JayavarmaS318 opened a new pull request, #4596:
URL: https://github.com/apache/polaris/pull/4596

   ## Summary
   
   Fixes #4595
   
   When `SKIP_CREDENTIAL_SUBSCOPING_INDIRECTION` is enabled, 
`StorageAccessConfigProvider.getStorageAccessConfig()` returned an empty 
`StorageAccessConfig`, silently discarding the S3 endpoint, 
`path-style-access`, and region properties. This caused `S3FileIO` to use 
**virtual-hosted-style addressing** (`bucket.s3-endpoint.example.com`), which 
fails TLS validation when the certificate covers only the base hostname.
   
   The error manifests as a misleading PKIX path-building failure on CTAS and 
CREATE TABLE operations.
   
   ## Root cause
   
   ```java
   // StorageAccessConfigProvider.java — before fix
   if (skipCredentialSubscopingIndirection) {
       return StorageAccessConfig.builder().build(); // empty: loses endpoint/path-style/region
   }
   ```
   
   The early-return path bypassed `AwsCredentialsStorageIntegration`'s 
endpoint/path-style population code entirely.
   
   ## Changes
   
   - **`StorageAccessConfigProvider`**: add 
`buildStoragePropertiesOnlyConfig()` — when subscoping is skipped, extract 
`s3.endpoint`, `s3.path-style-access`, and `client.region` from 
`AwsStorageConfigurationInfo` and return them in the `StorageAccessConfig`.
   - **`RestCatalogSkipSubscopingMinIOIT`**: new integration test running 
against MinIO with `SKIP_CREDENTIAL_SUBSCOPING_INDIRECTION=true` that 
reproduces the failure and verifies the fix.
   
   ## Testing
   
   - New integration test `RestCatalogSkipSubscopingMinIOIT` exercises the 
exact failure scenario (path-style S3-compatible endpoint + subscoping skipped).
   - Fix verified in production against a ZeroSSL-certified S3-compatible 
endpoint: CTAS succeeds after patch, failed before.
   
   ## Notes
   
   > This contribution was developed with AI assistance (Kiro). The author 
understands the implementation end-to-end and is responsible for the change.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
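
Added example (not part of the pull request or the Polaris code base): a small model of why losing `s3.path-style-access` changes the hostname that TLS has to validate. The endpoint, bucket name and certificate SAN lists are constructed sample values, and `san_matches` is a simplified form of the RFC 6125 wildcard rule, not the JDK's verifier.

```python
from urllib.parse import urlsplit


def request_host(endpoint: str, bucket: str, path_style: bool) -> str:
    """Hostname an S3 client connects to, and TLS must validate, for a bucket request."""
    host = urlsplit(endpoint).hostname
    # Path-style keeps the bucket in the URL path; virtual-hosted-style
    # moves it into the hostname as an extra left-most label.
    return host if path_style else f"{bucket}.{host}"


def san_matches(pattern: str, host: str) -> bool:
    """Simplified RFC 6125 match: '*' only as the whole left-most label, one label deep."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def tls_name_ok(endpoint: str, bucket: str, path_style: bool, sans: list) -> tuple:
    """Return (host the client will use, whether any certificate SAN covers it)."""
    host = request_host(endpoint, bucket, path_style)
    return host, any(san_matches(s, host) for s in sans)


# Constructed sample values, mirroring the hostnames used in the description above.
ENDPOINT = "https://s3-endpoint.example.com"
BUCKET = "bucket"
BASE_ONLY_SANS = ["s3-endpoint.example.com"]        # certificate covers only the base hostname
WILDCARD_SANS = ["s3-endpoint.example.com", "*.s3-endpoint.example.com"]

if __name__ == "__main__":
    cases = (
        ("s3.path-style-access=true reaches the client", True),
        ("property dropped, client uses virtual-hosted-style", False),
    )
    for label, path_style in cases:
        host, ok = tls_name_ok(ENDPOINT, BUCKET, path_style, BASE_ONLY_SANS)
        print(f"{label}: host={host} covered_by_cert={ok}")
```

With the base-hostname-only certificate, only the path-style request host is covered; a certificate that also carries a one-level wildcard SAN would cover the virtual-hosted name, but not a bucket name that itself contains a dot.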
