This is an automated email from the ASF dual-hosted git repository. difin pushed a commit to branch vended_credentials_client1 in repository https://gitbox.apache.org/repos/asf/hive.git
commit 4a4cf4fccf588b60e4434cb352a53776ce0b4185 Author: Dmitriy Fingerman <[email protected]> AuthorDate: Wed May 20 16:06:25 2026 -0400 fixes 1 --- .../iceberg/hive/IcebergCatalogProperties.java | 9 ----- .../iceberg/hive/client/HiveRESTCatalogClient.java | 42 +--------------------- .../hive/client/TestHiveRESTCatalogClient.java | 32 ----------------- .../positive/iceberg_rest_catalog_gravitino.q | 2 +- ...bergRESTCatalogGravitinoLlapLocalCliDriver.java | 29 ++------------- 5 files changed, 5 insertions(+), 109 deletions(-) diff --git a/iceberg/iceberg-catalog/src/main/java/org/apache/iceberg/hive/IcebergCatalogProperties.java b/iceberg/iceberg-catalog/src/main/java/org/apache/iceberg/hive/IcebergCatalogProperties.java index 9a8b639753e..424f8e10c35 100644 --- a/iceberg/iceberg-catalog/src/main/java/org/apache/iceberg/hive/IcebergCatalogProperties.java +++ b/iceberg/iceberg-catalog/src/main/java/org/apache/iceberg/hive/IcebergCatalogProperties.java @@ -32,15 +32,6 @@ public class IcebergCatalogProperties { public static final String CATALOG_NAME = "iceberg.catalog"; public static final String CATALOG_CONFIG_PREFIX = "iceberg.catalog."; - - /** - * Optional comma-separated Iceberg REST access delegation modes for catalog HTTP requests (for example - * {@code vended-credentials}). Hive maps this to the {@code X-Iceberg-Access-Delegation} header when initializing the - * REST catalog client, unless {@code iceberg.catalog.<name>.header.X-Iceberg-Access-Delegation} is set explicitly. - * - * @see <a href="https://github.com/apache/iceberg/blob/main/open-api/rest-catalog-open-api.yaml">REST catalog spec</a> - */ - public static final String REST_ACCESS_DELEGATION = "rest.access-delegation"; public static final String CATALOG_WAREHOUSE_TEMPLATE = "iceberg.catalog.%s.warehouse"; public static final String CATALOG_IMPL_TEMPLATE = "iceberg.catalog.%s.catalog-impl"; public static final String CATALOG_DEFAULT_CONFIG_PREFIX = "iceberg.catalog-default."; diff --git a/iceberg/iceberg-catalog/src/main/java/org/apache/iceberg/hive/client/HiveRESTCatalogClient.java b/iceberg/iceberg-catalog/src/main/java/org/apache/iceberg/hive/client/HiveRESTCatalogClient.java index 2328407729b..4390d5a0bca 100644 --- a/iceberg/iceberg-catalog/src/main/java/org/apache/iceberg/hive/client/HiveRESTCatalogClient.java +++ b/iceberg/iceberg-catalog/src/main/java/org/apache/iceberg/hive/client/HiveRESTCatalogClient.java @@ -64,12 +64,6 @@ public class HiveRESTCatalogClient extends BaseMetaStoreClient { public static final String DB_OWNER = "owner"; public static final String DB_OWNER_TYPE = "ownerType"; - /** - * Iceberg REST catalog property prefix recognized by {@link org.apache.iceberg.rest.RESTUtil#configHeaders}; values - * are sent as HTTP headers on REST requests. - */ - public static final String ICEBERG_ACCESS_DELEGATION_HEADER_PROPERTY = "header.X-Iceberg-Access-Delegation"; - private static final Logger LOG = LoggerFactory.getLogger(HiveRESTCatalogClient.class); private RESTCatalog restCatalog; @@ -87,44 +81,10 @@ public HiveRESTCatalogClient(Configuration conf) { public void reconnect() { close(); String catName = MetaStoreUtils.getDefaultCatalog(conf); - Map<String, String> properties = - applyAccessDelegationHeader(IcebergCatalogProperties.getCatalogProperties(conf)); + Map<String, String> properties = IcebergCatalogProperties.getCatalogProperties(conf); restCatalog = (RESTCatalog) CatalogUtil.buildIcebergCatalog(catName, properties, null); } - /** - * Maps Hive catalog property {@link IcebergCatalogProperties#REST_ACCESS_DELEGATION} to the Iceberg REST - * {@code X-Iceberg-Access-Delegation} header so any spec-compliant catalog may attach vended (or other delegated) - * storage credentials to load responses. An explicit {@link #ICEBERG_ACCESS_DELEGATION_HEADER_PROPERTY} entry - * always wins and is left unchanged. - */ - static Map<String, String> applyAccessDelegationHeader(Map<String, String> catalogProps) { - if (catalogProps.containsKey(ICEBERG_ACCESS_DELEGATION_HEADER_PROPERTY)) { - return catalogProps; - } - String delegation = trimToNull(catalogProps.get(IcebergCatalogProperties.REST_ACCESS_DELEGATION)); - if (delegation == null) { - return catalogProps; - } - ImmutableMap.Builder<String, String> builder = ImmutableMap.builder(); - catalogProps.forEach( - (key, value) -> { - if (!IcebergCatalogProperties.REST_ACCESS_DELEGATION.equals(key)) { - builder.put(key, value); - } - }); - builder.put(ICEBERG_ACCESS_DELEGATION_HEADER_PROPERTY, delegation); - return builder.build(); - } - - private static String trimToNull(String value) { - if (value == null) { - return null; - } - String trimmed = value.trim(); - return trimmed.isEmpty() ? null : trimmed; - } - @Override public void close() { try { diff --git a/iceberg/iceberg-catalog/src/test/java/org/apache/iceberg/hive/client/TestHiveRESTCatalogClient.java b/iceberg/iceberg-catalog/src/test/java/org/apache/iceberg/hive/client/TestHiveRESTCatalogClient.java index b7812d0179a..1ae7e742774 100644 --- a/iceberg/iceberg-catalog/src/test/java/org/apache/iceberg/hive/client/TestHiveRESTCatalogClient.java +++ b/iceberg/iceberg-catalog/src/test/java/org/apache/iceberg/hive/client/TestHiveRESTCatalogClient.java @@ -44,7 +44,6 @@ import org.apache.iceberg.catalog.Namespace; import org.apache.iceberg.catalog.TableIdentifier; import org.apache.iceberg.hive.HiveSchemaUtil; -import org.apache.iceberg.hive.IcebergCatalogProperties; import org.apache.iceberg.io.FileIO; import org.apache.iceberg.io.LocationProvider; import org.apache.iceberg.relocated.com.google.common.collect.Maps; @@ -137,37 +136,6 @@ public void after() { } - @Test - public void applyAccessDelegationHeaderMapsToIcebergRestHeader() { - Map<String, String> in = Maps.newHashMap(); - in.put("uri", "http://localhost"); - in.put(IcebergCatalogProperties.REST_ACCESS_DELEGATION, "vended-credentials"); - Map<String, String> out = HiveRESTCatalogClient.applyAccessDelegationHeader(in); - assertThat(out.get(HiveRESTCatalogClient.ICEBERG_ACCESS_DELEGATION_HEADER_PROPERTY)) - .isEqualTo("vended-credentials"); - assertThat(out.containsKey(IcebergCatalogProperties.REST_ACCESS_DELEGATION)).isFalse(); - assertThat(out.get("uri")).isEqualTo("http://localhost"); - } - - @Test - public void applyAccessDelegationHeaderExplicitHeaderWins() { - Map<String, String> in = Maps.newHashMap(); - in.put(IcebergCatalogProperties.REST_ACCESS_DELEGATION, "vended-credentials"); - in.put(HiveRESTCatalogClient.ICEBERG_ACCESS_DELEGATION_HEADER_PROPERTY, "remote-signing"); - Map<String, String> out = HiveRESTCatalogClient.applyAccessDelegationHeader(in); - assertThat(out).isSameAs(in); - assertThat(out.get(HiveRESTCatalogClient.ICEBERG_ACCESS_DELEGATION_HEADER_PROPERTY)) - .isEqualTo("remote-signing"); - } - - @Test - public void applyAccessDelegationHeaderNoOpWhenUnset() { - Map<String, String> in = Maps.newHashMap(); - in.put("uri", "http://localhost"); - Map<String, String> out = HiveRESTCatalogClient.applyAccessDelegationHeader(in); - assertThat(out).isSameAs(in); - } - @Test public void testGetTable() throws TException { spyHiveRESTCatalogClient.getTable("default", "tableName"); diff --git a/iceberg/iceberg-handler/src/test/queries/positive/iceberg_rest_catalog_gravitino.q b/iceberg/iceberg-handler/src/test/queries/positive/iceberg_rest_catalog_gravitino.q index 11120b40b60..9d6a0cd3097 100644 --- a/iceberg/iceberg-handler/src/test/queries/positive/iceberg_rest_catalog_gravitino.q +++ b/iceberg/iceberg-handler/src/test/queries/positive/iceberg_rest_catalog_gravitino.q @@ -30,7 +30,7 @@ set hive.stats.autogather=false; set metastore.client.impl=org.apache.iceberg.hive.client.HiveRESTCatalogClient; set metastore.catalog.default=ice01; set iceberg.catalog.ice01.type=rest; -set iceberg.catalog.ice01.rest.access-delegation=vended-credentials; +set iceberg.catalog.ice01.header.X-Iceberg-Access-Delegation=vended-credentials; --! REST URI, OAuth, MinIO + Gravitino S3 warehouse / credential vending, and host S3A are set in --! TestIcebergRESTCatalogGravitinoLlapLocalCliDriver. diff --git a/itests/qtest-iceberg/src/test/java/org/apache/hadoop/hive/cli/TestIcebergRESTCatalogGravitinoLlapLocalCliDriver.java b/itests/qtest-iceberg/src/test/java/org/apache/hadoop/hive/cli/TestIcebergRESTCatalogGravitinoLlapLocalCliDriver.java index 1bd57d8c292..5f01085e6cc 100644 --- a/itests/qtest-iceberg/src/test/java/org/apache/hadoop/hive/cli/TestIcebergRESTCatalogGravitinoLlapLocalCliDriver.java +++ b/itests/qtest-iceberg/src/test/java/org/apache/hadoop/hive/cli/TestIcebergRESTCatalogGravitinoLlapLocalCliDriver.java @@ -164,7 +164,7 @@ public void setup() throws Exception { conf.set(restCatalogPrefix + "rest.auth.type", "oauth2"); conf.set(restCatalogPrefix + "oauth2-server-uri", oAuth2AuthorizationServer.getTokenEndpoint()); conf.set(restCatalogPrefix + "credential", oAuth2AuthorizationServer.getClientCredential()); - conf.set(restCatalogPrefix + "rest.access-delegation", "vended-credentials"); + conf.set(restCatalogPrefix + "header.X-Iceberg-Access-Delegation", "vended-credentials"); // Hadoop S3A + Iceberg S3FileIO on the host JVM (Hive CLI / Tez / LLAP), see class Javadoc applyHostS3aForMinio(conf); @@ -217,28 +217,6 @@ private void applyIcebergS3ClientEndpointOverride(Configuration conf, String res conf.set(restCatalogPrefix + "s3.secret-access-key", MINIO_SECRET_KEY); } - /** - * Same mapping as {@link HiveRESTCatalogClient#reconnect()} for Iceberg REST vended credentials; inlined here so - * this test compiles against the Iceberg classes bundled with {@code hive-iceberg-handler} (which may lag - * {@code hive-iceberg-catalog} sources). - */ - private static Map<String, String> applyVendedDelegationForRest(Map<String, String> catalogProps) { - final String headerProp = "header.X-Iceberg-Access-Delegation"; - if (catalogProps.containsKey(headerProp)) { - return catalogProps; - } - - String delegation = catalogProps.get("rest.access-delegation"); - if (delegation == null || delegation.trim().isEmpty()) { - return catalogProps; - } - - java.util.HashMap<String, String> copy = new java.util.HashMap<>(catalogProps); - copy.remove("rest.access-delegation"); - copy.put(headerProp, delegation.trim()); - return copy; - } - /** * Hadoop S3A settings for the test bucket on the published MinIO endpoint. Uses per-bucket keys because Hive * strips global {@code fs.s3a.access.key} / {@code fs.s3a.secret.key} from configs sent to Tez (see @@ -406,14 +384,13 @@ private String getJwksUri() { /** * Proves the Iceberg REST client receives vended S3 credentials from Gravitino: create/load an S3-located table and - * run a scan (same property mapping as {@link HiveRESTCatalogClient#reconnect()}). Invoked from {@link #setup()} + * run a scan (same catalog properties as {@link HiveRESTCatalogClient#reconnect()}). Invoked from {@link #setup()} * after Hive session configuration is complete. */ private void verifyIcebergRestUsesVendedS3FromGravitino() throws Exception { Configuration conf = SessionState.get().getConf(); String catalogName = MetastoreConf.getVar(conf, MetastoreConf.ConfVars.CATALOG_DEFAULT); - Map<String, String> props = - applyVendedDelegationForRest(IcebergCatalogProperties.getCatalogProperties(conf)); + Map<String, String> props = IcebergCatalogProperties.getCatalogProperties(conf); try (RESTCatalog rest = new RESTCatalog()) { rest.setConf(conf);
