Re: [PR] add refresh credentials property to loadTableResult [polaris]

via GitHub Wed, 20 Aug 2025 19:08:07 -0700


dimas-b commented on code in PR #2341:
URL: https://github.com/apache/polaris/pull/2341#discussion_r2289674782



##########
polaris-core/src/main/java/org/apache/polaris/core/storage/cache/StorageCredentialCache.java:
##########
@@ -130,7 +131,8 @@ public AccessConfig getOrGenerateSubScopeCreds(
                   polarisEntity.getType(),
                   k.allowedListAction(),
                   k.allowedReadLocations(),
-                  k.allowedWriteLocations());
+                  k.allowedWriteLocations(),
+                  refreshCredentialsEndpoint);

Review Comment:
   `refreshCredentialsEndpoint` should be part of the cache key because 
`ScopedCredentialsResult` is a function also of `refreshCredentialsEndpoint`.



##########
polaris-core/src/main/java/org/apache/polaris/core/storage/StorageAccessProperty.java:
##########
@@ -39,6 +41,18 @@ public enum StorageAccessProperty {
       Boolean.class, "s3.path-style-access", "whether to use S3 path style 
access", false),
   CLIENT_REGION(
       String.class, "client.region", "region to configure client for making 
requests to AWS"),
+  AWS_REFRESH_CREDENTIALS_ENABLED(
+      Boolean.class,
+      AwsClientProperties.REFRESH_CREDENTIALS_ENABLED,
+      "whether to enable automatic refresh of credentials",
+      true,

Review Comment:
   I do not think this property is a credential property (logically)



##########
polaris-core/src/main/java/org/apache/polaris/core/storage/PolarisStorageIntegration.java:
##########
@@ -61,7 +61,8 @@ public abstract AccessConfig getSubscopedCreds(
       @Nonnull RealmConfig realmConfig,
       boolean allowListOperation,
       @Nonnull Set<String> allowedReadLocations,
-      @Nonnull Set<String> allowedWriteLocations);
+      @Nonnull Set<String> allowedWriteLocations,
+      String refreshCredentialsEndpoint);

Review Comment:
   Maybe `Optional<String>`?



##########
polaris-core/src/main/java/org/apache/polaris/core/storage/StorageAccessProperty.java:
##########
@@ -52,6 +66,18 @@ public enum StorageAccessProperty {
   // it expects for SAS
   AZURE_ACCESS_TOKEN(String.class, "", "the azure scoped access token"),
   AZURE_SAS_TOKEN(String.class, "adls.sas-token.", "an azure shared access 
signature token"),
+  AZURE_REFRESH_CREDENTIALS_ENABLED(
+      Boolean.class,
+      "adls.refresh-credentials-enabled",
+      "whether to enable automatic refresh of credentials",
+      true,

Review Comment:
   I do not think this property is a credential property (logically)



##########
polaris-core/src/main/java/org/apache/polaris/core/rest/PolarisResourcePaths.java:
##########
@@ -57,6 +57,17 @@ public String genericTables(Namespace ns) {
         "polaris", "v1", prefix, "namespaces", RESTUtil.encodeNamespace(ns), 
"generic-tables");
   }
 
+  public String credentialsPath(TableIdentifier ident) {
+    return SLASH.join(
+        "v1",
+        prefix,
+        "namespaces",
+        RESTUtil.encodeNamespace(ident.namespace()),
+        "tables",
+        RESTUtil.encodeString(ident.name()),
+        "credentials");

Review Comment:
   Just to confirm: relative paths are correct in this case, right?



##########
polaris-core/src/main/java/org/apache/polaris/core/storage/StorageAccessProperty.java:
##########
@@ -52,6 +66,18 @@ public enum StorageAccessProperty {
   // it expects for SAS
   AZURE_ACCESS_TOKEN(String.class, "", "the azure scoped access token"),
   AZURE_SAS_TOKEN(String.class, "adls.sas-token.", "an azure shared access 
signature token"),
+  AZURE_REFRESH_CREDENTIALS_ENABLED(
+      Boolean.class,
+      "adls.refresh-credentials-enabled",
+      "whether to enable automatic refresh of credentials",
+      true,
+      false),
+  AZURE_REFRESH_CREDENTIALS_ENDPOINT(
+      String.class,
+      "adls.refresh-credentials-endpoint",
+      "the endpoint to use for refreshing credentials",
+      true,

Review Comment:
   I do not think this property is a credential property (logically)



##########
polaris-core/src/test/java/org/apache/polaris/core/storage/azure/AzureCredentialsStorageIntegrationTest.java:
##########
@@ -32,20 +32,20 @@ public class AzureCredentialsStorageIntegrationTest {
   public void testAzureCredentialFormatting() {
     Instant expiresAt = Instant.ofEpochMilli(Long.MAX_VALUE);
 
-    AccessConfig noSuffixResult = toAccessConfig("sasToken", "some_account", 
expiresAt);
+    AccessConfig noSuffixResult = toAccessConfig("sasToken", "some_account", 
expiresAt, null);

Review Comment:
   Could you add tests for non-null refresh endpoint values? (sorry, if I 
missed them).



##########
polaris-core/src/main/java/org/apache/polaris/core/storage/gcp/GcpCredentialsStorageIntegration.java:
##########
@@ -75,7 +75,8 @@ public AccessConfig getSubscopedCreds(
       @Nonnull RealmConfig realmConfig,
       boolean allowListOperation,
       @Nonnull Set<String> allowedReadLocations,
-      @Nonnull Set<String> allowedWriteLocations) {
+      @Nonnull Set<String> allowedWriteLocations,
+      String refreshCredentialsEndpoint) {

Review Comment:
   Why is `refreshCredentialsEndpoint` used for AWS and Azure but not for GCP?



##########
runtime/service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogAdapter.java:
##########
@@ -430,9 +438,14 @@ public Response loadTable(
                     .loadTableIfStale(tableIdentifier, ifNoneMatch, snapshots)
                     .orElseThrow(() -> new 
WebApplicationException(Response.Status.NOT_MODIFIED));
           } else {
+            String refreshCredentialsEndpoint =
+                (delegationModes.contains(VENDED_CREDENTIALS))
+                    ? new 
PolarisResourcePaths(prefix).credentialsPath(tableIdentifier)

Review Comment:
   Might be worth extracting into a shared method (cf. line 366).



##########
polaris-core/src/main/java/org/apache/polaris/core/storage/StorageAccessProperty.java:
##########
@@ -39,6 +41,18 @@ public enum StorageAccessProperty {
       Boolean.class, "s3.path-style-access", "whether to use S3 path style 
access", false),
   CLIENT_REGION(
       String.class, "client.region", "region to configure client for making 
requests to AWS"),
+  AWS_REFRESH_CREDENTIALS_ENABLED(
+      Boolean.class,
+      AwsClientProperties.REFRESH_CREDENTIALS_ENABLED,
+      "whether to enable automatic refresh of credentials",
+      true,
+      false),
+  AWS_REFRESH_CREDENTIALS_ENDPOINT(
+      String.class,
+      AwsClientProperties.REFRESH_CREDENTIALS_ENDPOINT,
+      "the endpoint to use for refreshing credentials",
+      true,

Review Comment:
   I do not think this property is a credential property (logically)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@polaris.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: [PR] add refresh credentials property to loadTableResult [polaris]

Reply via email to