adutra commented on PR #15171:
URL: https://github.com/apache/iceberg/pull/15171#issuecomment-3997950170

@steveloughran I am trying to update this PR to incorporate your (very good) ideas. I will push a new commit shortly.

But I am not sure about the unsigned headers set that you came up with.

First off, looking here:

https://github.com/aws/aws-sdk-java-v2/blob/4e02716bdcf19aaada4db141150910becc75ee8c/core/http-auth-aws/src/main/java/software/amazon/awssdk/http/auth/aws/internal/signer/V4CanonicalRequest.java#L45-L46

It seems there are some headers that we should add to the set: "connection", "x-amzn-trace-id", "expect", "transfer-encoding", "x-forwarded-for" – since the signer itself excludes them.

And OTOH, your set includes headers like "x-amz-content-sha256", that the signer would by default include in the signature. In my work on Apache Polaris to implement request signing, I can confirm that this header ends up signed. I would rather remove that header from the set.

For other headers like "range", I agree that they should be stripped off. But this means that catalog servers will need to strip off those headers **manually** before calling the signer, if we want them to stay unsigned.

Thinking more broadly, imho we need a spec change to formalize things. We should define a new `LoadTableResult` property, e.g. `signer.unsigned-headers`, that the server will communicate to the client and that contains all headers that are guaranteed to never be signed.

Wdyt?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
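
The manual stripping step discussed in the comment above, as an added example (not code from the PR, Iceberg, Polaris or the AWS SDK). The class, method and constant names are hypothetical, the comma-separated format for the proposed `signer.unsigned-headers` value is an assumption, and the sample request is constructed.

```java
import java.util.*;

// Added illustration: class, method and constant names are hypothetical.
public class UnsignedHeadersExample {
  // Headers the comment lists as excluded by the SDK signer itself.
  static final Set<String> SIGNER_IGNORED = Set.of(
      "connection", "x-amzn-trace-id", "expect", "transfer-encoding", "x-forwarded-for");
  // Headers the catalog server strips on its own; "range" is the one the comment names.
  static final Set<String> SERVER_STRIPPED = Set.of("range");

  // Returns the headers to hand to the signer, with lower-cased names in sorted order.
  static SortedMap<String, List<String>> headersToSign(Map<String, List<String>> request) {
    SortedMap<String, List<String>> out = new TreeMap<>();
    request.forEach((name, values) -> {
      String lower = name.toLowerCase(Locale.ROOT); // header names are case-insensitive
      if (!SIGNER_IGNORED.contains(lower) && !SERVER_STRIPPED.contains(lower)) {
        out.computeIfAbsent(lower, k -> new ArrayList<>()).addAll(values);
      }
    });
    return out;
  }

  // Value the server could advertise so clients know which headers are never signed.
  // Assumption: a comma-separated list; the comment does not define a format.
  static String unsignedHeadersProperty() {
    SortedSet<String> all = new TreeSet<>(SIGNER_IGNORED);
    all.addAll(SERVER_STRIPPED);
    return String.join(",", all);
  }

  public static void main(String[] args) {
    // Constructed sample request, not taken from a real client.
    Map<String, List<String>> request = new LinkedHashMap<>();
    request.put("Host", List.of("example-bucket.s3.us-east-1.amazonaws.com"));
    request.put("X-Amz-Date", List.of("20250101T000000Z"));
    request.put("X-Amz-Content-Sha256", List.of("UNSIGNED-PAYLOAD"));
    request.put("Range", List.of("bytes=0-1023"));
    request.put("Expect", List.of("100-continue"));
    request.put("X-Amzn-Trace-Id", List.of("Root=1-constructed-sample"));

    SortedMap<String, List<String>> signed = headersToSign(request);
    // x-amz-content-sha256 stays in the signed set; range and expect do not.
    System.out.println("SignedHeaders: " + String.join(";", signed.keySet()));
    System.out.println("signer.unsigned-headers: " + unsignedHeadersProperty());
  }
}
```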

