adutra commented on code in PR #3734:
URL: https://github.com/apache/polaris/pull/3734#discussion_r3274164850
##########
integration-tests/src/main/java/org/apache/polaris/service/it/test/PolarisRestCatalogIntegrationBase.java:
##########
@@ -708,15 +708,101 @@ public void
testCreateTableWithOverriddenBaseLocationMustResideInNsDirectory() {
.isInstanceOf(ForbiddenException.class);
}
+ /**
+ * Create an INTERNAL catalog. Register a table WITH access delegation and
verify that the
+ * registerTable response contains vended credentials (when supported by the
storage type).
+ */
+ @RestCatalogConfig({"header.X-Iceberg-Access-Delegation",
"vended-credentials"})
+ @Test
+ public void testRegisterTableWithAccessDelegation() {
+ Namespace ns1 = Namespace.of("ns1");
+ restCatalog.createNamespace(ns1);
+ TableMetadata tableMetadata =
+ TableMetadata.newTableMetadata(
+ new Schema(List.of(Types.NestedField.required(1, "col1", new
Types.StringType()))),
+ PartitionSpec.unpartitioned(),
+ catalogBaseLocation + "/ns1/my_table",
+ Map.of());
+ try (ResolvingFileIO resolvingFileIO = new ResolvingFileIO()) {
+ initializeClientFileIO(resolvingFileIO);
+ resolvingFileIO.setConf(new Configuration());
+ String fileLocation = catalogBaseLocation +
"/ns1/my_table/metadata/v1.metadata.json";
+ TableMetadataParser.write(tableMetadata,
resolvingFileIO.newOutputFile(fileLocation));
+ try {
+ LoadTableResponse registerResponse =
+ catalogApi.registerTableWithAccessDelegation(
+ currentCatalogName, ns1, "my_table", fileLocation);
+
+ assertThat(registerResponse).isNotNull();
+ assertThat(registerResponse.tableMetadata()).isNotNull();
+
assertThat(registerResponse.tableMetadata().location()).isEqualTo(tableMetadata.location());
+
assertThat(registerResponse.metadataLocation()).isEqualTo(fileLocation);
+
+ if (getStorageConfigInfo().getStorageType() !=
StorageConfigInfo.StorageTypeEnum.FILE) {
+ assertThat(registerResponse.credentials())
+ .as("Cloud storage should vend credentials")
+ .isNotEmpty();
+ }
+ } finally {
+ resolvingFileIO.deleteFile(fileLocation);
+ }
+ }
+ }
+
+ /**
+ * Create an EXTERNAL catalog with credential vending enabled. Register a
table WITH access
+ * delegation and verify that the registerTable response contains vended
credentials (when
+ * supported by the storage type).
+ */
+ @CatalogConfig(
+ value = Catalog.TypeEnum.EXTERNAL,
+ properties = {"polaris.config.enable.credential.vending", "true"})
+ @RestCatalogConfig({"header.X-Iceberg-Access-Delegation",
"vended-credentials"})
+ @Test
+ public void testRegisterTableWithAccessDelegationForExternalCatalog() {
+ Namespace ns1 = Namespace.of("ns1");
+ restCatalog.createNamespace(ns1);
+ TableMetadata tableMetadata =
+ TableMetadata.newTableMetadata(
+ new Schema(List.of(Types.NestedField.required(1, "col1", new
Types.StringType()))),
+ PartitionSpec.unpartitioned(),
+ externalCatalogBaseLocation + "/ns1/my_table",
+ Map.of());
+ try (ResolvingFileIO resolvingFileIO = new ResolvingFileIO()) {
+ initializeClientFileIO(resolvingFileIO);
+ resolvingFileIO.setConf(new Configuration());
+ String fileLocation = externalCatalogBaseLocation +
"/ns1/my_table/metadata/v1.metadata.json";
+ TableMetadataParser.write(tableMetadata,
resolvingFileIO.newOutputFile(fileLocation));
+ try {
+ LoadTableResponse registerResponse =
+ catalogApi.registerTableWithAccessDelegation(
+ currentCatalogName, ns1, "my_table", fileLocation);
+
+ assertThat(registerResponse).isNotNull();
+ assertThat(registerResponse.tableMetadata()).isNotNull();
+
assertThat(registerResponse.tableMetadata().location()).isEqualTo(tableMetadata.location());
+
assertThat(registerResponse.metadataLocation()).isEqualTo(fileLocation);
+
+ if (getStorageConfigInfo().getStorageType() !=
StorageConfigInfo.StorageTypeEnum.FILE) {
+ assertThat(registerResponse.credentials())
+ .as("Cloud storage should vend credentials")
+ .isNotEmpty();
+ }
+ } finally {
+ resolvingFileIO.deleteFile(fileLocation);
+ }
+ }
+ }
+
/**
* Create an EXTERNAL catalog. The test configuration, by default, disables
access delegation for
- * EXTERNAL catalogs, so register a table and try to load it with the REST
client configured to
- * try to fetch vended credentials. Expect a ForbiddenException.
+ * EXTERNAL catalogs, so try to register a table with the REST client
configured to try to fetch
+ * vended credentials. Expect a ForbiddenException.
*/
@CatalogConfig(Catalog.TypeEnum.EXTERNAL)
@RestCatalogConfig({"header.X-Iceberg-Access-Delegation",
"vended-credentials"})
@Test
- public void
testLoadTableWithAccessDelegationForExternalCatalogWithConfigDisabled() {
+ public void
testRegisterTableWithAccessDelegationForExternalCatalogWithConfigDisabled() {
Review Comment:
I could not design such a test. The test framework either enables or
disables vended credentials for the entire test. Thus, in order to load a table
with access delegation on, I first need to create such a table; but then, the
create-table operation fails, and we never get to the load-table operation.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
