Implement GenericTableCatalogAdapter #1264
/** Initialize the catalog once authorized. Called after all `authorize...` methods. */ | ||
protected abstract void initializeCatalog(); | ||
|
||
protected void authorizeBasicNamespaceOperationOrThrow( |
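Review bot: the Javadoc on `initializeCatalog()` states the ordering ("Called after all `authorize...` methods") but not what an implementation may rely on or must guarantee. This hook is the boundary between an authorized request and catalog access, so the comment should say that it must never run before an `authorize...` call has succeeded, and whether it can be invoked more than once on the same handler instance.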
Below is all directly copy/paste from IcebergCatalogHandlerWrapper
TABLE_READ_PROPERTIES(15, PolarisEntityType.TABLE_LIKE, PolarisEntitySubType.ICEBERG_TABLE), | ||
TABLE_READ_PROPERTIES( | ||
15, | ||
PolarisEntityType.TABLE_LIKE, |
Do you know what the READ_PROPERTIES privilege means here? Does it mean that if there is no read properties privilege, the load table response will not have any properties show up in the property fields? If that is the case, we probably need to make sure we respect that for generic tables also.

Yes, that's right, the privilege we require for loadGenericTable requires this.
TABLE_WRITE_PROPERTIES( | ||
18, | ||
PolarisEntityType.TABLE_LIKE, | ||
List.of(PolarisEntitySubType.ICEBERG_TABLE, PolarisEntitySubType.GENERIC_TABLE), |
I don't think we are providing that capability to generic tables today. We can probably still keep it here for consistency, but it will have no effect.

Can we remove it in that case? We can always add it back once we need it.

I think it makes sense to be clear about how we expect these privileges to relate to the new entity type; if we add generic tables to some but not others it sort of implies that we only expect those privileges to be related to generic tables.

Think a bit more. It should be required for credential vending in the future with these privileges. I still don't think it's necessary to add now, but I'm fine to add them.
@@ -162,7 +208,7 @@ public enum PolarisPrivilege { | |||
private final PolarisEntityType securableType; | |||
|
|||
// the subtype of the securable for this privilege | |||
private final PolarisEntitySubType securableSubType; | |||
private final List<PolarisEntitySubType> securableSubTypes; |
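Review bot: the comment above the changed field still reads "the subtype of the securable for this privilege" although the field is now `List<PolarisEntitySubType> securableSubTypes`. Update it to the plural and state what the list means to a caller, in particular whether an empty list matches no subtype or any subtype. Because the field belongs to an enum constant, it is also worth storing an unmodifiable copy of the list.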
I would expect that we will need to update somewhere for the authentication implementation to make sure it can understand the list of subtypes now, but didn't see it. Did I miss it somewhere? I am also fine that we do the actual privilege in a separate PR.

It looks like this check is not actually enforced since no test changes were needed

I double-checked how authorizeOrThrow is implemented (https://github.com/apache/polaris/blob/main/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java#L510). It seems that it is just checking whether the user role has the corresponding privilege attached for a given op; it doesn't really check whether the target matches the privilege definition, so the definition seems to be really just a definition, and not used anywhere.

If it is not used, is it OK to remove to reduce the complexity? Or do we foresee any near-term requirement?

Yun expressed a concern about us not updating these types in a previous PR and I think it's still valid. Even if the `securableSubType` is not enforced, we should probably update it to reflect how we want these grants to be used. Otherwise, we could just yank `securableSubType` out of the current code altogether.

I think for definition clarity and completeness, the definition extension is needed here. The entity type and subtype used in the privilege here today seem to serve really just a definition purpose to me (none of them seems to be used for validation); for that purpose, I think making sure it has a complete subtype list is necessary.
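The gap described in the comments above (the authorizer confirms that the role holds the privilege but never compares the target's subtype with the subtypes the privilege declares), as an added example that is not Polaris code. `SubType`, `Privilege`, `Target` and both check methods are hypothetical stand-ins, grants are simplified to one set per role, and Java 16 or later is assumed for `record`.

```java
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;

/** Added illustration; every name below is a hypothetical stand-in, not a Polaris type. */
public class SubtypeAwareAuthzDemo {

  enum SubType { ICEBERG_TABLE, GENERIC_TABLE }

  /** A privilege plus the table subtypes it is declared to apply to. */
  enum Privilege {
    DECLARED_FOR_BOTH(EnumSet.of(SubType.ICEBERG_TABLE, SubType.GENERIC_TABLE)),
    DECLARED_ICEBERG_ONLY(EnumSet.of(SubType.ICEBERG_TABLE));

    private final Set<SubType> securableSubTypes;

    Privilege(Set<SubType> securableSubTypes) {
      // Unmodifiable copy: enum constants are shared by the whole process.
      this.securableSubTypes = Set.copyOf(securableSubTypes);
    }

    boolean appliesTo(SubType subType) {
      return securableSubTypes.contains(subType);
    }
  }

  /** The securable being acted on. */
  record Target(String name, SubType subType) {}

  /** Role name to granted privileges (simplified: real grants are scoped to a securable). */
  private final Map<String, Set<Privilege>> grants;

  SubtypeAwareAuthzDemo(Map<String, Set<Privilege>> grants) {
    this.grants = grants;
  }

  /** Grant-only check: the declared subtypes are never consulted. */
  boolean isAllowedGrantOnly(String role, Privilege needed, Target target) {
    return grants.getOrDefault(role, Set.of()).contains(needed);
  }

  /** Grant check that also requires the target's subtype to be declared on the privilege. */
  boolean isAllowedSubtypeAware(String role, Privilege needed, Target target) {
    return needed.appliesTo(target.subType()) && isAllowedGrantOnly(role, needed, target);
  }

  /** Fail-closed wrapper in the style of an authorizeOrThrow method. */
  void authorizeOrThrow(String role, Privilege needed, Target target) {
    if (!isAllowedSubtypeAware(role, needed, target)) {
      throw new SecurityException(
          role + " lacks " + needed + " on " + target.subType() + " " + target.name());
    }
  }

  public static void main(String[] args) {
    // Constructed sample data: one role holding both privileges, one table of each subtype.
    Map<String, Set<Privilege>> grants =
        Map.of("analyst", Set.of(Privilege.DECLARED_FOR_BOTH, Privilege.DECLARED_ICEBERG_ONLY));
    SubtypeAwareAuthzDemo authz = new SubtypeAwareAuthzDemo(grants);
    Target iceberg = new Target("ns.events", SubType.ICEBERG_TABLE);
    Target generic = new Target("ns.raw_logs", SubType.GENERIC_TABLE);

    // Compare the two checks for every privilege and target combination.
    for (Target t : new Target[] {iceberg, generic}) {
      for (Privilege p : Privilege.values()) {
        System.out.printf(
            "%-14s %-22s grantOnly=%-5b subtypeAware=%b%n",
            t.subType(),
            p,
            authz.isAllowedGrantOnly("analyst", p, t),
            authz.isAllowedSubtypeAware("analyst", p, t));
      }
    }

    // A privilege declared for Iceberg tables only, requested against a generic table.
    try {
      authz.authorizeOrThrow("analyst", Privilege.DECLARED_ICEBERG_ONLY, generic);
    } catch (SecurityException e) {
      System.out.println("denied: " + e.getMessage());
    }
  }
}
```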
|
||
public LoadGenericTableResponse createGenericTable( | ||
TableIdentifier identifier, String format, String doc, Map<String, String> properties) { | ||
PolarisAuthorizableOperation op = PolarisAuthorizableOperation.CREATE_TABLE_DIRECT; |
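Review bot: `createGenericTable` authorizes with the existing `PolarisAuthorizableOperation.CREATE_TABLE_DIRECT` instead of an operation specific to generic tables, so any grant that satisfies that operation also permits creating generic tables. If that is the intended model, a short comment at the `op` assignment should say so. The method is also introduced without Javadoc, and nothing in the signature says which of `format`, `doc` and `properties` may be null.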
nit: I want to double-check whether we will also need to support the CREATE_TABLE_DIRECT_WITH_WRITE_DELEGATION mode. If yes, we can do it in a follow-up PR; it doesn't need to block the current PR.
However, I see it is called WRITE_DELEGATION; I assume it is only needed by Iceberg since Iceberg has the metadata write. I want to double-check this.

Currently, no. We don't have credential vending or write delegation for generic tables.
public void enforceGenericTablesEnabledOrThrow() { | ||
boolean enabled = | ||
callContext | ||
.getPolarisCallContext() |
nit: it seems this can be done with the following call directly:
FeatureConfiguration.loadConfig(FeatureConfiguration.ENABLE_GENERIC_TABLES);

Yeah I am trying to minimize new usage of that method because we are intending to remove the ThreadLocal-based CallContext check that method relies on soon.
@@ -52,6 +53,11 @@ public String getFormat() { | |||
return getInternalPropertiesAsMap().get(GenericTableEntity.FORMAT_KEY); | |||
} | |||
|
|||
@JsonIgnore | |||
public String getDoc() { |
[Non-blocking question] Just to confirm my understanding, we reserve "properties" for generic table's location, connection info, etc., so we put other information like format and doc in the internalProperties? Do we have any convention like things in the internal properties should not be exposed to users?

That's right, internalProperties and properties work that way right now. This is specifically relevant when we need to build the `properties` map in the response
* @param cleanupAction | ||
* @param principalName | ||
*/ | ||
private void doTestSufficientPrivilegeSets( |
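Review bot: the `@param cleanupAction` and `@param principalName` tags above `doTestSufficientPrivilegeSets` carry no description. Either describe them, for example when the cleanup action runs relative to each privilege set, or drop the empty tags.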
These helpers seem identical/similar to ones in IcebergCatalogHandlerWrapperAuthzTest. Probably in a follow-up PR, shall we consider extracting these to testBase or some util classes?

Totally agree. Actually, I want to refactor the Generic table & Iceberg table catalogs & handlers as well as the tests to see if we can find more common code. But for now, I just kept it totally isolated to make the PR mostly additive.

Thanks @eric-maynard for working on this. Left some comments.
@@ -183,4 +183,11 @@ protected FeatureConfiguration( | |||
"How many times to retry refreshing metadata when the previous error was retryable") | |||
.defaultValue(2) | |||
.buildFeatureConfiguration(); | |||
|
|||
public static final FeatureConfiguration<Boolean> ENABLE_GENERIC_TABLES = |
Minor Question: how do we configure this? Do we just put the key in the file application.properties like this?
ENABLE_GENERIC_TABLES=true

The syntax is a little different, but basically yeah. It will be similar to existing configs, so:
polaris.features.defaults."ENABLE_GENERIC_TABLES"=false

I think we will need a doc for this config. Not a blocker though.

The config `description`s are meant to be self-describing, but I really want us to auto-generate some docs based on these. I think we've talked about this for a while but not sure if anyone is working on it yet
PolarisConfiguration.<Boolean>builder() | ||
.key("ENABLE_GENERIC_TABLES") | ||
.description("If true, the generic-tables endpoints are enabled") | ||
.defaultValue(false) |
I guess we want it to be enabled by default. Do we?

I think we want to keep this as false until the whole feature finishes development. Once all server changes are done, @eric-maynard will have a PR to switch it to true.

Right now the REST API is not wired up, so I think it's okay to keep it flagged off for the time being. Once the series of PRs is finished and the feature is "complete" we should enable by default

My understanding is that we will enable by default when all the relevant code parts are ready. The same shall apply for policy endpoints
TABLE_WRITE_PROPERTIES( | ||
18, | ||
PolarisEntityType.TABLE_LIKE, | ||
List.of(PolarisEntitySubType.ICEBERG_TABLE, PolarisEntitySubType.GENERIC_TABLE), |
Can we remove it in that case? We can always add it back once we need it.
TABLE_READ_DATA( | ||
20, | ||
PolarisEntityType.TABLE_LIKE, | ||
List.of(PolarisEntitySubType.ICEBERG_TABLE, PolarisEntitySubType.GENERIC_TABLE), |
Same here, do we need this privilege for Generic table?

+1, this is similar to above
@@ -35,6 +35,7 @@ | |||
public class GenericTableEntity extends TableLikeEntity { | |||
|
|||
public static final String FORMAT_KEY = "format"; | |||
public static final String DOC_KEY = "doc"; |
Not a blocker: either `doc` or `description` is fine to me. I like `description` a bit more; it is more commonly used.

The spec calls this field `doc`, otherwise I agree

The "doc" is used as the API field; to keep things consistent, how about we just keep it as doc? I was using doc since it was a term used in Iceberg (https://github.com/apache/iceberg/blob/main/open-api/rest-catalog-open-api.yaml#L2079). I originally intended to use the name "comment"; it was a more commonly used name in other table catalogs like Unity and Gravitino
* request is actually forwarded to a catalog. Child types must implement `initializeCatalog` which | ||
* will be called after a successful authorization. | ||
*/ | ||
public abstract class CatalogHandlerWrapper { |
It's great we abstract the common logic out. Looks like all methods here are related to authorization, and none of these methods are inheritable in subclasses. I think we should avoid inheritance if it is not necessary as it implies a more tightly coupled relation than combination. Can we create a dedicated class for these authz methods, a class potentially named like `CatalogAuthorizer` or `CommonCatalogAuthorizer`? For these two subclasses, they can create the object in the constructor like this:
CatalogAuthorizer catalogAuthorizer = new CatalogAuthorizer(callContext, entityManager, catalogName, authenticatedPrincipal, securityContext, authorizer);
Caller will do:
catalogAuthorizer.authorizeBasicNamespaceOperationOrThrow();

The reason that a shared type is needed is because these methods are all very impure; they modify class members like `resolutionManifest` so we need the catalogs to be child types. I want to keep this PR focused on the new feature and would prefer to avoid refactoring these key methods here.
In the end, I think we can probably find more shared code across the two wrappers that's not exclusive to auth. We should refactor both this and the catalogs later. But this is the minimum set of shared methods I could immediately find

That is a good point, I think a CatalogAuthorizer might make more sense to me, we can eventually move all authorization methods to that class.

I am fine with doing follow-up refactoring also.

Unfortunately, we can't change the inheritance without a significant refactor which I think is not in scope here.
We could definitely rename this interface to something vague like `SupportsAuthorizationAndResolution`, but if the plan is to eventually move more shared logic into this type like I said then I think the current name probably best represents that intent.

Oh, sorry if I am introducing more confusion here. I don't think I am suggesting to change this base class to CatalogAuthorizer; I believe this class does more than just authorization, there is also catalog initialization. So I was just thinking to have a new member to this new class CatalogAuthorizer.
However, I recall now those authorization methods actually call initCatalog to initialize the catalog, for example: https://github.com/apache/polaris/blob/main/service/common/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogHandlerWrapper.java#L240, which might be hard to separate from that base class with the current implementation. In fact, those function names are misleading because they do more than just authorization.
I agree with @eric-maynard that refactoring those out will need more work.

That's an interesting finding. Why do we initialize the catalog every time we've done an authZ operation?

What I recall when I was trying that out is that initializing the BaseCatalog requires resolutionManifest to be initialized; for example, it tries to look into the raw leaf entity here: https://github.com/apache/polaris/blob/main/service/common/src/main/java/org/apache/polaris/service/context/PolarisCallContextCatalogFactory.java#L75.
For some reason the resolutionManifest is initialized during the auth function, potentially because of the resolve call here: https://github.com/apache/polaris/blob/main/service/common/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogHandlerWrapper.java#L228. Otherwise, it will get null. @eric-maynard might have more context for this.

Yeah that is exactly right @gh-yzou, the idea is that the resolutionManifest can depend on the access you have, and we don't want to resolve anything before checking that the principal is actually authorized to see it

SGTM. It's not a blocker for this PR anyways.
import org.apache.polaris.service.types.ListGenericTablesResponse; | ||
import org.apache.polaris.service.types.LoadGenericTableResponse; | ||
|
||
public class GenericTableCatalogHandlerWrapper extends CatalogHandlerWrapper { |
Do we need a CatalogHandlerWrapper class for generic table? Iceberg table needs it as it invokes a class from the Iceberg lib named `CatalogHandler`. There is no counterpart for generic table. Can we remove this class and move logic here to `GenericTableCatalogAdapter`?

We need some place to put the auth logic and to map between the internal Polaris types and the response types... I think following the Iceberg model makes sense for now so we can keep both of the adapters relatively lightweight and focused on REST concerns.

The handlerWrapper classes are mainly responsible for two things:
- operation authentication
- talk to the corresponding catalog, and construct the response.
We stayed with this to make the responsibility of each layer more clear and consistent. I guess the fact that we call it a wrapper is confusing; I think it would be more clear if we remove Wrapper from the name. The IcebergCatalog wrapper also does more things than just a handler wrapper.

Oh, good point Yun. Do you think `GenericTableCatalogHandler` is a better name?

That name sounds good to me, maybe let's just rename those classes to GenericTableCatalogHandler, CatalogHandler, and IcebergCatalogHandler to be consistent. cc @flyrain WDYT?

I think the layers SGTM. I'd also propose names like `IcebergCatalogService` and `GenericTableCatalogService` to indicate that these classes are the starting point of the service layer.
`GenericTableCatalogAdapter` would be better named like `GenericTableCatalogApiAdapter` so that it's easier to understand that the class is to adapt APIs.

Sounds good, I will change these. Currently the way the names work at the service layer is that `IcebergCatalogAdapter` implements `IcebergRestCatalogApiService`. I guess the idea was that it is an adapter between the Polaris REST endpoints and the Iceberg APIs

SG. I'm also OK with two options:
option 1, if we rename `GenericTableCatalogAdapter` to `GenericTableCatalogService` or `xxxApiService`, so that we get rid of the concept of adapter, it becomes the entry point of the service layer.
option 2, keep the concept of adapter, and consider it's a bridge between the API layer and service layer.

The next PR is supposed to implement the service, so I'll spend some time thinking about the nomenclature there. The main thing I care about is keeping these types consistent with the existing Iceberg types. My current understanding matches your option (2), where adapter means like adapter between the Iceberg/Polaris REST layer and the APIs

LGTM!
* Generify MetaStoreManagerFactory.getOrCreateSessionSupplier (apache#1173) No functional change. * Adjust the type parameter to the Persistence supplier to cover all possible implementation types. * Remove unnecessary fields from IcebergCatalogAdapter * Adjust types at call sites of `getOrCreateSessionSupplier`. * [Enhancement] Refactor Cleanup Task Handler (apache#516) * refactor cleanup task handler * format * make base class abstract * make cleanup task record * simplify logger * update test after merge * update task handler register after merge * fix test error after merge * refine call context and ut after merge * fix ci error (apache#1174) * main: Update dependency org.junit:junit-bom to v5.12.1 (apache#1177) * Publish 0.9.0 documentation (apache#1175) * main: Update dependency gradle to v8.13 (apache#1063) * main: Update dependency gradle to v8.13 * Adopt build-scripts to Gradle changes See https://docs.gradle.org/8.13/userguide/upgrading_version_8.html#changes_to_jvmtestsuite --------- Co-authored-by: Robert Stupp <snazy@snazy.de> * Remove jetbrains-annotations (apache#1176) The main intention of this change is to avoid confusion between Jetbrains' `@NotNull` and Jakarta's `@Nonnull` (the latter is standard in the Polaris codebase). As a side effect `@Contract` is no longer available. However, its value is realised only in tools that support it and Polaris builds do not rely on it for producing artifacts. For a human being the value of `@Contract` appears to be negligible compared to javadoc. Therefore, in the interest of keeping annotation dependencies concise, `@Contract` lines are removed. Jetbrains' `@VisibleForTesting` is converted to the same annotation from Guava (which is also standard in the Polaris codebase). * main: Update dependency com.google.cloud:google-cloud-storage-bom to v2.50.0 (apache#1178) * Isolate Persistence objects in different threads. 
(apache#1166) * Simplify PolarisGrantManager (apache#1171) * Simplify PolarisGrantManager Previously strongly typed methods redirected to typeless lookup methods, while implementations had only the typeless variant. This change reverts the redirects from strongly typed methods to existing typeless methods in implementations. As a result it is possible to simplify the interface by removing typeless lookup methods. Existing call sites all have strongly typed parameters available and use the typed lookup methods now. For context: This refactoring seems valuable by itself, but it is also needed for the upcoming NoSQL implementations for reasons similar to apache#1112 * main: Update dependency com.github.spotbugs:spotbugs-annotations to v4.9.3 (apache#1180) * main: Update mockito monorepo to v5.16.1 (apache#1182) * main: Update dependency software.amazon.awssdk:bom to v2.31.1 (apache#1188) * Remove extra run in dockerfile (apache#1185) * Policy Store: Add PolicyEntity and PolicyTypes (apache#1133) * Fix spark download and add check/cleanup (apache#1184) * Update EclipseLink doc to 4.0 (apache#1198) * Sync psql persistence (apache#1187) * sync persistence config when using Postgres * sync persistence config when using Postgres * sync persistence config when using Postgres * Revert change for 0.9.0 * Renovate: Group all Quarkus dependencies (apache#1206) Quarkus-platform releases happen some time after the "actual" Quarkus release, which causes "broken" CI for Renovate PRs against for example the Quarkus Gradle plugin. This change groups all Quarkus dependencies together to consistently bump all Quarkus-platform dependencies at once. * The ASF Infra deployed a new parser, that requires a fix on our .asf.yaml (apache#1209) * Let 'spotless' run on all java source directories (apache#1205) Only runs on 'main', 'test', 'testFixtures', but not on others like 'intTest'. This change fixes this. 
* commit (apache#1201) * Move Polaris client into root dir (apache#1172) * Move python client into root dir * Fix paths for regtests * Fix path for notebooks and docs * Change the path within container for consistency * Add License Header * Fix the copy folder cmd to restore the original regtests layout * Rearrange dir layout inside docker * Rename classes in transactional persistence package (apache#1197) * Refactors to support generic tables (apache#1147) * rename polarisbasecatalog * move catalog files * more renames; introduce class * add basic create/load methods * some refactoring * test stable * small rename * rename per review * bump id * move a file * autolint * rebase * autolint * changes per review * autolint * rename * autolint * fix merge conflict * main: Update dependency ch.qos.logback:logback-classic to v1.5.18 (apache#1196) * main: Update Quarkus Platform and Group (apache#1212) * main: Update dependency boto3 to v1.37.16 (apache#1093) * Use 'en-us' in all `Dockerfile`s and Gradle `Test` tasks (apache#1214) Fixes apache#885 Supersedes apache#886 * main: Update dependency com.google.guava:guava to v33.4.5-jre (apache#1218) * IcebergCatalogAdapter: close underlying catalog consistently (apache#1224) With the revert of #b84f4624db8d0bd5b8920b0df719bcc15666008f by #ccf25df7b055e9d232b88a3f6fe8b4e0a2ab035a, we lost an extra benefit that was included in that change: a fix for the fact that IcebergCatalogHandlerWrapper does not always close its underlying `Catalog`, thus relying on `CallContext` to play the role of the "sweep vehicle" and close everything that was left unclosed at the end of the request processing. This PR re-applies that fix again. 
* Add BOM (Bill of Materials) (apache#1216) Fixes apache#788
* Fix CI build after polaris.io (apache#1232)
* Add Apache Polaris Community Meeting from March 20, 2025 (apache#1234)
* Simplify `polaris` client script (apache#1220) Address [SC2164](https://github.com/koalaman/shellcheck/wiki/SC2164), [SC2098](https://github.com/koalaman/shellcheck/wiki/SC2098), [SC2086](https://github.com/koalaman/shellcheck/wiki/SC2086)
Co-authored-by: Alexandre Dutra <adutra@users.noreply.github.com>
* Move polaris-admin-tool tests to separate package (apache#1227) ... and make the PG test-resource non-global.
* Let `PurgeCommand` inspect the results (apache#1226)
* Add type and converters for `MemorySize` (apache#1230) The type allows human friendly memory size specifications like `32k` or `64M`, including support for smallrye-config and Jackson.
* Retire `polaris-reg-test` script (apache#1219)
* Nit: add misc-types to bom (apache#1241)
* JWTBroker: fix refresh token logic (apache#1242)
* Fix overzealous check in the Polaris CLI (apache#1237)
* fix
* adjust
* revert
* main: Update dependency software.amazon.awssdk:bom to v2.31.6 (apache#1245)
* main: Update dependency boto3 to v1.37.18 (apache#1244)
* Add zip+tar to publishable artifacts and add a `run.sh` script (apache#1082) Adds the tar+zip distribution archives as publishable artifacts to Maven publication. Also updates polaris-quarkus-admin to build as a "fast-jar" instead of an "uber-jar".
* Build: Add `pom.xml`, `pom.properties` and LICENSE+NOTICE to release jars (apache#1036) Adds convenient, but not strictly necessary information to each generated "main" jar. This includes `pom.properties` and `pom.xml` files where Maven places those, in `META-INF/maven/group-id/artifact-id/`. Also adds the `NOTICE` and `LICENSE` files in `META-INF`, which makes it easier for license scanners.
* Doc: catalog bootstrap steps for helm deployment (apache#1243)
* main: Update actions/setup-python digest to 8d9ed9a (apache#1249)
* main: Update dependency com.google.guava:guava to v33.4.6-jre (apache#1251)
* main: Update actions/stale digest to ba23c1c (apache#1250)
* Core: Add data compaction policy content parser and validator (apache#1238)
* main: Update gradle/actions digest to 06832c7 (apache#1255)
* Admin tool: fix Dockerfile.jvm (apache#1256)
* Implement GenericTableCatalog (apache#1231)
* add missing apis
* more tests, fixes
* clean up drop
* autolint
* changes per review
* revert iceberg messages to comply with oss tests
* another revert
* more iceberg catalog changes
* autolint
* wip
* refactor to subtype
* autolint
* rebase
* add another assert
* autolint
* add another best effort check
* autolint
* reduce metastore trips
* autolint
* API Spec: Add ConnectionConfigInfo to ExternalCatalog (apache#1026)
* API Spec: Add ConnectionConfigInfo to ExternalCatalog Remove the currently unused remoteUrl field from the top-level ExternalCatalog into the ConnectionConfigInfo as "uri" instead for better consistency; remote catalogs in the future may be defined by arbitrary URIs that are not, for example, http(s) URLs. This is just the spec definition for now, so it's not yet wired into the internal entity layer or persistence objects. Allow extensibility of different connection types in the future even if we start with only an ICEBERG_REST type. Similarly, provide extensibility for different authn mechanisms to use with the connection.
* Implement service interfaces for policies & generic tables (apache#1263)
* ready
* autolint
* main: Update registry.access.redhat.com/ubi9/openjdk-21-runtime Docker tag to v1.22-1 (apache#1268)
* main: Update dependency io.smallrye.common:smallrye-common-annotation to v2.11.0 (apache#1267)
* main: Update dependency io.smallrye.config:smallrye-config-core to v3.12.4 (apache#1266)
* Add openApiGenerate task as dependency for processResources (apache#1259)
* Core: Add policy content and validator for more maintenance policies (apache#1261)
* Better error message when sibling resolution fails (apache#1253)
* better error
* autolint
* better message
* Add CLI dependency update option (apache#1222)
* PySpark Reg Test Updates (apache#1262)
* PySpark Reg Test Updates
* Nits
---------
Co-authored-by: Travis Bowen <travis.bowen@snowflake.com>
* Update .asf.yaml adding dismiss_stale_reviews to true and require_last_push_approval to false (apache#1265)
* main: Update dependency software.amazon.awssdk:bom to v2.31.11 (apache#1279)
* main: Update dependency boto3 to v1.37.23 (apache#1278)
* main: Update dependency com.azure:azure-sdk-bom to v1.2.33 (apache#1275)
* Update team (apache#1282)
* Vend Azure credentials compatible with Iceberg 1.7 (apache#1252)
* update
* autolint
* fix
* autolint
* clean up
* autolint
* test
* autolint
* paranoid check
* typofix
* Add a note about nit/minor comments (apache#1280)
* Upgrade Iceberg to 1.8.1 (apache#1126)
* Policy Store: PolicyMappingRecord with Persistence Impl (apache#1104)
* Spark: Setup repository code structure and build (apache#1190)
* Added freshness aware table loading using metadata file location for ETag (apache#1037)
* Pulled in iceberg 1.8.0 spec changes for freshness aware table loading and added feature to Polaris
* Changed etag support to use entityId:version tuple
* fixed getresponse call
* Changed etagged response to record and gave default implementation to ETaggableEntity
* Made iceberg rest spec docs clearer
* Added HTTP Compliant ETag and IfNoneMatch representations and separated persistence from etag logic
* Changed ETag to be a record and improved semantics of IfNoneMatch
* Fixed semantics of if none match
* Removed ETag representation, consolidated in IfNoneMatch
* fixed if none match parsing
* Added table entity retrieval method to table operations
* removed accidental commit of pycache folders
* Fixed formatting
* Changed to use metadata location hash
* Ran formatting
* use sha256
* Moved out ETag functions to utility class and removed ETaggedLoadTableResponse
* Addressed comments
* Fixed IcebergTableLikeEntity package rename
* main: Update dependency io.opentelemetry.semconv:opentelemetry-semconv to v1.31.0 (apache#1288)
* Update LICENSE and NOTICE in the distributions (admin and server) (apache#1258)
* Gradle/Quarkus: make imageBuild task depend on jandex (apache#1290)
* Core: Clarify the atomicity of BasePersistence methods (apache#1274)
* Implement GenericTableCatalogAdapter (apache#1264)
* rebase
* more fixes
* autolint
* working on tests
* stable test
* autolint
* polish
* changes per review
* some changes per review
* grants
* autolint
* changes per review
* changes per review
* typofix
* Improve code-containment and efficiency of etag-aware loading (apache#1296)
* Improve code-containment and efficiency of etag-aware loading -Make the hash generation resilient against null metadataLocation -Use getResolvedPath instead of getPassthroughResolvedPath to avoid redundant persistence round-trip -Only try to calculate the etag for comparison against ifNoneMatch if the ifNoneMatch is actually provided
* Add strict null-checking at callsites to generateETag, disallow passing null to generator
* Add TODO to refactor shared logic for etag generation
* Core: Add Endpoints and resource paths for Generic Table (apache#1286)
* main: Update dependency com.nimbusds:nimbus-jose-jwt to v10.1 (apache#1299)
* [JDBC] Part1 : ADD SQL script for Polaris setup (apache#1276)
* main: Update registry.access.redhat.com/ubi9/openjdk-21-runtime Docker tag to v1.22-1.1743605859 (apache#1300)
* done (apache#1297)
* Add Polaris Community Meeting for April 3, 2025 (apache#1304)
* Use config-file to define errorprone rule (apache#1233) Also enabled a couple more simple rules, and adding suppressions/fixes for/to the code. The two rules `EqualsGetClass` and `UnusedMethod`, which I think are useful, are not enabled yet, because that would mean actual code changes, which I do not want to do in this PR. The rule `PatternMatchingInstanceof`, introduced in apache#393, is disabled in this PR. It does not work before errorprone 2.37.0 (via apache#1213) - requires additional changes to enable the rule (see apache#1215).
* Add Yun as a contributor (apache#1310)
* Refactor CatalogHandler to comply with ErrorProne rules (apache#1312) Fix the CI error after apache#1233
* Implement PolicyCatalog Stage 1: CRUD + ListPolicies (apache#1294)
* main: Update dependency io.opentelemetry:opentelemetry-bom to v1.49.0 (apache#1316)
* main: Update docker.io/jaegertracing/all-in-one Docker tag to v1.68.0 (apache#1317)
* main: Update dependency boto3 to v1.37.28 (apache#1328)
* main: Update dependency software.amazon.awssdk:bom to v2.31.16 (apache#1329)
* Make `BasePolaritsMetaStoreManagerTest` and `(Base)ResolverTest` reusable (apache#1308) Moves the test cases into the `Base*` classes and make sure the classes can be reused by other persistence implementations.
* main: Update dependency io.opentelemetry.semconv:opentelemetry-semconv to v1.32.0 (apache#1293)
* main: Update mockito monorepo to v5.17.0 (apache#1311)
* PySpark Update AWS Region (apache#1302)
Co-authored-by: Travis Bowen <travis.bowen@snowflake.com>
* main: Update dependency com.nimbusds:nimbus-jose-jwt to v10.2 (apache#1334)
* main: Update dependency com.diffplug.spotless:spotless-plugin-gradle to v7.0.3 (apache#1335)
* Maven publication: Produce correct `<scm><tag>` in `pom.xml` (apache#1330) `project.scm.tag` in a Maven pom is intended to refer to the SCM (Git) tag. We currently publish `main`, which is incorrect. This change omits the SCM tag for snapshot builds, but emits the Git tag for releases.
* Remove `@StaticInitSafe` annotation (apache#1331) There was an issue around mapped configurations having the `@StaticInitSafe` annotation that led to _two_ instances (a "static" one and a "somewhat application-scoped" one) - this was fixed in Quarkus 3.21. One bug in smallrye-config is fixed for Quarkus > 3.21.0, another issue however remains. Since `@StaticInitSafe` annotated configs seem to cause some weird issues, it seems legit to remove that annotation altogether. This approach was [taken in Nessie](projectnessie/nessie#10606) as well. Investigations (via practical experiments) have proven that there's no measurable impact (runtime + heap) when doing this - and that's also been confirmed by Quarkus + Smallrye-config maintainers. Hence this change removes that annotation from the code base.
* Build/Release: Add a "generate digest" task and use for source tarball and Quarkus distributables (apache#1271)
* Ensure that digest and signature are generated for both Polaris-Server and admin tar/zip distribution
* Move "generate digest" functionality to a Gradle task
* main: Update dependency com.google.errorprone:error_prone_core to v2.37.0 (apache#1213)
* main: Update Quarkus Platform and Group to v3.21.1 (apache#1291)
* main: Update dependency io.netty:netty-codec-http2 to v4.2.0.Final (apache#1301)
* Remove unnecessary `clean` and `--no-build-cache` from Gradle invocations (apache#1338) `quarkusAppPartsBuild --rerun` is the right way to force a Docker image build.
* Generalize bootstrapping in servers (apache#1313)
* Remove `instanceof` checks from `QuarkusProducers`.
* Remove the now unused `onStartup` method from `InMemoryPolarisMetaStoreManagerFactory`.
* Instead, call the good old `bootstrapRealms` method from `QuarkusProducers`.
* Add new config property to control which MetaStore types are bootstrapped automatically (defaults to `in-memory` as before).
* There is no bootstrap behaviour change in this PR, only refactorings to simplify code.
* Add info log message to indicate when a realm is bootstrapped in runtime using preset credentials. Future enhancements may include pulling preset credentials from a secret manager like Vault for bootstrapping (as discussed in comments on apache#1228).
* main: Update actions/stale digest to 816d9db (apache#1341)
* main: Update dependency com.adobe.testing:s3mock-testcontainers to v4 (apache#1342)
* main: Update dependency org.eclipse.persistence:eclipselink to v4.0.6 (apache#1343)
* main: Update dependency io.quarkus to v3.21.2 (apache#1344)
* main: Update dependency com.google.guava:guava to v33.4.7-jre (apache#1340)
Co-authored-by: Robert Stupp <snazy@snazy.de>
* Spark: Add Namespaces and View support for SparkCatalog (apache#1332)
* Demote technical log messages to DEBUG in PolarisCallContextCatalogFactory (apache#1346) These messages appear to be logging low-level technical details about what is going on in the factory and are not likely to be of interest to most users on a daily basis.
* Core/Service: Implement PolicyCatalog Stage 2: detach/attach/getApplicablePolicies (apache#1314)
* Spec: Add 'inherited' and 'namespace' Fields to GetApplicablePolicies API Response (apache#1277)
* Properly track bootstrappedRealms in InMemoryPolarisMetaStoreManagerFactory (apache#1352) Fixes apache#1351
* Implement GenericTableCatalogAdapter; admin-related fixes (apache#1298)
* initial commit:
* debugging
* some polish
* autolint
* spec change
* bugfix
* bugfix
* various fixes
* another missing admin location
* autolint
* false by default
* fixes per review
* autolint
* more fixes
* DRY
* revert small change for a better error
* integration test
* extra test
* autolint
* stable
* wip
* rework subtypes a bit
* stable again
* autolint
* apply new lint rule
* errorprone again
* adjustments per review
* update golden files
* add another test
* clean up logic in PolarisAdminService
* autolint
* more fixes per review
* format
* Update versions in distribution LICENSE and NOTICE (apache#1350)
* Spark: Add CreateTable and LoadTable implementation for SparkCatalog (apache#1303)
* Add a weigher to the EntityCache based on approximate entity size (apache#490)
* initial commit
* autolint
* resolve conflicts
* autolint
* pull main
* Add multiplier
* account for name, too
* adjust multiplier
* add config
* autolint
* remove old cast
* more tests, fixes per review
* add precise weight test
* autolint
* populate credentials field for loadTableResponse (apache#1225)
* populate credentials field for loadTableResponse
* spotless
* spotless
* remove unused hashset
* fix merge
* fix empty credential case
* spotlessApply
---------
Co-authored-by: David Lu <dalu@hubspot.com>
* main: Update dependency io.smallrye.common:smallrye-common-annotation to v2.12.0 (apache#1355)
* Build: Avoid adding duplicated projects for IntelliJ IDE usage (apache#1333)
* main: Update dependency org.junit:junit-bom to v5.12.2 (apache#1354)
* main: Update dependency org.apache.commons:commons-text to v1.13.1 (apache#1358)
* main: Update dependency boto3 to v1.37.33 (apache#1360)
* main: Update dependency software.amazon.awssdk:bom to v2.31.21 (apache#1361)
* main: Update dependency io.micrometer:micrometer-bom to v1.14.6 (apache#1362)
* main: Update dependency com.google.guava:guava to v33.4.8-jre (apache#1366)
* Update LICENSE/NOTICE with latest versions (apache#1364)
* Use "clean" LICENSE and NOTICE in published jar artifacts (apache#1292)
* main: Update dependency io.projectreactor.netty:reactor-netty-http to v1.2.5 (apache#1372)
* Add `Varint` type for variable-length integer encoding (apache#1229)
* main: Update docker.io/prom/prometheus Docker tag to v3.3.0 (apache#1375)
* Set version to 0.10.0-beta in preparation for the next release (apache#1370)
* Update the link to OpenAPI in the documentation (apache#1379)
* Integration test for Spark Client (apache#1349)
* add integration test
* add change
* add comments
* rebase main
* update class comments
* add base integration
* clean up comments
* main: Update dependency net.ltgt.gradle:gradle-errorprone-plugin to v4.2.0 (apache#1392)
* Add generic table documentations (apache#1374)
* add generic table documentation (incomplete)
* fix table and spacing
* remove documentation in client api since there is no implementation yet
* remove spacing
* minor fix - proof read
* review fix, wording
* add generic table documentation (incomplete)
* fix table and spacing
* remove documentation in client api since there is no implementation yet
* remove spacing
* minor fix - proof read
* review fix, wording
* proof read - punctuation fix
* change table privilege reference
* Unblock test `listNamespacesWithEmptyNamespace` (apache#1289)
* Unblock test `listNamespacesWithEmptyNamespace`
* Use `containsExactly` to simplify the test
* Fix empty namespace behavior
* Address comments
* Block dropping empty namespace
* Improve error messages
* Revamp the Quick Start page (apache#1367)
* First Draft with AWS
* try again
* try again
* try again
* try again
* try again
* try now
* should work
* AWS First Draft Complete
* ensure file changed
* Azure First Draft Complete
* Azure First Draft, pt. 2
* Azure Completed
* GCP First Draft
* GCP Verified
* File structure fixed
* Remove Trino-specific tutorial
* Restructured Quick Start
* Addresses minor comments from @eric-maynard
* Added reference to Deploying Polaris in Production
* Fix MD Link Checker
---------
Co-authored-by: Adnan Hemani <adnan.hemani@snowflake.com>
* Update README with links to new Quickstart experience (apache#1393)
* Update the StorageConfiguration to invoke singleton client objects, a… (apache#1386)
* Update the StorageConfiguration to invoke singleton client objects, and add a test
* Fix formatting
* using guava suppliers
* Add aws region
* Cleanup and mock test
* Spark: Add rest table operations (drop, list, purge and rename etc) for Spark Client (apache#1368)
* Initial MVP implementation of Catalog Federation to remote Iceberg REST Catalogs (apache#1305)
* Initial prototype of catalog federation just passing special properties into internal properties. Make Resolver federation-aware to properly handle "best-effort" resolution of passthrough facade entities. Targets will automatically reflect the longest-path that we happen to have stored locally and resolve grants against that path (including the degenerate case where the longest-path is just the catalog itself). This provides Catalog-level RBAC for passthrough federation. Sketch out persistence-layer flow for how connection secrets might be pushed down into a secrets-management layer.
* Defined internal representation classes for connection config
* Construct and initialize federated iceberg catalog based on connection config
* Apply the same spec renames to the internal ConnectionConfiguration representations.
* Manually pick @XJDKC fixes for integration tests and omitting secrets in response objects
* Fix internal connection structs with updated naming from spec PR
* Push CreateCatalogRequest down to PolarisAdminService::createCatalog just like UpdateCatalogRequest in updateCatalog. This is needed if we're going to make PolarisAdminService handle secrets management without ever putting the secrets into a CatalogEntity.
* Add new interface UserSecretsManager along with a default implementation The default UnsafeInMemorySecretsManager just uses an inmemory ConcurrentHashMap to store secrets, but structurally illustrates the full flow of intended implementations. For mutual protection against a compromise of a secret store or the core persistence store, the default implementation demonstrates storing only an encrypted secret in the secret store, and a one-time-pad key in the returned referencePayload; other implementations using standard crypto protocols may choose to instead only utilize the remote secret store as the encryption keystore while storing the ciphertext in the referencePayload (e.g. using a KMS engine with Vault vs using a KV engine). Additionally, it demonstrates the use of an integrity check by storing a basic hashCode in the referencePayload as well.
* Wire in UserSecretsManager to createCatalog and federated Iceberg API handlers Update the internal DPOs corresponding to the various ConnectionConfigInfo API objects to no longer contain any possible fields for inline secrets, instead holding the JSON-serializable UserSecretReference corresponding to external/offloaded secrets. CreateCatalog for federated catalogs containing secrets will now first extract UserSecretReferences from the CreateCatalogRequest, and the CatalogEntity will populate the DPOs corresponding to ConnectionConfigInfos in a secondary pass by pulling out the relevant extracted UserSecretReferences. For federated catalog requests, when reconstituting the actual sensitive secret configs, the UserSecretsManager will be used to obtain the secrets by using the stored UserSecretReferences. Remove vestigial internal properties from earlier prototypes.
* Since we already use commons-codec DigestUtils.sha256Hex, use that for the hash in UnsafeInMemorySecretsManager just for consistency and to illustrate a typical scenario using a cryptographic hash.
* Rename the persistence-objects corresponding to API model objects with a new naming convention that just takes the API model object name and appends "Dpo" as a suffix;
* Use UserSecretsManagerFactory to Produce the UserSecretsManager (apache#1)
* Move PolarisAuthenticationParameters to a top-level property according to the latest spec
* Create a Factory for UserSecretsManager
* Fix a typo in UnsafeInMemorySecretsManagerFactory
* Gate all federation logic behind a new FeatureConfiguration - ENABLE_CATALOG_FEDERATION
* Also rename some variables and method names to be consistent with prior rename to ConnectionConfigInfoDpo
* Change ConnectionType and AuthenticationType to be stored as int codes in persistence objects. Address PR feedback for various nits and javadoc comments.
* Add javadoc comment to IcebergCatalogPropertiesProvider
* Add some constraints on the expected format of the URN in UserSecretReference and placeholders for next steps where we'd provide a ResolvingUserSecretsManager for example if the runtime ever needs to delegate to two different implementations of UserSecretsManager for different entities. Reduce the `forEntity` argument to just PolarisEntityCore to make it more clear that the implementation is supposed to extract the necessary identifier info from forEntity for backend cleanup and tracking purposes.
---------
Co-authored-by: Rulin Xing <rulin.xing+oss@snowflake.com>
Co-authored-by: Rulin Xing <xjdkcsq3@gmail.com>
* Add Adnan and Neelesh to collaborators list (apache#1396)
* Replace authentication filters with Quarkus Security (apache#1373)
* Implement PolicyCatalogHandler and Add Policy Privileges Stage 1: CRUD + ListPolicies (apache#1357)
* Add PolicyCatalogHandler and tests
* Fix style
* Address review comments
* Address review comments 2
* fix nit
* Remove CallContext.getAuthenticatedPrincipal() (apache#1400)
* main: Update dependency info.picocli:picocli-codegen to v4.7.7 (apache#1408)
* main: Update dependency com.google.errorprone:error_prone_core to v2.38.0 (apache#1404)
* Add Polaris Community Meeting 2025-04-17 (apache#1409)
* main: Update dependency boto3 to v1.37.37 (apache#1412)
* EclipseLink: add PrimaryKey to policy mapping records JPA model (apache#1403)
* Re-instate dependencies between Docker Compose services (apache#1407)
* Do not rotate bootstrapped root credentials (apache#1414)
* Add Getting Started Button to the Apache Polaris Website Homepage (apache#1406)
* Core: change to return ApplicablePolicies (apache#1415)
* Rename the Snapshot Retention policy (apache#1284)
* Rename the Snapshot Retention policy
* Resolve comments
* Resolve comments
---------
Co-authored-by: Yufei Gu <yufei.apache.org>
* main: Update dependency com.adobe.testing:s3mock-testcontainers to v4.1.0 (apache#1419)
* rename snapshotRetention to snashotExpiry (apache#1420)
* main: Update registry.access.redhat.com/ubi9/openjdk-21-runtime Docker tag to v1.22-1.1744796716 (apache#1394)
* main: Update dependency software.amazon.awssdk:bom to v2.31.26 (apache#1413)
* main: Update dependency com.adobe.testing:s3mock-testcontainers to v4.1.1 (apache#1425)
* Fix releaseEmailTemplate task (apache#1384)
* Update distributions LICENSE and NOTICE with AWS SDK 2.31.26 update (apache#1423)
* Support snapshots=refs (apache#1405)
* initial commit
* autolint
* small revert
* rebase
* autolint
* simpler
* autolint
* tests
* autolint
* stable
* fix leak
* ready for review
* improved test
* autolint
* logic flip again
* Update service/common/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogHandler.java
Co-authored-by: Alexandre Dutra <adutra@users.noreply.github.com>
* Update integration-tests/src/main/java/org/apache/polaris/service/it/env/CatalogApi.java
Co-authored-by: Alexandre Dutra <adutra@users.noreply.github.com>
* adjustments for committed suggestions
* autolint
---------
Co-authored-by: Alexandre Dutra <adutra@users.noreply.github.com>
* Remove activatedPrincipalRoles property from AuthenticatedPolarisPrincipal (apache#1410) This seems to be a leftover from when ActiveRolesProvider was introduced. The setter was still used, but the getter wasn't, which hints at the fact that this property can be safely removed. As a bonus, AuthenticatedPolarisPrincipal now becomes immutable, which is imho a very good thing.
* Implement PolicyCatalogHandler and Add Policy Privileges Stage 2: AttachPolicy + DetachPolicy (apache#1416)
* add auth test for attach/detach
* apply formatter
* refactor authorizePolicyAttachmentOperation
* address comment
* better naming
* Ship eclipselink and PostgreSQL JDBC driver by default in Polaris distribution (apache#1411)
* Fix Connection Config DPOs (apache#1422)
* Fix connection config dpos
* Run spotlessApply
* Doc: Fix the issue that html tags are not working in Hugo (apache#1382)
* Implement PolicyCatalogHandler Stage 3: GetApplicablePolicies (apache#1421)
* [JDBC] Part2: Add Relational JDBC module (apache#1287)
* Bump version to 0.11.0-beta-incubating-SNAPSHOT (apache#1429)
* Make entity lookups by id honor the specified entity type (apache#1401)
* Make entity lookups by id honor the specified entity type All implementations of `TransactionalPersistence.lookupEntityInCurrentTxn()` are currently ignoring the `typeCode` parameter completely and could potentially return an entity of the wrong type. This can become very concerning during authentication, since a principal lookup could return some entity that is not a principal, and that would be considered a successful authentication.
* review
* Remove "test" Authenticator (apache#1399)
* Propagate SQLException as "caused by" (apache#1430)
* Remove logging for DbOps (apache#1433)
* Spark: Add regtests for Spark client to test built jars (apache#1402)
* main: Update dependency com.google.cloud:google-cloud-storage-bom to v2.51.0 (apache#1436)
* main: Update dependency org.testcontainers:testcontainers-bom to v1.21.0 (apache#1437)
* main: Update actions/setup-python digest to a26af69 (apache#1440)
* Spark-IT: use correct configurations (apache#1444) ... do not let Spark leak into Quarkus
* PolarisRestCatalogIntegrationTest: Always purge generic tables (apache#1443)
* Add missing Postgresql dependency (apache#1447)
* Add Request Timeouts (apache#1431)
* add timeout
* add iceberg exception mapping
* dont use quarkus bom, disable timeout
* nits
* Fix sparks sql regtests with up to date config (apache#1454)
* Refactor BasePolarisTableOperations & BasePolarisViewOperations (apache#1426)
* initial copy paste
* Reorder
* view copy paste
* fixes, polish
* stable
* yank
* CODE_COPIED_TO_POLARIS comments
* autolint
* update license
* typofix
* update comments
* autolint
* Use .sha512 extension instead of -sha512 (apache#1449)
* main: Update dependency org.eclipse.microprofile.fault-tolerance:microprofile-fault-tolerance-api to v4.1.2 (apache#1451)
* Doc: Update Local Root Principal Credentials in Quickstart (apache#1452)
* Update the Getting Started Workflow with each Cloud Provider's Blob Storage (apache#1435)
* AWS First Draft
* Debug
* revert typo
* Add JQ to docker runtime
* Debug, pt2
* debug
* debug
* Allow Instance Profile Roles
* change random suffix
* change instance profile to regular IAM roles
* AWS Final Draft
* Azure First Draft
* debug
* Azure First Draft
* debug
* typo
* GCP First Try
* GCP Complete
* GCP Final
* add all jars to Spark
* refactor
* Implement PolicyCatalogAdapter (apache#1438)
* Generic Table/Policy Store: Move feature config check to Adapter and some small refactoring (apache#1465)
* update refs (apache#1464)
* [JDBC] Part3: Plumb JDBC module to Quarkus (apache#1371)
* Allow BasePolarisTableOperations to skip refreshing metadata after a commit (apache#1456)
* initial commit
* fix another test
* changes per comments
* visibility
* changes per review
* autolint
* oops
* main: Update dependency com.fasterxml.jackson:jackson-bom to v2.19.0 (apache#1455)
* Doc: Added set custom credentials instruction in README (apache#1461)
* Doc: Add policy documentation (apache#1460)
* main: Update dependency software.amazon.awssdk:bom to v2.31.30 (apache#1475)
* main: Update dependency gradle to v8.14 (apache#1459)
* main: Update dependency gradle to v8.14
* fix PR
---------
Co-authored-by: Robert Stupp <snazy@snazy.de>
* Remove unused class TokenInfoExchangeResponse (apache#1479) This is an oversight from apache#1399.
* Upgrade Polaris to Iceberg 1.9.0 (apache#1309)
* Doc: Update on access-control policy docs (apache#1472)
* main: Update Quarkus Platform and Group (apache#1381)
* Added link to the Spark-Jupyter Notebook Getting Started from the main Getting Started Page (apache#1453)
* Added link to the Spark-Jupyter Notebook Getting Started from the main Quickstart page
* Typo
Co-authored-by: Eric Maynard <emaynard@apache.org>
* Suggestions as per @eric-maynard's review
* Fix Typo
---------
Co-authored-by: Eric Maynard <emaynard@apache.org>
* [JDBC] Support Policy (apache#1468)
* Refactor EntityCache into an interface (apache#1193)
* Refactor EntityCache to an interface
* fix
* spotless
* Remove unused PolarisCredentialVendor.validateAccessToLocations() (apache#1480)
* Remove unused PolarisCredentialVendor.validateAccessToLocations()
* review: remove ValidateAccessResult and comments
* Policy Store: Check whether Policy is in use before dropping and support `detach-all` flag (apache#1467)
* fix error (apache#1492)
* Ensure writeToPolicyMappingRecord update existing record if primary key equals in EclipseLink Persistence Impl (apache#1469)
* update PolicyMappingRecord if not exists
* update test
* add TODO
* Eliminate getCurrentContext() call in PolarisAuthorizerImpl (apache#1494)
* Add getting-started for Polaris Spark Client with Delta tables (apache#1488)
* Fix: Pull Postgres image automatically (apache#1495)
* Fix Outdated Information and add Information regarding `docker compose down` to Quickstart (apache#1497)
* Fix Outdated Information and Add Information regarding docker compose down to Quickstart
* Revision 2
* Remove shutdown from README
* typo
* Upgrade Iceberg REST Spec to match Iceberg 1.8 (apache#1283)
* prep for review
* reset
* more changes
* fixes
* github action change
* another build change
* try api revert
* re-all
* custom type mappings, rebuild
* autolint
* polish
* yank custom types
* update
* autolint
* wip
* Revert build changes
* example
* autolint
* Fix FileIOExceptionsTest to conform to new Iceberg 1.8 API (apache#1501) It looks like after apache#1283, this test no longer compiles as the Iceberg API has changed. I'm not sure how this wasn't caught by CI on that PR itself.
* JDBC: Optimize writeEntity calls (apache#1496)
* Remove transaction from atomic writes
* remove if-else
* main: Update registry.access.redhat.com/ubi9/openjdk-21-runtime Docker tag to v1.22-1.1745840590 (apache#1499)
* Support for external identity providers (apache#1397)
* JDBC: create objects without reflection (apache#1434)
* Include quarkus-container-image and README in the binary distributions (apache#1493)
* Site: Fix Management and Catalog Spec links (apache#1507)
* Lazy iteration over JDBC ResultSet (apache#1487)
* refactor
* autolint
* polish
* autolint
* changes per review
* autolint
* unwrapping caller
* changes per review
* Update distributions LICENSE and NOTICE with artifacts and versions sync (apache#1509)
* Avoid using deprecated `NestedField.of()` (apache#1514)
* Fix compile warning: unknown enum constant Id.NAME (apache#1513)
* Doc: Add getting started with JDBC source (apache#1470)
* Site: Add Polaris Spark client webpage under unreleased (apache#1503)
* fix merge error
* retrigger test
* Fix test failure (apache#1541)
* mitigate .snyk issue
* revert file in this pr
* add .snyk file
* retrigger
* move snyk file
* retrigger
* resolve conflict
* retrigger
* Revert "resolve conflict" This reverts commit 5d6427150cab67aad7a4eca37142e87316f514fc.
* repick the change --------- Co-authored-by: Dmitri Bourlatchkov <dmitri.bourlatchkov@dremio.com> Co-authored-by: danielhumanmod <danieltu.life@gmail.com> Co-authored-by: Mend Renovate <bot@renovateapp.com> Co-authored-by: JB Onofré <jbonofre@apache.org> Co-authored-by: Robert Stupp <snazy@snazy.de> Co-authored-by: MonkeyCanCode <yongzheng0809@gmail.com> Co-authored-by: Honah (Jonas) J. <honahx@apache.org> Co-authored-by: Eric Maynard <eric.maynard+oss@snowflake.com> Co-authored-by: Liam Bao <90495036+liamzwbao@users.noreply.github.com> Co-authored-by: Yufei Gu <yufei@apache.org> Co-authored-by: Alexandre Dutra <adutra@users.noreply.github.com> Co-authored-by: Dennis Huo <7410123+dennishuo@users.noreply.github.com> Co-authored-by: Travis Bowen <122238243+travis-bowen@users.noreply.github.com> Co-authored-by: Travis Bowen <travis.bowen@snowflake.com> Co-authored-by: gh-yzou <167037035+gh-yzou@users.noreply.github.com> Co-authored-by: Mansehaj Singh <msehajs@gmail.com> Co-authored-by: Prashant Singh <35593236+singhpk234@users.noreply.github.com> Co-authored-by: Juichang Lu <wolflex888@gmail.com> Co-authored-by: David Lu <dalu@hubspot.com> Co-authored-by: gfakbar20 <gfakbar20@gmail.com> Co-authored-by: Adnan Hemani <adnan.h@berkeley.edu> Co-authored-by: Adnan Hemani <adnan.hemani@snowflake.com> Co-authored-by: Neelesh Salian <nssalian@users.noreply.github.com> Co-authored-by: Rulin Xing <rulin.xing+oss@snowflake.com> Co-authored-by: Rulin Xing <xjdkcsq3@gmail.com> Co-authored-by: fabio-rizzo-01 <fabio.rizzocascio@jpmorgan.com> Co-authored-by: Pierre Laporte <pierre@pingtimeout.fr> Co-authored-by: Richard Liu <35082658+RichardLiu2001@users.noreply.github.com> Co-authored-by: Michael Collado <40346148+collado-mike@users.noreply.github.com> Co-authored-by: Owen Lin (You-Cheng Lin) <106612301+owenowenisme@users.noreply.github.com> Co-authored-by: Eric Maynard <emaynard@apache.org> Co-authored-by: Andrew Guterman <andrew.guterman1@gmail.com>
This implements `GenericTableCatalogAdapter` & `GenericTableCatalogHandlerWrapper` on top of `GenericTableCatalog` to provide auth for generic tables and the necessary abstractions to wire everything up to the REST endpoints. I've also introduced a config to optionally disable generic table functionality here in preparation for this, and done some refactoring to improve code re-use across the generic & Iceberg table code paths.