JayavarmaS318 opened a new issue, #4595:
URL: https://github.com/apache/polaris/issues/4595
## Summary
When `SKIP_CREDENTIAL_SUBSCOPING_INDIRECTION` is enabled,
`StorageAccessConfigProvider.getStorageAccessConfig()` returns an **empty**
`StorageAccessConfig`, silently discarding the S3 endpoint, path-style-access,
and region properties that `AwsCredentialsStorageIntegration` would otherwise
populate.
This causes Iceberg's `S3FileIO` to fall back to **virtual-hosted-style
addressing** (e.g. `bucket.s3-endpoint.example.com`). When the storage endpoint
certificate covers only the base hostname (not a wildcard), TLS validation
fails with a PKIX path-building error — appearing as a cert trust problem but
actually being a hostname mismatch.
## Affected operations
Any operation where Polaris writes table metadata to S3 using `S3FileIO` —
most visibly **CTAS (CREATE TABLE AS SELECT)** and **CREATE TABLE** — fails
with:
```
Server error: SdkClientException: Unable to execute HTTP request:
(certificate_unknown) PKIX path building failed: unable to find valid
certification path to requested target
```
## Root cause
In `StorageAccessConfigProvider.java`:
```java
if (skipCredentialSubscopingIndirection) {
  return StorageAccessConfig.builder().build(); // empty — loses endpoint/path-style/region
}
```
The early return skips the code in `AwsCredentialsStorageIntegration` that
sets `s3.endpoint`, `s3.path-style-access`, and `client.region` on the access
config.
## Fix
When subscoping is skipped, extract the non-credential storage properties
from `AwsStorageConfigurationInfo` and return them in the `StorageAccessConfig`
so `S3FileIO` uses the correct endpoint addressing.
## Environment
- Apache Polaris 1.5.0
- S3-compatible storage with `SKIP_CREDENTIAL_SUBSCOPING_INDIRECTION=true`
and `pathStyleAccess=true`
- Storage endpoint certificate covers only the base host (no wildcard SAN)
## Checklist
- [x] Root cause identified
- [x] Fix implemented in `StorageAccessConfigProvider`
- [x] Regression test added (`RestCatalogSkipSubscopingMinIOIT`)
- [x] Fix verified in production deployment (CTAS succeeds after patch)
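The two behaviours the report ties together, addressing style and TLS hostname verification, modelled offline as an added example (not Polaris, Iceberg or AWS SDK code). The property keys `s3.endpoint`, `s3.path-style-access` and `client.region` are the ones named in the issue; the endpoint `s3-endpoint.example.com`, bucket `warehouse`, the SAN list and the assumption that the client already knows the endpoint from its own catalog configuration are constructed for the example. `san_matches` follows RFC 6125 single-label wildcard rules so the same check can be reused against a real certificate's SAN list:

```python
"""Offline model of why an empty StorageAccessConfig surfaces as a PKIX error.

Added example, not Polaris or Iceberg code. It reproduces two things from the
issue: which hostname an S3 client contacts under each addressing style, and
whether that hostname is covered by the endpoint certificate's SANs.
"""
from urllib.parse import urlsplit

# Property keys as named in the issue; all values are constructed sample data.
STORAGE_CONFIG = {
    "s3.endpoint": "https://s3-endpoint.example.com",
    "s3.path-style-access": "true",
    "client.region": "us-east-1",
}
# Assumption: the client already knows the endpoint from its own catalog
# configuration, so only the addressing style is lost when the access config is empty.
CLIENT_DEFAULTS = {"s3.endpoint": STORAGE_CONFIG["s3.endpoint"]}
BUCKET = "warehouse"                                   # constructed
ENDPOINT_SANS = ["s3-endpoint.example.com"]            # constructed: base host only, no wildcard

BUGGY_ACCESS_CONFIG: dict = {}                         # what StorageAccessConfig.builder().build() yields
FIXED_ACCESS_CONFIG = dict(STORAGE_CONFIG)             # non-credential properties carried over


def uses_path_style(props: dict) -> bool:
    """S3 clients default to virtual-hosted addressing unless path-style is enabled."""
    return props.get("s3.path-style-access", "false").lower() == "true"


def request_host(endpoint: str, bucket: str, path_style: bool) -> str:
    """Hostname the TLS handshake is performed against.

    path-style:     https://s3-endpoint.example.com/warehouse/key
    virtual-hosted: https://warehouse.s3-endpoint.example.com/key
    """
    host = urlsplit(endpoint).hostname
    if host is None:
        raise ValueError(f"endpoint has no host: {endpoint!r}")
    return host if path_style else f"{bucket}.{host}"


def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style DNS-ID matching: exact match, or a single leading '*'
    label that stands for exactly one host label. No partial wildcards,
    and the wildcard never matches the bare parent domain."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    if san.startswith("*.") and "*" not in san[2:]:
        parent = san[2:]
        host_labels = host.split(".")
        return parent.count(".") >= 1 and ".".join(host_labels[1:]) == parent
    return False


def hostname_verifies(host: str, sans: list) -> bool:
    """True when any SAN covers the host."""
    return any(san_matches(san, host) for san in sans)


def diagnose(access_config: dict, bucket: str = BUCKET, sans: list = ENDPOINT_SANS) -> dict:
    """Work out the contacted host and whether the cert covers it, and say
    whether a failure is a trust problem or only the addressing style."""
    props = {**CLIENT_DEFAULTS, **access_config}
    path_style = uses_path_style(props)
    host = request_host(props["s3.endpoint"], bucket, path_style)
    tls_ok = hostname_verifies(host, sans)
    if tls_ok:
        verdict = "ok"
    elif not path_style and hostname_verifies(request_host(props["s3.endpoint"], bucket, True), sans):
        verdict = ("hostname mismatch: the certificate covers the base host only; "
                   "fix by passing s3.path-style-access=true, not by adding the cert to a truststore")
    else:
        verdict = "certificate does not cover the endpoint host at all"
    return {"host": host, "path_style": path_style, "tls_ok": tls_ok, "verdict": verdict}


if __name__ == "__main__":
    for label, cfg in (("buggy (empty access config)", BUGGY_ACCESS_CONFIG),
                       ("fixed (properties carried over)", FIXED_ACCESS_CONFIG)):
        print(label, diagnose(cfg))
```

Running `diagnose` on the empty config yields the virtual-hosted host `warehouse.s3-endpoint.example.com`, which no SAN covers, while the same bucket under path-style addressing verifies; that distinction is what separates this report's "PKIX path building failed" from a genuine untrusted-CA problem, and why importing the endpoint certificate into a truststore would not have helped.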