adutra commented on code in PR #3750:
URL: https://github.com/apache/polaris/pull/3750#discussion_r2895132457
##########
runtime/service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogHandler.java:
##########
@@ -1313,13 +1339,53 @@ private void checkAllowExternalCatalogCredentialVending(
&& !realmConfig()
.getConfig(
FeatureConfiguration.ALLOW_EXTERNAL_CATALOG_CREDENTIAL_VENDING, catalogEntity))
{
+
+ String modeDescription =
+ switch (resolvedMode) {
+ case VENDED_CREDENTIALS -> "Credential vending";
+ case REMOTE_SIGNING -> "Request signing";
+ default -> "Access delegation";
+ };
+
throw new ForbiddenException(
- "Access Delegation is not enabled for this catalog. Please consult
applicable "
+ "%s is not enabled for this external catalog. Please consult
applicable "
+ "documentation for the catalog config property '%s' to enable
this feature",
+ modeDescription,
FeatureConfiguration.ALLOW_EXTERNAL_CATALOG_CREDENTIAL_VENDING.catalogConfig());
}
}
+ /**
+ * Resolves the access delegation mode by delegating to the configured {@link
+ * AccessDelegationModeResolver}.
+ *
+ * <p>If no modes are requested, returns {@link
AccessDelegationMode#UNKNOWN} immediately.
+ * Otherwise, delegates to the resolver to determine the optimal mode based
on catalog
+ * capabilities.
+ *
+ * @param requestedModes The set of delegation modes requested by the client
+ * @return The resolved access delegation mode
+ */
+ protected AccessDelegationMode resolveAccessDelegationModes(
+ EnumSet<AccessDelegationMode> requestedModes) {
+ if (requestedModes.isEmpty()) {
+ return AccessDelegationMode.UNKNOWN;
+ }
Review Comment:
I think this should throw.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
