jackye1995 commented on pull request #4280: URL: https://github.com/apache/iceberg/pull/4280#issuecomment-1062008372
> Why put this in Iceberg at all? If it can't be enforced then is it worth complication? Wouldn't this just open up the project to other ineffective integrations?

The fact is that Glue and LakeFormation are 2 very tightly coupled products; around 70% of customers using `GlueCatalog` we interact with bring up LakeFormation integration at some point in time. The LakeFormation permission control consists of 2 parts: (1) the normal AWS credential is used to check access against Glue based on IAM + LakeFormation policy, (2) an LF-vended temporary credential is used to access S3. When a user enrolls in LakeFormation, the Glue access control automatically changes to respect LakeFormation policy because of (1). This works fine for Hive tables because data and catalog are operated separately, but for Iceberg tables all of a sudden users can no longer write and commit to the table because of (2). I would say this is more like a bug of `GlueCatalog`, so we have to solve it within this class. We do need at least `GlueCatalog` to support (2), which means it will use a specialized AWS client factory where the S3 client uses a different LF-vended temporary credential, and the credential needs to be different for each table based on the table name.
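As an added illustration of the two-part model described above (this is not code from the PR or from Iceberg itself): a hypothetical `AwsClientFactory` that keeps the caller's normal credential chain for Glue, as in (1), and builds the S3 client from the temporary credential LakeFormation vends for one specific table, as in (2). The class name and the `lf.table-arn` property key are assumptions; the AWS SDK v2 calls are the LakeFormation `GetTemporaryGlueTableCredentials` API.

```java
import java.util.Map;
import org.apache.iceberg.aws.AwsClientFactory;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.services.dynamodb.DynamoDbClient;
import software.amazon.awssdk.services.glue.GlueClient;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.lakeformation.LakeFormationClient;
import software.amazon.awssdk.services.lakeformation.model.GetTemporaryGlueTableCredentialsRequest;
import software.amazon.awssdk.services.lakeformation.model.GetTemporaryGlueTableCredentialsResponse;
import software.amazon.awssdk.services.lakeformation.model.Permission;
import software.amazon.awssdk.services.s3.S3Client;

/** Hypothetical factory: one instance per table, so the S3 credential is scoped to that table only. */
public class LakeFormationScopedClientFactory implements AwsClientFactory {
  static final String TABLE_ARN = "lf.table-arn"; // assumed property key, set by the catalog per table
  private String tableArn;

  @Override
  public void initialize(Map<String, String> properties) {
    this.tableArn = properties.get(TABLE_ARN);
    if (tableArn == null) {
      throw new IllegalArgumentException("Missing " + TABLE_ARN + "; LF credentials are per table");
    }
  }

  /** Part (1): Glue is reached with the normal credential; IAM + LF policy is checked on that side. */
  @Override
  public GlueClient glue() { return GlueClient.create(); }

  @Override
  public KmsClient kms() { return KmsClient.create(); }

  @Override
  public DynamoDbClient dynamo() { return DynamoDbClient.create(); }

  /** Part (2): S3 is reached only with the temporary credential LF vends for this table's ARN. */
  @Override
  public S3Client s3() {
    try (LakeFormationClient lf = LakeFormationClient.create()) {
      GetTemporaryGlueTableCredentialsResponse creds = lf.getTemporaryGlueTableCredentials(
          GetTemporaryGlueTableCredentialsRequest.builder()
              .tableArn(tableArn)
              .permissions(Permission.ALL) // requested scope; LF vends only what policy allows
              .durationSeconds(3600)
              .build());
      AwsSessionCredentials session = AwsSessionCredentials.create(
          creds.accessKeyId(), creds.secretAccessKey(), creds.sessionToken());
      // Short-lived credential: a long-running writer must rebuild the client before creds.expiration().
      return S3Client.builder().credentialsProvider(StaticCredentialsProvider.create(session)).build();
    }
  }
}
```

Because the factory is keyed on the table ARN, a commit against table A can never reuse the S3 credential vended for table B, which is the per-table separation the comment asks `GlueCatalog` to support.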
