GreenBinary commented on issue #2398:
URL: https://github.com/apache/polaris/issues/2398#issuecomment-3211931049

Still issues.
Here's what I did (I tried the "header.X-Iceberg-Access-Delegation" setting):

**Below is my create catalog command from flink-sql**:
```
CREATE CATALOG IF NOT EXISTS my_iceberg_polaris_catalog WITH (
  'type'='iceberg',
  'catalog-type'='rest',
  'uri'='http://polaris-service.my-ns.svc.cluster.local:8181/api/catalog',
  'credential'='root:s3cr3t',
  'warehouse'='my_iceberg_polaris_catalog',
  'oauth2-server-uri'='http://polaris-service.my-ns.svc.cluster.local:8181/api/catalog/v1/oauth/tokens',
  's3.region'='auto',
  's3.endpoint'='http://minio-data-lake-service.my-ns.svc.cluster.local:9000',
  's3.path-style-access'='true',
  's3.access-key-id'='polaris-service-user',
  's3.secret-access-key'='Passw0rd1',
  'token-refresh-enabled'='true',
  'header.X-Iceberg-Access-Delegation'='vended-credentials',
  'scope'='PRINCIPAL_ROLE:ALL'
);
```
   
**Then below is the catalog I created beforehand using the Polaris API curl command:**

```
curl -i -X POST -H "Authorization: Bearer $POLARIS_TOKEN" \
  "http://polaris-service.my-ns.svc.cluster.local:8181/api/management/v1/catalogs" \
  -H "Content-Type: application/json" \
  -d '{
        "catalog": {
          "name": "my_iceberg_polaris_catalog",
          "type": "INTERNAL",
          "properties": {
            "default-base-location": "s3://iceberg-bucket",
            "s3.endpoint": "http://minio-data-lake-service.my-ns.svc.cluster.local:9000",
            "s3.path-style-access": "true",
            "s3.access-key-id": "polaris-service-user",
            "s3.secret-access-key": "Passw0rd1",
            "s3.region": "auto"
          },
          "storageConfigInfo": {
            "roleArn": "arn:aws:iam::000000000000:role/minio-polaris-role",
            "region": "auto",
            "storageType": "S3",
            "endpoint": "http://localhost:9000",
            "endpointInternal": "http://minio-data-lake-service.my-ns.svc.cluster.local:9000",
            "pathStyleAccess": "true",
            "allowedLocations": [
              "s3://iceberg-bucket/*"
            ]
          }
        }
      }'
```
   
**I get this error:**

`Caused by: org.apache.iceberg.exceptions.ForbiddenException: Forbidden: Principal 'root' with activated PrincipalRoles '[]' and activated grants via '[service_admin, catalog_admin]' is not authorized for op CREATE_TABLE_DIRECT_WITH_WRITE_DELEGATION`
   
   ===
   
**So, then I went ahead and gave the root user the appropriate roles using the curl commands below:**
```
# Create a catalog admin role
curl -X PUT \
  -H "Authorization: Bearer $POLARIS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"grant":{"type":"catalog", "privilege":"CATALOG_MANAGE_CONTENT"}}' \
  "http://localhost:8181/api/management/v1/catalogs/my_iceberg_polaris_catalog/catalog-roles/catalog_admin/grants"

# Create a data engineer role
curl -X POST \
  -H "Authorization: Bearer $POLARIS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"principalRole":{"name":"data_engineer"}}' \
  "http://localhost:8181/api/management/v1/principal-roles"

# Connect the roles
curl -X PUT \
  -H "Authorization: Bearer $POLARIS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"catalogRole":{"name":"catalog_admin"}}' \
  "http://localhost:8181/api/management/v1/principal-roles/data_engineer/catalog-roles/my_iceberg_polaris_catalog"

# Give root the data engineer role
curl -X PUT \
  -H "Authorization: Bearer $POLARIS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"principalRole": {"name":"data_engineer"}}' \
  "http://localhost:8181/api/management/v1/principals/root/principal-roles"
```
   
**Now I get the original error back!**

```
Caused by: java.net.UnknownHostException: iceberg-bucket.minio-data-lake-service.ock-ns.svc.cluster.local: Name or service not known
        at java.base/java.net.Inet6AddressImpl.lookupAllHostAddr(Native Method)
        at java.base/java.net.Inet6AddressImpl.lookupAllHostAddr(Inet6AddressImpl.java:52)
```

Please help, thanks.
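The hostname in the UnknownHostException above has the bucket name prefixed to the endpoint host (`iceberg-bucket.minio-data-lake-service...`), which is the shape S3 virtual-hosted addressing produces; path-style addressing would have looked up the bare endpoint host and put the bucket in the URL path. That tells you the client that failed was not operating with path-style access in effect, whatever the Flink property says. The script below is an added example for this thread, not code from the reporter or from Apache Polaris: it builds the request URL a client would issue under each addressing style so the two hostnames can be compared offline, and runs a small audit over a property map constructed from the reporter's CREATE CATALOG statement. The audit rules are assumptions of this example (a custom endpoint without path-style access, and static S3 keys kept in catalog properties), not documented Polaris or Iceberg behaviour.

```python
"""Added example for this issue thread; not code from the reporter or from
Apache Polaris.  Shows the S3 hostname a client resolves under path-style
versus virtual-hosted addressing, and audits a Flink REST-catalog property
map for the settings involved in the report.  Property values are
constructed from the report; the audit rules are assumptions."""
from urllib.parse import urlsplit, urlunsplit

# Constructed: the S3-related properties from the reporter's CREATE CATALOG
# statement (OAuth settings omitted; they do not affect S3 addressing).
FLINK_CATALOG_PROPS = {
    "s3.endpoint": "http://minio-data-lake-service.my-ns.svc.cluster.local:9000",
    "s3.path-style-access": "true",
    "s3.access-key-id": "polaris-service-user",
    "s3.secret-access-key": "Passw0rd1",
    "header.X-Iceberg-Access-Delegation": "vended-credentials",
}


def s3_object_url(endpoint: str, bucket: str, key: str, path_style: bool) -> str:
    """URL an S3 client requests for bucket/key against a custom endpoint.

    path_style=True  -> scheme://host:port/bucket/key
    path_style=False -> scheme://bucket.host:port/key   (virtual-hosted style)
    """
    parts = urlsplit(endpoint)
    if path_style:
        return urlunsplit((parts.scheme, parts.netloc, f"/{bucket}/{key}", "", ""))
    return urlunsplit((parts.scheme, f"{bucket}.{parts.netloc}", f"/{key}", "", ""))


def resolved_host(url: str) -> str:
    """Hostname the client hands to DNS for this URL."""
    return urlsplit(url).hostname


def audit_catalog_props(props: dict) -> list:
    """Flag properties behind the two failure modes seen in the report.

    Returns (code, message) pairs.  Assumption (this example's rule, not
    Polaris behaviour): a custom endpoint used with virtual-hosted addressing
    yields bucket-prefixed hostnames that in-cluster DNS cannot resolve, and
    static S3 keys in catalog properties are a secret-handling finding whether
    or not vended credentials are also requested.
    """
    findings = []
    endpoint = props.get("s3.endpoint")
    path_style = props.get("s3.path-style-access", "false").lower() == "true"
    if endpoint and not path_style:
        host = resolved_host(s3_object_url(endpoint, "bucket", "", False))
        findings.append(("VIRTUAL_HOSTED_ENDPOINT",
                         f"custom endpoint without path-style access; "
                         f"client will resolve hosts like {host}"))
    if "s3.secret-access-key" in props or "s3.access-key-id" in props:
        findings.append(("STATIC_S3_KEYS",
                         "static S3 keys in catalog properties; keep them in a "
                         "secret store or rely on the credentials the catalog vends"))
    return findings


if __name__ == "__main__":
    ep = FLINK_CATALOG_PROPS["s3.endpoint"]
    for style in (True, False):
        url = s3_object_url(ep, "iceberg-bucket", "warehouse/t/metadata.json", style)
        print(f"path_style={style}: {url} -> DNS lookup for {resolved_host(url)}")
    for code, msg in audit_catalog_props(FLINK_CATALOG_PROPS):
        print(f"[{code}] {msg}")
```

Run it and compare the second DNS hostname with the one in the stack trace: the bucket-prefixed form only appears when path-style access is off, so when the Flink side sets it on and the error still shows that form, the client that failed built its S3 configuration from somewhere other than those Flink properties.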
