rdblue commented on issue #16490: URL: https://github.com/apache/iceberg/issues/16490#issuecomment-4510794876
This is incorrect. The `plan-id` and `plan-task` values used by server-side planning are not server-held planning state, nor are they "security significant". These could be references to server-side state (such as a database ID reference) but they could also be self-contained values to avoid requiring server-side state. For instance, `plan-task` could be a manifest location to produce tasks from. The spec is purposely flexible to allow services to implement this how they choose, but that still means that services are responsible for security. The existence of these values is far from a security issue with the spec or implementation. For `idempotency-key`, the contract of this field is to retrieve the response for an update that was lost due to some unrelated error. The service is still responsible for identifying and authorizing the client. This is not a vulnerability.
