Dremio merge 2025 08 18 11 02 (apache#104)

* Fix Keycloak getting-started example (apache#2349)

The `polaris-setup` container was erroneously including a non-existent scope when fetching a token from Keycloak.

* fix(deps): update dependency com.nimbusds:nimbus-jose-jwt to v10.4.2 (apache#2350)

* Use PolarisTaskConstants (apache#2346)

* Add a regression test for Catalog Federation (apache#2286)

* Add a regression test for Catalog Federation

* Install jq dependency

* Fix token issues

* Update regtests/README.md

Co-authored-by: Eric Maynard <emaynard@apache.org>

* Update README.md

---------

Co-authored-by: Eric Maynard <emaynard@apache.org>

* Modularize federation (Option 2) (apache#2332)

* Modularize federation (Option 2)

* Move polaris-extensions-federation-hadoop dependency

* Change identifier to lowerCase

* Change identifiers to constants

* Replace CallContext with RealmConfig in enforceFeatureEnabledOrThrow (apache#2348)

* Replace CallContext with RealmConfig in CatalogEntity (apache#2336)

* chore(deps): update registry.access.redhat.com/ubi9/openjdk-21-runtime docker tag to v1.23-6 (apache#2353)

* fix(deps): update dependency com.gradleup.shadow:shadow-gradle-plugin to v9.0.2 (apache#2358)

* chore(deps): update postgres docker tag to v17.6 (apache#2354)

* Add integration tests with Keycloak (apache#2343)

* Fix REST responses for failed Admin operations (apache#2291)

* Fix REST responses for failed Admin operations

the `boolean` return values of many methods in `PolarisAdminService`
were often simply not getting used at all, thus the REST api returned
success in those cases even though the `PrivilegeResult` was marked
as failed.
due to this fix a silently failing test now needs to be adjusted.

we return the `PrivilegeResult` instead of a `boolean` to give the
client at least some indication of what has gone wrong on the server
side.

note that some of the other operations were throwing Expcetions already,
which are already reported back correctly to the client.

* review: use http 400 BAD_REQUEST

* Make PolarisAuthorizer RequestScoped (apache#2340)

all methods in `PolarisAuthorizer` currently have a `CallContext`
parameter.
in its only implementation only `CallContext.getRealmConfig` is getting
used.

so since `PolarisAuthorizer` cant be used outside a request, we can
simply make it request-scoped and inject the request-scoped `RealmConfig`
directly.

* fix(deps): update mockito monorepo to v5.19.0 (apache#2360)

* Fix soft-merge conflict on `main` (apache#2364)

* feat(docs): Add Getting Stated guide for MinIO (apache#2227)

* feat(docs): Add Getting Stated guide for MinIO

A simple page of step-by-step instructions for setting
up a local environment with Polaris, MinIO and Spark.

Closes apache#1530

* IntelliJ: fix project icon in IJ project list (apache#2366)

... copy source has changed

* Use asMap property helpers (apache#2347)

seems like these helpers existed for a long time but were just not
getting used consistently

* SigV4 Auth Support for Catalog Federation - Part 2: Connection Config Persistence (apache#2190)

* Add SigV4 related DPOs

* Rename UserSecretReference to SecretReference and fix some small issues

* fix(deps): update dependency software.amazon.awssdk:bom to v2.32.24 (apache#2371)

* Rat-check: exclude venv, cleanup excludes, include .svg (apache#2363)

* `.svg` files are XML files and can contain a license header
* Re-grouped the exclusion rat patterns
* Added exclude for `.venv`
* Added exclude for `.ruff_cache`

* NoSQL: Async-impls: add some safeguards + javadoc spelling

* NoSQL: spelling

* NoSQL: dependency updates

* Last merged commit: 5a7686b

---------

Co-authored-by: Alexandre Dutra <adutra@apache.org>
Co-authored-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: Christopher Lambert <xn137@gmx.de>
Co-authored-by: Pooja Nilangekar <nilangekar.pooja@gmail.com>
Co-authored-by: Eric Maynard <emaynard@apache.org>
Co-authored-by: Dmitri Bourlatchkov <dmitri.bourlatchkov@gmail.com>
Co-authored-by: Rulin Xing <xjdkcsq3@gmail.com>

Author: 8 people

build.gradle.kts

@@ -50,7 +50,7 @@ if (System.getProperty("idea.sync.active").toBoolean()) {
   val icon = ideaDir.file("icon.png").asFile
   if (!icon.exists()) {
     copy {
-      from("docs/img/logos/polaris-brandmark.png")
+      from("site/static/img/logos/polaris-brandmark.png")
       into(ideaDir)
       rename { _ -> "icon.png" }
     }
@@ -60,11 +60,15 @@ if (System.getProperty("idea.sync.active").toBoolean()) {
 eclipse { project { name = ideName } }
 
 tasks.named<RatTask>("rat").configure {
-  // These are Gradle file pattern syntax
+  // Gradle
   excludes.add("**/build/**")
+  excludes.add("gradle/wrapper/gradle-wrapper*")
+  excludes.add(".gradle")
+  excludes.add("**/kotlin-compiler*")
+  excludes.add("**/build-logic/.kotlin/**")
 
-  excludes.add("docs/CNAME")
-  excludes.add("docs/index.html")
+  excludes.add("ide-name.txt")
+  excludes.add("version.txt")
 
   excludes.add("DISCLAIMER_WIP")
   excludes.add("LICENSE")
@@ -85,64 +89,61 @@ tasks.named<RatTask>("rat").configure {
   // Manifest files do not allow comments
   excludes.add("tools/version/src/jarTest/resources/META-INF/FAKE_MANIFEST.MF")
 
-  excludes.add(
-    "persistence/nosql/persistence/index/src/testFixtures/resources/org/apache/polaris/persistence/indexes/words.gz"
-  )
-
-  excludes.add("ide-name.txt")
-  excludes.add("version.txt")
+  // Git & GitHub
   excludes.add(".git")
-  excludes.add(".gradle")
-  excludes.add(".idea")
-  excludes.add(".java-version")
-  excludes.add("**/.keep")
-  excludes.add("**/poetry.lock")
-
   excludes.add(".github/pull_request_template.md")
 
-  excludes.add("spec/docs.yaml")
-  excludes.add("spec/index.yml")
+  // Misc build artifacts
+  excludes.add(".java-version")
+  excludes.add("**/.keep")
+  excludes.add("logs/**")
+  excludes.add("**/*.lock")
 
-  excludes.add("gradle/wrapper/gradle-wrapper*")
+  // Binary files
+  excludes.add(
+    "persistence/nosql/persistence/index/src/testFixtures/resources/org/apache/polaris/persistence/indexes/words.gz"
+  )
 
-  excludes.add("logs/**")
+  // Polaris service startup banner
   excludes.add("runtime/service/src/**/banner.txt")
 
+  // Web site
+  excludes.add("**/go.sum")
   excludes.add("site/node_modules/**")
   excludes.add("site/layouts/robots.txt")
   // Ignore generated stuff, when the Hugo is run w/o Docker
   excludes.add("site/public/**")
   excludes.add("site/resources/_gen/**")
   excludes.add("node_modules/**")
 
+  // Python
+  excludes.add("**/.venv/**")
   excludes.add("**/polaris-venv/**")
-
+  excludes.add("**/poetry.lock")
+  excludes.add("**/.ruff_cache/**")
+  excludes.add("**/.mypy_cache/**")
   excludes.add("**/.pytest_cache/**")
+  excludes.add("client/python/.openapi-generator/**")
+
+  // Jupyter
+  excludes.add("**/*.ipynb")
+
+  // regtests
   excludes.add("regtests/**/py.typed")
   excludes.add("regtests/**/*.ref")
   excludes.add("regtests/.env")
   excludes.add("regtests/derby.log")
   excludes.add("regtests/metastore_db/**")
-  excludes.add("client/python/.openapi-generator/**")
   excludes.add("regtests/output/**")
+  excludes.add("plugins/**/*.ref")
 
-  excludes.add("**/*.ipynb")
+  // IntelliJ
+  excludes.add(".idea")
   excludes.add("**/*.iml")
   excludes.add("**/*.iws")
 
+  // Rat can't scan binary images
   excludes.add("**/*.png")
-  excludes.add("**/*.svg")
-
-  excludes.add("**/*.lock")
-
-  excludes.add("**/*.env*")
-
-  excludes.add("**/go.sum")
-
-  excludes.add("**/kotlin-compiler*")
-  excludes.add("**/build-logic/.kotlin/**")
-
-  excludes.add("plugins/**/*.ref")
 }
 
 tasks.register<Exec>("regeneratePythonClient") {

extensions/federation/hadoop/build.gradle.kts

@@ -0,0 +1,57 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+plugins {
+  id("polaris-client")
+  alias(libs.plugins.jandex)
+}
+
+dependencies {
+  // Polaris dependencies
+  implementation(project(":polaris-core"))
+
+  implementation(platform(libs.iceberg.bom))
+  implementation("org.apache.iceberg:iceberg-api")
+  implementation("org.apache.iceberg:iceberg-core")
+  implementation("org.apache.iceberg:iceberg-common")
+
+  // Hadoop dependencies (for Hadoop catalog support)
+  implementation(libs.hadoop.common) {
+    exclude("org.slf4j", "slf4j-reload4j")
+    exclude("org.slf4j", "slf4j-log4j12")
+    exclude("ch.qos.reload4j", "reload4j")
+    exclude("log4j", "log4j")
+    exclude("org.apache.zookeeper", "zookeeper")
+    exclude("org.apache.hadoop.thirdparty", "hadoop-shaded-protobuf_3_25")
+    exclude("com.github.pjfanning", "jersey-json")
+    exclude("com.sun.jersey", "jersey-core")
+    exclude("com.sun.jersey", "jersey-server")
+    exclude("com.sun.jersey", "jersey-servlet")
+    exclude("io.dropwizard.metrics", "metrics-core")
+  }
+  implementation(libs.hadoop.client.api)
+  implementation(libs.hadoop.client.runtime)
+
+  // CDI dependencies for runtime discovery
+  implementation(libs.jakarta.enterprise.cdi.api)
+  implementation(libs.smallrye.common.annotation)
+
+  // Logging
+  implementation(libs.slf4j.api)
+}

extensions/federation/hadoop/src/main/java/org/apache/polaris/extensions/federation/hadoop/HadoopFederatedCatalogFactory.java

@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.polaris.extensions.federation.hadoop;
+
+import io.smallrye.common.annotation.Identifier;
+import jakarta.enterprise.context.ApplicationScoped;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.iceberg.catalog.Catalog;
+import org.apache.iceberg.hadoop.HadoopCatalog;
+import org.apache.polaris.core.catalog.ExternalCatalogFactory;
+import org.apache.polaris.core.connection.AuthenticationParametersDpo;
+import org.apache.polaris.core.connection.AuthenticationType;
+import org.apache.polaris.core.connection.ConnectionConfigInfoDpo;
+import org.apache.polaris.core.connection.ConnectionType;
+import org.apache.polaris.core.connection.hadoop.HadoopConnectionConfigInfoDpo;
+import org.apache.polaris.core.secrets.UserSecretsManager;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/** Factory class for creating a Hadoop catalog handle based on connection configuration. */
+@ApplicationScoped
+@Identifier(ConnectionType.HADOOP_FACTORY_IDENTIFIER)
+public class HadoopFederatedCatalogFactory implements ExternalCatalogFactory {
+  private static final Logger LOGGER = LoggerFactory.getLogger(HadoopFederatedCatalogFactory.class);
+
+  @Override
+  public Catalog createCatalog(
+      ConnectionConfigInfoDpo connectionConfigInfoDpo, UserSecretsManager userSecretsManager) {
+    // Currently, Polaris supports Hadoop federation only via IMPLICIT authentication.
+    // Hence, prior to initializing the configuration, ensure that the catalog uses
+    // IMPLICIT authentication.
+    AuthenticationParametersDpo authenticationParametersDpo =
+        connectionConfigInfoDpo.getAuthenticationParameters();
+    if (authenticationParametersDpo.getAuthenticationTypeCode()
+        != AuthenticationType.IMPLICIT.getCode()) {
+      throw new IllegalStateException("Hadoop federation only supports IMPLICIT authentication.");
+    }
+    Configuration conf = new Configuration();
+    String warehouse = ((HadoopConnectionConfigInfoDpo) connectionConfigInfoDpo).getWarehouse();
+    HadoopCatalog hadoopCatalog = new HadoopCatalog(conf, warehouse);
+    hadoopCatalog.initialize(
+        warehouse, connectionConfigInfoDpo.asIcebergCatalogProperties(userSecretsManager));
+    return hadoopCatalog;
+  }
+}

getting-started/assets/polaris/create-catalog.sh

@@ -23,23 +23,16 @@ apk add --no-cache jq
 
 realm=${1:-"POLARIS"}
 
-token=${2:-""}
+TOKEN=${2:-""}
 
-if [ -z "$token" ]; then
-  token=$(curl -s http://polaris:8181/api/catalog/v1/oauth/tokens \
-    --user ${CLIENT_ID}:${CLIENT_SECRET} \
-    -H "Polaris-Realm: $realm" \
-    -d grant_type=client_credentials \
-    -d scope=PRINCIPAL_ROLE:ALL | jq -r .access_token)
+BASEDIR=$(dirname $0)
 
-  if [ -z "${token}" ]; then
-    echo "Failed to obtain access token."
-    exit 1
-  fi
+if [ -z "$TOKEN" ]; then
+  source $BASEDIR/obtain-token.sh
 fi
 
 echo
-echo "Obtained access token: ${token}"
+echo "Obtained access token: ${TOKEN}"
 
 STORAGE_TYPE="FILE"
 if [ -z "${STORAGE_LOCATION}" ]; then
@@ -57,12 +50,14 @@ else
     echo "Using StorageType: $STORAGE_TYPE"
 fi
 
-STORAGE_CONFIG_INFO="{\"storageType\": \"$STORAGE_TYPE\", \"allowedLocations\": [\"$STORAGE_LOCATION\"]}"
+if [ -z "${STORAGE_CONFIG_INFO}" ]; then
+    STORAGE_CONFIG_INFO="{\"storageType\": \"$STORAGE_TYPE\", \"allowedLocations\": [\"$STORAGE_LOCATION\"]}"
 
-if [[ "$STORAGE_TYPE" == "S3" ]]; then
-    STORAGE_CONFIG_INFO=$(echo "$STORAGE_CONFIG_INFO" | jq --arg roleArn "$AWS_ROLE_ARN" '. + {roleArn: $roleArn}')
-elif [[ "$STORAGE_TYPE" == "AZURE" ]]; then
-    STORAGE_CONFIG_INFO=$(echo "$STORAGE_CONFIG_INFO" | jq --arg tenantId "$AZURE_TENANT_ID" '. + {tenantId: $tenantId}')
+    if [[ "$STORAGE_TYPE" == "S3" ]]; then
+        STORAGE_CONFIG_INFO=$(echo "$STORAGE_CONFIG_INFO" | jq --arg roleArn "$AWS_ROLE_ARN" '. + {roleArn: $roleArn}')
+    elif [[ "$STORAGE_TYPE" == "AZURE" ]]; then
+        STORAGE_CONFIG_INFO=$(echo "$STORAGE_CONFIG_INFO" | jq --arg tenantId "$AZURE_TENANT_ID" '. + {tenantId: $tenantId}')
+    fi
 fi
 
 echo
@@ -82,7 +77,7 @@ PAYLOAD='{
 
 echo $PAYLOAD
 
-curl -s -H "Authorization: Bearer ${token}" \
+curl -s -H "Authorization: Bearer ${TOKEN}" \
    -H 'Accept: application/json' \
    -H 'Content-Type: application/json' \
    -H "Polaris-Realm: $realm" \

getting-started/assets/polaris/obtain-token.sh

@@ -0,0 +1,37 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+set -e
+
+apk add --no-cache jq
+
+realm=${1:-"POLARIS"}
+
+TOKEN=$(curl -s http://polaris:8181/api/catalog/v1/oauth/tokens \
+  --user ${CLIENT_ID}:${CLIENT_SECRET} \
+  -H "Polaris-Realm: $realm" \
+  -d grant_type=client_credentials \
+  -d scope=PRINCIPAL_ROLE:ALL | jq -r .access_token)
+
+if [ -z "${TOKEN}" ]; then
+  echo "Failed to obtain access token."
+  exit 1
+fi
+
+export TOKEN

getting-started/assets/postgres/docker-compose-postgres.yml

@@ -19,7 +19,7 @@
 
 services:
   postgres:
-    image: postgres:17.5
+    image: postgres:17.6
     ports:
       - "5432:5432"
     # set shared memory limit when using docker-compose

getting-started/keycloak/docker-compose.yml

@@ -67,13 +67,16 @@ services:
       - CLIENT_SECRET=s3cr3t
     volumes:
       - ../assets/polaris/:/polaris
-    entrypoint: |
-      /bin/sh -c "apk add --no-cache jq && \
-        chmod +x /polaris/create-catalog.sh && \
-        token=$$(curl http://keycloak:8080/realms/iceberg/protocol/openid-connect/token --user client1:s3cr3t -d 'grant_type=client_credentials' -d 'scope=catalog' | jq -r .access_token) && \
-        /polaris/create-catalog.sh realm-internal && \
-        /polaris/create-catalog.sh realm-external $$token && \
-        /polaris/create-catalog.sh realm-mixed $$token"
+    entrypoint: "/bin/sh"
+    command:
+      - "-c"
+      - >-
+        apk add --no-cache jq && 
+        chmod +x /polaris/create-catalog.sh && 
+        token=$$(curl http://keycloak:8080/realms/iceberg/protocol/openid-connect/token --user client1:s3cr3t -d 'grant_type=client_credentials' | jq -r .access_token) && 
+        /polaris/create-catalog.sh realm-internal && 
+        /polaris/create-catalog.sh realm-external $$token && 
+        /polaris/create-catalog.sh realm-mixed $$token
 
   keycloak:
     image: quay.io/keycloak/keycloak:26.3.2