snazy
diff --git a/‎.github/workflows/helm.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/helm.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎build.gradle.kts‎
Lines changed: 1 addition & 0 deletions b/‎build.gradle.kts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎client/python/cli/command/__init__.py‎
Lines changed: 1 addition & 0 deletions b/‎client/python/cli/command/__init__.py‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎client/python/cli/command/catalogs.py‎
Lines changed: 12 additions & 11 deletions b/‎client/python/cli/command/catalogs.py‎
Lines changed: 12 additions & 11 deletions
diff --git a/‎client/python/cli/constants.py‎
Lines changed: 3 additions & 1 deletion b/‎client/python/cli/constants.py‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎client/python/cli/options/option_tree.py‎
Lines changed: 1 addition & 0 deletions b/‎client/python/cli/options/option_tree.py‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎extensions/federation/hadoop/src/main/java/org/apache/polaris/extensions/federation/hadoop/HadoopFederatedCatalogFactory.java‎
Lines changed: 9 additions & 0 deletions b/‎extensions/federation/hadoop/src/main/java/org/apache/polaris/extensions/federation/hadoop/HadoopFederatedCatalogFactory.java‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎extensions/federation/hive/README.md‎
Lines changed: 31 additions & 0 deletions b/‎extensions/federation/hive/README.md‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎extensions/federation/hive/build.gradle.kts‎
Lines changed: 65 additions & 0 deletions b/‎extensions/federation/hive/build.gradle.kts‎
Lines changed: 65 additions & 0 deletions
diff --git a/‎extensions/federation/hive/src/main/java/org/apache/polaris/extensions/federation/hive/HiveFederatedCatalogFactory.java‎
Lines changed: 83 additions & 0 deletions b/‎extensions/federation/hive/src/main/java/org/apache/polaris/extensions/federation/hive/HiveFederatedCatalogFactory.java‎
Lines changed: 83 additions & 0 deletions
@@ -50,7 +50,7 @@ jobs:
           distribution: 'temurin'
 
       - name: Set up Helm
-        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
         with:
           version: 'v3.16.0'
 
 
@@ -109,6 +109,7 @@ tasks.named<RatTask>("rat").configure {
 
   // Web site
   excludes.add("**/go.sum")
+  excludes.add("site/.user-settings")
   excludes.add("site/node_modules/**")
   excludes.add("site/layouts/robots.txt")
   // Ignore generated stuff, when the Hugo is run w/o Docker
 
@@ -66,6 +66,7 @@ def options_get(key, f=lambda x: x):
                 iceberg_remote_catalog_name=options_get(Arguments.ICEBERG_REMOTE_CATALOG_NAME),
                 remove_properties=[] if remove_properties is None else remove_properties,
                 endpoint=options_get(Arguments.ENDPOINT),
+                endpoint_internal=options_get(Arguments.ENDPOINT_INTERNAL),
                 sts_endpoint=options_get(Arguments.STS_ENDPOINT),
                 path_style_access=options_get(Arguments.PATH_STYLE_ACCESS),
                 catalog_connection_type=options_get(Arguments.CATALOG_CONNECTION_TYPE),
 
@@ -65,6 +65,7 @@ class CatalogsCommand(Command):
     hadoop_warehouse: str
     iceberg_remote_catalog_name: str
     endpoint: str
+    endpoint_internal: str
     sts_endpoint: str
     path_style_access: bool
     catalog_connection_type: str
@@ -121,18 +122,17 @@ def validate(self):
                                 f" {Argument.to_flag_name(Arguments.CATALOG_SERVICE_IDENTITY_IAM_ARN)}")
 
         if self.storage_type == StorageType.S3.value:
-            if not self.role_arn:
-                raise Exception(
-                    f"Missing required argument for storage type 's3':"
-                    f" {Argument.to_flag_name(Arguments.ROLE_ARN)}"
-                )
             if self._has_azure_storage_info() or self._has_gcs_storage_info():
                 raise Exception(
-                    f"Storage type 's3' supports the storage credentials"
+                    f"Storage type 's3' supports the options"
                     f" {Argument.to_flag_name(Arguments.ROLE_ARN)},"
                     f" {Argument.to_flag_name(Arguments.REGION)},"
-                    f" {Argument.to_flag_name(Arguments.EXTERNAL_ID)}, and"
-                    f" {Argument.to_flag_name(Arguments.USER_ARN)}"
+                    f" {Argument.to_flag_name(Arguments.EXTERNAL_ID)},"
+                    f" {Argument.to_flag_name(Arguments.USER_ARN)},"
+                    f" {Argument.to_flag_name(Arguments.ENDPOINT)},"
+                    f" {Argument.to_flag_name(Arguments.ENDPOINT_INTERNAL)},"
+                    f" {Argument.to_flag_name(Arguments.STS_ENDPOINT)}, and"
+                    f" {Argument.to_flag_name(Arguments.PATH_STYLE_ACCESS)}"
                 )
         elif self.storage_type == StorageType.AZURE.value:
             if not self.tenant_id:
@@ -142,7 +142,7 @@ def validate(self):
                 )
             if self._has_aws_storage_info() or self._has_gcs_storage_info():
                 raise Exception(
-                    "Storage type 'azure' supports the storage credentials"
+                    "Storage type 'azure' supports the options"
                     f" {Argument.to_flag_name(Arguments.TENANT_ID)},"
                     f" {Argument.to_flag_name(Arguments.MULTI_TENANT_APP_NAME)}, and"
                     f" {Argument.to_flag_name(Arguments.CONSENT_URL)}"
@@ -160,11 +160,11 @@ def validate(self):
                 or self._has_gcs_storage_info()
             ):
                 raise Exception(
-                    "Storage type 'file' does not support any storage credentials"
+                    "Storage type 'file' does not support any additional options"
                 )
 
     def _has_aws_storage_info(self):
-        return self.role_arn or self.external_id or self.user_arn or self.region or self.endpoint or self.sts_endpoint or self.path_style_access
+        return self.role_arn or self.external_id or self.user_arn or self.region or self.endpoint or self.endpoint_internal or self.sts_endpoint or self.path_style_access
 
     def _has_azure_storage_info(self):
         return self.tenant_id or self.multi_tenant_app_name or self.consent_url
@@ -183,6 +183,7 @@ def _build_storage_config_info(self):
                 user_arn=self.user_arn,
                 region=self.region,
                 endpoint=self.endpoint,
+                endpoint_internal=self.endpoint_internal,
                 sts_endpoint=self.sts_endpoint,
                 path_style_access=self.path_style_access,
             )
 
@@ -168,6 +168,7 @@ class Arguments:
     HADOOP_WAREHOUSE = "hadoop_warehouse"
     ICEBERG_REMOTE_CATALOG_NAME = "iceberg_remote_catalog_name"
     ENDPOINT = "endpoint"
+    ENDPOINT_INTERNAL = "endpoint_internal"
     STS_ENDPOINT = "sts_endpoint"
     PATH_STYLE_ACCESS = "path_style_access"
     CATALOG_CONNECTION_TYPE = "catalog_connection_type"
@@ -223,11 +224,12 @@ class Create:
                 "Multiple locations can be provided by specifying this option more than once."
             )
 
-            ROLE_ARN = "(Required for S3) A role ARN to use when connecting to S3"
+            ROLE_ARN = "(Only for S3) A role ARN to use when connecting to S3"
             EXTERNAL_ID = "(Only for S3) The external ID to use when connecting to S3"
             REGION = "(Only for S3) The region to use when connecting to S3"
             USER_ARN = "(Only for S3) A user ARN to use when connecting to S3"
             ENDPOINT = "(Only for S3) The S3 endpoint to use when connecting to S3"
+            ENDPOINT_INTERNAL = "(Only for S3) The S3 endpoint used by Polaris to use when connecting to S3, if different from the one that clients use"
             STS_ENDPOINT = (
                 "(Only for S3) The STS endpoint to use when connecting to STS"
             )
 
@@ -117,6 +117,7 @@ def get_tree() -> List[Option]:
                              choices=[st.value for st in StorageType]),
                     Argument(Arguments.DEFAULT_BASE_LOCATION, str, Hints.Catalogs.Create.DEFAULT_BASE_LOCATION),
                     Argument(Arguments.ENDPOINT, str, Hints.Catalogs.Create.ENDPOINT),
+                    Argument(Arguments.ENDPOINT_INTERNAL, str, Hints.Catalogs.Create.ENDPOINT_INTERNAL),
                     Argument(Arguments.STS_ENDPOINT, str, Hints.Catalogs.Create.STS_ENDPOINT),
                     Argument(Arguments.PATH_STYLE_ACCESS, bool, Hints.Catalogs.Create.PATH_STYLE_ACCESS),
                     Argument(Arguments.ALLOWED_LOCATION, str, Hints.Catalogs.Create.ALLOWED_LOCATION,
 
@@ -24,6 +24,7 @@
 import org.apache.iceberg.catalog.Catalog;
 import org.apache.iceberg.hadoop.HadoopCatalog;
 import org.apache.polaris.core.catalog.ExternalCatalogFactory;
+import org.apache.polaris.core.catalog.GenericTableCatalog;
 import org.apache.polaris.core.connection.AuthenticationParametersDpo;
 import org.apache.polaris.core.connection.AuthenticationType;
 import org.apache.polaris.core.connection.ConnectionConfigInfoDpo;
@@ -58,4 +59,12 @@ public Catalog createCatalog(
         warehouse, connectionConfigInfoDpo.asIcebergCatalogProperties(userSecretsManager));
     return hadoopCatalog;
   }
+
+  @Override
+  public GenericTableCatalog createGenericCatalog(
+      ConnectionConfigInfoDpo connectionConfig, UserSecretsManager userSecretsManager) {
+    // TODO implement
+    throw new UnsupportedOperationException(
+        "Generic table federation to this catalog is not supported.");
+  }
 }
@@ -0,0 +1,31 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+ 
+   http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+### Using the `HiveFederatedCatalogFactory`
+
+This `HiveFederatedCatalogFactory` module is an independent compilation unit and will be built into the Polaris binary only when the following flag is set in the gradle.properties file:
+```
+NonRESTCatalogs=HIVE,<alternates>
+```
+
+The other option is to pass it as an argument to the gradle JVM as follows: 
+```
+./gradlew build -DNonRESTCatalogs=HIVE
+```
+
+Without this flag, the Hive factory won't be compiled into Polaris and therefore Polaris will not load the class at runtime, throwing an unsupported exception for federated catalog calls.
@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+plugins {
+  id("polaris-client")
+  alias(libs.plugins.jandex)
+}
+
+dependencies {
+  // Polaris dependencies
+  implementation(project(":polaris-core"))
+
+  implementation(platform(libs.iceberg.bom))
+  implementation("org.apache.iceberg:iceberg-api")
+  implementation("org.apache.iceberg:iceberg-core")
+  implementation("org.apache.iceberg:iceberg-common")
+  // Use iceberg-hive-metastore but exclude conflicting hive dependencies
+  implementation("org.apache.iceberg:iceberg-hive-metastore") { exclude(group = "org.apache.hive") }
+  // Add our own Hive 4.1.0 dependencies
+  implementation(libs.hive.metastore) {
+    exclude("org.slf4j", "slf4j-reload4j")
+    exclude("org.slf4j", "slf4j-log4j12")
+    exclude("ch.qos.reload4j", "reload4j")
+    exclude("log4j", "log4j")
+    exclude("org.apache.zookeeper", "zookeeper")
+  }
+
+  // Hadoop dependencies
+  implementation(libs.hadoop.common) {
+    exclude("org.slf4j", "slf4j-reload4j")
+    exclude("org.slf4j", "slf4j-log4j12")
+    exclude("ch.qos.reload4j", "reload4j")
+    exclude("log4j", "log4j")
+    exclude("org.apache.zookeeper", "zookeeper")
+    exclude("org.apache.hadoop.thirdparty", "hadoop-shaded-protobuf_3_25")
+    exclude("com.github.pjfanning", "jersey-json")
+    exclude("com.sun.jersey", "jersey-core")
+    exclude("com.sun.jersey", "jersey-server")
+    exclude("com.sun.jersey", "jersey-servlet")
+    exclude("io.dropwizard.metrics", "metrics-core")
+  }
+
+  // CDI dependencies for runtime discovery
+  implementation(libs.jakarta.enterprise.cdi.api)
+  implementation(libs.smallrye.common.annotation)
+
+  // Logging
+  implementation(libs.slf4j.api)
+}
@@ -0,0 +1,83 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.polaris.extensions.federation.hive;
+
+import io.smallrye.common.annotation.Identifier;
+import jakarta.enterprise.context.ApplicationScoped;
+import org.apache.iceberg.catalog.Catalog;
+import org.apache.iceberg.hive.HiveCatalog;
+import org.apache.polaris.core.catalog.ExternalCatalogFactory;
+import org.apache.polaris.core.catalog.GenericTableCatalog;
+import org.apache.polaris.core.connection.AuthenticationParametersDpo;
+import org.apache.polaris.core.connection.AuthenticationType;
+import org.apache.polaris.core.connection.ConnectionConfigInfoDpo;
+import org.apache.polaris.core.connection.ConnectionType;
+import org.apache.polaris.core.connection.hive.HiveConnectionConfigInfoDpo;
+import org.apache.polaris.core.secrets.UserSecretsManager;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/** Factory class for creating a Hive catalog handle based on connection configuration. */
+@ApplicationScoped
+@Identifier(ConnectionType.HIVE_FACTORY_IDENTIFIER)
+public class HiveFederatedCatalogFactory implements ExternalCatalogFactory {
+  private static final Logger LOGGER = LoggerFactory.getLogger(HiveFederatedCatalogFactory.class);
+
+  @Override
+  public Catalog createCatalog(
+      ConnectionConfigInfoDpo connectionConfigInfoDpo, UserSecretsManager userSecretsManager) {
+    // Currently, Polaris supports Hive federation only via IMPLICIT authentication.
+    // Hence, prior to initializing the configuration, ensure that the catalog uses
+    // IMPLICIT authentication.
+    AuthenticationParametersDpo authenticationParametersDpo =
+        connectionConfigInfoDpo.getAuthenticationParameters();
+    if (authenticationParametersDpo.getAuthenticationTypeCode()
+        != AuthenticationType.IMPLICIT.getCode()) {
+      throw new IllegalStateException("Hive federation only supports IMPLICIT authentication.");
+    }
+    String warehouse = ((HiveConnectionConfigInfoDpo) connectionConfigInfoDpo).getWarehouse();
+    // Unlike Hadoop, HiveCatalog does not require us to create a Configuration object, the iceberg
+    // rest library find the default configuration by reading hive-site.xml in the classpath
+    // (including HADOOP_CONF_DIR classpath).
+
+    // TODO: In the future, we could support multiple HiveCatalog instances based on polaris/catalog
+    // properties.
+    // A brief set of setps involved (and the options):
+    // 1. Create a configuration without default properties.
+    //  `Configuration conf = new Configuration(boolean loadDefaults=false);`
+    // 2a. Specify the hive-site.xml file path in the configuration.
+    //  `conf.addResource(new Path(hiveSiteXmlPath));`
+    // 2b. Specify individual properties in the configuration.
+    //  `conf.set(property, value);`
+    // Polaris could support federating to multiple LDAP based Hive metastores. Multiple
+    // Kerberos instances are not suitable because Kerberos ties a single identity to the server.
+    HiveCatalog hiveCatalog = new HiveCatalog();
+    hiveCatalog.initialize(
+        warehouse, connectionConfigInfoDpo.asIcebergCatalogProperties(userSecretsManager));
+    return hiveCatalog;
+  }
+
+  @Override
+  public GenericTableCatalog createGenericCatalog(
+      ConnectionConfigInfoDpo connectionConfig, UserSecretsManager userSecretsManager) {
+    // TODO implement
+    throw new UnsupportedOperationException(
+        "Generic table federation to this catalog is not supported.");
+  }
+}