Re: [PR] IRC: Optimize Credential Vending [polaris]

Thu, 26 Mar 2026 17:00:16 -0700 


dimas-b commented on code in PR #3997:
URL: https://github.com/apache/polaris/pull/3997#discussion_r2998313979


##########
runtime/service/src/test/java/org/apache/polaris/service/catalog/iceberg/AbstractIcebergCatalogHandlerAuthzTest.java:
##########
@@ -597,6 +555,16 @@ Stream<DynamicNode> 
testLoadTableWithReadAccessDelegationPrivileges() {
             () -> newHandler().loadTableWithAccessDelegation(TABLE_NS1A_2, 
"all", Optional.empty()))
         .shouldPassWith(PolarisPrivilege.TABLE_READ_DATA)
         .shouldPassWith(PolarisPrivilege.TABLE_WRITE_DATA)
+        .createTests();
+  }
+
+  @TestFactory
+  Stream<DynamicNode> testLoadCredentialsFromEntityPropertiesPrivileges() {
+    return authzTestsBuilder("loadCredentialsFromEntityProperties")
+        .action(
+            () -> 
newHandler().loadCredentialsFromEntityProperties(TABLE_NS1A_2, 
Optional.empty()))
+        .shouldPassWith(PolarisPrivilege.TABLE_READ_DATA)
+        .shouldPassWith(PolarisPrivilege.TABLE_WRITE_DATA)
         .shouldPassWith(PolarisPrivilege.CATALOG_MANAGE_CONTENT)

Review Comment:
   Should we add some negative cases too?



##########
polaris-core/src/main/java/org/apache/polaris/core/config/FeatureConfiguration.java:
##########
@@ -64,6 +64,18 @@ public static void enforceFeatureEnabledOrThrow(
               .defaultValue(false)
               .buildFeatureConfiguration();
 
+  public static final FeatureConfiguration<Boolean> 
OPTIMIZED_CREDENTIAL_VENDING =
+      PolarisConfiguration.<Boolean>builder()
+          .key("OPTIMIZED_CREDENTIAL_VENDING")
+          .catalogConfig("polaris.config.optimized-credential-vending")
+          .description(
+              "When enabled, the loadCredentials endpoint vends storage 
credentials using "
+                  + "location data from entity internal properties, avoiding a 
full table metadata "
+                  + "read from object storage. Falls back to the standard path 
if the entity lacks "
+                  + "the required properties.")
+          .defaultValue(false)

Review Comment:
   nit: I'd default to `true` ... Are there any adverse effects with that? In 
case of (unexpected) bugs, people can revert manually.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to