Hi all,

We also agreed last Wednesday on the fact that the signer endpoint lacks a standard way to pass catalog-specific information, especially RBAC data.

The status quo today is that open-source catalogs are generally leveraging the signer URI to pass the extra information, since that's the only possible way today. We agreed this is suboptimal, and a proper request body parameter would be better.

It turns out that the current signer spec already has support for arbitrary properties in the request body [1]. Unfortunately, in Iceberg OSS there is no way for the server to communicate those properties to the signer client – these are always empty (see Java [2] and Python [3] impls).

We would need to introduce a new table configuration property that could be a JSON-encoded bag of properties; if this property is present in the loadTable response, then the signer client would be *required* to include it in *every* request to the signer endpoint.

What are your thoughts on this? Moving forward on this topic would be beneficial to Apache Polaris's ongoing effort to support remote signing.

Thanks,
Alex

[1]: https://github.com/apache/iceberg/blob/55bfc7e82d03b5038bc5d0da852bd16615486926/aws/src/main/resources/s3-signer-open-api.yaml#L120-L123
[2]: https://github.com/apache/iceberg/blob/08d9ee02092f6fd59f8103c1c4de1a7f1e9fa1fe/aws/src/main/java/org/apache/iceberg/aws/s3/signer/S3V4RestSignerClient.java#L90-L93
[3]: https://github.com/apache/iceberg-python/blob/155af262724a42f18a08450c43a021791fb29880/pyiceberg/io/fsspec.py#L129-L134
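
An added illustration of the proposal above, not part of the original message or of the Iceberg code base: a signer client that decodes a JSON-encoded property bag from the loadTable config and attaches it to every sign request, failing closed when the bag is malformed. The property name `s3.signer.properties` and all sample values are assumptions; the message does not name the property.

```python
import json

# Hypothetical name for the proposed table configuration property;
# the message above does not name it.
SIGNER_PROPS_KEY = "s3.signer.properties"


def signer_properties(table_config):
    """Decode the JSON-encoded property bag from a loadTable config map.

    Returns {} when the property is absent (today's behaviour). Raises
    ValueError unless the value is a flat JSON object of strings, so a
    malformed bag is never silently replaced by an empty one.
    """
    raw = table_config.get(SIGNER_PROPS_KEY)
    if raw is None:
        return {}
    try:
        bag = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"{SIGNER_PROPS_KEY} is not valid JSON") from exc
    if not isinstance(bag, dict) or not all(
        isinstance(value, str) for value in bag.values()
    ):
        raise ValueError(f"{SIGNER_PROPS_KEY} must be a JSON object of strings")
    return bag


def build_sign_request(table_config, method, uri, region, headers):
    """Build the signer request body, attaching the bag to every request."""
    return {
        "method": method,
        "region": region,
        "uri": uri,
        "headers": headers,  # header name -> list of values
        # Catalog-specific data travels in the body, not in the signer URI.
        "properties": signer_properties(table_config),
    }


# Constructed sample: config as it might arrive in a loadTable response.
SAMPLE_CONFIG = {
    "s3.signer.uri": "https://catalog.example.com/",
    SIGNER_PROPS_KEY: json.dumps(
        {"table-id": "ns.tbl", "principal-role": "reader"}
    ),
}
```
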
