[PR] [Catalog Federation] Enable Credential Vending for Passthrough Facade Catalog [polaris]

Fri, 17 Oct 2025 19:08:36 -0700 


HonahX opened a new pull request, #2784:
URL: https://github.com/apache/polaris/pull/2784

   <!--
       Possible security vulnerabilities: STOP here and contact 
[email protected] instead!
   
       Please update the title of the PR with a meaningful message - do not 
leave it "empty" or "generated"
       Please update this summary field:
   
       The summary should cover these topics, if applicable:
       * the motivation for the change
       * a description of the status quo, for example the current behavior
       * the desired behavior
       * etc
   
       PR checklist:
       - Do a self-review of your code before opening a pull request
       - Make sure that there's good test coverage for the changes included in 
this PR
       - Run tests locally before pushing a PR (./gradlew check)
       - Code should have comments where applicable. Particularly 
hard-to-understand
         areas deserve good in-line documentation.
       - Include changes and enhancements to the documentation (in 
site/content/in-dev/unreleased)
       - For Work In Progress Pull Requests, please use the Draft PR feature.
   
       Make sure to add the information BELOW this comment.
       Everything in this comment will NOT be added to the PR description.
   -->
   This PR introduces credential vending support for passthrough-facade 
catalogs.
   
   When creating a passthrough-facade catalog, the configuration currently 
requires two components:
   
   - StorageConfig – specifies the storage info for the remote catalog.
   - ConnectionInfo – defines connection parameters for the underlying remote 
catalog.
   
   With this change, the StorageConfig is now also used to vend temporary 
credentials for user requests.
   Credential vending honors table-level RBAC policies to determine whether to 
issue read-only or read-write credentials, ensuring access control consistency 
with Polaris authorization semantics.
   
   A new test case validates the credential vending workflow, verifying both 
read and write credential vending.
   
   Note: the remote catalog referenced by the passthrough-facade does not need 
to support IRC


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to