Re: [PR] Add support for S3 request signing [polaris]

Tue, 19 Aug 2025 02:14:57 -0700 


adutra commented on code in PR #2280:
URL: https://github.com/apache/polaris/pull/2280#discussion_r2284644758


##########
runtime/service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalog.java:
##########
@@ -834,13 +855,50 @@ public AccessConfig getAccessConfig(
       return AccessConfig.builder().build();
     }
     return FileIOUtil.refreshAccessConfig(
-        callContext,
-        storageCredentialCache,
-        getCredentialVendor(),
-        tableIdentifier,
-        StorageUtil.getLocationsAllowedToBeAccessed(tableMetadata),
-        storageActions,
-        storageInfo.get());
+            callContext,
+            storageCredentialCache,
+            getCredentialVendor(),
+            tableIdentifier,
+            StorageUtil.getLocationsAllowedToBeAccessed(tableMetadata),
+            storageActions,
+            storageInfo.get())
+        .orElse(AccessConfig.EMPTY);
+  }
+
+  @Override
+  public AccessConfig getAccessConfigForRemoteSigning(TableIdentifier 
tableIdentifier) {
+
+    Optional<PolarisStorageConfigurationInfo> configurationInfo =
+        findStorageInfo(tableIdentifier)
+            .map(PolarisEntity::getInternalPropertiesAsMap)
+            .map(info -> 
info.get(PolarisEntityConstants.getStorageConfigInfoPropertyName()))
+            .map(PolarisStorageConfigurationInfo::deserialize);
+
+    if (configurationInfo.isEmpty()) {
+      LOGGER
+          .atWarn()
+          .addKeyValue("tableIdentifier", tableIdentifier)
+          .log("Remote signing: table entity has no storage configuration in 
its hierarchy");
+      return AccessConfig.builder().build();
+    }
+
+    PolarisStorageIntegration<AwsStorageConfigurationInfo> storageIntegration =
+        
storageIntegrationProvider.getStorageIntegrationForConfig(configurationInfo.get());
+
+    if (!(storageIntegration instanceof AwsCredentialsStorageIntegration)) {
+      LOGGER
+          .atWarn()
+          .addKeyValue("tableIdentifier", tableIdentifier)
+          .log("Table entity storage integration is not an AWS credentials 
storage integration");
+      return AccessConfig.builder().build();
+    }
+
+    String prefix = 
prefixParser.catalogNameToPrefix(callContext.getRealmContext(), catalogName);
+    URI signerUri = uriInfo.getBaseUri().resolve("api/");

Review Comment:
   FYI, resolving the signer URI in case of HTTP proxies is left for a 
follow-up PR.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to