JayavarmaS318 commented on issue #4595:
URL: https://github.com/apache/polaris/issues/4595#issuecomment-4628557436

   Hi @dimas-b, thanks for reviewing the issue.
   
   The `SKIP_CREDENTIAL_SUBSCOPING_INDIRECTION` is documented as a way to 
bypass the credential vending path - the flag name says credential subscoping. 
It says nothing about suppressing storage addressing properties. The current 
early-return path returns a fully empty StorageAccessConfig, which discards not 
just credentials (intentional) but also:
     
     - `s3.endpoint` — where the object store is
     - `s3.path-style-access` — how to address buckets
     - `s3.region` — which region to route to
     
   These are not credentials. They are the addressing configuration that 
S3FileIO needs to construct the correct URL scheme regardless of who supplies 
the credentials. On S3-compatible stores (MinIO, RustFS, Nutanix Objects) that 
require path-style access, dropping these silently causes S3FileIO to fall back 
to virtual-hosted-style addressing, producing TLS failures when the certificate 
covers only the base hostname - exactly the error in 
[#4595](https://github.com/apache/polaris/issues/4595).
     
   During our experimentation, `stsUnavailable` was set to true in this 
path, which further reinforces that the intent is to skip credential vending, 
not to strip addressing config.
     
   The fix is minimal and surgical: when the skip path is taken, it calls 
buildStoragePropertiesOnlyConfig() which extracts only the non-credential 
storage properties. No credentials are vended. The credential-skipping intent 
is fully preserved - only the addressing config is surfaced, which is what 
S3FileIO needs to work correctly.
     
   Happy to add a test that demonstrates the regression on a standard MinIO 
setup if that would help.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
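
The failure mode described in the comment above, as an added example that is not part of the original comment and not Polaris or Iceberg code. The filter name `storage_properties_only`, the credential key list, the client-side endpoint setting, and all sample values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed credential keys; every other key is treated as addressing config.
CREDENTIAL_KEYS = {"s3.access-key-id", "s3.secret-access-key", "s3.session-token"}

def storage_properties_only(props):
    """Hypothetical filter: keep non-credential storage properties, drop credentials."""
    return {k: v for k, v in props.items() if k not in CREDENTIAL_KEYS}

def request_host(props, bucket):
    """Host an S3 client would connect to for `bucket` under the given properties."""
    host = urlsplit(props["s3.endpoint"]).hostname
    path_style = props.get("s3.path-style-access", "false").lower() == "true"
    return host if path_style else f"{bucket}.{host}"

def cert_covers(host, sans):
    """Simplified name check: exact match, or '*.' wildcard for one leftmost label."""
    host = host.lower()
    for san in (s.lower() for s in sans):
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False

# Constructed sample values, not taken from the issue.
FULL = {
    "s3.endpoint": "https://minio.example.internal:9000",
    "s3.path-style-access": "true",
    "s3.region": "us-east-1",
    "s3.access-key-id": "EXAMPLEKEY",
    "s3.secret-access-key": "EXAMPLESECRET",
}
CLIENT_ENDPOINT = {"s3.endpoint": FULL["s3.endpoint"]}  # assumed client-side setting
CERT_SANS = ["minio.example.internal"]  # certificate covers only the base hostname

def diagnose(server_props, bucket="warehouse"):
    """Merge server-returned properties over the client's and test the TLS name."""
    host = request_host({**CLIENT_ENDPOINT, **server_props}, bucket)
    return host, cert_covers(host, CERT_SANS)

if __name__ == "__main__":
    print("empty config:   ", diagnose({}))
    print("properties only:", diagnose(storage_properties_only(FULL)))
```

With the empty config the client falls back to a bucket-prefixed hostname that the certificate does not cover; with the properties-only config the path-style host matches and no credential keys are returned.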
