snazy commented on code in PR #10722:
URL: https://github.com/apache/iceberg/pull/10722#discussion_r1755464604
##########
open-api/rest-catalog-open-api.yaml:
##########
@@ -3103,6 +3103,81 @@ components:
uuid:
type: string
+ ADLSCredentials:
+ type: object
+ allOf:
+ - $ref: '#/components/schemas/Credentials'
+ required:
+ - type
+ properties:
+ type:
+ type: string
+ enum: [ "adls" ]
+ account-name:
+ type: string
+ account-key:
+ type: string
+ sas-token:
+ type: string
+ expires-at-ms:
+ type: integer
+ format: int64
+
+ GCSCredentials:
+ type: object
+ allOf:
+ - $ref: '#/components/schemas/Credentials'
+ required:
+ - type
+ - token
+ - expires-at-ms
+ properties:
+ type:
+ type: string
+ enum: [ "gcs" ]
+ token:
+ type: string
+ expires-at-ms:
+ type: integer
+ format: int64
+
+ S3Credentials:
+ type: object
+ allOf:
+ - $ref: '#/components/schemas/Credentials'
+ required:
Review Comment:
Despite the [other comment
below](https://github.com/apache/iceberg/pull/10722/files#r1755423596) - the
region should be the same as the one for the S3FileIO configuration?
##########
open-api/rest-catalog-open-api.yaml:
##########
@@ -3129,6 +3204,11 @@ components:
- `s3.secret-access-key`: secret for credentials that provide access
to data in S3
- `s3.session-token`: if present, this value should be used for as
the session token
- `s3.remote-signing-enabled`: if `true` remote signing should be
performed as described in the `s3-signer-open-api.yaml` specification
+
+ ## Credentials
+
+ Credentials for ADLS / GCS / S3 are provided through the `credentials`
field. Clients should first check whether the
Review Comment:
Good point!
Obtaining credentials every time a table's loaded is often just overhead.
Just inspecting table-metadata contents doesn't need any object-store
credentials.
Also if there's finally a way to refresh credentials, the lifetime of those
can be shortened.
There's a lot of room for improvement here
##########
open-api/rest-catalog-open-api.yaml:
##########
@@ -3129,6 +3204,11 @@ components:
- `s3.secret-access-key`: secret for credentials that provide access
to data in S3
- `s3.session-token`: if present, this value should be used for as
the session token
- `s3.remote-signing-enabled`: if `true` remote signing should be
performed as described in the `s3-signer-open-api.yaml` specification
+
+ ## Credentials
+
+ Credentials for ADLS / GCS / S3 are provided through the `credentials`
field. Clients should first check whether the
+ respective credentials exist in the `credentials` field before
checking the `config` for credentials.
Review Comment:
A valid point. However, that could not just span e.g. 2 S3 buckets in the
same object store, but across different object stores - even two S3 - one on
Minio and one on Ceph - or GCS and S3 or....
##########
open-api/rest-catalog-open-api.yaml:
##########
@@ -2747,6 +2747,54 @@ components:
uuid:
type: string
+ AzureCredentials:
+ type: object
+ properties:
+ account-name:
+ type: string
+ account-key:
+ type: string
+ token:
+ type: string
+
+ AwsCredentials:
+ type: object
+ required:
Review Comment:
The session-token is part of the vended credentials - omitting it can mean
that the credentials are incomplete and in turn not accepted.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
