fivetran-ashokborra opened a new issue, #1380:
URL: https://github.com/apache/polaris/issues/1380

   ### Describe the bug
   
   **Bug:** 
   Polaris returns an Access Denied error instead of 404 for a missing metadata file
   
   **Error log:**
   ```
   "logger":"org.apache.polaris.service.catalog.BasePolarisCatalog",
   "message":"Access Denied or Forbidden error: User: arn:aws:sts::{account}:assumed-role/{role}/PolarisAwsCredentialsStorageIntegration is not authorized to perform: s3:ListBucket on resource: \"arn:aws:s3:::{bucket}\" because no session policy allows the s3:ListBucket action (Service: S3, Status Code: 403, Request ID: W6Q2D563ETEKR6XZ, Extended Request ID: Izq3QS7eZmGjhjfyoxJWMHeCgrFvUlpZjj73JYMO8i/qnKw6CjOaPVgOWVLFr/JsToTeTxO0YaM=)"
   
   ```
   
   
   ### To Reproduce
   
   1. Create a catalog, namespace and table 
   2. Insert some data in the table
   3. Go to the table's path in S3 and delete the latest metadata file referenced by the table
   
   Catalog details: 
   ```
   {
       "type": "INTERNAL",
       "type": "INTERNAL",
       "name": "test_catalog",
       "properties": {
           "default-base-location": "s3://ashok-test-local"
       },
       "createTimestamp": 1744800339841,
       "lastUpdateTimestamp": 1744800339841,
       "entityVersion": 1,
       "storageConfigInfo": {
           "storageType": "S3",
           "roleArn": "arn:aws:iam::{account}:role/{bucket}",
           "externalId": "test_id",
           "userArn": null,
           "storageType": "S3",
           "allowedLocations": [
               "s3://ashok-test-local"
           ]
       }
   }
   ```
   
   Note: The role had ListBucket permission on the entire bucket; the attached IAM policy is below
   
   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "AllowAll",
               "Effect": "Allow",
               "Action": [
                   "s3:*"
               ],
               "Resource": [
                   "arn:aws:s3:::{bucket}/*",
                   "arn:aws:s3:::{bucket}"
               ]
           }
       ]
   }
   ```
   
   ### Actual Behavior
   
   Throws 403 error instead of 404 for the missing metadata file 
   
   ### Expected Behavior
   
   Should return 404 error with the missing file location
   
   ### Additional context
   
   Same test case in the context of Azure returns 404 
   
   
   ```
   "logger":"org.apache.polaris.service.exception.IcebergExceptionMapper","message":"Unhandled exception returning INTERNAL_SERVER_ERROR","exception":"com.azure.storage.blob.models.BlobStorageException: Status code 404, \"<?xml version=\"1.0\" encoding=\"utf-8\"?><Error><Code>BlobNotFound</Code><Message>The specified blob does not exist.\nRequestId:0e14b080-f01e-0066-1bb2-ae9d8f000000\nTime:2025-04-16T09:36:06.9902103Z</Message></Error>\"\n\tat java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:733)\n\tat com.azure.core.implementation.MethodHandleReflectiveInvoker.invokeStatic(MethodHandleReflectiveInvoker.java:26)\n\tat com.azure.core.implementation.http.rest.ResponseExceptionConstructorCache.invoke(ResponseExceptionConstructorCache.java:53)\n\tat com.azure.core.implementation.http.rest.RestProxyBase.instantiateUnexpectedException(RestProxyBase.java:407)\n\tat com.azure.core.implementation.http.rest.AsyncRestProxy.lambda$ensureExpectedStatus$1(AsyncRestProxy.java:135)\n\tat
   ```
   
   ### System information
   
   _No response_
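
Added example, not part of the original issue and not Polaris code: the error text attributes the denial to the session policy rather than the role policy, and S3 answers a GetObject for a missing key with 404 only when the caller may `s3:ListBucket` on the bucket, otherwise 403. The sketch below models that with a simplified policy evaluator (no conditions, no resource-based policies); the bucket name and `SESSION_POLICY` are constructed assumptions, since the issue does not show the session policy attached to the vended credentials.

```python
import fnmatch

BUCKET = "example-bucket"  # constructed; the issue only shows the {bucket} placeholder

# Role (identity) policy as attached in the issue: s3:* on the bucket and its objects.
ROLE_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": ["s3:*"],
    "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"]}]}

# Constructed session policy (assumption): object access only, no s3:ListBucket.
SESSION_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": [f"arn:aws:s3:::{BUCKET}/*"]}]}


def allows(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, else any matching Allow."""
    allowed = False
    for st in policy["Statement"]:
        hit = (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in st["Action"])
               and any(fnmatch.fnmatchcase(resource, r) for r in st["Resource"]))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed


def effective(action, resource, role_policy, session_policy=None):
    """With a session policy, a request needs an Allow in both policies."""
    ok = allows(role_policy, action, resource)
    if session_policy is not None:
        ok = ok and allows(session_policy, action, resource)
    return ok


def missing_object_status(key, role_policy, session_policy=None):
    """HTTP status S3 returns for GetObject on a key that does not exist."""
    obj_arn = f"arn:aws:s3:::{BUCKET}/{key}"
    if not effective("s3:GetObject", obj_arn, role_policy, session_policy):
        return 403
    can_list = effective("s3:ListBucket", f"arn:aws:s3:::{BUCKET}",
                         role_policy, session_policy)
    return 404 if can_list else 403


if __name__ == "__main__":
    key = "ns/tbl/metadata/v2.metadata.json"  # constructed key
    print("role policy only:     ", missing_object_status(key, ROLE_POLICY))
    print("with session policy:  ", missing_object_status(key, ROLE_POLICY, SESSION_POLICY))
```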

