ChangxingJiang opened a new issue, #2746:
URL: https://github.com/apache/iceberg-python/issues/2746

   ### Apache Iceberg version
   
   0.10.0 (latest release)
   
   ### Please describe the bug 🐞
   
   # Problem
   
   When using PyIceberg to connect to the Iceberg REST Catalog maintained by LakeKeeper, a persistent 403 error occurs, with the following error message:
   
   ```python
   Traceback (most recent call last):
     File "/home/*/miniconda3/envs/test/lib/python3.10/site-packages/s3fs/core.py", line 114, in _error_wrapper
       return await func(*args, **kwargs)
     File "/home/*/miniconda3/envs/test/lib/python3.10/site-packages/aiobotocore/context.py", line 36, in wrapper
       return await func(*args, **kwargs)
     File "/home/*/miniconda3/envs/test/lib/python3.10/site-packages/aiobotocore/client.py", line 424, in _make_api_call
       raise error_class(parsed_resonse, operation_name)
   botocore.exceptions.ClientError: An error occurred (403) when calling the HeadObject operation: Forbidden
   
   ......
   ```
   
   When requesting an S3-compatible object storage, the Virtual-Hosted-Style URL format is used, whereas the logs from PyIceberg show paths in Path-Style format. This inconsistency between the two path styles results in mismatched V4 signatures, which in turn causes V4 signature verification to fail with a 403 Forbidden error.
   
   In LakeKeeper, signature generation defaults to the "Auto" mode, which determines the signature style based on the provided URL.
   
   # Expect
   
   If I enable Virtual-Hosted-Style, then the signature should also be generated using the Virtual-Hosted-Style format.
   
   # Reproduce
   
   - Use LakeKeeper as REST catalog, create warehouse with:
     - Disable path style access
     - Remote signing URL style: Auto
   - Use KeyCloak for OAuth2
   
   ```python
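   from pyiceberg.catalog import load_catalog

   # CLIENT_ID and CLIENT_SECRET are the OAuth2 client credentials, defined elsewhere.
   catalog = load_catalog(
       type="rest",
       uri="http://localhost:8181/catalog",
       warehouse="iceberg",
       credential=f"{CLIENT_ID}:{CLIENT_SECRET}",
       scope="lakekeeper",
       **{
           "oauth2-server-uri": "http://172.20.*.*:*/realms/master/protocol/openid-connect/token",
           # Ask for Virtual-Hosted-Style addressing instead of Path-Style.
           "s3.force-virtual-addressing": "true",
           "s3.path-style-access": "false"
       }
   )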
   ```
   
   
   
   ### Willingness to contribute
   
   - [ ] I can contribute a fix for this bug independently
   - [x] I would be willing to contribute a fix for this bug with guidance from the Iceberg community
   - [ ] I cannot contribute a fix for this bug at this time
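
The mismatch described in this issue can be reproduced offline. The following is an added example, not part of the original issue and not PyIceberg or LakeKeeper code: a minimal SigV4 signer showing that the `Host` header and the URI path are both covered by the signature, so a signature computed over the Path-Style form fails when the request is sent in Virtual-Hosted-Style form. The endpoint, bucket, object key, secret and date are constructed values, and the signed header set is reduced to the three headers shown.

```python
import hashlib
import hmac
from urllib.parse import quote, urlsplit

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of a body-less HEAD

def canonical_request(method, url, amz_date):
    """Build the SigV4 canonical request; host and path are both signed."""
    parts = urlsplit(url)
    headers = {"host": parts.netloc, "x-amz-content-sha256": EMPTY_SHA256,
               "x-amz-date": amz_date}
    names = sorted(headers)
    return "\n".join([
        method,
        quote(parts.path or "/", safe="/"),              # canonical URI
        "",                                              # canonical query (none)
        "".join(f"{n}:{headers[n]}\n" for n in names),   # canonical headers
        ";".join(names),                                 # signed header names
        EMPTY_SHA256,
    ])

def sign(method, url, secret, amz_date, region="us-east-1"):
    """Return the hex SigV4 signature for the request as addressed by url."""
    scope = [amz_date[:8], region, "s3", "aws4_request"]
    digest = hashlib.sha256(canonical_request(method, url, amz_date).encode()).hexdigest()
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, "/".join(scope), digest])
    key = ("AWS4" + secret).encode()
    for part in scope:                                   # derive the signing key
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def storage_accepts(method, sent_url, presented_sig, secret, amz_date):
    """Storage side: recompute from the request as received, then compare."""
    return hmac.compare_digest(sign(method, sent_url, secret, amz_date), presented_sig)

# Constructed sample values (not taken from the issue).
SECRET = "EXAMPLE-SECRET-KEY"
DATE = "20250101T000000Z"
KEY = "db/tbl/metadata/00000.metadata.json"
PATH_STYLE = f"http://s3.example.test:9000/iceberg/{KEY}"
VHOST_STYLE = f"http://iceberg.s3.example.test:9000/{KEY}"

def demo():
    """Send the request Virtual-Hosted-Style with each of the two signatures."""
    path_sig = sign("HEAD", PATH_STYLE, SECRET, DATE)
    vhost_sig = sign("HEAD", VHOST_STYLE, SECRET, DATE)
    return {
        "signed_path_style": storage_accepts("HEAD", VHOST_STYLE, path_sig, SECRET, DATE),
        "signed_vhost_style": storage_accepts("HEAD", VHOST_STYLE, vhost_sig, SECRET, DATE),
    }
```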

