c-thiel opened a new issue, #14100: URL: https://github.com/apache/iceberg/issues/14100
### Apache Iceberg version 1.10.0 (latest release) ### Query engine Spark ### Please describe the bug 🐞 When using remote signing with two REST Catalogs, they usually use different S3 remote signing URLs. However currently in Iceberg, we initialize a static HTTP Client including the base_url of the signer: https://github.com/apache/iceberg/blob/4816bf3b5ad68f1c9c2f98c55b56956e9449f178/aws/src/main/java/org/apache/iceberg/aws/s3/signer/S3V4RestSignerClient.java#L142-L146 When querying the first table of a second catalog, the base URL of the first Catalog is still present in the HTTP Client, so a remote signing requests sends Credentials from the second Catalog to the first - leaking Credentials. This also results in an error: ``` Caused by: org.apache.iceberg.exceptions.NotAuthorizedException: Not authorized: at org.apache.iceberg.rest.ErrorHandlers$DefaultErrorHandler.accept(ErrorHandlers.java:234) at org.apache.iceberg.rest.ErrorHandlers$DefaultErrorHandler.accept(ErrorHandlers.java:212) at org.apache.iceberg.rest.HTTPClient.throwFailure(HTTPClient.java:215) at org.apache.iceberg.rest.HTTPClient.execute(HTTPClient.java:299) at org.apache.iceberg.rest.BaseHTTPClient.post(BaseHTTPClient.java:100) at org.apache.iceberg.aws.s3.signer.S3V4RestSignerClient.sign(S3V4RestSignerClient.java:256) at software.amazon.awssdk.core.internal.http.pipeline.stages.SigningStage.lambda$signRequest$4(SigningStage.java:154) at software.amazon.awssdk.core.internal.util.MetricUtils.measureDuration(MetricUtils.java:63) at software.amazon.awssdk.core.internal.http.pipeline.stages.SigningStage.signRequest(SigningStage.java:153) ``` ### Willingness to contribute - [ ] I can contribute a fix for this bug independently - [ ] I would be willing to contribute a fix for this bug with guidance from the Iceberg community - [ ] I cannot contribute a fix for this bug at this time -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
