rdblue commented on issue #16471: URL: https://github.com/apache/iceberg/issues/16471#issuecomment-4503523080

I think that the scope of this issue is limited. Path-based tables are deprecated in the spec and only left in Iceberg for people who have not been able to move off of them. This also only affects FileIO for file systems that resolve these names. I'm not concerned about the point about REST catalogs backed by FS tables since FS tables are deprecated and that is actually a path to move off of them.

The attacker would need to control the namespace and table name to read or drop, but be able to submit the request to a shared system using a shared identity. If the user were interacting with HDFS or the local FS directly with their own permissions, this would not be a problem because they could directly read or delete files. This also is not a problem in shared systems (like Trino) that assume the user's identity. It isn't a problem when a service identity has access only to the warehouse directory. And the attacker must have access to that shared query engine.

I think there could be a deployment of a shared query engine that uses an over-privileged service identity with a FS-based catalog, so this seems valid. However, I would say that we should not prioritize updating code that is already discouraged and deprecated. This is more reason not to use FS-based catalogs.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
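The mitigation the comment implies for an FS-based catalog is that namespace and table identifiers must never be allowed to steer a resolved path outside the warehouse directory. The following is an added example (not Iceberg code, and not from the commenter); it assumes a HadoopCatalog-style layout of `<warehouse>/<ns1>/.../<table>` and shows a containment check a deployment with an over-privileged service identity could apply before reading or dropping:

```python
import posixpath
from pathlib import PurePosixPath


class UnsafeIdentifier(ValueError):
    """Raised when a namespace or table name would escape the warehouse."""


def validate_component(part: str) -> str:
    # A path-based catalog turns identifier strings straight into path
    # segments, so reject anything the filesystem would interpret as
    # structure: empty parts, dot-segments, separators and NUL bytes.
    if not part or part in (".", "..") or any(c in part for c in "/\\\x00"):
        raise UnsafeIdentifier(f"unsafe identifier component: {part!r}")
    return part


def table_location(warehouse: str, namespace: list[str], table: str) -> str:
    """Build <warehouse>/<ns...>/<table> and confirm it stays under the warehouse.

    Layout is assumed (HadoopCatalog-style); the check is the point, not the layout.
    """
    parts = [validate_component(p) for p in [*namespace, table]]
    root = PurePosixPath(posixpath.normpath(warehouse))
    candidate = PurePosixPath(posixpath.normpath(str(root.joinpath(*parts))))
    # Defense in depth: even after per-component validation, require that the
    # normalized location is strictly inside the warehouse root.
    if root not in candidate.parents:
        raise UnsafeIdentifier(f"{candidate} escapes warehouse {root}")
    return str(candidate)


def is_safe_identifier(warehouse: str, namespace: list[str], table: str) -> bool:
    """Convenience wrapper: True if the identifier resolves inside the warehouse."""
    try:
        table_location(warehouse, namespace, table)
        return True
    except UnsafeIdentifier:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed identifier, one that tries to
    # climb out of the warehouse and must be rejected.
    print(table_location("/warehouse", ["db"], "events"))
    print(is_safe_identifier("/warehouse", ["../outside"], "t"))
```

A service identity that is scoped to the warehouse directory alone does not need this, as the comment notes; the check matters only where the identity can reach paths outside it.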
