varpa89 opened a new issue, #2594:
URL: https://github.com/apache/iceberg-python/issues/2594
### Feature Request / Improvement
### **Summary**
Currently, PyIceberg only loads storage credentials from the `config`
section of the table response.
Meanwhile, Java Iceberg has added support for *vended credentials* via the
`storage-credentials` field.
---
### **📋 Current Behavior**
In `pyiceberg/catalog/rest.py`, the `Table` is initialized using only
`config` and metadata properties:
```python
def _response_to_table(self, identifier_tuple: Tuple[str, ...], table_response: TableResponse) -> Table:
    return Table(
        identifier=identifier_tuple,
        metadata_location=table_response.metadata_location,
        metadata=table_response.metadata,
        io=self._load_file_io(
            {**table_response.metadata.properties, **table_response.config},
            table_response.metadata_location,
        ),
        catalog=self,
        config=table_response.config,
    )
```
The `load_file_io` call only considers the merged `properties` (metadata +
config):
```python
def load_file_io(properties: Properties = EMPTY_DICT, location: Optional[str] = None) -> FileIO:
    ...
```
As a result, any credentials returned via the `storage-credentials` field in
the REST catalog response are ignored.
---
### **✅ Expected Behavior**
According to the Iceberg
[specification](https://github.com/apache/iceberg/blob/apache-iceberg-1.9.2/open-api/rest-catalog-open-api.yaml#L3255)
clients should **first check for credentials in the `storage-credentials`
field**, and only fall back to `config` if not present.
**Proposed behavior (pseudocode):**
```python
def _response_to_table(self, identifier_tuple: Tuple[str, ...], table_response: TableResponse) -> Table:
    # Vended credentials from the response, if any (pseudocode: treated here as a flat mapping)
    credentials = table_response.storage_credentials or {}
    return Table(
        identifier=identifier_tuple,
        metadata_location=table_response.metadata_location,
        metadata=table_response.metadata,
        io=self._load_file_io(
            # Later entries win on key collisions, so credentials go last:
            # storage-credentials take precedence and config is the fallback.
            {**table_response.metadata.properties, **table_response.config, **credentials},
            table_response.metadata_location,
        ),
        catalog=self,
        config=table_response.config,
    )
```
---
### **🧩 References**
The same behavior has been implemented in **Java Iceberg**:
- [PR #12591 – Support REST Catalog storage
credentials](https://github.com/apache/iceberg/pull/12591)
- [PR #12799 – Extend storage credentials to all
clients](https://github.com/apache/iceberg/pull/12799)
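
The precedence rule requested above, as an added example that is not part of the original issue and is not PyIceberg's own code. It assumes each `storage-credentials` entry carries a `prefix` and a `config` map, as in the `StorageCredential` schema of the linked REST spec, and that the longest matching prefix is chosen; the function names are hypothetical and the sample response is constructed with placeholder values.

```python
from typing import Dict, List, Optional

Properties = Dict[str, str]

# Constructed sample of a load-table response; all values are placeholders.
SAMPLE_RESPONSE = {
    "metadata-location": "s3://warehouse/db/tbl/metadata/00001.metadata.json",
    "config": {"s3.access-key-id": "CONFIG_KEY_PLACEHOLDER", "s3.region": "us-east-1"},
    "storage-credentials": [
        {"prefix": "s3://warehouse/",
         "config": {"s3.access-key-id": "BROAD_KEY_PLACEHOLDER"}},
        {"prefix": "s3://warehouse/db/tbl/",
         "config": {"s3.access-key-id": "TABLE_KEY_PLACEHOLDER",
                    "s3.session-token": "TOKEN_PLACEHOLDER"}},
    ],
}


def select_storage_credential(
    storage_credentials: List[dict], location: str
) -> Optional[Properties]:
    """Return the config of the credential with the longest matching prefix."""
    best: Optional[dict] = None
    for cred in storage_credentials:
        prefix = cred.get("prefix", "")
        # An empty prefix would match every location, so it is skipped.
        if prefix and location.startswith(prefix):
            if best is None or len(prefix) > len(best["prefix"]):
                best = cred
    return dict(best["config"]) if best else None


def resolve_io_properties(
    metadata_properties: Properties,
    config: Properties,
    storage_credentials: Optional[List[dict]],
    location: str,
) -> Properties:
    """Merge FileIO properties so vended credentials win over config."""
    vended = select_storage_credential(storage_credentials or [], location)
    # Later mappings win on key collisions:
    # metadata properties < config < vended storage credentials.
    return {**metadata_properties, **config, **(vended or {})}
```

Non-credential keys from `config` (here `s3.region`) survive the merge, and a response with no `storage-credentials`, or none whose prefix matches the table location, resolves to the `config` values only.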