nastra commented on code in PR #14065:
URL: https://github.com/apache/iceberg/pull/14065#discussion_r2374685687
##########
docs/docs/configuration.md:
##########
@@ -143,6 +143,43 @@ The properties can be manually constructed or passed in
from a compute engine li
Spark uses its session properties as catalog properties, see more details in
the [Spark configuration](spark-configuration.md#catalog-configuration) section.
Flink passes in catalog properties through `CREATE CATALOG` statement, see
more details in the [Flink](flink.md#adding-catalogs) section.
+### Catalog REST auth properties
+
+The following catalog properties configure authentication for the REST catalog.
+They support Basic, OAuth2, SigV4, and Google authentication, in addition to
the default none.
+
+### REST auth properties
+
+| Property | Default | Description
|
+|--------------------------------------|------------------|-------------------------------------------------------------------------------------------------------------------|
+| `rest.auth.type` | none | Authentication
mechanism for REST catalog access. Supported values: `none`, `basic`, `oauth2`,
`sigv4`, `google`. |
+| `rest.auth.basic.username` | null | Username for Basic
authentication. Required if `rest.auth.type` = `basic`.
|
+| `rest.auth.basic.password` | null | Password for Basic
authentication. Required if `rest.auth.type` = `basic`.
|
+| `rest.auth.sigv4.delegate-auth-type` | `oauth2` | Auth type to
delegate to after `sigv4` signing.
|
+
+### OAuth2 auth properties
+Required and Optional properties to include while using OAuth2 authentication
+
+| Property | Default | Description
|
+|-------------------------|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `token` | null | A Bearer token to interact
with the server. Either `token` or `credential` is required.
|
+| `credential` | null | Credential string in the form
of `client_id:client_secret` to exchange for a token in the OAuth2 client
credentials flow. Either `token` or `credential` is required. |
+| `oauth2-server-uri` | `v1/oauth/tokens` | OAuth2 token endpoint URI.
Required if the REST catalog is not the OAuth2 authentication server.
|
+| `token-expires-in-ms` | 3600000 (1 hour) | Time in milliseconds after
which a bearer token is considered expired. Used to decide when to refresh or
re-exchange a token. |
+| `token-refresh-enabled` | true | Determines whether tokens are
automatically refreshed when expiration details are available.
|
+| `token-exchange-enabled`| true | Determines whether to use the
token exchange flow to acquire new tokens. Disabling this will allow fallback
to the client credential flow. |
+| `scope` | `catalog` | Additional scope for `oauth2`.
|
+| `audience` | null | Optional param to specify
token `audience`
|
+| `resource` | null | Optional param to specify
`resource`
|
+
+### Google auth properties
+Required and Optional properties to include while using Google authentication
+
+| Property | Default
| Description |
+|----------------------------|--------------------------------------------------|--------------------------------------------------|
+| `gcp.auth.credentials-path`| Default Application Credentials
| Path to a service account JSON key file. |
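Review bot: The REST auth table documents `rest.auth.basic.password`, and the OAuth2 table documents `token` and `credential`, as ordinary catalog properties with no indication that they carry secrets; add a sentence under each heading stating that these values are credentials and should be supplied from a secret store or the environment rather than committed in configuration files. Separately, `### Catalog REST auth properties` is immediately followed by `### REST auth properties` at the same heading level, so one of the two should be dropped or demoted. The intro sentence also lists SigV4, while the only SigV4 entry shown is `rest.auth.sigv4.delegate-auth-type` inside the general table; it would read more clearly under its own heading, as the OAuth2 and Google properties do.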
Review Comment:
```suggestion
| `gcp.auth.credentials-path`| Application Default Credentials (ADC)
| Path to a service account JSON key file. |
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]