Re: [PR] Always propagate non-credential properties from AccessConfig to clients [polaris]

Fri, 19 Sep 2025 14:29:30 -0700 


flyrain commented on code in PR #2615:
URL: https://github.com/apache/polaris/pull/2615#discussion_r2364508032


##########
runtime/service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogHandler.java:
##########
@@ -794,10 +794,6 @@ private LoadTableResponse.Builder 
buildLoadTableResponseWithDelegationCredential
     LoadTableResponse.Builder responseBuilder =

Review Comment:
   It's a bit clutter that this method return a builder, so that caller need to 
invoke `build()`. The code would be cleaner if it returns a 
`LoadTableResponse`. Not a blocker though.



##########
runtime/service/src/intTest/java/org/apache/polaris/service/it/RestCatalogMinIOSpecialIT.java:
##########
@@ -266,23 +287,45 @@ public LoadTableResponse doTestCreateTable(RESTCatalog 
restCatalog) throws IOExc
     assertThat(response.contentLength()).isGreaterThan(0);
 
     LoadTableResponse loadTableResponse =
-        catalogApi.loadTableWithAccessDelegation(catalogName, id, "ALL");
-    assertThat(loadTableResponse.config())
-        .containsKey("s3.endpoint")
-        .containsEntry(
-            AwsClientProperties.REFRESH_CREDENTIALS_ENDPOINT,
-            "v1/" + catalogName + "/namespaces/test-ns/tables/t1/credentials");
+        catalogApi.loadTable(
+            catalogName,
+            id,
+            "ALL",
+            dm.map(v -> Map.of("X-Iceberg-Access-Delegation", 
v.protocolValue())).orElse(Map.of()));
+
+    assertThat(loadTableResponse.config()).containsKey(ENDPOINT);
+
+    if (dm.map(VENDED_CREDENTIALS::equals).orElse(false)) {
+      assertThat(loadTableResponse.config())
+          .containsEntry(
+              REFRESH_CREDENTIALS_ENDPOINT,
+              "v1/" + catalogName + 
"/namespaces/test-ns/tables/t1/credentials");
+      assertThat(loadTableResponse.credentials()).hasSize(1);
+    } else {
+      
assertThat(loadTableResponse.config()).doesNotContainKey(SECRET_ACCESS_KEY);
+      assertThat(loadTableResponse.config()).doesNotContainKey(ACCESS_KEY_ID);
+      
assertThat(loadTableResponse.config()).doesNotContainKey(REFRESH_CREDENTIALS_ENDPOINT);
+      assertThat(loadTableResponse.credentials()).isEmpty();
+    }

Review Comment:
   Can we move the validation logic to the caller(line 238)? I think it makes 
more sense to validate them, as the `AccessDelegationMode` is one of the test 
parameter. 
   Also I think we need to validate the ENDPOINT in case `AccessDelegationMode` 
is `VENDED_CREDENTIALS`. 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to