flyrain commented on code in PR #3066: URL: https://github.com/apache/polaris/pull/3066#discussion_r2539498277
########## site/content/in-dev/unreleased/configuring-polaris-for-production.md: ########## 
@@ -23,35 +23,39 @@ type: docs weight: 600 --- -The default server configuration is intended for development and testing. When you deploy Polaris in production, -review and apply the following checklist: +The default server configuration is intended for development and testing. When you deploy Polaris in production, review +and apply the following checklist: + - [ ] Configure OAuth2 keys - [ ] Enforce realm header validation (`require-header=true`) - [ ] Use a durable metastore (JDBC + PostgreSQL) - [ ] Bootstrap valid realms in the metastore - [ ] Disable local FILE storage +- [ ] Polaris Server Header +- [ ] Upgrade considerations +- [ ] Cloud Storage Specific Configuration ### Configure OAuth2 -Polaris authentication requires specifying a token broker factory type. Two implementations are -supported out of the box: +Polaris authentication requires specifying a token broker factory type. Two implementations are supported out of the +box: - [rsa-key-pair] uses a pair of public and private keys; - [symmetric-key] uses a shared secret. -[rsa-key-pair]: https://github.com/apache/polaris/blob/390f1fa57bb1af24a21aa95fdbff49a46e31add7/service/common/src/main/java/org/apache/polaris/service/auth/JWTRSAKeyPairFactory.java -[symmetric-key]: https://github.com/apache/polaris/blob/390f1fa57bb1af24a21aa95fdbff49a46e31add7/service/common/src/main/java/org/apache/polaris/service/auth/JWTSymmetricKeyFactory.java +[rsa-key-pair]: + https://github.com/apache/polaris/blob/390f1fa57bb1af24a21aa95fdbff49a46e31add7/service/common/src/main/java/org/apache/polaris/service/auth/JWTRSAKeyPairFactory.java +[symmetric-key]: + https://github.com/apache/polaris/blob/390f1fa57bb1af24a21aa95fdbff49a46e31add7/service/common/src/main/java/org/apache/polaris/service/auth/JWTSymmetricKeyFactory.java Review Comment: There seems to be a lot of changes not related. Can we revert them? ########## site/content/in-dev/unreleased/configuring-polaris-for-production.md: ########## 
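Review bot: The three checklist entries added in this hunk (`- [ ] Polaris Server Header`, `- [ ] Upgrade considerations`, `- [ ] Cloud Storage Specific Configuration`) are section titles rather than actions, so an operator cannot tick them off the way they can `Disable local FILE storage`; every existing item is an imperative. `Polaris Server Header` in particular reads as "enable the Server header", and the section it refers to (visible in the next hunk) enables a header that advertises the exact Polaris version to every client, which is the opposite of what a production hardening checklist normally asks for. Suggest rewording each entry to the decision the operator must make, for example `- [ ] Decide whether to emit the Server header (prefer omitting the version string)`, `- [ ] Review upgrade considerations` and `- [ ] Apply cloud-storage-specific configuration`. Also, `Upgrade considerations` is added to the checklist here but none of the visible hunks add or touch a section with that title, so confirm it exists elsewhere in the page or drop the entry.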
@@ -210,27 +204,39 @@ curl -X POST http://localhost:8181/api/catalog/v1/oauth/tokens \ ``` ### Disable FILE Storage Type -By default, Polaris allows using the local file system (`FILE`) for catalog storage. This is fine for testing, -but **not recommended for production**. To disable it, set the supported storage types like this: + +By default, Polaris allows using the local file system (`FILE`) for catalog storage. This is fine for testing, but **not +recommended for production**. To disable it, set the supported storage types like this: + ```hocon polaris.features."SUPPORTED_CATALOG_STORAGE_TYPES" = [ "S3", "Azure" ] ``` + Leave out `FILE` to prevent its use. Only include the storage types your setup needs. ### Polaris Server Header -Polaris can emit an informational `Server` HTTP response header using Quarkus' built-in header -configuration. Add the following property to one of the supported configuration sources (for example, -`application.properties`) to enable it with the Polaris version string: +Polaris can emit an informational `Server` HTTP response header using Quarkus' built-in header configuration. Add the +following property to one of the supported configuration sources (for example, `application.properties`) to enable it +with the Polaris version string: ```properties quarkus.http.header."Server".value=Polaris/${quarkus.application.version} ``` -If you prefer to scope the header to specific environments, only set the property for the desired -profile (for example, `%prod`). +If you prefer to scope the header to specific environments, only set the property for the desired profile (for example, +`%prod`). 
+ +### Cloud Storage Specific Configuration + +GCS + Polaris: When using token vending for fine-grained access in Google Cloud Storage (GCS) with Apache Iceberg on Review Comment: I'd suggest a subtitle ```suggestion #### GCS When using token vending for fine-grained access in Google Cloud Storage (GCS) with Apache Iceberg on ``` ########## site/content/in-dev/unreleased/configuring-polaris-for-production.md: ########## 
@@ -210,27 +204,39 @@ curl -X POST http://localhost:8181/api/catalog/v1/oauth/tokens \ ``` ### Disable FILE Storage Type -By default, Polaris allows using the local file system (`FILE`) for catalog storage. This is fine for testing, -but **not recommended for production**. To disable it, set the supported storage types like this: + +By default, Polaris allows using the local file system (`FILE`) for catalog storage. This is fine for testing, but **not +recommended for production**. To disable it, set the supported storage types like this: + ```hocon polaris.features."SUPPORTED_CATALOG_STORAGE_TYPES" = [ "S3", "Azure" ] ``` + Leave out `FILE` to prevent its use. Only include the storage types your setup needs. ### Polaris Server Header -Polaris can emit an informational `Server` HTTP response header using Quarkus' built-in header -configuration. Add the following property to one of the supported configuration sources (for example, -`application.properties`) to enable it with the Polaris version string: +Polaris can emit an informational `Server` HTTP response header using Quarkus' built-in header configuration. Add the +following property to one of the supported configuration sources (for example, `application.properties`) to enable it +with the Polaris version string: ```properties quarkus.http.header."Server".value=Polaris/${quarkus.application.version} ``` -If you prefer to scope the header to specific environments, only set the property for the desired -profile (for example, `%prod`). +If you prefer to scope the header to specific environments, only set the property for the desired profile (for example, +`%prod`). + +### Cloud Storage Specific Configuration + +GCS + Polaris: When using token vending for fine-grained access in Google Cloud Storage (GCS) with Apache Iceberg on Review Comment: Can we use the term `credential vending` instead of `token vending` to be more consistent with other places? 
I'd also recommend not mentioning `fine-grained access` to avoid any confusion with table's FGAC. I think the context is pretty clear when it comes to storage credential vending. `fine-grained access` isn't necessary. -- This is an automated message from the Apache Git Service.
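Review bot: In the reflowed `Polaris Server Header` paragraph of the `@@ -210,27 +204,39 @@` hunk, `quarkus.http.header."Server".value=Polaris/${quarkus.application.version}` publishes the exact Polaris version to unauthenticated clients on every response, and the following sentence suggests scoping it to `%prod`, the one profile where that disclosure matters most. Since this page is the production checklist, the text should say so plainly and show the safer form first, e.g. `quarkus.http.header."Server".value=Polaris` with no version, and if the versioned value is kept at all, scope it to non-production profiles (`%dev`, `%test`) rather than `%prod`. Two smaller points in the same hunk: the `polaris.features."SUPPORTED_CATALOG_STORAGE_TYPES" = [ "S3", "Azure" ]` example sits directly above the new `Cloud Storage Specific Configuration` section whose first topic is GCS, so a reader who copies it verbatim has just disabled the storage type the next section configures; add `"GCS"` to the example or call this out in the "Only include the storage types your setup needs" sentence. And the visible part of the hunk ends mid-sentence in the new GCS paragraph (`...with Apache Iceberg on`), so the rest of that section cannot be reviewed here.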
