Re: [PR] Add a flag to allow disabling credential vending for external catalogs [polaris]

Wed, 23 Oct 2024 15:06:40 -0700 


RussellSpitzer commented on code in PR #395:
URL: https://github.com/apache/polaris/pull/395#discussion_r1813758406


##########
polaris-service/src/test/java/org/apache/polaris/service/catalog/PolarisRestCatalogIntegrationTest.java:
##########
@@ -747,6 +789,107 @@ public void 
testCreateTableWithOverriddenBaseLocationMustResideInNsDirectory(
         .isInstanceOf(ForbiddenException.class);
   }
 
+  /**
+   * Create an EXTERNAL catalog. The test configuration, by default, disables 
access delegation for
+   * EXTERNAL catalogs, so register a table and try to load it with the REST 
client configured to
+   * try to fetch vended credentials. Expect a ForbiddenException.
+   */
+  @CatalogConfig(Catalog.TypeEnum.EXTERNAL)
+  @RestCatalogConfig({"header.X-Iceberg-Access-Delegation", 
"vended-credentials"})
+  @Test
+  public void 
testLoadTableWithAccessDelegationForExternalCatalogWithConfigDisabled() {
+    Namespace ns1 = Namespace.of("ns1");
+    restCatalog.createNamespace(ns1);
+    TableMetadata tableMetadata =
+        TableMetadata.newTableMetadata(
+            new Schema(List.of(Types.NestedField.of(1, false, "col1", new 
Types.StringType()))),
+            PartitionSpec.unpartitioned(),
+            "file:///tmp/ns1/my_table",
+            Map.of());
+    try (ResolvingFileIO resolvingFileIO = new ResolvingFileIO()) {
+      resolvingFileIO.initialize(Map.of());
+      resolvingFileIO.setConf(new Configuration());
+      String fileLocation = 
"file:///tmp/ns1/my_table/metadata/v1.metadata.json";
+      TableMetadataParser.write(tableMetadata, 
resolvingFileIO.newOutputFile(fileLocation));
+      restCatalog.registerTable(TableIdentifier.of(ns1, "my_table"), 
fileLocation);
+      try {
+        try {
+          restCatalog.loadTable(TableIdentifier.of(ns1, "my_table"));
+          Assertions.fail(
+              "Expected exception to be thrown when loading table from 
external catalog with access delegation disabled");
+        } catch (ForbiddenException e) {

Review Comment:
   Are we sure this is going to be related to our lack of credentials? Just 
wondering if we should also be checking the message or contents 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to