Copilot commented on code in PR #9380: URL: https://github.com/apache/gravitino/pull/9380#discussion_r2592197028
########## docs/iceberg-rest-service.md: ########## @@ -284,6 +284,29 @@ The detailed configuration items are as follows: Please refer to [Credential vending](./security/credential-vending.md) for more details. +### Access control + +#### Prerequisites + +To use access control with the Iceberg REST service: + +1. Enable authorization in the Gravitino server by setting `gravitino.authorization.enable = true` +2. Use the [dynamic configuration provider](#dynamic-catalog-configuration-provider) to retrieve catalog configurations from Gravitino + +Please refer to [Access Control](./security/access-control.md) for details on how to configure authorization, create roles, and grant privileges in Gravitino. + +#### How access control works + +When access control is enabled: + +1. Clients authenticate with the Iceberg REST service (Now we support Basic auth and OAuth2) Review Comment: [nitpick] The parenthetical statement should be capitalized and formatted more formally. Consider rephrasing to: 'Currently supported authentication methods are Basic Auth and OAuth2.' or 'Authentication methods: Basic Auth and OAuth2.' ```suggestion 1. Clients authenticate with the Iceberg REST service. Currently supported authentication methods are Basic Auth and OAuth2. ``` ########## docs/iceberg-rest-service.md: ########## @@ -676,3 +699,128 @@ sh ./dev/docker/build-docker.sh --platform linux/arm64 --type iceberg-rest-serve ``` You could try Spark with Gravitino REST catalog service in our [playground](./how-to-use-the-playground.md#using-apache-iceberg-rest-service). + +## Quick Start: Enable Access Control for Iceberg REST Server + +To enable access control for the Iceberg REST server using Gravitino's dynamic configuration provider, follow these steps: + +### 1. Enable Authorization and Dynamic Config Provider + +Add the following to your Gravitino server configuration file (`gravitino.conf`) if running the Iceberg REST server as an auxiliary service (recommended for access control): + +```properties +gravitino.authorization.enable = true +gravitino.authorization.serviceAdmins = adminUser + +gravitino.iceberg-rest.catalog-config-provider = dynamic-config-provider +gravitino.iceberg-rest.gravitino-uri = http://127.0.0.1:8090 +gravitino.iceberg-rest.gravitino-metalake = test +``` + +Restart the Iceberg REST server after updating the configuration. + +--- + +### 2. Create a Metalake + +```shell +curl -X POST -H "Accept: application/vnd.gravitino.v1+json" \ +-H "Content-Type: application/json" -d '{ + "name": "test" +}' http://localhost:8090/api/metalakes +``` + +--- + +### 3. Create a Catalog + +```shell +curl -X POST -H "Accept: application/vnd.gravitino.v1+json" \ +-H "Content-Type: application/json" -d '{ + "name": "catalog1", + "type": "ICEBERG", + "comment": "Iceberg catalog", + "properties": {} +}' http://localhost:8090/api/metalakes/test/catalogs +``` + +--- + +### 4. Create a Role and Grant Privileges + +```shell +curl -X POST -H "Accept: application/vnd.gravitino.v1+json" \ +-H "Content-Type: application/json" -d '{ + "name": "role1", + "properties": {}, + "securableObjects": [ + { + "fullName": "catalog1", + "type": "CATALOG", + "privileges": [ + { + "name": "USE_CATALOG", + "condition": "ALLOW" + }, + { + "name": "USE_SCHEMA", + "condition": "ALLOW" + }, + { + "name": "SELECT_TABLE", + "condition": "ALLOW" + } + ] + } + ] +}' http://localhost:8090/api/metalakes/test/roles +``` + +--- + +### 5. Grant Role to User + +```shell +curl -X PUT -H "Accept: application/vnd.gravitino.v1+json" \ +-H "Content-Type: application/json" -d '{ + "roleNames": ["role1"] +}' http://localhost:8090/api/metalakes/test/permissions/users/user1/grant +``` + +--- + +### 6. Verify Access Control in Action + +Before granting privileges, the user should not be able to access the table. +For example, try to list tables as `user1` (replace with your actual authentication method): + +```shell +curl -u user1:password -H "Accept: application/vnd.gravitino.v1+json" \ + http://localhost:9001/iceberg/v1/catalog1/namespaces/default/tables +``` + +This should return an error indicating insufficient privileges (such as HTTP 403 Forbidden). + +After granting the role with privileges, repeat the request as `user1`: + +```shell +curl -u user1:password -H "Accept: application/vnd.gravitino.v1+json" \ + http://localhost:9001/iceberg/v1/catalog1/namespaces/default/tables +``` + +This time, the request should succeed and return the list of tables. + +--- + +**Summary:** +- Enable authorization and set configuration provider to `dynamic-config-provider` +- Create metalake +- Create catalog +- Create role and grant privileges +- Assign role to user + +For more details, see the [Access Control documentation](./security/access-control.md). + +> **Note:** IRC (Iceberg REST Catalog) authorization is not supported for standalone Iceberg REST server deployments. +> Access control features described here require the Iceberg REST server to be run as an auxiliary service within the Gravitino server, +> using the dynamic configuration provider. Standalone deployments do not support IRC-based authorization. Review Comment: [nitpick] The last sentence is redundant with the first sentence. Consider removing 'Standalone deployments do not support IRC-based authorization.' as it repeats information already stated in the first sentence. ```suggestion > using the dynamic configuration provider. ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
