bharos commented on code in PR #9988:
URL: https://github.com/apache/gravitino/pull/9988#discussion_r2826473542
##########
iceberg/iceberg-rest-server/src/main/java/org/apache/gravitino/iceberg/service/dispatcher/IcebergTableOperationExecutor.java:
##########
@@ -122,13 +123,39 @@ public void dropTable(
@Override
public LoadTableResponse loadTable(
IcebergRequestContext context, TableIdentifier tableIdentifier) {
+ String catalogName = context.catalogName();
+
+ // Per Iceberg REST spec, /tables/ endpoint should only serve tables, not
views.
+ // Check if the identifier is a view and throw NoSuchTableException to
trigger
+ // Spark's fallback logic to use /views/ endpoint instead.
+ if
(icebergCatalogWrapperManager.getCatalogWrapper(catalogName).viewExists(tableIdentifier))
{
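Review bot: the `viewExists(tableIdentifier)` call at the top of `loadTable` runs on every table load, so each request for a real table pays an extra catalog lookup before the load itself. Consider attempting the table load first and calling `viewExists` only on the failure path. Also keep the NoSuchTableException message identical whether the identifier is a view or does not exist, so the /tables/ endpoint does not confirm view names to callers who cannot read them.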
Review Comment:
Added TODO with your suggestion
##########
iceberg/iceberg-rest-server/src/main/java/org/apache/gravitino/iceberg/service/dispatcher/IcebergTableOperationExecutor.java:
##########
@@ -122,13 +122,15 @@ public void dropTable(
@Override
public LoadTableResponse loadTable(
IcebergRequestContext context, TableIdentifier tableIdentifier) {
+ String catalogName = context.catalogName();
Review Comment:
Sorry, reverted now
##########
iceberg/iceberg-rest-server/src/main/java/org/apache/gravitino/server/web/filter/LoadTableAuthzHandler.java:
##########
@@ -58,7 +65,7 @@ public void process(Map<EntityType, NameIdentifier>
nameIdentifierMap) {
IcebergAuthorizationMetadata icebergMetadata =
parameter.getAnnotation(IcebergAuthorizationMetadata.class);
if (icebergMetadata != null && icebergMetadata.type() ==
RequestType.LOAD_TABLE) {
- tableName = String.valueOf(args[i]);
+ tableName = RESTUtil.decodeString(String.valueOf(args[i]));
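Review bot: `RESTUtil.decodeString(String.valueOf(args[i]))` decodes the table name for the authorization check, so the result must be exactly the name the resource method goes on to load. Please confirm the argument still arrives encoded at this point; if the framework has already decoded it, a second decode changes names that contain a literal `%`, and the check would cover a different table than the one served. `String.valueOf` also turns a null argument into the string "null" instead of failing, so an explicit null check would be safer. A test with an encoded table name would pin this behaviour down.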
Review Comment:
We create the nameIdentifier map within this method in Line 117,
so it's not straightforward. The table parameter has
@IcebergAuthorizationMetadata(type = LOAD_TABLE) but NOT
@AuthorizationMetadata(type = TABLE), so the interceptor doesn't automatically
decode and add it to nameIdentifierMap.
##########
iceberg/iceberg-rest-server/src/main/java/org/apache/gravitino/iceberg/service/rest/IcebergViewOperations.java:
##########
@@ -131,10 +161,17 @@ public Response createView(
@Produces(MediaType.APPLICATION_JSON)
@Timed(name = "load-view." + MetricNames.HTTP_PROCESS_DURATION, absolute =
true)
@ResponseMetered(name = "load-view", absolute = true)
+ @AuthorizationExpression(
+ expression =
+ "ANY(OWNER, METALAKE, CATALOG) || "
+ + "SCHEMA_OWNER_WITH_USE_CATALOG || "
+ + "ANY_USE_CATALOG && ANY_USE_SCHEMA && (VIEW::OWNER ||
ANY_SELECT_VIEW)",
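Review bot: the `load-view` expression mixes `||` and `&&` without grouping its last clause, so its meaning depends on `&&` binding tighter than `||` in the expression evaluator. Wrapping `ANY_USE_CATALOG && ANY_USE_SCHEMA && (VIEW::OWNER || ANY_SELECT_VIEW)` in its own parentheses would make the intended policy explicit and keep it stable if evaluator precedence ever differs.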
Review Comment:
Is this the correct code for REST backend:
https://github.com/apache/iceberg/blob/de3125afe64fc2b171a52b6e884c72f901e3cba1/core/src/main/java/org/apache/iceberg/rest/CatalogHandlers.java#L113
I guess in createTable, `catalog.tableExists` was called inside
stageTableCreate.
But for views, I don't find that happening. But I think we can still keep
`ANY_CREATE_VIEW` to be consistent with the table auth.