
Commit 6d7bfa5

committed
add refresh credentials property to loadTableResult
1 parent 42225b3 commit 6d7bfa5


2 files changed

+44
-1
lines changed


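--- a/polaris-core/src/main/java/org/apache/polaris/core/rest/PolarisResourcePaths.java
+++ b/polaris-core/src/main/java/org/apache/polaris/core/rest/PolarisResourcePaths.java
@@ -57,6 +57,17 @@ public String genericTables(Namespace ns) {
 "polaris", "v1", prefix, "namespaces", RESTUtil.encodeNamespace(ns), "generic-tables");
 }
 
+public String credentialsPath(TableIdentifier ident) {
+return SLASH.join(
+"v1",
+prefix,
+"namespaces",
+RESTUtil.encodeNamespace(ident.namespace()),
+"tables",
+RESTUtil.encodeString(ident.name()),
+"credentials");
+}
+
 public String genericTable(TableIdentifier ident) {
 return SLASH.join(
 "polaris",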
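Review bot: `credentialsPath` has no Javadoc, and its root differs from the neighbouring `genericTables`/`genericTable` builders, which start with `"polaris", "v1"` while this one starts with `"v1"`, so a reader cannot tell from the code whether the difference is intended. Add a comment along the lines of `/** Relative path of the table credentials endpoint: v1/{prefix}/namespaces/{namespace}/tables/{table}/credentials. */` and say what the path is resolved against, since the returned string carries no leading slash or host. The namespace and table name go through `RESTUtil` encoding, but `prefix` is joined as-is, as in the existing methods; the comment should state that `prefix` must already be path-safe, because this value is later handed to clients as a URL to call. The `genericTable` method that follows continues outside the hunk.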

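--- a/runtime/service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogAdapter.java
+++ b/runtime/service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogAdapter.java
@@ -40,6 +40,7 @@
 import java.util.Set;
 import java.util.function.Function;
 import org.apache.iceberg.MetadataUpdate;
+import org.apache.iceberg.aws.AwsClientProperties;
 import org.apache.iceberg.catalog.Namespace;
 import org.apache.iceberg.catalog.TableIdentifier;
 import org.apache.iceberg.exceptions.BadRequestException;
@@ -75,7 +76,9 @@
 import org.apache.polaris.core.persistence.resolver.ResolverFactory;
 import org.apache.polaris.core.persistence.resolver.ResolverStatus;
 import org.apache.polaris.core.rest.PolarisEndpoints;
+import org.apache.polaris.core.rest.PolarisResourcePaths;
 import org.apache.polaris.core.secrets.UserSecretsManager;
+import org.apache.polaris.core.storage.StorageAccessProperty;
 import org.apache.polaris.service.catalog.AccessDelegationMode;
 import org.apache.polaris.service.catalog.CatalogPrefixParser;
 import org.apache.polaris.service.catalog.api.IcebergRestCatalogApiService;
@@ -430,16 +433,45 @@ public Response loadTable(
 .loadTableIfStale(tableIdentifier, ifNoneMatch, snapshots)
 .orElseThrow(() -> new WebApplicationException(Response.Status.NOT_MODIFIED));
 } else {
-response =
+LoadTableResponse originalResponse =
 catalog
 .loadTableWithAccessDelegationIfStale(tableIdentifier, ifNoneMatch, snapshots)
 .orElseThrow(() -> new WebApplicationException(Response.Status.NOT_MODIFIED));
+
+if (delegationModes.contains(VENDED_CREDENTIALS)) {
+response =
+injectRefreshVendedCredentialProperties(
+originalResponse,
+new PolarisResourcePaths(prefix).credentialsPath(tableIdentifier));
+} else {
+response = originalResponse;
+}
 }
 
 return tryInsertETagHeader(Response.ok(response), response, namespace, table).build();
 });
 }
 
+private LoadTableResponse injectRefreshVendedCredentialProperties(
+LoadTableResponse originalResponse, String credentialsEndpoint) {
+LoadTableResponse.Builder loadResponseBuilder =
+LoadTableResponse.builder().withTableMetadata(originalResponse.tableMetadata());
+loadResponseBuilder.addAllConfig(originalResponse.config());
+loadResponseBuilder.addAllCredentials(originalResponse.credentials());
+loadResponseBuilder.addConfig(
+AwsClientProperties.REFRESH_CREDENTIALS_ENDPOINT, credentialsEndpoint);
+// Only enable credential refresh for currently supported credential types
+if (originalResponse.credentials().stream()
+.anyMatch(
+credential ->
+credential
+.config()
+.containsKey(StorageAccessProperty.AWS_SECRET_KEY.getPropertyName()))) {
+loadResponseBuilder.addConfig(AwsClientProperties.REFRESH_CREDENTIALS_ENABLED, "true");
+}
+return loadResponseBuilder.build();
+}
+
 @Override
 public Response tableExists(
 String prefix,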
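Review bot: In `injectRefreshVendedCredentialProperties`, `AwsClientProperties.REFRESH_CREDENTIALS_ENDPOINT` is added to the response config unconditionally, while only `REFRESH_CREDENTIALS_ENABLED` is gated on a credential carrying the AWS secret key property. A table whose vended credentials are not AWS, or that has none, therefore still advertises a refresh URL. Move `loadResponseBuilder.addConfig(AwsClientProperties.REFRESH_CREDENTIALS_ENDPOINT, credentialsEndpoint);` inside the `if` so both properties are emitted together, and give the method a short Javadoc saying that it rebuilds the response from metadata, config and credentials and when refresh is switched on. The handler behind the advertised path is not visible in this commit; because it hands out storage credentials, it should enforce the same table-level authorization as `loadTable` with access delegation, and that is worth confirming before clients start calling it. The `loadTable` body starts before the third hunk and `tableExists` continues past it.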
