gaocho commented on issue #3742:
URL: https://github.com/apache/polaris/issues/3742#issuecomment-3887536545
@dimas-b @jbonofre
**Progress Update**
Credential Vending Issue Status
The original "AWS Access Key Id does not exist" error no longer appears.
While I cannot definitively confirm the credential vending is completely fixed
(it could resurface), the error has stopped occurring after implementing the
following configuration:
```
{
  "properties": {
    "default-base-location": "s3://iceberg/warehouse"
    // NO credentials in properties
  },
  "storageConfigInfo": {
    "storageType": "S3",
    "endpoint": "my_netapp_endpoint",
    "pathStyleAccess": true,
    "stsUnavailable": true,
    "allowedLocations": ["s3://iceberg/warehouse"]
  }
}
```
**Current Status:**
- ✅ `CREATE NAMESPACE polaris.test` - **SUCCEEDS**
- ❌ `CREATE TABLE polaris.test.table1 (...)` - **FAILS with SSL handshake error**
**Current Issue: SSL Handshake Failure**
**Error:**
```
javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
Caused by: java.io.EOFException: SSL peer shut down incorrectly
```
**What I've Verified:**
- Credentials are valid
- All 7 NetApp S3 certificates imported to Java truststore
- Polaris started with explicit trustStore configuration
- SSL debug logging enabled:
```
java -Djavax.net.debug=ssl,handshake -jar quarkus-run.jar 2>&1 | tee polaris-ssl-debug.log
```
**Debug Output Observations:**
From Polaris server logs during table creation attempt:
- HTTP 500 error returned to Spark: `POST /api/catalog/v1/netapp_iceberg/namespaces/test/tables HTTP/1.1" 500`
- Multiple retry attempts (5 attempts observed), all failing with same SSL error
- **Critical finding:** No SSL handshake debug output appears for the S3 connection, despite `-Djavax.net.debug=ssl,handshake` being set
- This suggests the AWS SDK S3 client is not using the Java SSL debug infrastructure or trustStore configuration
**Stack trace shows:**
```
software.amazon.awssdk.core.exception.SdkClientException: Unable to execute HTTP request: Remote host terminated the handshake
    at software.amazon.awssdk.core.internal.http.pipeline.stages.RetryableStage.execute
    ...
Caused by: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord
    ...
Caused by: java.io.EOFException: SSL peer shut down incorrectly
```
**Analysis**
The issue appears to be that Polaris's AWS SDK S3 client is not respecting
the Java trustStore configuration provided via -Djavax.net.ssl.trustStore. The
namespace creation succeeds (Polaris REST API calls work fine), but when
Polaris attempts to write table metadata to NetApp S3, the AWS SDK's HTTP
client fails the SSL handshake.
**Evidence:**
- Namespace operations work (Polaris internal database operations)
- AWS CLI with same credentials and endpoint works
- Java trustStore contains all necessary certificates (verified)
- SSL debug output shows no certificate validation attempts for S3 connections
- Error originates from AWS SDK internal HTTP pipeline, not Java's native SSL
**Questions:**
- Does Polaris's AWS SDK S3 client honor the JVM's `-Djavax.net.ssl.trustStore` parameter?
- Is there a Polaris-specific configuration for AWS SDK SSL/TLS settings when connecting to S3-compatible storage with custom certificates?
- Should there be additional configuration in `application.properties` to configure the AWS SDK's trust manager?
**Request**
Documentation or guidance on configuring Polaris + AWS SDK for S3-compatible
storage with custom SSL certificates. This is a valid enterprise use case where
organizations use private S3-compatible storage with internal CAs.
Thank you for your anticipated assistance!
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
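The comment above asks whether the AWS SDK S3 client picks up the JVM truststore and how to configure its trust manager explicitly. The following is an added example, not code from the issue, from Polaris, or from the AWS SDK project. It assumes AWS SDK for Java v2 with the Apache HTTP client (the `software.amazon.awssdk` package names in the stack trace indicate SDK v2; which HTTP client Polaris itself wires in is an assumption). It does two things: first it performs a bare JSSE handshake against the endpoint using trust managers built from the truststore, so that a server-side close (an `EOFException` before any certificate is exchanged) can be told apart from a trust failure on the client; then it builds an `S3Client` whose Apache HTTP client is handed those same trust managers through `tlsTrustManagersProvider`, so the client cannot silently fall back to a different trust store. The endpoint, truststore path, bucket name and credentials are placeholders taken from or modelled on the values in the comment.

```java
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.http.TlsTrustManagersProvider;
import software.amazon.awssdk.http.apache.ApacheHttpClient;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.S3Configuration;
import software.amazon.awssdk.services.s3.model.ListObjectsV2Request;

public class S3TrustStoreCheck {

    // Build trust managers that trust ONLY the CAs in the given JKS/PKCS12 truststore.
    static TrustManager[] loadTrustManagers(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf.getTrustManagers();
    }

    // Step 1: plain JSSE handshake with no SDK involved. Hostname verification is enabled,
    // so a certificate whose SAN does not cover the endpoint host also fails here.
    static void checkHandshake(String host, int port, TrustManager[] tms) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tms, null);
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            sock.setSSLParameters(params);
            sock.startHandshake();
            System.out.println("handshake ok: " + sock.getSession().getProtocol()
                + " / " + sock.getSession().getCipherSuite());
            for (Certificate c : sock.getSession().getPeerCertificates()) {
                System.out.println("  peer cert: " + ((X509Certificate) c).getSubjectX500Principal());
            }
        }
    }

    // Step 2: S3 client whose Apache HTTP client is given the trust managers explicitly
    // (hypothetical wiring for this example; not how Polaris configures its client).
    static S3Client buildClient(URI endpoint, TrustManager[] tms, String accessKey, String secretKey) {
        TlsTrustManagersProvider provider = () -> tms;
        return S3Client.builder()
            .endpointOverride(endpoint)
            .region(Region.US_EAST_1) // a region is still required with a custom endpoint
            .credentialsProvider(StaticCredentialsProvider.create(
                AwsBasicCredentials.create(accessKey, secretKey)))
            .serviceConfiguration(S3Configuration.builder().pathStyleAccessEnabled(true).build())
            .httpClient(ApacheHttpClient.builder().tlsTrustManagersProvider(provider).build())
            .build();
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: endpoint from the comment, truststore path and credentials are assumptions.
        URI endpoint = URI.create(args.length > 0 ? args[0] : "https://my_netapp_endpoint");
        String trustStore = System.getProperty("javax.net.ssl.trustStore", "/path/to/truststore.p12");
        char[] password = System.getProperty("javax.net.ssl.trustStorePassword", "changeit").toCharArray();

        TrustManager[] tms = loadTrustManagers(trustStore, password);
        int port = endpoint.getPort() == -1 ? 443 : endpoint.getPort();
        checkHandshake(endpoint.getHost(), port, tms);

        try (S3Client s3 = buildClient(endpoint, tms,
                System.getenv("AWS_ACCESS_KEY_ID"), System.getenv("AWS_SECRET_ACCESS_KEY"))) {
            s3.listObjectsV2(ListObjectsV2Request.builder().bucket("iceberg").maxKeys(1).build());
            System.out.println("S3 request over TLS ok");
        }
    }
}
```

Run it with the same `-Djavax.net.ssl.trustStore` and `-Djavax.net.debug=ssl,handshake` flags used for Polaris; because step 1 goes through JSSE directly, it always produces handshake debug output. If step 1 fails with the same `EOFException` before any `ServerHello` is logged, the server closed the connection on its own and the truststore content is not the deciding factor; if step 1 succeeds but step 2 fails, the difference lies in how the SDK's HTTP client is configured, which is the question the comment raises. The build needs the `software.amazon.awssdk:s3` and `software.amazon.awssdk:apache-client` artifacts on the classpath.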