flyrain commented on code in PR #4540:
URL: https://github.com/apache/polaris/pull/4540#discussion_r3312506707


##########
runtime/service/src/test/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogHandlerTest.java:
##########
@@ -0,0 +1,232 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.polaris.service.catalog.iceberg;
+
+import static 
org.apache.polaris.service.catalog.AccessDelegationMode.VENDED_CREDENTIALS;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyBoolean;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import jakarta.enterprise.inject.Instance;
+import java.time.Clock;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+import org.apache.iceberg.BaseTable;
+import org.apache.iceberg.TableMetadata;
+import org.apache.iceberg.TableOperations;
+import org.apache.iceberg.catalog.Catalog;
+import org.apache.iceberg.catalog.Namespace;
+import org.apache.iceberg.catalog.TableIdentifier;
+import org.apache.iceberg.rest.credentials.Credential;
+import org.apache.iceberg.rest.responses.ImmutableLoadCredentialsResponse;
+import org.apache.polaris.core.PolarisDiagnostics;
+import org.apache.polaris.core.auth.PolarisAuthorizer;
+import org.apache.polaris.core.auth.PolarisPrincipal;
+import org.apache.polaris.core.catalog.LocalCatalogFactory;
+import org.apache.polaris.core.config.RealmConfig;
+import org.apache.polaris.core.context.CallContext;
+import org.apache.polaris.core.context.RealmContext;
+import org.apache.polaris.core.credentials.PolarisCredentialManager;
+import org.apache.polaris.core.entity.CatalogEntity;
+import org.apache.polaris.core.entity.PolarisBaseEntity;
+import org.apache.polaris.core.entity.PolarisEntity;
+import org.apache.polaris.core.entity.PolarisEntitySubType;
+import org.apache.polaris.core.entity.PolarisEntityType;
+import org.apache.polaris.core.entity.table.IcebergTableLikeEntity;
+import org.apache.polaris.core.persistence.PolarisMetaStoreManager;
+import org.apache.polaris.core.persistence.PolarisResolvedPathWrapper;
+import org.apache.polaris.core.persistence.resolver.PolarisResolutionManifest;
+import org.apache.polaris.core.persistence.resolver.ResolutionManifestFactory;
+import org.apache.polaris.core.persistence.resolver.ResolverFactory;
+import org.apache.polaris.core.storage.StorageAccessConfig;
+import org.apache.polaris.service.catalog.AccessDelegationModeResolver;
+import org.apache.polaris.service.catalog.CatalogPrefixParser;
+import org.apache.polaris.service.catalog.io.StorageAccessConfigProvider;
+import org.apache.polaris.service.config.ReservedProperties;
+import org.apache.polaris.service.events.EventAttributeMap;
+import org.apache.polaris.service.reporting.PolarisMetricsReporter;
+import org.junit.jupiter.api.Test;
+
+class IcebergCatalogHandlerTest {
+
+  private static final String CATALOG_NAME = "test";
+  private static final Namespace NS1 = Namespace.of("ns1");
+  private static final TableIdentifier TABLE2 = TableIdentifier.of(NS1, 
"table2");
+
+  private final PolarisResolutionManifest resolutionManifest =
+      mock(PolarisResolutionManifest.class);
+  private final PolarisResolvedPathWrapper resolvedPath = 
mock(PolarisResolvedPathWrapper.class);
+  private final CatalogEntity catalogEntity = mock(CatalogEntity.class);
+  private final CallContext callContext = mock(CallContext.class);
+  private final RealmConfig realmConfig = mock(RealmConfig.class);
+  private final LocalCatalogFactory localCatalogFactory = 
mock(LocalCatalogFactory.class);
+  private final AccessDelegationModeResolver accessDelegationModeResolver =
+      mock(AccessDelegationModeResolver.class);
+  private final StorageAccessConfigProvider storageAccessConfigProvider =
+      mock(StorageAccessConfigProvider.class);
+
+  @SuppressWarnings({"unchecked", "rawtypes"})
+  private IcebergCatalogHandler newHandler() {
+    when(callContext.getRealmConfig()).thenReturn(realmConfig);
+    when(callContext.getRealmContext()).thenReturn(mock(RealmContext.class));
+
+    // Resolution manifest factory always returns our pre-configured manifest 
mock so we can
+    // observe and stub interactions with it.
+    ResolutionManifestFactory resolutionManifestFactory = 
mock(ResolutionManifestFactory.class);
+    when(resolutionManifestFactory.createResolutionManifest(any(), any()))
+        .thenReturn(resolutionManifest);
+
+    // Authorization path: any resolved path lookup returns a non-null wrapper 
so the
+    // "not found" check in 
CatalogHandler#authorizeBasicTableLikeOperationsOrThrow passes.
+    when(resolutionManifest.getResolvedPath(any(), any(), 
anyBoolean())).thenReturn(resolvedPath);
+    when(resolutionManifest.getResolvedPath(any(), 
any())).thenReturn(resolvedPath);
+    when(resolutionManifest.getResolvedPath(any())).thenReturn(resolvedPath);
+    
when(resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles()).thenReturn(Set.of());
+
+    // initializeCatalog() reads the resolved catalog entity to decide 
federated vs. local.
+    // Return a CatalogEntity without a connection config so we take the 
local-catalog path.
+    
when(resolutionManifest.getResolvedCatalogEntity()).thenReturn(catalogEntity);
+    when(catalogEntity.getConnectionConfigInfoDpo()).thenReturn(null);
+
+    return ImmutableIcebergCatalogHandler.builder()
+        .catalogName(CATALOG_NAME)
+        .polarisPrincipal(PolarisPrincipal.of("test", Map.of(), Set.of()))
+        .callContext(callContext)
+        .metaStoreManager(mock(PolarisMetaStoreManager.class))
+        .resolutionManifestFactory(resolutionManifestFactory)
+        .authorizer(mock(PolarisAuthorizer.class))
+        .diagnostics(mock(PolarisDiagnostics.class))
+        .credentialManager(mock(PolarisCredentialManager.class))
+        .federatedCatalogFactories(mock(Instance.class))
+        .prefixParser(mock(CatalogPrefixParser.class))
+        .resolverFactory(mock(ResolverFactory.class))
+        .localCatalogFactory(localCatalogFactory)
+        .reservedProperties(mock(ReservedProperties.class))
+        .catalogHandlerUtils(mock(CatalogHandlerUtils.class))
+        .storageAccessConfigProvider(storageAccessConfigProvider)
+        .eventAttributeMap(mock(EventAttributeMap.class))
+        .metricsReporter(mock(PolarisMetricsReporter.class))
+        .clock(mock(Clock.class))
+        .accessDelegationModeResolver(accessDelegationModeResolver)
+        .build();
+  }
+
+  /**
+   * For external (non-Polaris) catalogs, loadCredentials must skip the 
optimized
+   * entity-properties-based path and fall through to a full loadTable on the 
underlying catalog,
+   * propagating the credentials the storage provider returns for that table.
+   */
+  @Test
+  void loadCredentialsFallsBackForExternalCatalog() {
+    String tableLocation = "s3://fake-bucket/tables/table2";
+    Map<String, String> fakeCredentials =
+        Map.of("fake.access.key", "AKIAFAKE", "fake.secret.key", "fakeSecret");
+
+    TableMetadata metadata = mock(TableMetadata.class);
+    when(metadata.location()).thenReturn(tableLocation);
+    when(metadata.properties()).thenReturn(Map.of());
+    TableOperations ops = mock(TableOperations.class);
+    when(ops.current()).thenReturn(metadata);
+    BaseTable table = mock(BaseTable.class);
+    when(table.operations()).thenReturn(ops);
+
+    Catalog externalCatalog = mock(Catalog.class);
+    when(externalCatalog.loadTable(TABLE2)).thenReturn(table);
+    when(localCatalogFactory.createCatalog(any())).thenReturn(externalCatalog);
+
+    // VENDED_CREDENTIALS is what triggers the handler to attach credentials 
to the response.
+    when(accessDelegationModeResolver.resolve(any(), any()))
+        .thenReturn(Optional.of(VENDED_CREDENTIALS));
+
+    StorageAccessConfig storageAccessConfig =
+        StorageAccessConfig.builder()
+            .putCredential("fake.access.key", "AKIAFAKE")
+            .putCredential("fake.secret.key", "fakeSecret")
+            .build();
+    when(storageAccessConfigProvider.getStorageAccessConfig(any(), any(), 
any(), any(), any()))
+        .thenReturn(storageAccessConfig);
+
+    IcebergCatalogHandler handler = newHandler();
+
+    ImmutableLoadCredentialsResponse response = 
handler.loadCredentials(TABLE2, Optional.empty());
+
+    verify(externalCatalog).loadTable(TABLE2);
+    assertThat(response.credentials())
+        .singleElement()
+        .satisfies(
+            (Credential c) -> {
+              assertThat(c.prefix()).isEqualTo(tableLocation);
+              
assertThat(c.config()).containsExactlyInAnyOrderEntriesOf(fakeCredentials);
+            });
+  }
+
+  /**
+   * For native Polaris (Iceberg) catalogs, loadCredentials takes the 
optimized path: it reads the
+   * table location from the entity's internal properties and vends 
credentials without loading the
+   * full table metadata. The underlying catalog's loadTable must NOT be 
invoked.
+   */
+  @Test
+  void loadCredentialsUsesOptimizedPathForIcebergCatalog() {
+    String tableLocation = "s3://fake-bucket/tables/table2";
+    Map<String, String> fakeCredentials =
+        Map.of("fake.access.key", "AKIAFAKE", "fake.secret.key", "fakeSecret");
+
+    // The entity returned via the resolution manifest carries the table 
location in its internal
+    // properties; that's what lets the optimized path skip a full loadTable.
+    PolarisEntity leafEntity =
+        new PolarisEntity(
+            new PolarisBaseEntity.Builder()
+                .typeCode(PolarisEntityType.TABLE_LIKE.getCode())
+                .subTypeCode(PolarisEntitySubType.ICEBERG_TABLE.getCode())
+                .name(TABLE2.name())
+                
.internalPropertiesAsMap(Map.of(IcebergTableLikeEntity.LOCATION, tableLocation))
+                .build());
+    when(resolvedPath.getRawLeafEntity()).thenReturn(leafEntity);
+
+    IcebergCatalog icebergCatalog = mock(IcebergCatalog.class);
+    when(localCatalogFactory.createCatalog(any())).thenReturn(icebergCatalog);
+
+    StorageAccessConfig storageAccessConfig =
+        StorageAccessConfig.builder()
+            .putCredential("fake.access.key", "AKIAFAKE")
+            .putCredential("fake.secret.key", "fakeSecret")
+            .build();
+    when(storageAccessConfigProvider.getStorageAccessConfig(any(), any(), 
any(), any(), any()))
+        .thenReturn(storageAccessConfig);
+
+    IcebergCatalogHandler handler = newHandler();
+
+    ImmutableLoadCredentialsResponse response = 
handler.loadCredentials(TABLE2, Optional.empty());
+
+    // The whole point of the optimized path is to skip loadTable on the 
underlying catalog.
+    verify(icebergCatalog, never()).loadTable(any());
+    assertThat(response.credentials())
+        .singleElement()
+        .satisfies(
+            (Credential c) -> {
+              assertThat(c.prefix()).isEqualTo(tableLocation);
+              
assertThat(c.config()).containsExactlyInAnyOrderEntriesOf(fakeCredentials);
+            });
+  }
+}

Review Comment:
   Minor: Worth a third case for the `baseLocation == null` branch (handler 
line ~784, entity present but no LOCATION in internal properties → also falls 
back to full loadTable). Cheap to add given the harness you've built here, and 
it locks in the backfill-fallback behavior the comment in the handler 
explicitly calls out.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to