flyrain commented on code in PR #10256: URL: https://github.com/apache/iceberg/pull/10256#discussion_r1590182083
########## core/src/main/java/org/apache/iceberg/rest/RESTSessionCatalog.java: ########## @@ -215,6 +215,12 @@ public void initialize(String name, Map<String, String> unresolved) { this.paths = ResourcePaths.forCatalogProperties(mergedProps); String token = mergedProps.get(OAuth2Properties.TOKEN); + // re-resolve these variables in case they were overridden by the config endpoint + credential = mergedProps.get(OAuth2Properties.CREDENTIAL); Review Comment: It is weird to me that the client gets the credential from server's config endpoint, which doesn't need authentication. Does that mean any client can visit the REST catalog? I think we still need a client to provide its own credential. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org For additional commands, e-mail: issues-h...@iceberg.apache.org