iting0321 opened a new pull request, #3750:
URL: https://github.com/apache/polaris/pull/3750
## **Summary**
This PR introduces an improved algorithm for selecting the optimal
`AccessDelegationMode` when clients request both `VENDED_CREDENTIALS` and
`REMOTE_SIGNING`. The new implementation considers actual catalog capabilities
(STS availability) rather than using simple heuristics.
## **Problem**
Previously, when a client requested both `VENDED_CREDENTIALS` and
`REMOTE_SIGNING` modes via the `X-Iceberg-Access-Delegation` header, Polaris
would always prefer `VENDED_CREDENTIALS`.
However, this could lead to failures when:
- STS is unavailable for the catalog's storage configuration
- Credential subscoping is disabled via the `SKIP_CREDENTIAL_SUBSCOPING_INDIRECTION` configuration
In these cases, `REMOTE_SIGNING` would be the better choice, but the
original algorithm had no way to make this determination.
## **Solution**
Introduced `AccessDelegationModeResolver` - a dedicated component that
intelligently selects the optimal access delegation mode based on:
- Client request - The modes specified in the `X-Iceberg-Access-Delegation` header
- STS availability - Checks the `AwsStorageConfigurationInfo.getStsUnavailable()` flag
- Credential subscoping configuration - Respects the `SKIP_CREDENTIAL_SUBSCOPING_INDIRECTION` setting
## **How to Test**
```
./gradlew :polaris-runtime-service:test --tests "AccessDelegationModeResolverTest"
```
## **Related Issues**
#3090 - Improve access delegation mode selection algorithm
## Checklist
- [x] Don't disclose security issues! (contact [email protected])
- [x] Clearly explained why the changes are needed, or linked related issues: Fixes #3090
- [x] Added/updated tests with good coverage, or manually tested (and explained how) - Added `AccessDelegationModeResolverTest` with 15 unit tests
- [x] Added comments for complex logic
- [ ] Updated `CHANGELOG.md` (if needed)
- [ ] Updated documentation in `site/content/in-dev/unreleased` (if needed)
--
This is an automated message from the Apache Git Service.