MonkeyCanCode commented on issue #3440: URL: https://github.com/apache/polaris/issues/3440#issuecomment-3775262492
Hello @netapp-acheng,

Thanks for the test again; the conclusion is expected. The primary change I made is the emission of the KMS policy when KMS is not defined. However, the existing code base does include a wildcard KMS policy when it is not defined, unless it is a non-AWS S3 policy (I think the assumption was that if it is not implicitly defined, it may be better to use a wildcard).

And just to be clear on the changes we made/tested:

1. We removed the KMS policies when KMS keys are not set, if the backend is a non-AWS S3-compatible storage. If the backend gets classified as AWS S3 (in this case, having an account id and region), it will still use a wildcard with the current code. We may need a better way to check whether there is a way to distinguish between AWS and non-AWS S3, or update the doc to include this info to avoid confusion. I will create a dev mailing list for this later today.

2. During table refresh, we implicitly returned a fully functional state that includes WRITE permission, as the refresh is READ-ONLY, and the subsequent attempt to write data can then fail. This was validated last night: with the change, it is able to use the STS temporary credentials with the AssumeRole action. I am not sure if that is possible, but do you think we can get a minimal reproducible from your end so we can have better code coverage for this edge case? For the setup I have, I went a slightly different route with an IAM role and KMS keys, and both have been working fine since the 1.1.0 release. Thus, I would think it is something specific which may be fully covered with the current code.

Please help confirm whether the above reflects your observations; then I will raise two different PRs to add the corresponding fixes. Again, thanks for working with us to have this edge case covered.

Thanks, Yong Zheng

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
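The two behaviours discussed in the comment (a wildcard KMS statement being emitted whenever no KMS key is configured and the backend looks like AWS S3, and a read-only credential being vended on refresh so that a later write fails) are easier to reason about with a concrete session policy in front of you. The block below is an added illustration written for this page; it is not Polaris code and does not use Polaris's classes, action lists or classification logic. The action lists, the `is_aws_s3` heuristic (account id and region present) and the policy shape are assumptions chosen to mirror the description above; the hypothetical `build_session_policy` function shows both the wildcard fallback and the scoped-key form, and `kms_wildcard_statements` is the check a reviewer would run on a vended policy before trusting it.

```python
"""
Illustrative model (not Polaris code) of the session-policy behaviour
discussed in the issue: a KMS statement is only emitted when key ARNs are
configured, or, when the backend is classified as AWS S3, as a wildcard
fallback; and a policy vended as read-only cannot serve a subsequent write.
All action lists and the AWS-vs-S3-compatible heuristic are assumptions.
"""
import json

# Assumed action sets; real vended policies may differ.
S3_READ_ACTIONS = ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"]
S3_WRITE_ACTIONS = ["s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"]
KMS_ACTIONS = ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:DescribeKey"]


def is_aws_s3(account_id, region):
    """Hypothetical classifier: treat the backend as AWS S3 only when both an
    account id and a region are configured (mirrors the comment's description)."""
    return bool(account_id) and bool(region)


def build_session_policy(bucket, prefix, *, allow_write, kms_key_arns=(),
                         account_id=None, region=None):
    """Build a minimal IAM session policy for one table location.

    - S3 access is always scoped to the bucket and the table prefix.
    - KMS: scoped to the configured key ARNs if any; otherwise a wildcard
      statement only when the backend is classified as AWS S3; otherwise
      (non-AWS S3-compatible store) no KMS statement at all.
    """
    actions = list(S3_READ_ACTIONS) + (list(S3_WRITE_ACTIONS) if allow_write else [])
    statements = [{
        "Effect": "Allow",
        "Action": actions,
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/{prefix}/*"],
    }]
    if kms_key_arns:
        statements.append({"Effect": "Allow", "Action": KMS_ACTIONS,
                           "Resource": list(kms_key_arns)})
    elif is_aws_s3(account_id, region):
        # Wildcard fallback: lets the session use any key the role can reach.
        statements.append({"Effect": "Allow", "Action": KMS_ACTIONS, "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def kms_wildcard_statements(policy):
    """Return the KMS statements whose Resource is '*', i.e. the least-privilege
    red flag a reviewer should look for in a vended policy."""
    return [s for s in policy["Statement"]
            if any(a.startswith("kms:") for a in _as_list(s["Action"]))
            and "*" in _as_list(s["Resource"])]


def policy_allows(policy, action):
    """True if any Allow statement in the policy lists the action literally."""
    return any(s["Effect"] == "Allow" and action in _as_list(s["Action"])
               for s in policy["Statement"])


def refresh_then_write(refresh_allow_write):
    """Simulate the refresh scenario: the credential handed back by a table
    refresh is reused for a write. Returns whether the write would be allowed."""
    refreshed = build_session_policy("data-bucket", "warehouse/db/t",
                                     allow_write=refresh_allow_write,
                                     account_id="123456789012", region="us-east-1")
    return policy_allows(refreshed, "s3:PutObject")


if __name__ == "__main__":
    # Constructed sample configurations, not taken from any real deployment.
    minio = build_session_policy("lake", "warehouse/db/t", allow_write=True)
    aws_no_key = build_session_policy("lake", "warehouse/db/t", allow_write=True,
                                      account_id="123456789012", region="us-east-1")
    aws_scoped = build_session_policy(
        "lake", "warehouse/db/t", allow_write=True,
        kms_key_arns=["arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"],
        account_id="123456789012", region="us-east-1")
    for name, pol in [("s3-compatible", minio), ("aws-no-key", aws_no_key),
                      ("aws-scoped", aws_scoped)]:
        print(name, "wildcard KMS statements:", len(kms_wildcard_statements(pol)))
    print(json.dumps(aws_scoped, indent=2))
    print("write after read-only refresh allowed:", refresh_then_write(False))
```

The three cases printed at the bottom correspond to the three situations the comment distinguishes: an S3-compatible backend with no keys gets no KMS statement, an AWS-classified backend with no keys gets the `Resource: "*"` fallback, and configured key ARNs always win. `refresh_then_write(False)` shows the second bug pattern: whatever the refresh returns is what the next write runs under, so a read-only refresh policy denies `s3:PutObject`.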
