Re: [PR] OpenAPI: Standardize credentials in loadTable/loadView responses [iceberg]

[via GitHub]

nastra commented on code in PR #10722:
URL: https://github.com/apache/iceberg/pull/10722#discussion_r1775515425


##########
open-api/rest-catalog-open-api.yaml:
##########
@@ -3103,6 +3103,95 @@ components:
         uuid:
           type: string
 
+    ADLSCredential:
+      type: object
+      allOf:
+        - $ref: '#/components/schemas/Credential'
+      required:
+        - type
+        - sas-token
+        - expires-at-ms
+      properties:
+        type:
+          type: string
+          enum: [ "adls" ]
+        prefix:
+          type: string
+          description: Indicates a storage location prefix where the 
credential is relevant. Clients should choose the most
+            specific prefix if several credentials of the same type are 
available.
+        sas-token:
+          type: string
+        expires-at-ms:
+          type: integer
+          format: int64
+          description: The epoch millis since 1970-01-01T00:00:00Z at which 
the given token expires
+
+
+    GCSCredential:
+      type: object
+      allOf:
+        - $ref: '#/components/schemas/Credential'
+      required:
+        - type
+        - token
+        - expires-at-ms
+      properties:
+        type:
+          type: string
+          enum: [ "gcs" ]
+        prefix:
+          type: string
+          description: Indicates a storage location prefix where the 
credential is relevant. Clients should choose the most
+            specific prefix if several credentials of the same type are 
available.
+        token:
+          type: string
+        expires-at-ms:
+          type: integer
+          format: int64
+          description: The epoch millis since 1970-01-01T00:00:00Z at which 
the given token expires
+
+    S3Credential:
+      type: object
+      allOf:
+        - $ref: '#/components/schemas/Credential'
+      required:
+        - type
+        - access-key-id
+        - secret-access-key
+        - session-token

Review Comment:
   Yes we require those specifically to make the credentials temporary and not 
accidentally leak non-expiring credentials (see also 
https://docs.google.com/document/d/1lySd_5hMZNtISLKsOvAq7xiNzdXU6TAoHF_yrOXWQvM/edit#heading=h.hs6r9d26w1y2
 where this is mentioned)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org
For additional commands, e-mail: issues-h...@iceberg.apache.org