adutra commented on issue #10537: URL: https://github.com/apache/iceberg/issues/10537#issuecomment-2847060907
Hi @flyrain, indeed I think we just closed M3 with 1.9.0 (Auth Manager API). Depending on what we consider a "reference implementation", M4 could be achieved by the work that Dremio just open-sourced: https://github.com/dremio/iceberg-auth-manager – as it aims at complying with @c-thiel's [document](https://docs.google.com/document/d/1buW9PCNoHPeP7Br5_vZRTU-_3TExwLx6bs075gi94xc/edit?tab=t.0).

As for M5 (removing the token endpoint), I understand the practical aspect for tests, but I think it's relatively easy nowadays to test a protected resource during integration tests with frameworks like Spring Boot or Quarkus.

On the other hand, I think there is value in removing the endpoint eventually as I believe it will trigger a virtuous cycle of increased awareness among catalog vendors of the security aspects of a catalog offering (be it managed or on-prem). The separation of concerns between Authorization and Resource servers will certainly bring its share of new challenges (e.g. how to properly create table sessions if the catalog server cannot vend OAuth tokens?) – but solving those challenges goes imho in the good direction: that of increased security.