adutra commented on code in PR #2280:
URL: https://github.com/apache/polaris/pull/2280#discussion_r2263155414
##########
runtime/service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogHandler.java:
##########
@@ -758,21 +741,55 @@ public Optional<LoadTableResponse>
loadTableWithAccessDelegationIfStale(
throw new IllegalStateException("Cannot wrap catalog that does not produce
BaseTable");
}
+ private CatalogEntity getCatalogEntity() {
+ PolarisResolvedPathWrapper catalogPath =
resolutionManifest.getResolvedReferenceCatalogEntity();
+ callContext
+ .getPolarisCallContext()
+ .getDiagServices()
+ .checkNotNull(catalogPath, "No catalog available for loadTable
request");
+ CatalogEntity catalogEntity =
CatalogEntity.of(catalogPath.getRawLeafEntity());
+ LOGGER.info("Catalog type: {}", catalogEntity.getCatalogType());
+ return catalogEntity;
+ }
+
private LoadTableResponse.Builder
buildLoadTableResponseWithDelegationCredentials(
TableIdentifier tableIdentifier,
TableMetadata tableMetadata,
Set<PolarisStorageActions> actions,
- String snapshots) {
+ Set<AccessDelegationMode> delegationModes,
+ CatalogEntity catalogEntity) {
LoadTableResponse.Builder responseBuilder =
LoadTableResponse.builder().withTableMetadata(tableMetadata);
- if (baseCatalog instanceof SupportsCredentialDelegation
credentialDelegation) {
+ if (baseCatalog instanceof SupportsCredentialDelegation
credentialDelegation
+ && delegationModes.contains(AccessDelegationMode.VENDED_CREDENTIALS)) {
LOGGER
.atDebug()
.addKeyValue("tableIdentifier", tableIdentifier)
.addKeyValue("tableLocation", tableMetadata.location())
.log("Fetching client credentials for table");
AccessConfig accessConfig =
- credentialDelegation.getAccessConfig(tableIdentifier, tableMetadata,
actions);
+ credentialDelegation.getAccessConfigForCredentialDelegation(
+ tableIdentifier, tableMetadata, actions);
+ Map<String, String> credentialConfig = accessConfig.credentials();
+ responseBuilder.addAllConfig(credentialConfig);
+ responseBuilder.addAllConfig(accessConfig.extraProperties());
+ if (!credentialConfig.isEmpty()) {
+ responseBuilder.addCredential(
+ ImmutableCredential.builder()
+ .prefix(tableMetadata.location())
+ .config(credentialConfig)
+ .build());
+ }
+ } else if (baseCatalog instanceof SupportsRemoteSigning remoteSigning
+ && delegationModes.contains(AccessDelegationMode.REMOTE_SIGNING)) {
+ S3RemoteSigningCatalogHandler.throwIfRemoteSigningNotEnabled(
+ callContext.getRealmConfig(), catalogEntity);
+ LOGGER
+ .atDebug()
+ .addKeyValue("tableIdentifier", tableIdentifier)
+ .addKeyValue("tableLocation", tableMetadata.location())
+ .log("Enabling remote signing for table");
+ AccessConfig accessConfig =
remoteSigning.getAccessConfigForRemoteSigning(tableIdentifier);
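Review bot: The `if` / `else if` order in `buildLoadTableResponseWithDelegationCredentials` gives `VENDED_CREDENTIALS` precedence whenever `delegationModes` contains both modes, and nothing in the visible lines says whether that is intended. A client that also offered `REMOTE_SIGNING` therefore still gets `accessConfig.credentials()` copied into the response config and into a credential entry, although the remote-signing branch looks like the lower-exposure choice from a least-privilege standpoint. If this order is deliberate, state it above the first branch, for example `// VENDED_CREDENTIALS wins when the client requests both modes; REMOTE_SIGNING is used only if vending is unavailable or not requested.` The method body continues past the quoted lines, so what follows the remote-signing `AccessConfig` lookup and the case where neither branch matches could not be reviewed here.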
Review Comment:
This is where all `LoadTableResponse`s get remote signing enablement.