Re: [PR] REST: Auto Refresh Creds for long running tasks [iceberg]

Mon, 04 Aug 2025 03:59:41 -0700 


nastra commented on code in PR #13716:
URL: https://github.com/apache/iceberg/pull/13716#discussion_r2251137978


##########
core/src/main/java/org/apache/iceberg/rest/RESTSessionCatalog.java:
##########
@@ -992,6 +992,38 @@ private FileIO newFileIO(
     }
   }
 
+  private FileIO tableFileIO(
+      SessionContext context,
+      TableIdentifier identifier,
+      Map<String, String> config,
+      List<Credential> storageCredentials) {
+    // Check if either credential refresh is enabled from either client side 
or server side.
+    // TODO: convert this to constants.
+    boolean s3RefreshEnabled =
+        PropertyUtil.propertyAsBoolean(config, 
"client.refresh-credentials-enabled", false)
+            || PropertyUtil.propertyAsBoolean(
+                properties(), "client.refresh-credentials-enabled", false);
+    boolean adlsRefreshEnabled =
+        PropertyUtil.propertyAsBoolean(config, 
"adls.refresh-credentials-enabled", false)
+            || PropertyUtil.propertyAsBoolean(
+                properties(), "adls.refresh-credentials-enabled", false);
+
+    // Inject the credentials refresh endpoint if, refresh is configured.
+    // This is done because the server would not know the complete URI of the 
refresh endpoint.

Review Comment:
   why would the server not know the URI to refresh credentials for a given 
table? 
   When the server returns the table during a table load, it already knows 
which table this is about and can therefore properly tell the client whether 
this table uses vended creds and whether those vended creds should be 
refreshable via a particular endpoint. The server can then either construct 
what you currently have in `tableCredentials(..)` or return a different 
endpoint.
   
   The main point here is that only the server knows/controls what kind of 
credentials to use for a particular table and how/whether to refresh them.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to