Re: [PR] Enforce that S3 credentials are vended when requested [polaris]

Sat, 18 Oct 2025 07:52:29 -0700 


HonahX commented on code in PR #2711:
URL: https://github.com/apache/polaris/pull/2711#discussion_r2403085055


##########
runtime/service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogHandler.java:
##########
@@ -804,13 +804,22 @@ private LoadTableResponse.Builder 
buildLoadTableResponseWithDelegationCredential
           credentialDelegation.getAccessConfig(
               tableIdentifier, tableMetadata, actions, 
refreshCredentialsEndpoint);
       Map<String, String> credentialConfig = accessConfig.credentials();
-      if (!credentialConfig.isEmpty() && 
delegationModes.contains(VENDED_CREDENTIALS)) {
-        responseBuilder.addAllConfig(credentialConfig);
-        responseBuilder.addCredential(
-            ImmutableCredential.builder()
-                .prefix(tableMetadata.location())
-                .config(credentialConfig)
-                .build());
+      if (delegationModes.contains(VENDED_CREDENTIALS)) {
+        if (!credentialConfig.isEmpty()) {
+          responseBuilder.addAllConfig(credentialConfig);
+          responseBuilder.addCredential(
+              ImmutableCredential.builder()
+                  .prefix(tableMetadata.location())
+                  .config(credentialConfig)
+                  .build());
+        } else {
+          Boolean skipCredIndirection =
+              
realmConfig.getConfig(FeatureConfiguration.SKIP_CREDENTIAL_SUBSCOPING_INDIRECTION);
+          Preconditions.checkArgument(
+              !accessConfig.supportsCredentialVending() || skipCredIndirection,
+              "Credential vending was requested for table %s, but no 
credentials are available",
+              tableIdentifier);

Review Comment:
   WDYT of moving this check to `getAccessConfig` 
/`FileIOUtil.refreshAccessConfig` in the later refactoring PR: 
https://github.com/apache/polaris/pull/2736, and we probably do not need the 
additional `supportsCredentialVending` field in AccessConfig, just adding an 
additional arg to let caller decide whether to require the credential to be 
vended.
   
   But I think that should be in a follow-up and after the 1.2.0 cut to avoid 
additional noise on the release. If I understand correctly, we do not offer 
backward compatibility of these inner interface. So we could do this if needed 
in the next release



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to