@
+---
+title: "Gravitino credential vending"
+slug: /security/credential-vending
+keyword: security credential vending
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Background
+
+Gravitino credential vending is used to generate temporary or static
credentials for accessing data. With credential vending, Gravitino provides an
unified way to control the access to diverse data sources in different
platforms.
+
+### Capabilities
+
+- Supports Gravitino Iceberg REST server.
+- Supports Gravitino server, only support Hadoop catalog.
+- Supports pluggable credentials with build-in credentials:
+ - S3: `S3TokenCredential`, `S3SecretKeyCredential`
+ - GCS: `GCSTokenCredential`
+ - ADLS: `ADLSTokenCredential`, `AzureAccountKeyCredential`
+ - OSS: `OSSTokenCredential`, `OSSSecretKeyCredential`
+- Doesn't support Spark/Trino/Flink connector.
Review Comment:
updated
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
