Hi Prashant, AFAIK, in current Polaris code the "loadCredentials" operations performs a "loadTable" internally, that is with the same auth checks as a normal "loadTable".
Side note: the "loadCredentials" endpoint was added a long time ago under PR [1107]. PR [2341] merely publishes that endpoint in "loadTable" responses. [1107] github.com/apache/polaris/issues/1107 [2341] https://github.com/apache/polaris/pull/2341 Cheers, Dmitri. Cheers, Dmitri. On Thu, Aug 21, 2025 at 8:11 PM Prashant Singh <prashant010...@gmail.com> wrote: > Hey Dmitri, > Thank you for starting the discussions. > I also don't think we need a separate feature flag for this, we anyway vend > creds and authorize again when the user hits the /credentials endpoint > right ? > I can't think of cases where we would vend credentials in loadTable but at > the same time not require it to come back to the server to get new creds. > > Best, > Prashant Singh > > On Thu, Aug 21, 2025 at 5:00 PM Dmitri Bourlatchkov <di...@apache.org> > wrote: > > > Hi All, > > > > PR [2341] enables sending endpoints for credential refresh to Iceberg > REST > > Catalog clients. > > > > Currently, the endpoints are sent if the client requested "credential > > vending". > > > > Shall we have a feature flag as an additional control for admin users to > > enable / disable this behaviour? If so, what should the default be? > > > > My personal opinion is that a feature flag is not necessary in this case. > > Existing tests ensure correct URIs are returned and ultimately it is the > > client's choice whether to use the refresh endpoint or not. > > > > All opinions are welcome. > > > > [2341] https://github.com/apache/polaris/pull/2341 > > > > Thanks, > > Dmitri. > > >
