sunyuhan1998 opened a new pull request, #10895: URL: https://github.com/apache/gravitino/pull/10895
### What changes were proposed in this pull request?

Add temporary credential vending support to the Lance REST Server's `describeTable` API, enabling clients to receive short-lived storage credentials instead of relying on long-term access keys.

Key changes:

1. **`CredentialPropertyUtils`** — Add Lance-specific credential property transformation: convert `S3TokenCredential`, `GCSTokenCredential`, and `S3SecretKeyCredential` into Lance `storage_options` format (`aws_access_key_id`, `aws_secret_access_key`, `aws_session_token`, `expires_at_millis`).
2. **`GravitinoLanceTableOps.describeTable()`** — Integrate with `CatalogCredentialManager` to generate per-request temporary credentials based on the caller's privilege level (READ or WRITE). Merge vended credentials into `DescribeTableResponse.storageOptions`.
3. **`LanceTableOperations` (REST layer)** — Accept `vendCredentials` flag from `DescribeTableRequest`, determine caller privilege via `MetadataAuthzHelper`, and pass it down to the ops layer.
4. **Tests** — Unit tests for credential transformation, ops layer credential merging, REST layer vending flag handling, and end-to-end IT with `LanceDummyCredentialProvider` via Java SPI.

### Why are the changes needed?

Currently the Lance REST Server returns static storage configuration without generating temporary credentials. When Lance clients access table data on S3/GCS, they need long-term access keys embedded in catalog properties, which poses a security risk. This aligns with the credential vending pattern already used by the Iceberg REST Server.

Fix: #9087

**Note:** This PR depends on #10445 (Lance namespace upgrade to v0.4.5). The first 3 commits belong to that work; please focus review on the last commit.

### Does this PR introduce _any_ user-facing change?

No. Credential vending is opt-in via the `credential-providers` catalog property and the `vendCredentials` request flag. Existing behavior is preserved when these are not configured.

### How was this patch tested?

- Unit tests: `TestCredentialPropertiesUtils`, `TestGravitinoLanceTableOpsCredentialVending`, `TestLanceNamespaceOperations` (vend credentials tests)
- IT: `LanceRESTServiceIT.testDescribeTableWithCredentialVending` using `LanceDummyCredentialProvider` via SPI
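
The opt-in vending flow this description outlines, as an added sketch that is not code from the PR or from Gravitino: a credential is vended for the caller's privilege level, mapped to the Lance `storage_options` keys, and merged over the static options. The types `S3Credential` and `Provider`, the method names and the sample values are hypothetical; only the four key names and the `vendCredentials` flag come from the description.

```java
import java.util.HashMap;
import java.util.Map;

public class LanceCredentialVendingSketch {
  enum Privilege { READ, WRITE }

  // Hypothetical stand-in for a vended S3 credential; not a Gravitino class.
  record S3Credential(String accessKeyId, String secretAccessKey,
                      String sessionToken, long expiresAtMillis) {}

  // Hypothetical provider: a real one would request a scoped, short-lived token.
  interface Provider { S3Credential vend(String tableLocation, Privilege privilege); }

  // Map a credential to the Lance storage_options keys named in the PR description.
  static Map<String, String> toLanceStorageOptions(S3Credential c) {
    Map<String, String> out = new HashMap<>();
    out.put("aws_access_key_id", c.accessKeyId());
    out.put("aws_secret_access_key", c.secretAccessKey());
    // Assumption: a static secret-key credential carries no token and no expiry.
    if (c.sessionToken() != null) {
      out.put("aws_session_token", c.sessionToken());
      out.put("expires_at_millis", Long.toString(c.expiresAtMillis()));
    }
    return out;
  }

  // Opt-in: without the request flag or a configured provider, options are unchanged.
  static Map<String, String> describeTableOptions(Map<String, String> staticOptions,
      boolean vendCredentials, Provider provider, String location, boolean callerCanWrite) {
    Map<String, String> merged = new HashMap<>(staticOptions);
    if (!vendCredentials || provider == null) {
      return merged;
    }
    // The caller's privilege decides the scope of the vended credential.
    Privilege p = callerCanWrite ? Privilege.WRITE : Privilege.READ;
    merged.putAll(toLanceStorageOptions(provider.vend(location, p)));
    return merged;
  }

  public static void main(String[] args) {
    // Constructed sample values; the key id, secret and token are placeholders.
    Provider dummy = (loc, p) -> new S3Credential("EXAMPLE_KEY_ID_" + p, "example-secret",
        "example-token", System.currentTimeMillis() + 15 * 60 * 1000L);
    Map<String, String> base = Map.of("region", "us-east-1");
    System.out.println(describeTableOptions(base, false, dummy, "s3://bucket/t", true));
    System.out.println(describeTableOptions(base, true, dummy, "s3://bucket/t", false));
  }
}
```

The first call prints only the static options; the second adds a READ-scoped credential with an `expires_at_millis` the client can use to decide when to refresh.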
