(gravitino) branch main updated: [#9247] fix(iceberg): lazy check for authz configuration items in IRC to start Gravitino server (#9360)

Mon, 08 Dec 2025 22:22:20 -0800 

This is an automated email from the ASF dual-hosted git repository.

yuqi4733 pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/gravitino.git


The following commit(s) were added to refs/heads/main by this push:
     new 7560d64ca9 [#9247] fix(iceberg): lazy check for authz configuration 
items in IRC to start Gravitino server (#9360)
7560d64ca9 is described below

commit 7560d64ca9dccc29f522453e92b4fd7711f6b3b9
Author: FANNG <[email protected]>
AuthorDate: Tue Dec 9 15:21:09 2025 +0900

    [#9247] fix(iceberg): lazy check for authz configuration items in IRC to 
start Gravitino server (#9360)
    
    ### What changes were proposed in this pull request?
    
    1. move check for authz configuration items from server startup phase to
    request process phase
    2. add dynamic config provider config hints
    
    ### Why are the changes needed?
    
    Fix: #9247
    
    ### Does this PR introduce _any_ user-facing change?
    no
    
    ### How was this patch tested?
    add UT and test in local enviroment
---
 conf/gravitino.conf.template                          |  8 ++++++++
 .../iceberg/service/IcebergCatalogWrapperManager.java | 10 ++++++++++
 .../authorization/IcebergRESTServerContext.java       |  6 ------
 .../TestIcebergCatalogWrapperManagerForREST.java      | 19 +++++++++++++++++++
 .../iceberg/service/rest/IcebergRestTestUtil.java     |  3 +--
 5 files changed, 38 insertions(+), 8 deletions(-)

diff --git a/conf/gravitino.conf.template b/conf/gravitino.conf.template
index c1210100d9..7867576a0b 100644
--- a/conf/gravitino.conf.template
+++ b/conf/gravitino.conf.template
@@ -93,6 +93,14 @@ gravitino.iceberg-rest.httpPort = 9001
 gravitino.iceberg-rest.catalog-backend = memory
 # The warehouse directory of Iceberg catalog for Iceberg REST service
 gravitino.iceberg-rest.warehouse = /tmp/
+# If authorization is enabled, you must use dynamic config provider for 
Iceberg REST server
+# gravitino.iceberg-rest.catalog-config-provider = dynamic-config-provider
+# URI of the Gravitino server that the dynamic config provider will call to 
fetch catalog configs
+# gravitino.iceberg-rest.gravitino-uri = http://localhost:8090
+# Metalake name used by the dynamic config provider when querying Gravitino 
for Iceberg catalogs
+# gravitino.iceberg-rest.gravitino-metalake = <metalake-name>
+# Default Iceberg catalog name to use when clients do not specify one
+# gravitino.iceberg-rest.default-catalog-name = <default-iceberg-catalog>
 
 # Lance REST service classpath
 gravitino.lance-rest.classpath = lance-rest-server/libs
diff --git 
a/iceberg/iceberg-rest-server/src/main/java/org/apache/gravitino/iceberg/service/IcebergCatalogWrapperManager.java
 
b/iceberg/iceberg-rest-server/src/main/java/org/apache/gravitino/iceberg/service/IcebergCatalogWrapperManager.java
index 58733d7847..40dbf543d2 100644
--- 
a/iceberg/iceberg-rest-server/src/main/java/org/apache/gravitino/iceberg/service/IcebergCatalogWrapperManager.java
+++ 
b/iceberg/iceberg-rest-server/src/main/java/org/apache/gravitino/iceberg/service/IcebergCatalogWrapperManager.java
@@ -33,6 +33,8 @@ import 
org.apache.gravitino.iceberg.common.authentication.AuthenticationConfig;
 import org.apache.gravitino.iceberg.common.authentication.SupportsKerberos;
 import org.apache.gravitino.iceberg.common.ops.IcebergCatalogWrapper;
 import 
org.apache.gravitino.iceberg.common.ops.KerberosAwareIcebergCatalogProxy;
+import 
org.apache.gravitino.iceberg.service.authorization.IcebergRESTServerContext;
+import 
org.apache.gravitino.iceberg.service.provider.DynamicIcebergConfigProvider;
 import org.apache.gravitino.iceberg.service.provider.IcebergConfigProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -91,6 +93,14 @@ public class IcebergCatalogWrapperManager implements 
AutoCloseable {
   }
 
   private CatalogWrapperForREST createCatalogWrapper(String catalogName) {
+    IcebergRESTServerContext serverContext = 
IcebergRESTServerContext.getInstance();
+    if (serverContext.isAuthorizationEnabled()
+        && !(configProvider instanceof DynamicIcebergConfigProvider)) {
+      throw new IllegalArgumentException(
+          "Authorization is enabled. Set 
`gravitino.iceberg-rest.catalog-config-provider="
+              + "dynamic-config-provider` in gravitino.conf for Iceberg 
REST.");
+    }
+
     Optional<IcebergConfig> icebergConfig = 
configProvider.getIcebergCatalogConfig(catalogName);
     if (!icebergConfig.isPresent()) {
       throw new NoSuchCatalogException(
diff --git 
a/iceberg/iceberg-rest-server/src/main/java/org/apache/gravitino/iceberg/service/authorization/IcebergRESTServerContext.java
 
b/iceberg/iceberg-rest-server/src/main/java/org/apache/gravitino/iceberg/service/authorization/IcebergRESTServerContext.java
index ad14e6e3b8..1df9ff0478 100644
--- 
a/iceberg/iceberg-rest-server/src/main/java/org/apache/gravitino/iceberg/service/authorization/IcebergRESTServerContext.java
+++ 
b/iceberg/iceberg-rest-server/src/main/java/org/apache/gravitino/iceberg/service/authorization/IcebergRESTServerContext.java
@@ -20,7 +20,6 @@
 package org.apache.gravitino.iceberg.service.authorization;
 
 import com.google.common.base.Preconditions;
-import 
org.apache.gravitino.iceberg.service.provider.DynamicIcebergConfigProvider;
 import org.apache.gravitino.iceberg.service.provider.IcebergConfigProvider;
 
 public class IcebergRESTServerContext {
@@ -41,11 +40,6 @@ public class IcebergRESTServerContext {
 
   public static IcebergRESTServerContext create(
       IcebergConfigProvider configProvider, Boolean enableAuth) {
-    if (enableAuth) {
-      Preconditions.checkArgument(
-          configProvider instanceof DynamicIcebergConfigProvider,
-          "Please enable dynamic config provider if using authorization.");
-    }
     InstanceHolder.INSTANCE =
         new IcebergRESTServerContext(
             enableAuth, configProvider.getMetalakeName(), 
configProvider.getDefaultCatalogName());
diff --git 
a/iceberg/iceberg-rest-server/src/test/java/org/apache/gravitino/iceberg/service/TestIcebergCatalogWrapperManagerForREST.java
 
b/iceberg/iceberg-rest-server/src/test/java/org/apache/gravitino/iceberg/service/TestIcebergCatalogWrapperManagerForREST.java
index 2f51f2c371..6a2e20b425 100644
--- 
a/iceberg/iceberg-rest-server/src/test/java/org/apache/gravitino/iceberg/service/TestIcebergCatalogWrapperManagerForREST.java
+++ 
b/iceberg/iceberg-rest-server/src/test/java/org/apache/gravitino/iceberg/service/TestIcebergCatalogWrapperManagerForREST.java
@@ -26,6 +26,7 @@ import 
org.apache.gravitino.iceberg.service.authorization.IcebergRESTServerConte
 import org.apache.gravitino.iceberg.service.provider.IcebergConfigProvider;
 import 
org.apache.gravitino.iceberg.service.provider.IcebergConfigProviderFactory;
 import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.ValueSource;
 
@@ -44,6 +45,7 @@ public class TestIcebergCatalogWrapperManagerForREST {
     config.put(String.format("catalog.%s.catalog-backend-name", prefix), 
prefix);
     IcebergConfigProvider configProvider = 
IcebergConfigProviderFactory.create(config);
     configProvider.initialize(config);
+    IcebergRESTServerContext.create(configProvider, false);
     IcebergCatalogWrapperManager manager = new 
IcebergCatalogWrapperManager(config, configProvider);
 
     IcebergCatalogWrapper ops = manager.getOps(rawPrefix);
@@ -66,4 +68,21 @@ public class TestIcebergCatalogWrapperManagerForREST {
 
     Assertions.assertThrowsExactly(IllegalArgumentException.class, () -> 
manager.getOps(rawPrefix));
   }
+
+  @Test
+  public void testAuthorizationRequiresDynamicProvider() {
+    Map<String, String> config = Maps.newHashMap();
+    IcebergConfigProvider configProvider = 
IcebergConfigProviderFactory.create(config);
+    configProvider.initialize(config);
+    IcebergRESTServerContext.create(configProvider, true);
+    IcebergCatalogWrapperManager manager = new 
IcebergCatalogWrapperManager(config, configProvider);
+
+    IllegalArgumentException exception =
+        Assertions.assertThrowsExactly(
+            IllegalArgumentException.class, () -> 
manager.getCatalogWrapper("any"));
+    Assertions.assertTrue(
+        exception
+            .getMessage()
+            
.contains("gravitino.iceberg-rest.catalog-config-provider=dynamic-config-provider"));
+  }
 }
diff --git 
a/iceberg/iceberg-rest-server/src/test/java/org/apache/gravitino/iceberg/service/rest/IcebergRestTestUtil.java
 
b/iceberg/iceberg-rest-server/src/test/java/org/apache/gravitino/iceberg/service/rest/IcebergRestTestUtil.java
index 63a4d4ad49..211bb15700 100644
--- 
a/iceberg/iceberg-rest-server/src/test/java/org/apache/gravitino/iceberg/service/rest/IcebergRestTestUtil.java
+++ 
b/iceberg/iceberg-rest-server/src/test/java/org/apache/gravitino/iceberg/service/rest/IcebergRestTestUtil.java
@@ -129,12 +129,11 @@ public class IcebergRestTestUtil {
           "true");
       IcebergConfigProvider configProvider = 
IcebergConfigProviderFactory.create(catalogConf);
       configProvider.initialize(catalogConf);
+      IcebergRESTServerContext.create(configProvider, false);
       // used to override register table interface
       IcebergCatalogWrapperManager icebergCatalogWrapperManager =
           new IcebergCatalogWrapperManagerForTest(catalogConf, configProvider);
 
-      IcebergRESTServerContext.create(configProvider, false);
-
       EventBus eventBus = new EventBus(eventListenerPlugins);
 
       IcebergTableOperationExecutor icebergTableOperationExecutor =

Reply via email to