danhuawang opened a new issue, #11601:
URL: https://github.com/apache/gravitino/issues/11601
### Version
main branch
### Describe what's wrong
When the Gravitino Iceberg REST Catalog (IRC) service has authentication
enabled, the Flink connector fails with `NotAuthorizedException` when opening
an Iceberg catalog with `catalog-backend=rest`. The user has already
authenticated to Gravitino via OAuth2 through the Flink catalog store, but
`GravitinoIcebergCatalog.open()` builds a native Iceberg `RESTCatalog` client
that connects directly to the IRC endpoint without carrying any authentication
credentials.
The architecture issue: the connector bypasses the Gravitino server's auth
proxy and makes the Flink client talk directly to IRC. Since IRC shares the
same auth enforcement as Gravitino, the unauthenticated REST client is
rejected. Users should not need to manually configure IRC authentication
properties (e.g. `rest.auth.type`, `rest.auth.basic.username`) in the Gravitino
catalog — Gravitino is the unified entry point and should transparently handle
authentication propagation to its own IRC service.
This is distinct from #11596 (JDBC backend `catalog-type` mapping issue).
Here the `catalog-type=rest` is correctly recognized by Iceberg's
`FlinkCatalogFactory`, but the resulting REST client lacks authentication
credentials.
### Error message and/or stacktrace
```
org.apache.iceberg.exceptions.NotAuthorizedException: Not authorized: The provided credentials did not support
    at org.apache.iceberg.rest.ErrorHandlers$DefaultErrorHandler.accept(ErrorHandlers.java:343)
    at org.apache.iceberg.rest.ErrorHandlers$ConfigErrorHandler.accept(ErrorHandlers.java:313)
    at org.apache.iceberg.rest.HTTPClient.throwFailure(HTTPClient.java:242)
    at org.apache.iceberg.rest.HTTPClient.execute(HTTPClient.java:347)
    at org.apache.iceberg.rest.BaseHTTPClient.get(BaseHTTPClient.java:77)
    at org.apache.iceberg.rest.RESTSessionCatalog.fetchConfig(RESTSessionCatalog.java:1337)
    at org.apache.iceberg.rest.RESTSessionCatalog.initialize(RESTSessionCatalog.java:211)
    at org.apache.iceberg.rest.RESTCatalog.initialize(RESTCatalog.java:96)
    at org.apache.iceberg.CatalogUtil.loadCatalog(CatalogUtil.java:295)
    at org.apache.iceberg.flink.CatalogLoader$RESTCatalogLoader.loadCatalog(CatalogLoader.java:163)
    at org.apache.iceberg.flink.FlinkCatalog.<init>(FlinkCatalog.java:119)
    at org.apache.iceberg.flink.FlinkCatalogFactory.createCatalog(FlinkCatalogFactory.java:166)
    at org.apache.gravitino.flink.connector.iceberg.GravitinoIcebergCatalog.open(GravitinoIcebergCatalog.java:98)
    at org.apache.flink.table.catalog.CatalogManager.setCurrentCatalog(CatalogManager.java:458)
    at org.apache.flink.table.api.internal.TableEnvironmentImpl.useCatalog(TableEnvironmentImpl.java:1222)
```
### How to reproduce
+ Gravitino version: main branch
+ Deploy Gravitino with IRC enabled and authentication enforced (OAuth2 or
Basic auth):
```properties
gravitino.iceberg-rest.catalog-config-provider = dynamic-config-provider
gravitino.iceberg-rest.gravitino-uri = <gravitino-uri>
gravitino.iceberg-rest.gravitino-metalake = test
gravitino.iceberg-rest.default-catalog-name = catalog_1
```
+ Create an Iceberg catalog in Gravitino with `catalog-backend=rest` and
`uri=<IRC endpoint>`.
+ Configure a Flink `TableEnvironment` with
`table.catalog-store.kind=gravitino` and OAuth2 credentials (the user is fully
authenticated to Gravitino).
+ Execute `USE CATALOG <iceberg_rest_catalog>;` — this triggers
`GravitinoIcebergCatalog.open()`.
+ Observe `NotAuthorizedException: Not authorized: The provided credentials did not support`.
### Additional context
The root cause is in `GravitinoIcebergCatalog.open()`: it constructs a
native Iceberg `RESTCatalog` via `FlinkCatalogFactory.createCatalog()` using
only the catalog properties stored in Gravitino (uri, io-impl, S3 config,
etc.). No authentication properties (`rest.auth.type`, OAuth2 token, or bearer
token) are injected into the Iceberg REST client properties.
Expected behavior: Since the user has already authenticated to Gravitino
(via the catalog store's OAuth2 config), the Flink connector should either:
1. Propagate the user's OAuth2 token to the Iceberg REST client (e.g. set
`rest.auth.type=oauth2` + token), or
2. Route data-plane operations through the Gravitino server rather than
having the Flink client connect directly to IRC.
No other catalog type (Paimon, Hive) requires the user to manually configure
backend-service authentication in `createCatalog` properties — this should be
transparent. Related: #11596.
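The failure path and the first proposed fix, as an added example that is not part of the issue above and not Gravitino or Iceberg project code. It stands up a constructed in-process stand-in for the IRC `/v1/config` endpoint (the first request `RESTSessionCatalog.initialize()` makes, per `fetchConfig` in the stack trace) with bearer-token enforcement, then runs two exchanges: the property set `open()` passes today (no credentials, answered with 401) and the same properties with the catalog-store token merged in as `rest.auth.type=oauth2` plus `token` (answered with 200). The catalog-store key `oauth2.token` and the sample token are assumptions for this example; `uri`, `token`, `rest.auth.type` and the `header.<name>` prefix are Iceberg REST client properties, and the header mapping shown mirrors how that client sends them.

```python
# Added example (not Gravitino or Iceberg project code). Constructed mock IRC plus
# the property merge that "propagate the user's OAuth2 token" would perform.
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample token; in practice it comes from the Flink catalog store's
# OAuth2 login, never from a literal in code.
VALID_TOKEN = "constructed-oauth2-access-token"


class MockIrcHandler(BaseHTTPRequestHandler):
    """Stand-in for a Gravitino IRC with authentication enforced (constructed)."""

    def _send_json(self, status, payload):
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path != "/v1/config":
            self._send_json(404, {"error": {"message": "not found", "code": 404}})
            return
        # The auth filter runs before any catalog code: without a valid bearer
        # token the config request is refused. This is the 401 the Iceberg
        # client surfaces as NotAuthorizedException.
        if self.headers.get("Authorization") != f"Bearer {VALID_TOKEN}":
            self._send_json(401, {"error": {
                "message": "Not authorized: The provided credentials did not support",
                "type": "NotAuthorizedException", "code": 401}})
            return
        self._send_json(200, {"defaults": {}, "overrides": {"prefix": "catalog_1"}})

    def log_message(self, *args):  # keep the example quiet
        pass


def start_mock_irc():
    server = HTTPServer(("127.0.0.1", 0), MockIrcHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def stored_catalog_properties(irc_uri):
    """What open() hands to FlinkCatalogFactory today: storage settings only."""
    return {"catalog-type": "rest", "uri": irc_uri,
            "io-impl": "org.apache.iceberg.aws.s3.S3FileIO"}


def with_propagated_oauth2(catalog_props, catalog_store_props):
    """Option 1 from the issue: inject the token the user already obtained.
    `oauth2.token` as the catalog-store key is an assumption of this example."""
    token = catalog_store_props.get("oauth2.token")
    if not token:
        raise ValueError("catalog store has no OAuth2 token to propagate")
    merged = dict(catalog_props)
    merged["rest.auth.type"] = "oauth2"
    merged["token"] = token
    return merged


def rest_headers(props):
    """Mirror the Iceberg REST client's property-to-header mapping:
    `token` -> `Authorization: Bearer ...`, `header.<name>` -> `<name>`."""
    headers = {}
    if props.get("token"):
        headers["Authorization"] = "Bearer " + props["token"]
    for key, value in props.items():
        if key.startswith("header."):
            headers[key[len("header."):]] = value
    return headers


def fetch_config(props):
    """GET /v1/config with headers derived from `props`; return (status, body)."""
    request = Request(props["uri"].rstrip("/") + "/v1/config", headers=rest_headers(props))
    try:
        with urlopen(request, timeout=5) as response:
            return response.status, json.loads(response.read())
    except HTTPError as err:
        return err.code, json.loads(err.read())


def reproduce_and_fix():
    """Run both exchanges against the mock IRC and return their outcomes."""
    server, irc_uri = start_mock_irc()
    try:
        stored = stored_catalog_properties(irc_uri)
        unauth_status, unauth_body = fetch_config(stored)  # today's code path
        store_props = {"oauth2.token": VALID_TOKEN}        # from the catalog-store login
        auth_status, auth_body = fetch_config(with_propagated_oauth2(stored, store_props))
        return {"unauthenticated": (unauth_status, unauth_body["error"]["type"]),
                "propagated": (auth_status, auth_body["overrides"]["prefix"])}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(reproduce_and_fix())
```

The merge step is the whole fix from the client's point of view: everything else (`uri`, `io-impl`, S3 settings) is already in the stored properties, and the mock only checks the one header the native `RESTCatalog` never sends today. Note that a static `token` expires with the OAuth2 session; a production propagation would need to refresh it, which is why routing through the Gravitino server (option 2) is also on the table.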