This is an automated email from the ASF dual-hosted git repository.

difin pushed a commit to branch vended_credentials_client1
in repository https://gitbox.apache.org/repos/asf/hive.git

commit 4a4cf4fccf588b60e4434cb352a53776ce0b4185
Author: Dmitriy Fingerman <[email protected]>
AuthorDate: Wed May 20 16:06:25 2026 -0400

    fixes 1
---
 .../iceberg/hive/IcebergCatalogProperties.java     |  9 -----
 .../iceberg/hive/client/HiveRESTCatalogClient.java | 42 +---------------------
 .../hive/client/TestHiveRESTCatalogClient.java     | 32 -----------------
 .../positive/iceberg_rest_catalog_gravitino.q      |  2 +-
 ...bergRESTCatalogGravitinoLlapLocalCliDriver.java | 29 ++-------------
 5 files changed, 5 insertions(+), 109 deletions(-)

diff --git 
a/iceberg/iceberg-catalog/src/main/java/org/apache/iceberg/hive/IcebergCatalogProperties.java
 
b/iceberg/iceberg-catalog/src/main/java/org/apache/iceberg/hive/IcebergCatalogProperties.java
index 9a8b639753e..424f8e10c35 100644
--- 
a/iceberg/iceberg-catalog/src/main/java/org/apache/iceberg/hive/IcebergCatalogProperties.java
+++ 
b/iceberg/iceberg-catalog/src/main/java/org/apache/iceberg/hive/IcebergCatalogProperties.java
@@ -32,15 +32,6 @@
 public class IcebergCatalogProperties {
   public static final String CATALOG_NAME = "iceberg.catalog";
   public static final String CATALOG_CONFIG_PREFIX = "iceberg.catalog.";
-
-  /**
-   * Optional comma-separated Iceberg REST access delegation modes for catalog 
HTTP requests (for example
-   * {@code vended-credentials}). Hive maps this to the {@code 
X-Iceberg-Access-Delegation} header when initializing the
-   * REST catalog client, unless {@code 
iceberg.catalog.<name>.header.X-Iceberg-Access-Delegation} is set explicitly.
-   *
-   * @see <a 
href="https://github.com/apache/iceberg/blob/main/open-api/rest-catalog-open-api.yaml";>REST
 catalog spec</a>
-   */
-  public static final String REST_ACCESS_DELEGATION = "rest.access-delegation";
   public static final String CATALOG_WAREHOUSE_TEMPLATE = 
"iceberg.catalog.%s.warehouse";
   public static final String CATALOG_IMPL_TEMPLATE = 
"iceberg.catalog.%s.catalog-impl";
   public static final String CATALOG_DEFAULT_CONFIG_PREFIX = 
"iceberg.catalog-default.";
diff --git 
a/iceberg/iceberg-catalog/src/main/java/org/apache/iceberg/hive/client/HiveRESTCatalogClient.java
 
b/iceberg/iceberg-catalog/src/main/java/org/apache/iceberg/hive/client/HiveRESTCatalogClient.java
index 2328407729b..4390d5a0bca 100644
--- 
a/iceberg/iceberg-catalog/src/main/java/org/apache/iceberg/hive/client/HiveRESTCatalogClient.java
+++ 
b/iceberg/iceberg-catalog/src/main/java/org/apache/iceberg/hive/client/HiveRESTCatalogClient.java
@@ -64,12 +64,6 @@ public class HiveRESTCatalogClient extends 
BaseMetaStoreClient {
   public static final String DB_OWNER = "owner";
   public static final String DB_OWNER_TYPE = "ownerType";
 
-  /**
-   * Iceberg REST catalog property prefix recognized by {@link 
org.apache.iceberg.rest.RESTUtil#configHeaders}; values
-   * are sent as HTTP headers on REST requests.
-   */
-  public static final String ICEBERG_ACCESS_DELEGATION_HEADER_PROPERTY = 
"header.X-Iceberg-Access-Delegation";
-
   private static final Logger LOG = 
LoggerFactory.getLogger(HiveRESTCatalogClient.class);
 
   private RESTCatalog restCatalog;
@@ -87,44 +81,10 @@ public HiveRESTCatalogClient(Configuration conf) {
   public void reconnect()  {
     close();
     String catName = MetaStoreUtils.getDefaultCatalog(conf);
-    Map<String, String> properties =
-        
applyAccessDelegationHeader(IcebergCatalogProperties.getCatalogProperties(conf));
+    Map<String, String> properties = 
IcebergCatalogProperties.getCatalogProperties(conf);
     restCatalog = (RESTCatalog) CatalogUtil.buildIcebergCatalog(catName, 
properties, null);
   }
 
-  /**
-   * Maps Hive catalog property {@link 
IcebergCatalogProperties#REST_ACCESS_DELEGATION} to the Iceberg REST
-   * {@code X-Iceberg-Access-Delegation} header so any spec-compliant catalog 
may attach vended (or other delegated)
-   * storage credentials to load responses. An explicit {@link 
#ICEBERG_ACCESS_DELEGATION_HEADER_PROPERTY} entry
-   * always wins and is left unchanged.
-   */
-  static Map<String, String> applyAccessDelegationHeader(Map<String, String> 
catalogProps) {
-    if (catalogProps.containsKey(ICEBERG_ACCESS_DELEGATION_HEADER_PROPERTY)) {
-      return catalogProps;
-    }
-    String delegation = 
trimToNull(catalogProps.get(IcebergCatalogProperties.REST_ACCESS_DELEGATION));
-    if (delegation == null) {
-      return catalogProps;
-    }
-    ImmutableMap.Builder<String, String> builder = ImmutableMap.builder();
-    catalogProps.forEach(
-        (key, value) -> {
-          if (!IcebergCatalogProperties.REST_ACCESS_DELEGATION.equals(key)) {
-            builder.put(key, value);
-          }
-        });
-    builder.put(ICEBERG_ACCESS_DELEGATION_HEADER_PROPERTY, delegation);
-    return builder.build();
-  }
-
-  private static String trimToNull(String value) {
-    if (value == null) {
-      return null;
-    }
-    String trimmed = value.trim();
-    return trimmed.isEmpty() ? null : trimmed;
-  }
-
   @Override
   public void close() {
     try {
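Review bot: In `reconnect()`, a catalog that still sets `iceberg.catalog.<name>.rest.access-delegation` now passes that key to `CatalogUtil.buildIcebergCatalog` unmapped, so the `X-Iceberg-Access-Delegation` header is presumably no longer sent and nothing tells the operator why credential vending stopped. If the key was ever usable outside this branch, a warning after the `properties` line would make the change visible: `if (properties.containsKey("rest.access-delegation")) { LOG.warn("rest.access-delegation is ignored; set header.X-Iceberg-Access-Delegation instead"); }`. Log only the key name and never the map or its values, because the same properties carry the OAuth `credential` entry that the test driver sets under this prefix. The hunk does not touch the import list, so it is worth checking that `ImmutableMap` is still used elsewhere in the file. `close()` continues past the end of the hunk.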
diff --git 
a/iceberg/iceberg-catalog/src/test/java/org/apache/iceberg/hive/client/TestHiveRESTCatalogClient.java
 
b/iceberg/iceberg-catalog/src/test/java/org/apache/iceberg/hive/client/TestHiveRESTCatalogClient.java
index b7812d0179a..1ae7e742774 100644
--- 
a/iceberg/iceberg-catalog/src/test/java/org/apache/iceberg/hive/client/TestHiveRESTCatalogClient.java
+++ 
b/iceberg/iceberg-catalog/src/test/java/org/apache/iceberg/hive/client/TestHiveRESTCatalogClient.java
@@ -44,7 +44,6 @@
 import org.apache.iceberg.catalog.Namespace;
 import org.apache.iceberg.catalog.TableIdentifier;
 import org.apache.iceberg.hive.HiveSchemaUtil;
-import org.apache.iceberg.hive.IcebergCatalogProperties;
 import org.apache.iceberg.io.FileIO;
 import org.apache.iceberg.io.LocationProvider;
 import org.apache.iceberg.relocated.com.google.common.collect.Maps;
@@ -137,37 +136,6 @@ public void after() {
 
   }
 
-  @Test
-  public void applyAccessDelegationHeaderMapsToIcebergRestHeader() {
-    Map<String, String> in = Maps.newHashMap();
-    in.put("uri", "http://localhost";);
-    in.put(IcebergCatalogProperties.REST_ACCESS_DELEGATION, 
"vended-credentials");
-    Map<String, String> out = 
HiveRESTCatalogClient.applyAccessDelegationHeader(in);
-    
assertThat(out.get(HiveRESTCatalogClient.ICEBERG_ACCESS_DELEGATION_HEADER_PROPERTY))
-        .isEqualTo("vended-credentials");
-    
assertThat(out.containsKey(IcebergCatalogProperties.REST_ACCESS_DELEGATION)).isFalse();
-    assertThat(out.get("uri")).isEqualTo("http://localhost";);
-  }
-
-  @Test
-  public void applyAccessDelegationHeaderExplicitHeaderWins() {
-    Map<String, String> in = Maps.newHashMap();
-    in.put(IcebergCatalogProperties.REST_ACCESS_DELEGATION, 
"vended-credentials");
-    in.put(HiveRESTCatalogClient.ICEBERG_ACCESS_DELEGATION_HEADER_PROPERTY, 
"remote-signing");
-    Map<String, String> out = 
HiveRESTCatalogClient.applyAccessDelegationHeader(in);
-    assertThat(out).isSameAs(in);
-    
assertThat(out.get(HiveRESTCatalogClient.ICEBERG_ACCESS_DELEGATION_HEADER_PROPERTY))
-        .isEqualTo("remote-signing");
-  }
-
-  @Test
-  public void applyAccessDelegationHeaderNoOpWhenUnset() {
-    Map<String, String> in = Maps.newHashMap();
-    in.put("uri", "http://localhost";);
-    Map<String, String> out = 
HiveRESTCatalogClient.applyAccessDelegationHeader(in);
-    assertThat(out).isSameAs(in);
-  }
-
   @Test
   public void testGetTable() throws TException {
     spyHiveRESTCatalogClient.getTable("default", "tableName");
diff --git 
a/iceberg/iceberg-handler/src/test/queries/positive/iceberg_rest_catalog_gravitino.q
 
b/iceberg/iceberg-handler/src/test/queries/positive/iceberg_rest_catalog_gravitino.q
index 11120b40b60..9d6a0cd3097 100644
--- 
a/iceberg/iceberg-handler/src/test/queries/positive/iceberg_rest_catalog_gravitino.q
+++ 
b/iceberg/iceberg-handler/src/test/queries/positive/iceberg_rest_catalog_gravitino.q
@@ -30,7 +30,7 @@ set hive.stats.autogather=false;
 set metastore.client.impl=org.apache.iceberg.hive.client.HiveRESTCatalogClient;
 set metastore.catalog.default=ice01;
 set iceberg.catalog.ice01.type=rest;
-set iceberg.catalog.ice01.rest.access-delegation=vended-credentials;
+set 
iceberg.catalog.ice01.header.X-Iceberg-Access-Delegation=vended-credentials;
 
 --! REST URI, OAuth, MinIO + Gravitino S3 warehouse / credential vending, and 
host S3A are set in
 --! TestIcebergRESTCatalogGravitinoLlapLocalCliDriver.
diff --git 
a/itests/qtest-iceberg/src/test/java/org/apache/hadoop/hive/cli/TestIcebergRESTCatalogGravitinoLlapLocalCliDriver.java
 
b/itests/qtest-iceberg/src/test/java/org/apache/hadoop/hive/cli/TestIcebergRESTCatalogGravitinoLlapLocalCliDriver.java
index 1bd57d8c292..5f01085e6cc 100644
--- 
a/itests/qtest-iceberg/src/test/java/org/apache/hadoop/hive/cli/TestIcebergRESTCatalogGravitinoLlapLocalCliDriver.java
+++ 
b/itests/qtest-iceberg/src/test/java/org/apache/hadoop/hive/cli/TestIcebergRESTCatalogGravitinoLlapLocalCliDriver.java
@@ -164,7 +164,7 @@ public void setup() throws Exception {
     conf.set(restCatalogPrefix + "rest.auth.type", "oauth2");
     conf.set(restCatalogPrefix + "oauth2-server-uri", 
oAuth2AuthorizationServer.getTokenEndpoint());
     conf.set(restCatalogPrefix + "credential", 
oAuth2AuthorizationServer.getClientCredential());
-    conf.set(restCatalogPrefix + "rest.access-delegation", 
"vended-credentials");
+    conf.set(restCatalogPrefix + "header.X-Iceberg-Access-Delegation", 
"vended-credentials");
 
     // Hadoop S3A + Iceberg S3FileIO on the host JVM (Hive CLI / Tez / LLAP), 
see class Javadoc
     applyHostS3aForMinio(conf);
@@ -217,28 +217,6 @@ private void 
applyIcebergS3ClientEndpointOverride(Configuration conf, String res
     conf.set(restCatalogPrefix + "s3.secret-access-key", MINIO_SECRET_KEY);
   }
 
-  /**
-   * Same mapping as {@link HiveRESTCatalogClient#reconnect()} for Iceberg 
REST vended credentials; inlined here so
-   * this test compiles against the Iceberg classes bundled with {@code 
hive-iceberg-handler} (which may lag
-   * {@code hive-iceberg-catalog} sources).
-   */
-  private static Map<String, String> applyVendedDelegationForRest(Map<String, 
String> catalogProps) {
-    final String headerProp = "header.X-Iceberg-Access-Delegation";
-    if (catalogProps.containsKey(headerProp)) {
-      return catalogProps;
-    }
-
-    String delegation = catalogProps.get("rest.access-delegation");
-    if (delegation == null || delegation.trim().isEmpty()) {
-      return catalogProps;
-    }
-
-    java.util.HashMap<String, String> copy = new 
java.util.HashMap<>(catalogProps);
-    copy.remove("rest.access-delegation");
-    copy.put(headerProp, delegation.trim());
-    return copy;
-  }
-
   /**
    * Hadoop S3A settings for the test bucket on the published MinIO endpoint. 
Uses per-bucket keys because Hive
    * strips global {@code fs.s3a.access.key} / {@code fs.s3a.secret.key} from 
configs sent to Tez (see
@@ -406,14 +384,13 @@ private String getJwksUri() {
 
   /**
    * Proves the Iceberg REST client receives vended S3 credentials from 
Gravitino: create/load an S3-located table and
-   * run a scan (same property mapping as {@link 
HiveRESTCatalogClient#reconnect()}). Invoked from {@link #setup()}
+   * run a scan (same catalog properties as {@link 
HiveRESTCatalogClient#reconnect()}). Invoked from {@link #setup()}
    * after Hive session configuration is complete.
    */
   private void verifyIcebergRestUsesVendedS3FromGravitino() throws Exception {
     Configuration conf = SessionState.get().getConf();
     String catalogName = MetastoreConf.getVar(conf, 
MetastoreConf.ConfVars.CATALOG_DEFAULT);
-    Map<String, String> props =
-        
applyVendedDelegationForRest(IcebergCatalogProperties.getCatalogProperties(conf));
+    Map<String, String> props = 
IcebergCatalogProperties.getCatalogProperties(conf);
 
     try (RESTCatalog rest = new RESTCatalog()) {
       rest.setConf(conf);
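Review bot: A successful scan in `verifyIcebergRestUsesVendedS3FromGravitino()` may not by itself show that vended credentials were used, because the context of the previous hunk shows `applyIcebergS3ClientEndpointOverride` setting a static `s3.secret-access-key` under what appears to be the same catalog prefix. With the three `applyAccessDelegationHeader` unit tests removed, this method and the `.q` file are what remains to show that the delegation header reaches the catalog. The method body continues outside the hunk, so it may already assert this; if it does not, an explicit assertion on the credentials the loaded table actually received would keep the Javadoc's "Proves" accurate. A comment above the `props` line, for example `// props must carry header.X-Iceberg-Access-Delegation; static S3 keys alone must not satisfy this check`, would record the intent.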
