Copilot commented on code in PR #3230:
URL: https://github.com/apache/doris-website/pull/3230#discussion_r2647799698
##########
i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/lakehouse/best-practices/doris-lakekeeper.md:
##########
@@ -0,0 +1,412 @@
+---
+{
+ "title": "集成 Lakekeeper",
+ "language": "zh-CN"
+}
+---
+
+[Lakekeeper](https://lakekeeper.io/) 是一个基于 Rust 实现的开源 Apache Iceberg REST
Catalog 服务。它提供了轻量级、高性能的元数据管理服务,支持多种存储后端,包括 AWS S3、阿里云 OSS、MinIO 等。
+
+本文将详细介绍如何将 Apache Doris 与 Lakekeeper 进行集成,实现对 Iceberg
数据的高效查询与管理。我们将一步步带你完成从环境准备到最终查询的全过程。
+
+**通过本文档,你将可以快速了解:**
+
+* **AWS 环境准备**:如何在 AWS 中创建并配置 S3 存储桶,以及为 Lakekeeper 准备必须的 IAM 角色和策略,使得
Lakekeeper 能够访问 S3,并能向 Doris 下发访问凭证。
+
+* **Lakekeeper 部署与配置**:如何使用 Docker Compose 部署 Lakekeeper 服务,并在 Lakekeeper 中创建
Project 和 Warehouse,为 Doris 提供元数据访问端点。
+
+* **Doris 连接 Lakekeeper**:演示两种核心的底层存储访问方式:
+
+ 1. Doris 直接使用静态 AK/SK 访问对象存储
+ 2. 由 Lakekeeper 发放临时 AK/SK(凭证发放机制,Credential Vending)
+
+## 1. AWS 环境准备
+
+在开始之前,我们需要在 AWS 上准备好 S3 存储桶和相应的 IAM 角色,这是 Lakekeeper 管理数据和 Doris 访问数据的基础。
+
+### 1.1 创建 S3 存储桶
+
+首先,我们创建一个名为 `lakekeeper-doris-demo` 的 S3 Bucket,用于存放后续创建的 Iceberg 表数据。
+
+```bash
+# 创建 S3 存储桶
+aws s3 mb s3://lakekeeper-doris-demo --region us-east-1
+# 验证存储桶创建成功
+aws s3 ls | grep lakekeeper-doris-demo
+```
+
+### 1.2 创建访问对象存储的 IAM Role
+
+为了实现安全的凭证管理,我们需要创建一个 IAM 角色供 Lakekeeper 通过 STS AssumeRole
机制使用。这个设计遵循了最小权限原则和职责分离的安全最佳实践。
+
+1. 创建信任策略文件
+
+ 创建 `lakekeeper-trust-policy.json` 文件:
+
+ ```bash
+ cat > lakekeeper-trust-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:user/YOUR_USER"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+ }
+ EOF
+ ```
+
+ > 注意:请将 YOUR\_ACCOUNT\_ID 替换为您的实际 AWS 账户 ID,可通过 `aws sts
get-caller-identity --query Account --output text` 获取。将 YOUR\_USER 替换为实际的 IAM
用户名。
+
+2. 创建 IAM Role
+
+ ```bash
+ aws iam create-role \
+ --role-name lakekeeper-sts-role \
+ --assume-role-policy-document file://lakekeeper-trust-policy.json \
+ --description "IAM Role for Lakekeeper to access S3 storage"
+ ```
+
+3. 附加 S3 访问权限策略
+
+ 创建 `lakekeeper-s3-policy.json` 文件:
+
+ ```bash
+ cat > lakekeeper-s3-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetBucketLocation",
+ "s3:ListBucketMultipartUploads",
+ "s3:ListMultipartUploadParts",
+ "s3:AbortMultipartUpload",
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::lakekeeper-doris-demo",
+ "arn:aws:s3:::lakekeeper-doris-demo/*"
+ ]
+ }]
+ }
+ EOF
+ ```
+
+ 附加策略到角色:
+
+ ```bash
+ aws iam put-role-policy \
+ --role-name lakekeeper-sts-role \
+ --policy-name lakekeeper-s3-access \
+ --policy-document file://lakekeeper-s3-policy.json
+ ```
+
+4. 为用户授予 AssumeRole 权限
+
+ ```bash
+ cat > user-assume-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": "sts:AssumeRole",
+ "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:role/lakekeeper-sts-role"
+ }]
+ }
+ EOF
+
+ aws iam put-user-policy \
+ --user-name YOUR_USER \
+ --policy-name allow-assume-lakekeeper-role \
+ --policy-document file://user-assume-policy.json
+ ```
+
+5. 验证创建结果
+
+ ```bash
+ aws iam get-role --role-name lakekeeper-sts-role
+ aws iam list-role-policies --role-name lakekeeper-sts-role
+
+ # 验证 AssumeRole 是否可用
+ aws sts assume-role \
+ --role-arn arn:aws:iam::YOUR_ACCOUNT_ID:role/lakekeeper-sts-role \
+ --role-session-name lakekeeper-test
+ ```
+
+## 2. Lakekeeper 部署与 Warehouse 创建
+
+环境准备就绪后,我们开始部署 Lakekeeper 服务并配置 Warehouse。
+
+### 2.1 使用 Docker Compose 部署 Lakekeeper
+
+创建 `docker-compose.yml` 文件:
+
+```yaml
+services:
+ db:
+ image: postgres:17
+ environment:
+ POSTGRES_PASSWORD: postgres
+ volumes:
+ - pgdata:/var/lib/postgresql/data
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U postgres -p 5432 -d postgres"]
+ interval: 2s
+ timeout: 10s
+ retries: 10
+
+ migrate:
+ image: quay.io/lakekeeper/catalog:latest-main
+ restart: "no"
+ environment:
+ -
LAKEKEEPER__PG_DATABASE_URL_READ=postgresql://postgres:postgres@db:5432/postgres
+ -
LAKEKEEPER__PG_DATABASE_URL_WRITE=postgresql://postgres:postgres@db:5432/postgres
+ - LAKEKEEPER__PG_ENCRYPTION_KEY=CHANGE_ME_TO_A_LONG_RANDOM_SECRET
Review Comment:
The placeholder value "CHANGE_ME_TO_A_LONG_RANDOM_SECRET" appears in the
example configuration. While this is clearly marked as a placeholder, consider
adding a warning comment or note immediately after this code block to emphasize
that this value MUST be changed before production use, as it's a
security-sensitive encryption key.
##########
i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/lakehouse/best-practices/doris-lakekeeper.md:
##########
@@ -0,0 +1,412 @@
+---
+{
+ "title": "集成 Lakekeeper",
+ "language": "zh-CN"
+}
+---
+
+[Lakekeeper](https://lakekeeper.io/) 是一个基于 Rust 实现的开源 Apache Iceberg REST
Catalog 服务。它提供了轻量级、高性能的元数据管理服务,支持多种存储后端,包括 AWS S3、阿里云 OSS、MinIO 等。
+
+本文将详细介绍如何将 Apache Doris 与 Lakekeeper 进行集成,实现对 Iceberg
数据的高效查询与管理。我们将一步步带你完成从环境准备到最终查询的全过程。
+
+**通过本文档,你将可以快速了解:**
+
+* **AWS 环境准备**:如何在 AWS 中创建并配置 S3 存储桶,以及为 Lakekeeper 准备必须的 IAM 角色和策略,使得
Lakekeeper 能够访问 S3,并能向 Doris 下发访问凭证。
+
+* **Lakekeeper 部署与配置**:如何使用 Docker Compose 部署 Lakekeeper 服务,并在 Lakekeeper 中创建
Project 和 Warehouse,为 Doris 提供元数据访问端点。
+
+* **Doris 连接 Lakekeeper**:演示两种核心的底层存储访问方式:
+
+ 1. Doris 直接使用静态 AK/SK 访问对象存储
+ 2. 由 Lakekeeper 发放临时 AK/SK(凭证发放机制,Credential Vending)
+
+## 1. AWS 环境准备
+
+在开始之前,我们需要在 AWS 上准备好 S3 存储桶和相应的 IAM 角色,这是 Lakekeeper 管理数据和 Doris 访问数据的基础。
+
+### 1.1 创建 S3 存储桶
+
+首先,我们创建一个名为 `lakekeeper-doris-demo` 的 S3 Bucket,用于存放后续创建的 Iceberg 表数据。
+
+```bash
+# 创建 S3 存储桶
+aws s3 mb s3://lakekeeper-doris-demo --region us-east-1
+# 验证存储桶创建成功
+aws s3 ls | grep lakekeeper-doris-demo
+```
+
+### 1.2 创建访问对象存储的 IAM Role
+
+为了实现安全的凭证管理,我们需要创建一个 IAM 角色供 Lakekeeper 通过 STS AssumeRole
机制使用。这个设计遵循了最小权限原则和职责分离的安全最佳实践。
+
+1. 创建信任策略文件
+
+ 创建 `lakekeeper-trust-policy.json` 文件:
+
+ ```bash
+ cat > lakekeeper-trust-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:user/YOUR_USER"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+ }
+ EOF
+ ```
+
+ > 注意:请将 YOUR\_ACCOUNT\_ID 替换为您的实际 AWS 账户 ID,可通过 `aws sts
get-caller-identity --query Account --output text` 获取。将 YOUR\_USER 替换为实际的 IAM
用户名。
+
+2. 创建 IAM Role
+
+ ```bash
+ aws iam create-role \
+ --role-name lakekeeper-sts-role \
+ --assume-role-policy-document file://lakekeeper-trust-policy.json \
+ --description "IAM Role for Lakekeeper to access S3 storage"
+ ```
+
+3. 附加 S3 访问权限策略
+
+ 创建 `lakekeeper-s3-policy.json` 文件:
+
+ ```bash
+ cat > lakekeeper-s3-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetBucketLocation",
+ "s3:ListBucketMultipartUploads",
+ "s3:ListMultipartUploadParts",
+ "s3:AbortMultipartUpload",
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::lakekeeper-doris-demo",
+ "arn:aws:s3:::lakekeeper-doris-demo/*"
+ ]
+ }]
+ }
+ EOF
+ ```
+
+ 附加策略到角色:
+
+ ```bash
+ aws iam put-role-policy \
+ --role-name lakekeeper-sts-role \
+ --policy-name lakekeeper-s3-access \
+ --policy-document file://lakekeeper-s3-policy.json
+ ```
+
+4. 为用户授予 AssumeRole 权限
+
+ ```bash
+ cat > user-assume-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": "sts:AssumeRole",
+ "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:role/lakekeeper-sts-role"
+ }]
+ }
+ EOF
+
+ aws iam put-user-policy \
+ --user-name YOUR_USER \
+ --policy-name allow-assume-lakekeeper-role \
+ --policy-document file://user-assume-policy.json
+ ```
+
+5. 验证创建结果
+
+ ```bash
+ aws iam get-role --role-name lakekeeper-sts-role
+ aws iam list-role-policies --role-name lakekeeper-sts-role
+
+ # 验证 AssumeRole 是否可用
+ aws sts assume-role \
+ --role-arn arn:aws:iam::YOUR_ACCOUNT_ID:role/lakekeeper-sts-role \
+ --role-session-name lakekeeper-test
+ ```
+
+## 2. Lakekeeper 部署与 Warehouse 创建
+
+环境准备就绪后,我们开始部署 Lakekeeper 服务并配置 Warehouse。
+
+### 2.1 使用 Docker Compose 部署 Lakekeeper
+
+创建 `docker-compose.yml` 文件:
+
+```yaml
+services:
+ db:
+ image: postgres:17
+ environment:
+ POSTGRES_PASSWORD: postgres
+ volumes:
+ - pgdata:/var/lib/postgresql/data
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U postgres -p 5432 -d postgres"]
+ interval: 2s
+ timeout: 10s
+ retries: 10
+
+ migrate:
+ image: quay.io/lakekeeper/catalog:latest-main
+ restart: "no"
+ environment:
+ -
LAKEKEEPER__PG_DATABASE_URL_READ=postgresql://postgres:postgres@db:5432/postgres
+ -
LAKEKEEPER__PG_DATABASE_URL_WRITE=postgresql://postgres:postgres@db:5432/postgres
+ - LAKEKEEPER__PG_ENCRYPTION_KEY=CHANGE_ME_TO_A_LONG_RANDOM_SECRET
+ - RUST_LOG=info
+ command: ["migrate"]
+ depends_on:
+ db:
+ condition: service_healthy
+
+ lakekeeper:
+ image: quay.io/lakekeeper/catalog:latest-main
+ environment:
+ -
LAKEKEEPER__PG_DATABASE_URL_READ=postgresql://postgres:postgres@db:5432/postgres
+ -
LAKEKEEPER__PG_DATABASE_URL_WRITE=postgresql://postgres:postgres@db:5432/postgres
+ - LAKEKEEPER__PG_ENCRYPTION_KEY=CHANGE_ME_TO_A_LONG_RANDOM_SECRET
Review Comment:
The encryption key "CHANGE_ME_TO_A_LONG_RANDOM_SECRET" is duplicated on line
184. This creates a security risk if users copy-paste the configuration without
changing both values. Consider adding a note that emphasizes both occurrences
must use the same value and must be changed from the default.
##########
versioned_docs/version-4.x/lakehouse/best-practices/doris-lakekeeper.md:
##########
@@ -0,0 +1,412 @@
+---
+{
+ "title": "Integration with Lakekeeper",
+ "language": "en"
+}
+---
+
+[Lakekeeper](https://lakekeeper.io/) is an open-source Apache Iceberg REST
Catalog implementation written in Rust. It provides a lightweight,
high-performance metadata management service that supports multiple storage
backends including AWS S3, Alibaba Cloud OSS, and MinIO.
+
+This article will guide you through integrating Apache Doris with Lakekeeper
to achieve efficient querying and management of Iceberg data. We will take you
through the entire process from environment preparation to final querying step
by step.
+
+**Through this document, you will learn:**
+
+* **AWS Environment Preparation**: How to create and configure S3 storage
buckets in AWS, and prepare necessary IAM roles and policies for Lakekeeper,
enabling Lakekeeper to access S3 and distribute access credentials to Doris.
+
+* **Lakekeeper Deployment and Configuration**: How to deploy Lakekeeper
service using Docker Compose, and create Project and Warehouse in Lakekeeper to
provide metadata access endpoints for Doris.
+
+* **Doris Connection to Lakekeeper**: Demonstrates two core underlying storage
access methods:
+
+ 1. Doris directly using static AK/SK to access object storage
+ 2. Temporary AK/SK issued by Lakekeeper (Credential Vending mechanism)
+
+## 1. AWS Environment Preparation
+
+Before we begin, we need to prepare S3 storage buckets and corresponding IAM
roles on AWS, which forms the foundation for Lakekeeper to manage data and
Doris to access data.
+
+### 1.1 Create S3 Storage Bucket
+
+First, we create an S3 Bucket named `lakekeeper-doris-demo` to store Iceberg
table data that will be created later.
+
+```bash
+# Create S3 storage bucket
+aws s3 mb s3://lakekeeper-doris-demo --region us-east-1
+# Verify bucket creation success
+aws s3 ls | grep lakekeeper-doris-demo
+```
+
+### 1.2 Create IAM Role for Object Storage Access
+
+To implement secure credential management, we need to create an IAM role for
Lakekeeper to use through the STS AssumeRole mechanism. This design follows the
security best practices of least privilege principle and separation of duties.
+
+1. Create trust policy file
+
+ Create `lakekeeper-trust-policy.json` file:
+
+ ```bash
+ cat > lakekeeper-trust-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:user/YOUR_USER"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+ }
+ EOF
+ ```
+
+ > Note: Please replace YOUR\_ACCOUNT\_ID with your actual AWS Account ID,
which can be obtained via `aws sts get-caller-identity --query Account --output
text`. Replace YOUR\_USER with the actual IAM username.
+
+2. Create IAM Role
+
+ ```bash
+ aws iam create-role \
+ --role-name lakekeeper-sts-role \
+ --assume-role-policy-document file://lakekeeper-trust-policy.json \
+ --description "IAM Role for Lakekeeper to access S3 storage"
+ ```
+
+3. Attach S3 access permission policy
+
+ Create `lakekeeper-s3-policy.json` file:
+
+ ```bash
+ cat > lakekeeper-s3-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetBucketLocation",
+ "s3:ListBucketMultipartUploads",
+ "s3:ListMultipartUploadParts",
+ "s3:AbortMultipartUpload",
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::lakekeeper-doris-demo",
+ "arn:aws:s3:::lakekeeper-doris-demo/*"
+ ]
+ }]
+ }
+ EOF
+ ```
+
+ Attach the policy to the role:
+
+ ```bash
+ aws iam put-role-policy \
+ --role-name lakekeeper-sts-role \
+ --policy-name lakekeeper-s3-access \
+ --policy-document file://lakekeeper-s3-policy.json
+ ```
+
+4. Grant AssumeRole permission to the user
+
+ ```bash
+ cat > user-assume-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": "sts:AssumeRole",
+ "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:role/lakekeeper-sts-role"
+ }]
+ }
+ EOF
+
+ aws iam put-user-policy \
+ --user-name YOUR_USER \
+ --policy-name allow-assume-lakekeeper-role \
+ --policy-document file://user-assume-policy.json
+ ```
+
+5. Verify creation results
+
+ ```bash
+ aws iam get-role --role-name lakekeeper-sts-role
+ aws iam list-role-policies --role-name lakekeeper-sts-role
+
+ # Verify AssumeRole is available
+ aws sts assume-role \
+ --role-arn arn:aws:iam::YOUR_ACCOUNT_ID:role/lakekeeper-sts-role \
+ --role-session-name lakekeeper-test
+ ```
+
+## 2. Lakekeeper Deployment and Warehouse Creation
+
+After environment preparation is complete, we begin deploying the Lakekeeper
service and configuring the Warehouse.
+
+### 2.1 Deploy Lakekeeper Using Docker Compose
+
+Create a `docker-compose.yml` file:
+
+```yaml
+services:
+ db:
+ image: postgres:17
+ environment:
+ POSTGRES_PASSWORD: postgres
+ volumes:
+ - pgdata:/var/lib/postgresql/data
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U postgres -p 5432 -d postgres"]
+ interval: 2s
+ timeout: 10s
+ retries: 10
+
+ migrate:
+ image: quay.io/lakekeeper/catalog:latest-main
+ restart: "no"
+ environment:
+ -
LAKEKEEPER__PG_DATABASE_URL_READ=postgresql://postgres:postgres@db:5432/postgres
+ -
LAKEKEEPER__PG_DATABASE_URL_WRITE=postgresql://postgres:postgres@db:5432/postgres
+ - LAKEKEEPER__PG_ENCRYPTION_KEY=CHANGE_ME_TO_A_LONG_RANDOM_SECRET
Review Comment:
The placeholder value "CHANGE_ME_TO_A_LONG_RANDOM_SECRET" appears in the
example configuration. While this is clearly marked as a placeholder, consider
adding a warning comment or note immediately after this code block to emphasize
that this value MUST be changed before production use, as it's a
security-sensitive encryption key.
##########
versioned_docs/version-4.x/lakehouse/best-practices/doris-lakekeeper.md:
##########
@@ -0,0 +1,412 @@
+---
+{
+ "title": "Integration with Lakekeeper",
+ "language": "en"
+}
+---
+
+[Lakekeeper](https://lakekeeper.io/) is an open-source Apache Iceberg REST
Catalog implementation written in Rust. It provides a lightweight,
high-performance metadata management service that supports multiple storage
backends including AWS S3, Alibaba Cloud OSS, and MinIO.
+
+This article will guide you through integrating Apache Doris with Lakekeeper
to achieve efficient querying and management of Iceberg data. We will take you
through the entire process from environment preparation to final querying step
by step.
+
+**Through this document, you will learn:**
+
+* **AWS Environment Preparation**: How to create and configure S3 storage
buckets in AWS, and prepare necessary IAM roles and policies for Lakekeeper,
enabling Lakekeeper to access S3 and distribute access credentials to Doris.
+
+* **Lakekeeper Deployment and Configuration**: How to deploy Lakekeeper
service using Docker Compose, and create Project and Warehouse in Lakekeeper to
provide metadata access endpoints for Doris.
+
+* **Doris Connection to Lakekeeper**: Demonstrates two core underlying storage
access methods:
+
+ 1. Doris directly using static AK/SK to access object storage
+ 2. Temporary AK/SK issued by Lakekeeper (Credential Vending mechanism)
+
+## 1. AWS Environment Preparation
+
+Before we begin, we need to prepare S3 storage buckets and corresponding IAM
roles on AWS, which forms the foundation for Lakekeeper to manage data and
Doris to access data.
+
+### 1.1 Create S3 Storage Bucket
+
+First, we create an S3 Bucket named `lakekeeper-doris-demo` to store Iceberg
table data that will be created later.
+
+```bash
+# Create S3 storage bucket
+aws s3 mb s3://lakekeeper-doris-demo --region us-east-1
+# Verify bucket creation success
+aws s3 ls | grep lakekeeper-doris-demo
+```
+
+### 1.2 Create IAM Role for Object Storage Access
+
+To implement secure credential management, we need to create an IAM role for
Lakekeeper to use through the STS AssumeRole mechanism. This design follows the
security best practices of least privilege principle and separation of duties.
+
+1. Create trust policy file
+
+ Create `lakekeeper-trust-policy.json` file:
+
+ ```bash
+ cat > lakekeeper-trust-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:user/YOUR_USER"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+ }
+ EOF
+ ```
+
+ > Note: Please replace YOUR\_ACCOUNT\_ID with your actual AWS Account ID,
which can be obtained via `aws sts get-caller-identity --query Account --output
text`. Replace YOUR\_USER with the actual IAM username.
+
+2. Create IAM Role
+
+ ```bash
+ aws iam create-role \
+ --role-name lakekeeper-sts-role \
+ --assume-role-policy-document file://lakekeeper-trust-policy.json \
+ --description "IAM Role for Lakekeeper to access S3 storage"
+ ```
+
+3. Attach S3 access permission policy
+
+ Create `lakekeeper-s3-policy.json` file:
+
+ ```bash
+ cat > lakekeeper-s3-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetBucketLocation",
+ "s3:ListBucketMultipartUploads",
+ "s3:ListMultipartUploadParts",
+ "s3:AbortMultipartUpload",
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::lakekeeper-doris-demo",
+ "arn:aws:s3:::lakekeeper-doris-demo/*"
+ ]
+ }]
+ }
+ EOF
+ ```
+
+ Attach the policy to the role:
+
+ ```bash
+ aws iam put-role-policy \
+ --role-name lakekeeper-sts-role \
+ --policy-name lakekeeper-s3-access \
+ --policy-document file://lakekeeper-s3-policy.json
+ ```
+
+4. Grant AssumeRole permission to the user
+
+ ```bash
+ cat > user-assume-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": "sts:AssumeRole",
+ "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:role/lakekeeper-sts-role"
+ }]
+ }
+ EOF
+
+ aws iam put-user-policy \
+ --user-name YOUR_USER \
+ --policy-name allow-assume-lakekeeper-role \
+ --policy-document file://user-assume-policy.json
+ ```
+
+5. Verify creation results
+
+ ```bash
+ aws iam get-role --role-name lakekeeper-sts-role
+ aws iam list-role-policies --role-name lakekeeper-sts-role
+
+ # Verify AssumeRole is available
+ aws sts assume-role \
+ --role-arn arn:aws:iam::YOUR_ACCOUNT_ID:role/lakekeeper-sts-role \
+ --role-session-name lakekeeper-test
+ ```
+
+## 2. Lakekeeper Deployment and Warehouse Creation
+
+After environment preparation is complete, we begin deploying the Lakekeeper
service and configuring the Warehouse.
+
+### 2.1 Deploy Lakekeeper Using Docker Compose
+
+Create a `docker-compose.yml` file:
+
+```yaml
+services:
+ db:
+ image: postgres:17
+ environment:
+ POSTGRES_PASSWORD: postgres
+ volumes:
+ - pgdata:/var/lib/postgresql/data
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U postgres -p 5432 -d postgres"]
+ interval: 2s
+ timeout: 10s
+ retries: 10
+
+ migrate:
+ image: quay.io/lakekeeper/catalog:latest-main
+ restart: "no"
+ environment:
+ -
LAKEKEEPER__PG_DATABASE_URL_READ=postgresql://postgres:postgres@db:5432/postgres
+ -
LAKEKEEPER__PG_DATABASE_URL_WRITE=postgresql://postgres:postgres@db:5432/postgres
+ - LAKEKEEPER__PG_ENCRYPTION_KEY=CHANGE_ME_TO_A_LONG_RANDOM_SECRET
+ - RUST_LOG=info
+ command: ["migrate"]
+ depends_on:
+ db:
+ condition: service_healthy
+
+ lakekeeper:
+ image: quay.io/lakekeeper/catalog:latest-main
+ environment:
+ -
LAKEKEEPER__PG_DATABASE_URL_READ=postgresql://postgres:postgres@db:5432/postgres
+ -
LAKEKEEPER__PG_DATABASE_URL_WRITE=postgresql://postgres:postgres@db:5432/postgres
+ - LAKEKEEPER__PG_ENCRYPTION_KEY=CHANGE_ME_TO_A_LONG_RANDOM_SECRET
+ - LAKEKEEPER__BASE_URI=http://YOUR_HOST_IP:8181
+ - LAKEKEEPER__ENABLE_DEFAULT_PROJECT=true
+ - RUST_LOG=info
+ command: ["serve"]
+ ports:
+ - "8181:8181"
+ depends_on:
+ migrate:
+ condition: service_completed_successfully
+ db:
+ condition: service_healthy
+
+volumes:
+ pgdata:
+```
+
+**Key Configuration Parameters:**
+
+| Parameter | Description |
+| --------- | ----------- |
+| `LAKEKEEPER__PG_ENCRYPTION_KEY` | Used to encrypt sensitive secrets stored
in Postgres when using the default Postgres secret backend. Should be set to a
sufficiently long random string. |
+| `LAKEKEEPER__BASE_URI` | The base URI of the Lakekeeper service. Replace
`YOUR_HOST_IP` with your actual host IP address. |
+| `LAKEKEEPER__ENABLE_DEFAULT_PROJECT` | When set to `true`, enables the
default project feature. |
+
+Start Lakekeeper:
+
+```bash
+docker compose up -d
+```
+
+After starting, you can access the following endpoints:
+
+* Swagger UI: `http://YOUR_HOST_IP:8181/swagger-ui/`
+* Web UI: `http://YOUR_HOST_IP:8181/ui`
+
+### 2.2 Create Project and Warehouse
+
+1. Create Project
+
+ ```bash
+ curl -i -X POST "http://localhost:8181/management/v1/project"; \
+ -H "Content-Type: application/json" \
+ --data '{"project-name":"default"}'
+ ```
+
+ Verify:
+
+ ```bash
+ curl -s "http://localhost:8181/management/v1/project-list";
+ ```
+
+ Note the `project-id` from the response, which will be used as
`PROJECT_ID` in subsequent steps.
+
+2. Create Warehouse (Static Credentials Mode)
+
+ Create the warehouse configuration file `create-warehouse-static.json`:
+
+ ```bash
+ cat > create-warehouse-static.json <<'JSON'
+ {
+ "warehouse-name": "lakekeeper-warehouse",
+ "storage-profile": {
+ "type": "s3",
+ "bucket": "lakekeeper-doris-demo",
+ "key-prefix": "warehouse",
+ "region": "us-east-1",
+ "endpoint": "https://s3.us-east-1.amazonaws.com";,
+ "sts-enabled": false,
+ "flavor": "aws"
+ },
+ "storage-credential": {
+ "type": "s3",
+ "credential-type": "access-key",
+ "aws-access-key-id": "YOUR_ACCESS_KEY",
+ "aws-secret-access-key": "YOUR_SECRET_KEY"
+ }
Review Comment:
The documentation includes examples with hardcoded AWS credentials
(YOUR_ACCESS_KEY, YOUR_SECRET_KEY) in the JSON configuration files. While these
are placeholders, consider adding a security warning that these credentials
should never be committed to version control and should be managed through
secure secret management systems in production environments.
##########
docs/lakehouse/best-practices/doris-lakekeeper.md:
##########
@@ -0,0 +1,412 @@
+---
+{
+ "title": "Integration with Lakekeeper",
+ "language": "en"
+}
+---
+
+[Lakekeeper](https://lakekeeper.io/) is an open-source Apache Iceberg REST
Catalog implementation written in Rust. It provides a lightweight,
high-performance metadata management service that supports multiple storage
backends including AWS S3, Alibaba Cloud OSS, and MinIO.
+
+This article will guide you through integrating Apache Doris with Lakekeeper
to achieve efficient querying and management of Iceberg data. We will take you
through the entire process from environment preparation to final querying step
by step.
+
+**Through this document, you will learn:**
+
+* **AWS Environment Preparation**: How to create and configure S3 storage
buckets in AWS, and prepare necessary IAM roles and policies for Lakekeeper,
enabling Lakekeeper to access S3 and distribute access credentials to Doris.
+
+* **Lakekeeper Deployment and Configuration**: How to deploy Lakekeeper
service using Docker Compose, and create Project and Warehouse in Lakekeeper to
provide metadata access endpoints for Doris.
+
+* **Doris Connection to Lakekeeper**: Demonstrates two core underlying storage
access methods:
+
+ 1. Doris directly using static AK/SK to access object storage
+ 2. Temporary AK/SK issued by Lakekeeper (Credential Vending mechanism)
+
+## 1. AWS Environment Preparation
+
+Before we begin, we need to prepare S3 storage buckets and corresponding IAM
roles on AWS, which forms the foundation for Lakekeeper to manage data and
Doris to access data.
+
+### 1.1 Create S3 Storage Bucket
+
+First, we create an S3 Bucket named `lakekeeper-doris-demo` to store Iceberg
table data that will be created later.
+
+```bash
+# Create S3 storage bucket
+aws s3 mb s3://lakekeeper-doris-demo --region us-east-1
+# Verify bucket creation success
+aws s3 ls | grep lakekeeper-doris-demo
+```
+
+### 1.2 Create IAM Role for Object Storage Access
+
+To implement secure credential management, we need to create an IAM role for
Lakekeeper to use through the STS AssumeRole mechanism. This design follows the
security best practices of least privilege principle and separation of duties.
+
+1. Create trust policy file
+
+ Create `lakekeeper-trust-policy.json` file:
+
+ ```bash
+ cat > lakekeeper-trust-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:user/YOUR_USER"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+ }
+ EOF
+ ```
+
+ > Note: Please replace YOUR\_ACCOUNT\_ID with your actual AWS Account ID,
which can be obtained via `aws sts get-caller-identity --query Account --output
text`. Replace YOUR\_USER with the actual IAM username.
+
+2. Create IAM Role
+
+ ```bash
+ aws iam create-role \
+ --role-name lakekeeper-sts-role \
+ --assume-role-policy-document file://lakekeeper-trust-policy.json \
+ --description "IAM Role for Lakekeeper to access S3 storage"
+ ```
+
+3. Attach S3 access permission policy
+
+ Create `lakekeeper-s3-policy.json` file:
+
+ ```bash
+ cat > lakekeeper-s3-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetBucketLocation",
+ "s3:ListBucketMultipartUploads",
+ "s3:ListMultipartUploadParts",
+ "s3:AbortMultipartUpload",
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::lakekeeper-doris-demo",
+ "arn:aws:s3:::lakekeeper-doris-demo/*"
+ ]
+ }]
+ }
+ EOF
+ ```
+
+ Attach the policy to the role:
+
+ ```bash
+ aws iam put-role-policy \
+ --role-name lakekeeper-sts-role \
+ --policy-name lakekeeper-s3-access \
+ --policy-document file://lakekeeper-s3-policy.json
+ ```
+
+4. Grant AssumeRole permission to the user
+
+ ```bash
+ cat > user-assume-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": "sts:AssumeRole",
+ "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:role/lakekeeper-sts-role"
+ }]
+ }
+ EOF
+
+ aws iam put-user-policy \
+ --user-name YOUR_USER \
+ --policy-name allow-assume-lakekeeper-role \
+ --policy-document file://user-assume-policy.json
+ ```
+
+5. Verify creation results
+
+ ```bash
+ aws iam get-role --role-name lakekeeper-sts-role
+ aws iam list-role-policies --role-name lakekeeper-sts-role
+
+ # Verify AssumeRole is available
+ aws sts assume-role \
+ --role-arn arn:aws:iam::YOUR_ACCOUNT_ID:role/lakekeeper-sts-role \
+ --role-session-name lakekeeper-test
+ ```
+
+## 2. Lakekeeper Deployment and Warehouse Creation
+
+After environment preparation is complete, we begin deploying the Lakekeeper
service and configuring the Warehouse.
+
+### 2.1 Deploy Lakekeeper Using Docker Compose
+
+Create a `docker-compose.yml` file:
+
+```yaml
+services:
+ db:
+ image: postgres:17
+ environment:
+ POSTGRES_PASSWORD: postgres
+ volumes:
+ - pgdata:/var/lib/postgresql/data
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U postgres -p 5432 -d postgres"]
+ interval: 2s
+ timeout: 10s
+ retries: 10
+
+ migrate:
+ image: quay.io/lakekeeper/catalog:latest-main
+ restart: "no"
+ environment:
+ -
LAKEKEEPER__PG_DATABASE_URL_READ=postgresql://postgres:postgres@db:5432/postgres
+ -
LAKEKEEPER__PG_DATABASE_URL_WRITE=postgresql://postgres:postgres@db:5432/postgres
+ - LAKEKEEPER__PG_ENCRYPTION_KEY=CHANGE_ME_TO_A_LONG_RANDOM_SECRET
+ - RUST_LOG=info
+ command: ["migrate"]
+ depends_on:
+ db:
+ condition: service_healthy
+
+ lakekeeper:
+ image: quay.io/lakekeeper/catalog:latest-main
+ environment:
+ -
LAKEKEEPER__PG_DATABASE_URL_READ=postgresql://postgres:postgres@db:5432/postgres
+ -
LAKEKEEPER__PG_DATABASE_URL_WRITE=postgresql://postgres:postgres@db:5432/postgres
+ - LAKEKEEPER__PG_ENCRYPTION_KEY=CHANGE_ME_TO_A_LONG_RANDOM_SECRET
Review Comment:
The encryption key "CHANGE_ME_TO_A_LONG_RANDOM_SECRET" is duplicated on line
184. This creates a security risk if users copy-paste the configuration without
changing both values. Consider adding a note that emphasizes both occurrences
must use the same value and must be changed from the default.
##########
docs/lakehouse/best-practices/doris-lakekeeper.md:
##########
@@ -0,0 +1,412 @@
+---
+{
+ "title": "Integration with Lakekeeper",
+ "language": "en"
+}
+---
+
+[Lakekeeper](https://lakekeeper.io/) is an open-source Apache Iceberg REST
Catalog implementation written in Rust. It provides a lightweight,
high-performance metadata management service that supports multiple storage
backends including AWS S3, Alibaba Cloud OSS, and MinIO.
+
+This article will guide you through integrating Apache Doris with Lakekeeper
to achieve efficient querying and management of Iceberg data. We will take you
through the entire process from environment preparation to final querying step
by step.
+
+**Through this document, you will learn:**
+
+* **AWS Environment Preparation**: How to create and configure S3 storage
buckets in AWS, and prepare necessary IAM roles and policies for Lakekeeper,
enabling Lakekeeper to access S3 and distribute access credentials to Doris.
+
+* **Lakekeeper Deployment and Configuration**: How to deploy Lakekeeper
service using Docker Compose, and create Project and Warehouse in Lakekeeper to
provide metadata access endpoints for Doris.
+
+* **Doris Connection to Lakekeeper**: Demonstrates two core underlying storage
access methods:
+
+ 1. Doris directly using static AK/SK to access object storage
+ 2. Temporary AK/SK issued by Lakekeeper (Credential Vending mechanism)
+
+## 1. AWS Environment Preparation
+
+Before we begin, we need to prepare S3 storage buckets and corresponding IAM
roles on AWS, which forms the foundation for Lakekeeper to manage data and
Doris to access data.
+
+### 1.1 Create S3 Storage Bucket
+
+First, we create an S3 Bucket named `lakekeeper-doris-demo` to store Iceberg
table data that will be created later.
+
+```bash
+# Create S3 storage bucket
+aws s3 mb s3://lakekeeper-doris-demo --region us-east-1
+# Verify bucket creation success
+aws s3 ls | grep lakekeeper-doris-demo
+```
+
+### 1.2 Create IAM Role for Object Storage Access
+
+To implement secure credential management, we need to create an IAM role for
Lakekeeper to use through the STS AssumeRole mechanism. This design follows the
security best practices of least privilege principle and separation of duties.
+
+1. Create trust policy file
+
+ Create `lakekeeper-trust-policy.json` file:
+
+ ```bash
+ cat > lakekeeper-trust-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:user/YOUR_USER"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+ }
+ EOF
+ ```
+
+ > Note: Please replace YOUR\_ACCOUNT\_ID with your actual AWS Account ID,
which can be obtained via `aws sts get-caller-identity --query Account --output
text`. Replace YOUR\_USER with the actual IAM username.
+
+2. Create IAM Role
+
+ ```bash
+ aws iam create-role \
+ --role-name lakekeeper-sts-role \
+ --assume-role-policy-document file://lakekeeper-trust-policy.json \
+ --description "IAM Role for Lakekeeper to access S3 storage"
+ ```
+
+3. Attach S3 access permission policy
+
+ Create `lakekeeper-s3-policy.json` file:
+
+ ```bash
+ cat > lakekeeper-s3-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetBucketLocation",
+ "s3:ListBucketMultipartUploads",
+ "s3:ListMultipartUploadParts",
+ "s3:AbortMultipartUpload",
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::lakekeeper-doris-demo",
+ "arn:aws:s3:::lakekeeper-doris-demo/*"
+ ]
+ }]
+ }
+ EOF
+ ```
+
+ Attach the policy to the role:
+
+ ```bash
+ aws iam put-role-policy \
+ --role-name lakekeeper-sts-role \
+ --policy-name lakekeeper-s3-access \
+ --policy-document file://lakekeeper-s3-policy.json
+ ```
+
+4. Grant AssumeRole permission to the user
+
+ ```bash
+ cat > user-assume-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": "sts:AssumeRole",
+ "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:role/lakekeeper-sts-role"
+ }]
+ }
+ EOF
+
+ aws iam put-user-policy \
+ --user-name YOUR_USER \
+ --policy-name allow-assume-lakekeeper-role \
+ --policy-document file://user-assume-policy.json
+ ```
+
+5. Verify creation results
+
+ ```bash
+ aws iam get-role --role-name lakekeeper-sts-role
+ aws iam list-role-policies --role-name lakekeeper-sts-role
+
+ # Verify AssumeRole is available
+ aws sts assume-role \
+ --role-arn arn:aws:iam::YOUR_ACCOUNT_ID:role/lakekeeper-sts-role \
+ --role-session-name lakekeeper-test
+ ```
+
+## 2. Lakekeeper Deployment and Warehouse Creation
+
+After environment preparation is complete, we begin deploying the Lakekeeper
service and configuring the Warehouse.
+
+### 2.1 Deploy Lakekeeper Using Docker Compose
+
+Create a `docker-compose.yml` file:
+
+```yaml
+services:
+ db:
+ image: postgres:17
+ environment:
+ POSTGRES_PASSWORD: postgres
+ volumes:
+ - pgdata:/var/lib/postgresql/data
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U postgres -p 5432 -d postgres"]
+ interval: 2s
+ timeout: 10s
+ retries: 10
+
+ migrate:
+ image: quay.io/lakekeeper/catalog:latest-main
+ restart: "no"
+ environment:
+ -
LAKEKEEPER__PG_DATABASE_URL_READ=postgresql://postgres:postgres@db:5432/postgres
+ -
LAKEKEEPER__PG_DATABASE_URL_WRITE=postgresql://postgres:postgres@db:5432/postgres
+ - LAKEKEEPER__PG_ENCRYPTION_KEY=CHANGE_ME_TO_A_LONG_RANDOM_SECRET
+ - RUST_LOG=info
+ command: ["migrate"]
+ depends_on:
+ db:
+ condition: service_healthy
+
+ lakekeeper:
+ image: quay.io/lakekeeper/catalog:latest-main
+ environment:
+ -
LAKEKEEPER__PG_DATABASE_URL_READ=postgresql://postgres:postgres@db:5432/postgres
+ -
LAKEKEEPER__PG_DATABASE_URL_WRITE=postgresql://postgres:postgres@db:5432/postgres
+ - LAKEKEEPER__PG_ENCRYPTION_KEY=CHANGE_ME_TO_A_LONG_RANDOM_SECRET
+ - LAKEKEEPER__BASE_URI=http://YOUR_HOST_IP:8181
+ - LAKEKEEPER__ENABLE_DEFAULT_PROJECT=true
+ - RUST_LOG=info
+ command: ["serve"]
+ ports:
+ - "8181:8181"
+ depends_on:
+ migrate:
+ condition: service_completed_successfully
+ db:
+ condition: service_healthy
+
+volumes:
+ pgdata:
+```
+
+**Key Configuration Parameters:**
+
+| Parameter | Description |
+| --------- | ----------- |
+| `LAKEKEEPER__PG_ENCRYPTION_KEY` | Used to encrypt sensitive secrets stored
in Postgres when using the default Postgres secret backend. Should be set to a
sufficiently long random string. |
+| `LAKEKEEPER__BASE_URI` | The base URI of the Lakekeeper service. Replace
`YOUR_HOST_IP` with your actual host IP address. |
+| `LAKEKEEPER__ENABLE_DEFAULT_PROJECT` | When set to `true`, enables the
default project feature. |
+
+Start Lakekeeper:
+
+```bash
+docker compose up -d
+```
+
+After starting, you can access the following endpoints:
+
+* Swagger UI: `http://YOUR_HOST_IP:8181/swagger-ui/`
+* Web UI: `http://YOUR_HOST_IP:8181/ui`
+
+### 2.2 Create Project and Warehouse
+
+1. Create Project
+
+ ```bash
+ curl -i -X POST "http://localhost:8181/management/v1/project"; \
+ -H "Content-Type: application/json" \
+ --data '{"project-name":"default"}'
+ ```
+
+ Verify:
+
+ ```bash
+ curl -s "http://localhost:8181/management/v1/project-list";
+ ```
+
+ Note the `project-id` from the response, which will be used as
`PROJECT_ID` in subsequent steps.
+
+2. Create Warehouse (Static Credentials Mode)
+
+ Create the warehouse configuration file `create-warehouse-static.json`:
+
+ ```bash
+ cat > create-warehouse-static.json <<'JSON'
+ {
+ "warehouse-name": "lakekeeper-warehouse",
+ "storage-profile": {
+ "type": "s3",
+ "bucket": "lakekeeper-doris-demo",
+ "key-prefix": "warehouse",
+ "region": "us-east-1",
+ "endpoint": "https://s3.us-east-1.amazonaws.com";,
+ "sts-enabled": false,
+ "flavor": "aws"
+ },
+ "storage-credential": {
+ "type": "s3",
+ "credential-type": "access-key",
+ "aws-access-key-id": "YOUR_ACCESS_KEY",
+ "aws-secret-access-key": "YOUR_SECRET_KEY"
+ }
Review Comment:
The documentation includes examples with hardcoded AWS credentials
(YOUR_ACCESS_KEY, YOUR_SECRET_KEY) in the JSON configuration files. While these
are placeholders, consider adding a security warning that these credentials
should never be committed to version control and should be managed through
secure secret management systems in production environments.
##########
versioned_docs/version-4.x/lakehouse/best-practices/doris-lakekeeper.md:
##########
@@ -0,0 +1,412 @@
+---
+{
+ "title": "Integration with Lakekeeper",
+ "language": "en"
+}
+---
+
+[Lakekeeper](https://lakekeeper.io/) is an open-source Apache Iceberg REST
Catalog implementation written in Rust. It provides a lightweight,
high-performance metadata management service that supports multiple storage
backends including AWS S3, Alibaba Cloud OSS, and MinIO.
+
+This article will guide you through integrating Apache Doris with Lakekeeper
to achieve efficient querying and management of Iceberg data. We will take you
through the entire process from environment preparation to final querying step
by step.
+
+**Through this document, you will learn:**
+
+* **AWS Environment Preparation**: How to create and configure S3 storage
buckets in AWS, and prepare necessary IAM roles and policies for Lakekeeper,
enabling Lakekeeper to access S3 and distribute access credentials to Doris.
+
+* **Lakekeeper Deployment and Configuration**: How to deploy Lakekeeper
service using Docker Compose, and create Project and Warehouse in Lakekeeper to
provide metadata access endpoints for Doris.
+
+* **Doris Connection to Lakekeeper**: Demonstrates two core underlying storage
access methods:
+
+ 1. Doris directly using static AK/SK to access object storage
+ 2. Temporary AK/SK issued by Lakekeeper (Credential Vending mechanism)
+
+## 1. AWS Environment Preparation
+
+Before we begin, we need to prepare S3 storage buckets and corresponding IAM
roles on AWS, which forms the foundation for Lakekeeper to manage data and
Doris to access data.
+
+### 1.1 Create S3 Storage Bucket
+
+First, we create an S3 Bucket named `lakekeeper-doris-demo` to store Iceberg
table data that will be created later.
+
+```bash
+# Create S3 storage bucket
+aws s3 mb s3://lakekeeper-doris-demo --region us-east-1
+# Verify bucket creation success
+aws s3 ls | grep lakekeeper-doris-demo
+```
+
+### 1.2 Create IAM Role for Object Storage Access
+
+To implement secure credential management, we need to create an IAM role for
Lakekeeper to use through the STS AssumeRole mechanism. This design follows the
security best practices of least privilege principle and separation of duties.
+
+1. Create trust policy file
+
+ Create `lakekeeper-trust-policy.json` file:
+
+ ```bash
+ cat > lakekeeper-trust-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:user/YOUR_USER"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+ }
+ EOF
+ ```
+
+ > Note: Please replace YOUR\_ACCOUNT\_ID with your actual AWS Account ID,
which can be obtained via `aws sts get-caller-identity --query Account --output
text`. Replace YOUR\_USER with the actual IAM username.
+
+2. Create IAM Role
+
+ ```bash
+ aws iam create-role \
+ --role-name lakekeeper-sts-role \
+ --assume-role-policy-document file://lakekeeper-trust-policy.json \
+ --description "IAM Role for Lakekeeper to access S3 storage"
+ ```
+
+3. Attach S3 access permission policy
+
+ Create `lakekeeper-s3-policy.json` file:
+
+ ```bash
+ cat > lakekeeper-s3-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetBucketLocation",
+ "s3:ListBucketMultipartUploads",
+ "s3:ListMultipartUploadParts",
+ "s3:AbortMultipartUpload",
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::lakekeeper-doris-demo",
+ "arn:aws:s3:::lakekeeper-doris-demo/*"
+ ]
+ }]
+ }
+ EOF
+ ```
+
+ Attach the policy to the role:
+
+ ```bash
+ aws iam put-role-policy \
+ --role-name lakekeeper-sts-role \
+ --policy-name lakekeeper-s3-access \
+ --policy-document file://lakekeeper-s3-policy.json
+ ```
+
+4. Grant AssumeRole permission to the user
+
+ ```bash
+ cat > user-assume-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": "sts:AssumeRole",
+ "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:role/lakekeeper-sts-role"
+ }]
+ }
+ EOF
+
+ aws iam put-user-policy \
+ --user-name YOUR_USER \
+ --policy-name allow-assume-lakekeeper-role \
+ --policy-document file://user-assume-policy.json
+ ```
+
+5. Verify creation results
+
+ ```bash
+ aws iam get-role --role-name lakekeeper-sts-role
+ aws iam list-role-policies --role-name lakekeeper-sts-role
+
+ # Verify AssumeRole is available
+ aws sts assume-role \
+ --role-arn arn:aws:iam::YOUR_ACCOUNT_ID:role/lakekeeper-sts-role \
+ --role-session-name lakekeeper-test
+ ```
+
+## 2. Lakekeeper Deployment and Warehouse Creation
+
+After environment preparation is complete, we begin deploying the Lakekeeper
service and configuring the Warehouse.
+
+### 2.1 Deploy Lakekeeper Using Docker Compose
+
+Create a `docker-compose.yml` file:
+
+```yaml
+services:
+ db:
+ image: postgres:17
+ environment:
+ POSTGRES_PASSWORD: postgres
+ volumes:
+ - pgdata:/var/lib/postgresql/data
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U postgres -p 5432 -d postgres"]
+ interval: 2s
+ timeout: 10s
+ retries: 10
+
+ migrate:
+ image: quay.io/lakekeeper/catalog:latest-main
+ restart: "no"
+ environment:
+ -
LAKEKEEPER__PG_DATABASE_URL_READ=postgresql://postgres:postgres@db:5432/postgres
+ -
LAKEKEEPER__PG_DATABASE_URL_WRITE=postgresql://postgres:postgres@db:5432/postgres
+ - LAKEKEEPER__PG_ENCRYPTION_KEY=CHANGE_ME_TO_A_LONG_RANDOM_SECRET
+ - RUST_LOG=info
+ command: ["migrate"]
+ depends_on:
+ db:
+ condition: service_healthy
+
+ lakekeeper:
+ image: quay.io/lakekeeper/catalog:latest-main
+ environment:
+ -
LAKEKEEPER__PG_DATABASE_URL_READ=postgresql://postgres:postgres@db:5432/postgres
+ -
LAKEKEEPER__PG_DATABASE_URL_WRITE=postgresql://postgres:postgres@db:5432/postgres
+ - LAKEKEEPER__PG_ENCRYPTION_KEY=CHANGE_ME_TO_A_LONG_RANDOM_SECRET
Review Comment:
The encryption key "CHANGE_ME_TO_A_LONG_RANDOM_SECRET" is duplicated on line
184. This creates a security risk if users copy-paste the configuration without
changing both values. Consider adding a note that emphasizes both occurrences
must use the same value and must be changed from the default.
##########
i18n/zh-CN/docusaurus-plugin-content-docs/current/lakehouse/best-practices/doris-lakekeeper.md:
##########
@@ -0,0 +1,412 @@
+---
+{
+ "title": "集成 Lakekeeper",
+ "language": "zh-CN"
+}
+---
+
+[Lakekeeper](https://lakekeeper.io/) 是一个基于 Rust 实现的开源 Apache Iceberg REST
Catalog 服务。它提供了轻量级、高性能的元数据管理服务,支持多种存储后端,包括 AWS S3、阿里云 OSS、MinIO 等。
+
+本文将详细介绍如何将 Apache Doris 与 Lakekeeper 进行集成,实现对 Iceberg
数据的高效查询与管理。我们将一步步带你完成从环境准备到最终查询的全过程。
+
+**通过本文档,你将可以快速了解:**
+
+* **AWS 环境准备**:如何在 AWS 中创建并配置 S3 存储桶,以及为 Lakekeeper 准备必须的 IAM 角色和策略,使得
Lakekeeper 能够访问 S3,并能向 Doris 下发访问凭证。
+
+* **Lakekeeper 部署与配置**:如何使用 Docker Compose 部署 Lakekeeper 服务,并在 Lakekeeper 中创建
Project 和 Warehouse,为 Doris 提供元数据访问端点。
+
+* **Doris 连接 Lakekeeper**:演示两种核心的底层存储访问方式:
+
+ 1. Doris 直接使用静态 AK/SK 访问对象存储
+ 2. 由 Lakekeeper 发放临时 AK/SK(凭证发放机制,Credential Vending)
+
+## 1. AWS 环境准备
+
+在开始之前,我们需要在 AWS 上准备好 S3 存储桶和相应的 IAM 角色,这是 Lakekeeper 管理数据和 Doris 访问数据的基础。
+
+### 1.1 创建 S3 存储桶
+
+首先,我们创建一个名为 `lakekeeper-doris-demo` 的 S3 Bucket,用于存放后续创建的 Iceberg 表数据。
+
+```bash
+# 创建 S3 存储桶
+aws s3 mb s3://lakekeeper-doris-demo --region us-east-1
+# 验证存储桶创建成功
+aws s3 ls | grep lakekeeper-doris-demo
+```
+
+### 1.2 创建访问对象存储的 IAM Role
+
+为了实现安全的凭证管理,我们需要创建一个 IAM 角色供 Lakekeeper 通过 STS AssumeRole
机制使用。这个设计遵循了最小权限原则和职责分离的安全最佳实践。
+
+1. 创建信任策略文件
+
+ 创建 `lakekeeper-trust-policy.json` 文件:
+
+ ```bash
+ cat > lakekeeper-trust-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:user/YOUR_USER"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+ }
+ EOF
+ ```
+
+ > 注意:请将 YOUR\_ACCOUNT\_ID 替换为您的实际 AWS 账户 ID,可通过 `aws sts
get-caller-identity --query Account --output text` 获取。将 YOUR\_USER 替换为实际的 IAM
用户名。
+
+2. 创建 IAM Role
+
+ ```bash
+ aws iam create-role \
+ --role-name lakekeeper-sts-role \
+ --assume-role-policy-document file://lakekeeper-trust-policy.json \
+ --description "IAM Role for Lakekeeper to access S3 storage"
+ ```
+
+3. 附加 S3 访问权限策略
+
+ 创建 `lakekeeper-s3-policy.json` 文件:
+
+ ```bash
+ cat > lakekeeper-s3-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetBucketLocation",
+ "s3:ListBucketMultipartUploads",
+ "s3:ListMultipartUploadParts",
+ "s3:AbortMultipartUpload",
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::lakekeeper-doris-demo",
+ "arn:aws:s3:::lakekeeper-doris-demo/*"
+ ]
+ }]
+ }
+ EOF
+ ```
+
+ 附加策略到角色:
+
+ ```bash
+ aws iam put-role-policy \
+ --role-name lakekeeper-sts-role \
+ --policy-name lakekeeper-s3-access \
+ --policy-document file://lakekeeper-s3-policy.json
+ ```
+
+4. 为用户授予 AssumeRole 权限
+
+ ```bash
+ cat > user-assume-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": "sts:AssumeRole",
+ "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:role/lakekeeper-sts-role"
+ }]
+ }
+ EOF
+
+ aws iam put-user-policy \
+ --user-name YOUR_USER \
+ --policy-name allow-assume-lakekeeper-role \
+ --policy-document file://user-assume-policy.json
+ ```
+
+5. 验证创建结果
+
+ ```bash
+ aws iam get-role --role-name lakekeeper-sts-role
+ aws iam list-role-policies --role-name lakekeeper-sts-role
+
+ # 验证 AssumeRole 是否可用
+ aws sts assume-role \
+ --role-arn arn:aws:iam::YOUR_ACCOUNT_ID:role/lakekeeper-sts-role \
+ --role-session-name lakekeeper-test
+ ```
+
+## 2. Lakekeeper 部署与 Warehouse 创建
+
+环境准备就绪后,我们开始部署 Lakekeeper 服务并配置 Warehouse。
+
+### 2.1 使用 Docker Compose 部署 Lakekeeper
+
+创建 `docker-compose.yml` 文件:
+
+```yaml
+services:
+ db:
+ image: postgres:17
+ environment:
+ POSTGRES_PASSWORD: postgres
+ volumes:
+ - pgdata:/var/lib/postgresql/data
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U postgres -p 5432 -d postgres"]
+ interval: 2s
+ timeout: 10s
+ retries: 10
+
+ migrate:
+ image: quay.io/lakekeeper/catalog:latest-main
+ restart: "no"
+ environment:
+ -
LAKEKEEPER__PG_DATABASE_URL_READ=postgresql://postgres:postgres@db:5432/postgres
+ -
LAKEKEEPER__PG_DATABASE_URL_WRITE=postgresql://postgres:postgres@db:5432/postgres
+ - LAKEKEEPER__PG_ENCRYPTION_KEY=CHANGE_ME_TO_A_LONG_RANDOM_SECRET
+ - RUST_LOG=info
+ command: ["migrate"]
+ depends_on:
+ db:
+ condition: service_healthy
+
+ lakekeeper:
+ image: quay.io/lakekeeper/catalog:latest-main
+ environment:
+ -
LAKEKEEPER__PG_DATABASE_URL_READ=postgresql://postgres:postgres@db:5432/postgres
+ -
LAKEKEEPER__PG_DATABASE_URL_WRITE=postgresql://postgres:postgres@db:5432/postgres
+ - LAKEKEEPER__PG_ENCRYPTION_KEY=CHANGE_ME_TO_A_LONG_RANDOM_SECRET
Review Comment:
The encryption key "CHANGE_ME_TO_A_LONG_RANDOM_SECRET" is duplicated on line
184. This creates a security risk if users copy-paste the configuration without
changing both values. Consider adding a note that emphasizes both occurrences
must use the same value and must be changed from the default.
##########
i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/lakehouse/best-practices/doris-lakekeeper.md:
##########
@@ -0,0 +1,412 @@
+---
+{
+ "title": "集成 Lakekeeper",
+ "language": "zh-CN"
+}
+---
+
+[Lakekeeper](https://lakekeeper.io/) 是一个基于 Rust 实现的开源 Apache Iceberg REST
Catalog 服务。它提供了轻量级、高性能的元数据管理服务,支持多种存储后端,包括 AWS S3、阿里云 OSS、MinIO 等。
+
+本文将详细介绍如何将 Apache Doris 与 Lakekeeper 进行集成,实现对 Iceberg
数据的高效查询与管理。我们将一步步带你完成从环境准备到最终查询的全过程。
+
+**通过本文档,你将可以快速了解:**
+
+* **AWS 环境准备**:如何在 AWS 中创建并配置 S3 存储桶,以及为 Lakekeeper 准备必须的 IAM 角色和策略,使得
Lakekeeper 能够访问 S3,并能向 Doris 下发访问凭证。
+
+* **Lakekeeper 部署与配置**:如何使用 Docker Compose 部署 Lakekeeper 服务,并在 Lakekeeper 中创建
Project 和 Warehouse,为 Doris 提供元数据访问端点。
+
+* **Doris 连接 Lakekeeper**:演示两种核心的底层存储访问方式:
+
+ 1. Doris 直接使用静态 AK/SK 访问对象存储
+ 2. 由 Lakekeeper 发放临时 AK/SK(凭证发放机制,Credential Vending)
+
+## 1. AWS 环境准备
+
+在开始之前,我们需要在 AWS 上准备好 S3 存储桶和相应的 IAM 角色,这是 Lakekeeper 管理数据和 Doris 访问数据的基础。
+
+### 1.1 创建 S3 存储桶
+
+首先,我们创建一个名为 `lakekeeper-doris-demo` 的 S3 Bucket,用于存放后续创建的 Iceberg 表数据。
+
+```bash
+# 创建 S3 存储桶
+aws s3 mb s3://lakekeeper-doris-demo --region us-east-1
+# 验证存储桶创建成功
+aws s3 ls | grep lakekeeper-doris-demo
+```
+
+### 1.2 创建访问对象存储的 IAM Role
+
+为了实现安全的凭证管理,我们需要创建一个 IAM 角色供 Lakekeeper 通过 STS AssumeRole
机制使用。这个设计遵循了最小权限原则和职责分离的安全最佳实践。
+
+1. 创建信任策略文件
+
+ 创建 `lakekeeper-trust-policy.json` 文件:
+
+ ```bash
+ cat > lakekeeper-trust-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:user/YOUR_USER"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+ }
+ EOF
+ ```
+
+ > 注意:请将 YOUR\_ACCOUNT\_ID 替换为您的实际 AWS 账户 ID,可通过 `aws sts
get-caller-identity --query Account --output text` 获取。将 YOUR\_USER 替换为实际的 IAM
用户名。
+
+2. 创建 IAM Role
+
+ ```bash
+ aws iam create-role \
+ --role-name lakekeeper-sts-role \
+ --assume-role-policy-document file://lakekeeper-trust-policy.json \
+ --description "IAM Role for Lakekeeper to access S3 storage"
+ ```
+
+3. 附加 S3 访问权限策略
+
+ 创建 `lakekeeper-s3-policy.json` 文件:
+
+ ```bash
+ cat > lakekeeper-s3-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetBucketLocation",
+ "s3:ListBucketMultipartUploads",
+ "s3:ListMultipartUploadParts",
+ "s3:AbortMultipartUpload",
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::lakekeeper-doris-demo",
+ "arn:aws:s3:::lakekeeper-doris-demo/*"
+ ]
+ }]
+ }
+ EOF
+ ```
+
+ 附加策略到角色:
+
+ ```bash
+ aws iam put-role-policy \
+ --role-name lakekeeper-sts-role \
+ --policy-name lakekeeper-s3-access \
+ --policy-document file://lakekeeper-s3-policy.json
+ ```
+
+4. 为用户授予 AssumeRole 权限
+
+ ```bash
+ cat > user-assume-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": "sts:AssumeRole",
+ "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:role/lakekeeper-sts-role"
+ }]
+ }
+ EOF
+
+ aws iam put-user-policy \
+ --user-name YOUR_USER \
+ --policy-name allow-assume-lakekeeper-role \
+ --policy-document file://user-assume-policy.json
+ ```
+
+5. 验证创建结果
+
+ ```bash
+ aws iam get-role --role-name lakekeeper-sts-role
+ aws iam list-role-policies --role-name lakekeeper-sts-role
+
+ # 验证 AssumeRole 是否可用
+ aws sts assume-role \
+ --role-arn arn:aws:iam::YOUR_ACCOUNT_ID:role/lakekeeper-sts-role \
+ --role-session-name lakekeeper-test
+ ```
+
+## 2. Lakekeeper 部署与 Warehouse 创建
+
+环境准备就绪后,我们开始部署 Lakekeeper 服务并配置 Warehouse。
+
+### 2.1 使用 Docker Compose 部署 Lakekeeper
+
+创建 `docker-compose.yml` 文件:
+
+```yaml
+services:
+ db:
+ image: postgres:17
+ environment:
+ POSTGRES_PASSWORD: postgres
+ volumes:
+ - pgdata:/var/lib/postgresql/data
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U postgres -p 5432 -d postgres"]
+ interval: 2s
+ timeout: 10s
+ retries: 10
+
+ migrate:
+ image: quay.io/lakekeeper/catalog:latest-main
+ restart: "no"
+ environment:
+ -
LAKEKEEPER__PG_DATABASE_URL_READ=postgresql://postgres:postgres@db:5432/postgres
+ -
LAKEKEEPER__PG_DATABASE_URL_WRITE=postgresql://postgres:postgres@db:5432/postgres
+ - LAKEKEEPER__PG_ENCRYPTION_KEY=CHANGE_ME_TO_A_LONG_RANDOM_SECRET
+ - RUST_LOG=info
+ command: ["migrate"]
+ depends_on:
+ db:
+ condition: service_healthy
+
+ lakekeeper:
+ image: quay.io/lakekeeper/catalog:latest-main
+ environment:
+ -
LAKEKEEPER__PG_DATABASE_URL_READ=postgresql://postgres:postgres@db:5432/postgres
+ -
LAKEKEEPER__PG_DATABASE_URL_WRITE=postgresql://postgres:postgres@db:5432/postgres
+ - LAKEKEEPER__PG_ENCRYPTION_KEY=CHANGE_ME_TO_A_LONG_RANDOM_SECRET
+ - LAKEKEEPER__BASE_URI=http://YOUR_HOST_IP:8181
+ - LAKEKEEPER__ENABLE_DEFAULT_PROJECT=true
+ - RUST_LOG=info
+ command: ["serve"]
+ ports:
+ - "8181:8181"
+ depends_on:
+ migrate:
+ condition: service_completed_successfully
+ db:
+ condition: service_healthy
+
+volumes:
+ pgdata:
+```
+
+**关键配置参数:**
+
+| 参数 | 说明 |
+| --- | --- |
+| `LAKEKEEPER__PG_ENCRYPTION_KEY` | 当使用默认的 Postgres secret backend 时,用于加密存储在
Postgres 中的敏感信息。需要设置为足够长的随机字符串。 |
+| `LAKEKEEPER__BASE_URI` | Lakekeeper 服务的基础 URI。请将 `YOUR_HOST_IP` 替换为实际的主机 IP
地址。 |
+| `LAKEKEEPER__ENABLE_DEFAULT_PROJECT` | 设置为 `true` 时启用默认项目功能。 |
+
+启动 Lakekeeper:
+
+```bash
+docker compose up -d
+```
+
+启动后,可以访问以下端点:
+
+* Swagger UI:`http://YOUR_HOST_IP:8181/swagger-ui/`
+* Web UI:`http://YOUR_HOST_IP:8181/ui`
+
+### 2.2 创建 Project 和 Warehouse
+
+1. 创建 Project
+
+ ```bash
+ curl -i -X POST "http://localhost:8181/management/v1/project"; \
+ -H "Content-Type: application/json" \
+ --data '{"project-name":"default"}'
+ ```
+
+ 验证:
+
+ ```bash
+ curl -s "http://localhost:8181/management/v1/project-list";
+ ```
+
+ 记录返回结果中的 `project-id`,后续步骤中将用作 `PROJECT_ID`。
+
+2. 创建 Warehouse(静态凭证模式)
+
+ 创建 warehouse 配置文件 `create-warehouse-static.json`:
+
+ ```bash
+ cat > create-warehouse-static.json <<'JSON'
+ {
+ "warehouse-name": "lakekeeper-warehouse",
+ "storage-profile": {
+ "type": "s3",
+ "bucket": "lakekeeper-doris-demo",
+ "key-prefix": "warehouse",
+ "region": "us-east-1",
+ "endpoint": "https://s3.us-east-1.amazonaws.com";,
+ "sts-enabled": false,
+ "flavor": "aws"
+ },
+ "storage-credential": {
+ "type": "s3",
+ "credential-type": "access-key",
+ "aws-access-key-id": "YOUR_ACCESS_KEY",
+ "aws-secret-access-key": "YOUR_SECRET_KEY"
+ }
Review Comment:
The documentation includes examples with hardcoded AWS credentials
(YOUR_ACCESS_KEY, YOUR_SECRET_KEY) in the JSON configuration files. While these
are placeholders, consider adding a security warning that these credentials
should never be committed to version control and should be managed through
secure secret management systems in production environments.
##########
i18n/zh-CN/docusaurus-plugin-content-docs/current/lakehouse/best-practices/doris-lakekeeper.md:
##########
@@ -0,0 +1,412 @@
+---
+{
+ "title": "集成 Lakekeeper",
+ "language": "zh-CN"
+}
+---
+
+[Lakekeeper](https://lakekeeper.io/) 是一个基于 Rust 实现的开源 Apache Iceberg REST
Catalog 服务。它提供了轻量级、高性能的元数据管理服务,支持多种存储后端,包括 AWS S3、阿里云 OSS、MinIO 等。
+
+本文将详细介绍如何将 Apache Doris 与 Lakekeeper 进行集成,实现对 Iceberg
数据的高效查询与管理。我们将一步步带你完成从环境准备到最终查询的全过程。
+
+**通过本文档,你将可以快速了解:**
+
+* **AWS 环境准备**:如何在 AWS 中创建并配置 S3 存储桶,以及为 Lakekeeper 准备必须的 IAM 角色和策略,使得
Lakekeeper 能够访问 S3,并能向 Doris 下发访问凭证。
+
+* **Lakekeeper 部署与配置**:如何使用 Docker Compose 部署 Lakekeeper 服务,并在 Lakekeeper 中创建
Project 和 Warehouse,为 Doris 提供元数据访问端点。
+
+* **Doris 连接 Lakekeeper**:演示两种核心的底层存储访问方式:
+
+ 1. Doris 直接使用静态 AK/SK 访问对象存储
+ 2. 由 Lakekeeper 发放临时 AK/SK(凭证发放机制,Credential Vending)
+
+## 1. AWS 环境准备
+
+在开始之前,我们需要在 AWS 上准备好 S3 存储桶和相应的 IAM 角色,这是 Lakekeeper 管理数据和 Doris 访问数据的基础。
+
+### 1.1 创建 S3 存储桶
+
+首先,我们创建一个名为 `lakekeeper-doris-demo` 的 S3 Bucket,用于存放后续创建的 Iceberg 表数据。
+
+```bash
+# 创建 S3 存储桶
+aws s3 mb s3://lakekeeper-doris-demo --region us-east-1
+# 验证存储桶创建成功
+aws s3 ls | grep lakekeeper-doris-demo
+```
+
+### 1.2 创建访问对象存储的 IAM Role
+
+为了实现安全的凭证管理,我们需要创建一个 IAM 角色供 Lakekeeper 通过 STS AssumeRole
机制使用。这个设计遵循了最小权限原则和职责分离的安全最佳实践。
+
+1. 创建信任策略文件
+
+ 创建 `lakekeeper-trust-policy.json` 文件:
+
+ ```bash
+ cat > lakekeeper-trust-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:user/YOUR_USER"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+ }
+ EOF
+ ```
+
+ > 注意:请将 YOUR\_ACCOUNT\_ID 替换为您的实际 AWS 账户 ID,可通过 `aws sts
get-caller-identity --query Account --output text` 获取。将 YOUR\_USER 替换为实际的 IAM
用户名。
+
+2. 创建 IAM Role
+
+ ```bash
+ aws iam create-role \
+ --role-name lakekeeper-sts-role \
+ --assume-role-policy-document file://lakekeeper-trust-policy.json \
+ --description "IAM Role for Lakekeeper to access S3 storage"
+ ```
+
+3. 附加 S3 访问权限策略
+
+ 创建 `lakekeeper-s3-policy.json` 文件:
+
+ ```bash
+ cat > lakekeeper-s3-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetBucketLocation",
+ "s3:ListBucketMultipartUploads",
+ "s3:ListMultipartUploadParts",
+ "s3:AbortMultipartUpload",
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::lakekeeper-doris-demo",
+ "arn:aws:s3:::lakekeeper-doris-demo/*"
+ ]
+ }]
+ }
+ EOF
+ ```
+
+ 附加策略到角色:
+
+ ```bash
+ aws iam put-role-policy \
+ --role-name lakekeeper-sts-role \
+ --policy-name lakekeeper-s3-access \
+ --policy-document file://lakekeeper-s3-policy.json
+ ```
+
+4. 为用户授予 AssumeRole 权限
+
+ ```bash
+ cat > user-assume-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": "sts:AssumeRole",
+ "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:role/lakekeeper-sts-role"
+ }]
+ }
+ EOF
+
+ aws iam put-user-policy \
+ --user-name YOUR_USER \
+ --policy-name allow-assume-lakekeeper-role \
+ --policy-document file://user-assume-policy.json
+ ```
+
+5. 验证创建结果
+
+ ```bash
+ aws iam get-role --role-name lakekeeper-sts-role
+ aws iam list-role-policies --role-name lakekeeper-sts-role
+
+ # 验证 AssumeRole 是否可用
+ aws sts assume-role \
+ --role-arn arn:aws:iam::YOUR_ACCOUNT_ID:role/lakekeeper-sts-role \
+ --role-session-name lakekeeper-test
+ ```
+
+## 2. Lakekeeper 部署与 Warehouse 创建
+
+环境准备就绪后,我们开始部署 Lakekeeper 服务并配置 Warehouse。
+
+### 2.1 使用 Docker Compose 部署 Lakekeeper
+
+创建 `docker-compose.yml` 文件:
+
+```yaml
+services:
+ db:
+ image: postgres:17
+ environment:
+ POSTGRES_PASSWORD: postgres
+ volumes:
+ - pgdata:/var/lib/postgresql/data
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U postgres -p 5432 -d postgres"]
+ interval: 2s
+ timeout: 10s
+ retries: 10
+
+ migrate:
+ image: quay.io/lakekeeper/catalog:latest-main
+ restart: "no"
+ environment:
+ -
LAKEKEEPER__PG_DATABASE_URL_READ=postgresql://postgres:postgres@db:5432/postgres
+ -
LAKEKEEPER__PG_DATABASE_URL_WRITE=postgresql://postgres:postgres@db:5432/postgres
+ - LAKEKEEPER__PG_ENCRYPTION_KEY=CHANGE_ME_TO_A_LONG_RANDOM_SECRET
+ - RUST_LOG=info
+ command: ["migrate"]
+ depends_on:
+ db:
+ condition: service_healthy
+
+ lakekeeper:
+ image: quay.io/lakekeeper/catalog:latest-main
+ environment:
+ -
LAKEKEEPER__PG_DATABASE_URL_READ=postgresql://postgres:postgres@db:5432/postgres
+ -
LAKEKEEPER__PG_DATABASE_URL_WRITE=postgresql://postgres:postgres@db:5432/postgres
+ - LAKEKEEPER__PG_ENCRYPTION_KEY=CHANGE_ME_TO_A_LONG_RANDOM_SECRET
+ - LAKEKEEPER__BASE_URI=http://YOUR_HOST_IP:8181
+ - LAKEKEEPER__ENABLE_DEFAULT_PROJECT=true
+ - RUST_LOG=info
+ command: ["serve"]
+ ports:
+ - "8181:8181"
+ depends_on:
+ migrate:
+ condition: service_completed_successfully
+ db:
+ condition: service_healthy
+
+volumes:
+ pgdata:
+```
+
+**关键配置参数:**
+
+| 参数 | 说明 |
+| --- | --- |
+| `LAKEKEEPER__PG_ENCRYPTION_KEY` | 当使用默认的 Postgres secret backend 时,用于加密存储在
Postgres 中的敏感信息。需要设置为足够长的随机字符串。 |
+| `LAKEKEEPER__BASE_URI` | Lakekeeper 服务的基础 URI。请将 `YOUR_HOST_IP` 替换为实际的主机 IP
地址。 |
+| `LAKEKEEPER__ENABLE_DEFAULT_PROJECT` | 设置为 `true` 时启用默认项目功能。 |
+
+启动 Lakekeeper:
+
+```bash
+docker compose up -d
+```
+
+启动后,可以访问以下端点:
+
+* Swagger UI:`http://YOUR_HOST_IP:8181/swagger-ui/`
+* Web UI:`http://YOUR_HOST_IP:8181/ui`
+
+### 2.2 创建 Project 和 Warehouse
+
+1. 创建 Project
+
+ ```bash
+ curl -i -X POST "http://localhost:8181/management/v1/project"; \
+ -H "Content-Type: application/json" \
+ --data '{"project-name":"default"}'
+ ```
+
+ 验证:
+
+ ```bash
+ curl -s "http://localhost:8181/management/v1/project-list";
+ ```
+
+ 记录返回结果中的 `project-id`,后续步骤中将用作 `PROJECT_ID`。
+
+2. 创建 Warehouse(静态凭证模式)
+
+ 创建 warehouse 配置文件 `create-warehouse-static.json`:
+
+ ```bash
+ cat > create-warehouse-static.json <<'JSON'
+ {
+ "warehouse-name": "lakekeeper-warehouse",
+ "storage-profile": {
+ "type": "s3",
+ "bucket": "lakekeeper-doris-demo",
+ "key-prefix": "warehouse",
+ "region": "us-east-1",
+ "endpoint": "https://s3.us-east-1.amazonaws.com";,
+ "sts-enabled": false,
+ "flavor": "aws"
+ },
+ "storage-credential": {
+ "type": "s3",
+ "credential-type": "access-key",
+ "aws-access-key-id": "YOUR_ACCESS_KEY",
+ "aws-secret-access-key": "YOUR_SECRET_KEY"
+ }
Review Comment:
The documentation includes examples with hardcoded AWS credentials
(YOUR_ACCESS_KEY, YOUR_SECRET_KEY) in the JSON configuration files. While these
are placeholders, consider adding a security warning that these credentials
should never be committed to version control and should be managed through
secure secret management systems in production environments.
##########
docs/lakehouse/best-practices/doris-lakekeeper.md:
##########
@@ -0,0 +1,412 @@
+---
+{
+ "title": "Integration with Lakekeeper",
+ "language": "en"
+}
+---
+
+[Lakekeeper](https://lakekeeper.io/) is an open-source Apache Iceberg REST
Catalog implementation written in Rust. It provides a lightweight,
high-performance metadata management service that supports multiple storage
backends including AWS S3, Alibaba Cloud OSS, and MinIO.
+
+This article will guide you through integrating Apache Doris with Lakekeeper
to achieve efficient querying and management of Iceberg data. We will take you
through the entire process from environment preparation to final querying step
by step.
+
+**Through this document, you will learn:**
+
+* **AWS Environment Preparation**: How to create and configure S3 storage
buckets in AWS, and prepare necessary IAM roles and policies for Lakekeeper,
enabling Lakekeeper to access S3 and distribute access credentials to Doris.
+
+* **Lakekeeper Deployment and Configuration**: How to deploy Lakekeeper
service using Docker Compose, and create Project and Warehouse in Lakekeeper to
provide metadata access endpoints for Doris.
+
+* **Doris Connection to Lakekeeper**: Demonstrates two core underlying storage
access methods:
+
+ 1. Doris directly using static AK/SK to access object storage
+ 2. Temporary AK/SK issued by Lakekeeper (Credential Vending mechanism)
+
+## 1. AWS Environment Preparation
+
+Before we begin, we need to prepare S3 storage buckets and corresponding IAM
roles on AWS, which forms the foundation for Lakekeeper to manage data and
Doris to access data.
+
+### 1.1 Create S3 Storage Bucket
+
+First, we create an S3 Bucket named `lakekeeper-doris-demo` to store Iceberg
table data that will be created later.
+
+```bash
+# Create S3 storage bucket
+aws s3 mb s3://lakekeeper-doris-demo --region us-east-1
+# Verify bucket creation success
+aws s3 ls | grep lakekeeper-doris-demo
+```
+
+### 1.2 Create IAM Role for Object Storage Access
+
+To implement secure credential management, we need to create an IAM role for
Lakekeeper to use through the STS AssumeRole mechanism. This design follows the
security best practices of least privilege principle and separation of duties.
+
+1. Create trust policy file
+
+ Create `lakekeeper-trust-policy.json` file:
+
+ ```bash
+ cat > lakekeeper-trust-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:user/YOUR_USER"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+ }
+ EOF
+ ```
+
+ > Note: Please replace YOUR\_ACCOUNT\_ID with your actual AWS Account ID,
which can be obtained via `aws sts get-caller-identity --query Account --output
text`. Replace YOUR\_USER with the actual IAM username.
+
+2. Create IAM Role
+
+ ```bash
+ aws iam create-role \
+ --role-name lakekeeper-sts-role \
+ --assume-role-policy-document file://lakekeeper-trust-policy.json \
+ --description "IAM Role for Lakekeeper to access S3 storage"
+ ```
+
+3. Attach S3 access permission policy
+
+ Create `lakekeeper-s3-policy.json` file:
+
+ ```bash
+ cat > lakekeeper-s3-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetBucketLocation",
+ "s3:ListBucketMultipartUploads",
+ "s3:ListMultipartUploadParts",
+ "s3:AbortMultipartUpload",
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::lakekeeper-doris-demo",
+ "arn:aws:s3:::lakekeeper-doris-demo/*"
+ ]
+ }]
+ }
+ EOF
+ ```
+
+ Attach the policy to the role:
+
+ ```bash
+ aws iam put-role-policy \
+ --role-name lakekeeper-sts-role \
+ --policy-name lakekeeper-s3-access \
+ --policy-document file://lakekeeper-s3-policy.json
+ ```
+
+4. Grant AssumeRole permission to the user
+
+ ```bash
+ cat > user-assume-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": "sts:AssumeRole",
+ "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:role/lakekeeper-sts-role"
+ }]
+ }
+ EOF
+
+ aws iam put-user-policy \
+ --user-name YOUR_USER \
+ --policy-name allow-assume-lakekeeper-role \
+ --policy-document file://user-assume-policy.json
+ ```
+
+5. Verify creation results
+
+ ```bash
+ aws iam get-role --role-name lakekeeper-sts-role
+ aws iam list-role-policies --role-name lakekeeper-sts-role
+
+ # Verify AssumeRole is available
+ aws sts assume-role \
+ --role-arn arn:aws:iam::YOUR_ACCOUNT_ID:role/lakekeeper-sts-role \
+ --role-session-name lakekeeper-test
+ ```
+
+## 2. Lakekeeper Deployment and Warehouse Creation
+
+After environment preparation is complete, we begin deploying the Lakekeeper
service and configuring the Warehouse.
+
+### 2.1 Deploy Lakekeeper Using Docker Compose
+
+Create a `docker-compose.yml` file:
+
+```yaml
+services:
+ db:
+ image: postgres:17
+ environment:
+ POSTGRES_PASSWORD: postgres
+ volumes:
+ - pgdata:/var/lib/postgresql/data
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U postgres -p 5432 -d postgres"]
+ interval: 2s
+ timeout: 10s
+ retries: 10
+
+ migrate:
+ image: quay.io/lakekeeper/catalog:latest-main
+ restart: "no"
+ environment:
+ -
LAKEKEEPER__PG_DATABASE_URL_READ=postgresql://postgres:postgres@db:5432/postgres
+ -
LAKEKEEPER__PG_DATABASE_URL_WRITE=postgresql://postgres:postgres@db:5432/postgres
+ - LAKEKEEPER__PG_ENCRYPTION_KEY=CHANGE_ME_TO_A_LONG_RANDOM_SECRET
Review Comment:
The placeholder value "CHANGE_ME_TO_A_LONG_RANDOM_SECRET" appears in the
example configuration. While this is clearly marked as a placeholder, consider
adding a warning comment or note immediately after this code block to emphasize
that this value MUST be changed before production use, as it's a
security-sensitive encryption key.
##########
i18n/zh-CN/docusaurus-plugin-content-docs/current/lakehouse/best-practices/doris-lakekeeper.md:
##########
@@ -0,0 +1,412 @@
+---
+{
+ "title": "集成 Lakekeeper",
+ "language": "zh-CN"
+}
+---
+
+[Lakekeeper](https://lakekeeper.io/) 是一个基于 Rust 实现的开源 Apache Iceberg REST
Catalog 服务。它提供了轻量级、高性能的元数据管理服务,支持多种存储后端,包括 AWS S3、阿里云 OSS、MinIO 等。
+
+本文将详细介绍如何将 Apache Doris 与 Lakekeeper 进行集成,实现对 Iceberg
数据的高效查询与管理。我们将一步步带你完成从环境准备到最终查询的全过程。
+
+**通过本文档,你将可以快速了解:**
+
+* **AWS 环境准备**:如何在 AWS 中创建并配置 S3 存储桶,以及为 Lakekeeper 准备必须的 IAM 角色和策略,使得
Lakekeeper 能够访问 S3,并能向 Doris 下发访问凭证。
+
+* **Lakekeeper 部署与配置**:如何使用 Docker Compose 部署 Lakekeeper 服务,并在 Lakekeeper 中创建
Project 和 Warehouse,为 Doris 提供元数据访问端点。
+
+* **Doris 连接 Lakekeeper**:演示两种核心的底层存储访问方式:
+
+ 1. Doris 直接使用静态 AK/SK 访问对象存储
+ 2. 由 Lakekeeper 发放临时 AK/SK(凭证发放机制,Credential Vending)
+
+## 1. AWS 环境准备
+
+在开始之前,我们需要在 AWS 上准备好 S3 存储桶和相应的 IAM 角色,这是 Lakekeeper 管理数据和 Doris 访问数据的基础。
+
+### 1.1 创建 S3 存储桶
+
+首先,我们创建一个名为 `lakekeeper-doris-demo` 的 S3 Bucket,用于存放后续创建的 Iceberg 表数据。
+
+```bash
+# 创建 S3 存储桶
+aws s3 mb s3://lakekeeper-doris-demo --region us-east-1
+# 验证存储桶创建成功
+aws s3 ls | grep lakekeeper-doris-demo
+```
+
+### 1.2 创建访问对象存储的 IAM Role
+
+为了实现安全的凭证管理,我们需要创建一个 IAM 角色供 Lakekeeper 通过 STS AssumeRole
机制使用。这个设计遵循了最小权限原则和职责分离的安全最佳实践。
+
+1. 创建信任策略文件
+
+ 创建 `lakekeeper-trust-policy.json` 文件:
+
+ ```bash
+ cat > lakekeeper-trust-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:user/YOUR_USER"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+ }
+ EOF
+ ```
+
+ > 注意:请将 YOUR\_ACCOUNT\_ID 替换为您的实际 AWS 账户 ID,可通过 `aws sts
get-caller-identity --query Account --output text` 获取。将 YOUR\_USER 替换为实际的 IAM
用户名。
+
+2. 创建 IAM Role
+
+ ```bash
+ aws iam create-role \
+ --role-name lakekeeper-sts-role \
+ --assume-role-policy-document file://lakekeeper-trust-policy.json \
+ --description "IAM Role for Lakekeeper to access S3 storage"
+ ```
+
+3. 附加 S3 访问权限策略
+
+ 创建 `lakekeeper-s3-policy.json` 文件:
+
+ ```bash
+ cat > lakekeeper-s3-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetBucketLocation",
+ "s3:ListBucketMultipartUploads",
+ "s3:ListMultipartUploadParts",
+ "s3:AbortMultipartUpload",
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::lakekeeper-doris-demo",
+ "arn:aws:s3:::lakekeeper-doris-demo/*"
+ ]
+ }]
+ }
+ EOF
+ ```
+
+ 附加策略到角色:
+
+ ```bash
+ aws iam put-role-policy \
+ --role-name lakekeeper-sts-role \
+ --policy-name lakekeeper-s3-access \
+ --policy-document file://lakekeeper-s3-policy.json
+ ```
+
+4. 为用户授予 AssumeRole 权限
+
+ ```bash
+ cat > user-assume-policy.json << 'EOF'
+ {
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": "sts:AssumeRole",
+ "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:role/lakekeeper-sts-role"
+ }]
+ }
+ EOF
+
+ aws iam put-user-policy \
+ --user-name YOUR_USER \
+ --policy-name allow-assume-lakekeeper-role \
+ --policy-document file://user-assume-policy.json
+ ```
+
+5. 验证创建结果
+
+ ```bash
+ aws iam get-role --role-name lakekeeper-sts-role
+ aws iam list-role-policies --role-name lakekeeper-sts-role
+
+ # 验证 AssumeRole 是否可用
+ aws sts assume-role \
+ --role-arn arn:aws:iam::YOUR_ACCOUNT_ID:role/lakekeeper-sts-role \
+ --role-session-name lakekeeper-test
+ ```
+
+## 2. Lakekeeper 部署与 Warehouse 创建
+
+环境准备就绪后,我们开始部署 Lakekeeper 服务并配置 Warehouse。
+
+### 2.1 使用 Docker Compose 部署 Lakekeeper
+
+创建 `docker-compose.yml` 文件:
+
+```yaml
+services:
+ db:
+ image: postgres:17
+ environment:
+ POSTGRES_PASSWORD: postgres
+ volumes:
+ - pgdata:/var/lib/postgresql/data
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U postgres -p 5432 -d postgres"]
+ interval: 2s
+ timeout: 10s
+ retries: 10
+
+ migrate:
+ image: quay.io/lakekeeper/catalog:latest-main
+ restart: "no"
+ environment:
+ -
LAKEKEEPER__PG_DATABASE_URL_READ=postgresql://postgres:postgres@db:5432/postgres
+ -
LAKEKEEPER__PG_DATABASE_URL_WRITE=postgresql://postgres:postgres@db:5432/postgres
+ - LAKEKEEPER__PG_ENCRYPTION_KEY=CHANGE_ME_TO_A_LONG_RANDOM_SECRET
Review Comment:
The placeholder value "CHANGE_ME_TO_A_LONG_RANDOM_SECRET" appears in the
example configuration. While this is clearly marked as a placeholder, consider
adding a warning comment or note immediately after this code block to emphasize
that this value MUST be changed before production use, as it's a
security-sensitive encryption key.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
