fix conflict

Author: MonkeyCanCode

.github/workflows/stale.yml

@@ -22,7 +22,7 @@ jobs:
   stale:
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f
+      - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008
         with:
           days-before-close: 5
           days-before-stale: 30

.gitignore

@@ -64,7 +64,7 @@ gradle/wrapper/gradle-wrapper-*.sha256
 .env
 
 # IntelliJ
-/.idea
+.idea/
 *.iml
 *.ipr
 *.iws
@@ -100,3 +100,9 @@ hs_err_pid*
 
 # macOS
 *.DS_Store
+
+# vscode
+.vscode/
+
+# Python Virtual Env
+.venv

CHANGELOG.md

@@ -32,13 +32,13 @@ request adding CHANGELOG notes for breaking (!) changes and possibly other secti
 ### Upgrade Notes
 
 - Amazon RDS plugin enabled, this allows polaris to connect to AWS Aurora PostgreSQL using IAM authentication.
-- The EclipseLink Persistence implementation has been deprecated since 1.0.0 and will be completely removed
-  in 1.3.0 or in 2.0.0 (whichever happens earlier).
 
 ### Breaking Changes
 
 ### New Features
 
+- Added a finer grained authorization model for UpdateTable requests. Existing privileges continue to work for granting UpdateTable, such as `TABLE_WRITE_PROPERTIES`.
+  However, you can now instead grant privileges just for specific operations, such as `TABLE_ADD_SNAPSHOT`
 - Added a Management API endpoint to reset principal credentials, controlled by the `ENABLE_CREDENTIAL_RESET` (default: true) feature flag.
 - The `ENABLE_SUB_CATALOG_RBAC_FOR_FEDERATED_CATALOGS` was added to support sub-catalog (initially namespace and table) RBAC for federated catalogs.
   The setting can be configured on a per-catalog basis by setting the catalog property: `polaris.config.enable-sub-catalog-rbac-for-federated-catalogs`.
@@ -53,6 +53,11 @@ request adding CHANGELOG notes for breaking (!) changes and possibly other secti
 ### Deprecations
 
 * The property `polaris.active-roles-provider.type` is deprecated and has no effect anymore.
+- The EclipseLink Persistence implementation has been deprecated since 1.0.0 and will be completely removed
+  in 1.3.0 or in 2.0.0 (whichever happens earlier).
+- The legacy management endpoints at `/metrics` and `/healthcheck` have been deprecated in 1.2.0 and will be
+  completely removed in 1.3.0 or in 2.0.0 (whichever happens earlier). Please use the standard management
+  endpoints at `/q/metrics` and `/q/health` instead.
 
 ### Fixes
 

build-logic/src/main/kotlin/Utilities.kt

@@ -14,11 +14,6 @@
  * limitations under the License.
  */
 
-import java.io.File
-import java.io.FileOutputStream
-import java.nio.file.attribute.FileTime
-import java.util.zip.ZipFile
-import java.util.zip.ZipOutputStream
 import org.gradle.api.Project
 import org.gradle.process.JavaForkOptions
 
@@ -66,41 +61,3 @@ fun JavaForkOptions.addSparkJvmOptions() {
         "-Djdk.reflect.useDirectMethodHandle=false",
       )
 }
-
-/**
- * Rewrites the given ZIP file.
- *
- * The timestamps of all entries are set to `1980-02-01 00:00`, zip entries appear in a
- * deterministic order.
- */
-fun makeZipReproducible(source: File) {
-  val t = FileTime.fromMillis(318211200_000) // 1980-02-01 00:00 GMT
-
-  val outFile = File(source.absolutePath + ".tmp.out")
-
-  val names = mutableListOf<String>()
-  ZipFile(source).use { zip -> zip.stream().forEach { e -> names.add(e.name) } }
-  names.sort()
-
-  ZipOutputStream(FileOutputStream(outFile)).use { dst ->
-    ZipFile(source).use { zip ->
-      names.forEach { n ->
-        val e = zip.getEntry(n)
-        zip.getInputStream(e).use { src ->
-          e.setCreationTime(t)
-          e.setLastAccessTime(t)
-          e.setLastModifiedTime(t)
-          dst.putNextEntry(e)
-          src.copyTo(dst)
-          dst.closeEntry()
-          src.close()
-        }
-      }
-    }
-  }
-
-  val origFile = File(source.absolutePath + ".tmp.orig")
-  source.renameTo(origFile)
-  outFile.renameTo(source)
-  origFile.delete()
-}

build-logic/src/main/kotlin/polaris-java.gradle.kts

@@ -18,10 +18,12 @@
  */
 
 import java.util.Properties
+import kotlin.jvm.java
 import net.ltgt.gradle.errorprone.CheckSeverity
 import net.ltgt.gradle.errorprone.errorprone
 import org.gradle.api.tasks.compile.JavaCompile
 import org.gradle.api.tasks.testing.Test
+import org.gradle.kotlin.dsl.assign
 import org.gradle.kotlin.dsl.named
 import org.kordamp.gradle.plugin.jandex.JandexExtension
 import org.kordamp.gradle.plugin.jandex.JandexPlugin
@@ -254,20 +256,34 @@ configurations.all {
     }
 }
 
-if (plugins.hasPlugin("io.quarkus")) {
-  tasks.named("quarkusBuild") {
-    actions.addLast {
-      listOf(
-          "quarkus-app/quarkus-run.jar",
-          "quarkus-app/quarkus/generated-bytecode.jar",
-          "quarkus-app/quarkus/transformed-bytecode.jar",
-        )
-        .forEach { name ->
-          val file = project.layout.buildDirectory.get().file(name).asFile
-          if (file.exists()) {
-            makeZipReproducible(file)
-          }
-        }
-    }
-  }
+gradle.sharedServices.registerIfAbsent(
+  "intTestParallelismConstraint",
+  TestingParallelismHelper::class.java,
+) {
+  val intTestParallelism =
+    Integer.getInteger(
+      "polaris.intTestParallelism",
+      (Runtime.getRuntime().availableProcessors() / 4).coerceAtLeast(1),
+    )
+  maxParallelUsages = intTestParallelism
+}
+
+gradle.sharedServices.registerIfAbsent(
+  "testParallelismConstraint",
+  TestingParallelismHelper::class.java,
+) {
+  val testParallelism =
+    Integer.getInteger(
+      "polaris.testParallelism",
+      (Runtime.getRuntime().availableProcessors() / 2).coerceAtLeast(1),
+    )
+  maxParallelUsages = testParallelism
+}
+
+abstract class TestingParallelismHelper : BuildService<BuildServiceParameters.None>
+
+tasks.withType<Test>().configureEach {
+  val constraintName =
+    if ("test" == name) "testParallelismConstraint" else "intTestParallelismConstraint"
+  usesService(gradle.sharedServices.registrations.named(constraintName).get().service)
 }

build-logic/src/main/kotlin/polaris-runtime.gradle.kts

@@ -95,3 +95,26 @@ tasks.named("javadoc") { dependsOn("jandex") }
 tasks.named("quarkusDependenciesBuild") { dependsOn("jandex") }
 
 tasks.named("imageBuild") { dependsOn("jandex") }
+
+tasks.withType(Test::class.java).configureEach {
+  // Gradle's Jacoco plugin doesn't work well with Quarkus's test coverage
+  extensions.configure(JacocoTaskExtension::class) { isEnabled = false }
+
+  // Quarkus tests run "in isolated class loaders", which means that class-statically active
+  // resources pile up used JVM, as those classes cannot be GC'd.
+  // Examples of those statically held active resources are:
+  // - Iceberg's worker pools (thread pools, executors, etc.)
+  // - Hadoop's stats-cleaner (org.apache.hadoop.fs.FileSystem.Statistics.STATS_DATA_CLEANER)
+  // - Guava's 'MoreExecutors' (via Iceberg `ThreadPools`)`
+  // Forcing a new JVM after each test class works around this issue.
+  forkEvery = 1
+
+  maxParallelForks = 1
+
+  // enlarge the max heap size to avoid out of memory error
+  maxHeapSize = "4g"
+
+  // Silence the 'OpenJDK 64-Bit Server VM warning: Sharing is only supported for boot loader
+  // classes because bootstrap classpath has been appended' warning from OpenJDK.
+  jvmArgs("-Xshare:off")
+}

client/python/cli/api_client_builder.py

@@ -0,0 +1,188 @@
+#
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing,
+#  software distributed under the License is distributed on an
+#  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#  KIND, either express or implied.  See the License for the
+#  specific language governing permissions and limitations
+#  under the License.
+#
+import json
+import os
+from argparse import Namespace
+from functools import cached_property
+from typing import Optional, Dict
+
+from cli.constants import (
+  CONFIG_FILE,
+  CLIENT_PROFILE_ENV,
+  CLIENT_ID_ENV,
+  CLIENT_SECRET_ENV,
+  REALM_ENV,
+  HEADER_ENV,
+  Arguments,
+  DEFAULT_HOSTNAME,
+  DEFAULT_PORT
+)
+from cli.options.option_tree import Argument
+from polaris.management import ApiClient, Configuration
+
+
+def _load_profiles() -> Dict[str, str]:
+    if not os.path.exists(CONFIG_FILE):
+        return {}
+    with open(CONFIG_FILE, "r") as f:
+        return json.load(f)
+
+
+class BuilderConfig:
+    def __init__(self, options: Namespace):
+        self.options = options
+        self.proxy = options.proxy
+        self.access_token = options.access_token
+
+    @cached_property
+    def profile(self) -> Dict[str, str]:
+        profile = {}
+        client_profile = self.options.profile or os.getenv(CLIENT_PROFILE_ENV)
+        if client_profile:
+            profiles = _load_profiles()
+            profile = profiles.get(client_profile)
+            if not profile:
+                raise Exception(f"Polaris profile {client_profile} not found")
+        return profile
+
+    @cached_property
+    def base_url(self) -> str:
+        if self.options.base_url:
+            if self.options.host is not None or self.options.port is not None:
+                raise Exception(
+                    f"Please provide either {Argument.to_flag_name(Arguments.BASE_URL)} or"
+                    f" {Argument.to_flag_name(Arguments.HOST)} &"
+                    f" {Argument.to_flag_name(Arguments.PORT)}, but not both"
+                )
+            return self.options.base_url
+
+        host = self.options.host or self.profile.get(Arguments.HOST) or DEFAULT_HOSTNAME
+        port = self.options.port or self.profile.get(Arguments.PORT) or DEFAULT_PORT
+        return f"http://{host}:{port}"
+
+    @cached_property
+    def management_url(self) -> str:
+        return f"{self.base_url}/api/management/v1"
+
+    @cached_property
+    def catalog_url(self) -> str:
+        return f"{self.base_url}/api/catalog/v1"
+
+    @cached_property
+    def client_id(self) -> Optional[str]:
+        return (
+                self.options.client_id
+                or os.getenv(CLIENT_ID_ENV)
+                or self.profile.get(Arguments.CLIENT_ID)
+        )
+
+    @cached_property
+    def client_secret(self) -> Optional[str]:
+        return (
+                self.options.client_secret
+                or os.getenv(CLIENT_SECRET_ENV)
+                or self.profile.get(Arguments.CLIENT_SECRET)
+        )
+
+    @cached_property
+    def realm(self) -> Optional[str]:
+        realms = (
+                self.options.realm
+                or os.getenv(REALM_ENV)
+                or self.profile.get(Arguments.REALM)
+        )
+        return realms
+
+    @cached_property
+    def header(self) -> Optional[str]:
+        return (
+                self.options.header
+                or os.getenv(HEADER_ENV)
+                or self.profile.get(Arguments.HEADER)
+        )
+
+
+class ApiClientBuilder:
+    def __init__(self, options: Namespace, *, direct_authentication: bool = False):
+        self.conf = BuilderConfig(options)
+        self.direct_auth_enabled = direct_authentication
+
+    def _get_token(self):
+        header_params = {"Content-Type": "application/x-www-form-urlencoded"}
+        if self.conf.header and self.conf.realm:
+            header_params[self.conf.header] = self.conf.realm
+
+        conf = Configuration(host=self.conf.management_url)
+        conf.proxy = self.conf.proxy
+        api_client = ApiClient(conf)
+        response = api_client.call_api(
+            "POST",
+            f"{self.conf.catalog_url}/oauth/tokens",
+            header_params=header_params,
+            post_params={
+                "grant_type": "client_credentials",
+                "client_id": self.conf.client_id,
+                "client_secret": self.conf.client_secret,
+                "scope": "PRINCIPAL_ROLE:ALL",
+            },
+        ).response.data
+        if "access_token" not in json.loads(response):
+            raise Exception("Failed to get access token")
+        return json.loads(response)["access_token"]
+
+    def _build(self) -> ApiClient:
+        has_access_token = self.conf.access_token is not None
+        has_client_secret = self.conf.client_id is not None and self.conf.client_secret is not None
+        if has_access_token and (self.conf.client_id or self.conf.client_secret):
+            raise Exception(
+                f"Please provide credentials via either {Argument.to_flag_name(Arguments.CLIENT_ID)} &"
+                f" {Argument.to_flag_name(Arguments.CLIENT_SECRET)} or"
+                f" {Argument.to_flag_name(Arguments.ACCESS_TOKEN)}, but not both"
+            )
+        if not has_access_token and not has_client_secret:
+            raise Exception(
+                f"Please provide credentials via either {Argument.to_flag_name(Arguments.CLIENT_ID)} &"
+                f" {Argument.to_flag_name(Arguments.CLIENT_SECRET)} or"
+                f" {Argument.to_flag_name(Arguments.ACCESS_TOKEN)}."
+                f" Alternatively, you may set the environment variables {CLIENT_ID_ENV} &"
+                f" {CLIENT_SECRET_ENV}."
+            )
+
+        config = Configuration(host=self.conf.management_url)
+        config.proxy = self.conf.proxy
+        if has_access_token:
+            config.access_token = self.conf.access_token
+        elif has_client_secret:
+            config.username = self.conf.client_id
+            config.password = self.conf.client_secret
+
+        if not has_access_token and not self.direct_auth_enabled:
+            config.username = None
+            config.password = None
+            config.access_token = self._get_token()
+
+        client_params = {}
+        if self.conf.realm and self.conf.header:
+            client_params["header_name"] = self.conf.header
+            client_params["header_value"] = self.conf.realm
+
+        return ApiClient(config, **client_params)
+
+    def get_api_client(self) -> ApiClient:
+        return self._build()