Support vended credentials beyond loadTable

Author: shyiko

ice-rest-catalog/src/main/java/com/altinity/ice/rest/catalog/Main.java

@@ -30,8 +30,10 @@
 import com.altinity.ice.rest.catalog.internal.rest.RESTCatalogAdapter;
 import com.altinity.ice.rest.catalog.internal.rest.RESTCatalogAuthorizationHandler;
 import com.altinity.ice.rest.catalog.internal.rest.RESTCatalogHandler;
-import com.altinity.ice.rest.catalog.internal.rest.RESTCatalogMiddlewareTableAWCredentials;
+import com.altinity.ice.rest.catalog.internal.rest.RESTCatalogMiddlewareConfig;
+import com.altinity.ice.rest.catalog.internal.rest.RESTCatalogMiddlewareCredentials;
 import com.altinity.ice.rest.catalog.internal.rest.RESTCatalogMiddlewareTableConfig;
+import com.altinity.ice.rest.catalog.internal.rest.RESTCatalogMiddlewareTableCredentials;
 import com.altinity.ice.rest.catalog.internal.rest.RESTCatalogServlet;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.net.HostAndPort;
@@ -49,6 +51,7 @@
 import org.apache.iceberg.CatalogUtil;
 import org.apache.iceberg.aws.s3.S3FileIOProperties;
 import org.apache.iceberg.catalog.Catalog;
+import org.apache.iceberg.relocated.com.google.common.base.Function;
 import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
@@ -235,6 +238,10 @@ private static Server createBaseServer(
       mux.insertHandler(createAuthorizationHandler(config.bearerTokens(), config));
 
       restCatalogAdapter = new RESTCatalogAdapter(catalog);
+      var globalConfig = config.toIcebergConfigDefaults();
+      if (!globalConfig.isEmpty()) {
+        restCatalogAdapter = new RESTCatalogMiddlewareConfig(restCatalogAdapter, globalConfig);
+      }
       var loadTableConfig = config.toIcebergLoadTableConfig();
       if (!loadTableConfig.isEmpty()) {
         restCatalogAdapter =
@@ -244,12 +251,17 @@ private static Server createBaseServer(
       if (awsAuth) {
         Map<String, AwsCredentialsProvider> awsCredentialsProviders =
             createAwsCredentialsProviders(config.bearerTokens(), config, icebergConfig);
+        Function<String, AwsCredentialsProvider> auth = awsCredentialsProviders::get;
         restCatalogAdapter =
-            new RESTCatalogMiddlewareTableAWCredentials(
-                restCatalogAdapter, awsCredentialsProviders::get);
+            new RESTCatalogMiddlewareTableCredentials(
+                new RESTCatalogMiddlewareCredentials(restCatalogAdapter, auth), auth);
       }
     } else {
       restCatalogAdapter = new RESTCatalogAdapter(catalog);
+      var globalConfig = config.toIcebergConfigDefaults();
+      if (!globalConfig.isEmpty()) {
+        restCatalogAdapter = new RESTCatalogMiddlewareConfig(restCatalogAdapter, globalConfig);
+      }
       var loadTableConfig = config.toIcebergLoadTableConfig();
       if (!loadTableConfig.isEmpty()) {
         restCatalogAdapter =
@@ -258,9 +270,10 @@ private static Server createBaseServer(
 
       if (awsAuth) {
         DefaultCredentialsProvider awsCredentialsProvider = DefaultCredentialsProvider.create();
+        Function<String, AwsCredentialsProvider> auth = uid -> awsCredentialsProvider;
         restCatalogAdapter =
-            new RESTCatalogMiddlewareTableAWCredentials(
-                restCatalogAdapter, uid -> awsCredentialsProvider);
+            new RESTCatalogMiddlewareTableCredentials(
+                new RESTCatalogMiddlewareCredentials(restCatalogAdapter, auth), auth);
       }
     }
 

ice-rest-catalog/src/main/java/com/altinity/ice/rest/catalog/internal/config/Config.java

@@ -182,6 +182,18 @@ public static Config load(String configFile) throws IOException {
   }
 
   public Map<String, String> toIcebergLoadTableConfig() {
+    var m = toIcebergConfigDefaults();
+    for (Map.Entry<String, String> e : loadTableProperties.entrySet()) {
+      if (e.getValue() != null) {
+        m.put(e.getKey(), e.getValue());
+      } else {
+        m.remove(e.getKey());
+      }
+    }
+    return m;
+  }
+
+  public Map<String, String> toIcebergConfigDefaults() {
     var m = new HashMap<String, String>();
     String iceIODefault = "ice.io.default.";
     if (s3 != null) {
@@ -199,13 +211,6 @@ public Map<String, String> toIcebergLoadTableConfig() {
       String region = warehouse.split(":")[3];
       m.putIfAbsent(iceIODefault + AwsClientProperties.CLIENT_REGION, region);
     }
-    for (Map.Entry<String, String> e : loadTableProperties.entrySet()) {
-      if (e.getValue() != null) {
-        m.put(e.getKey(), e.getValue());
-      } else {
-        m.remove(e.getKey());
-      }
-    }
     return m;
   }
 

ice-rest-catalog/src/main/java/com/altinity/ice/rest/catalog/internal/rest/RESTCatalogMiddlewareConfig.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2025 Altinity Inc and/or its affiliates. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ */
+package com.altinity.ice.rest.catalog.internal.rest;
+
+import com.altinity.ice.rest.catalog.internal.auth.Session;
+import java.util.Map;
+import org.apache.iceberg.rest.RESTResponse;
+import org.apache.iceberg.rest.responses.ConfigResponse;
+
+public class RESTCatalogMiddlewareConfig extends RESTCatalogMiddleware {
+
+  private final Map<String, String> defaults;
+
+  public RESTCatalogMiddlewareConfig(RESTCatalogHandler next, Map<String, String> defaults) {
+    super(next);
+    this.defaults = defaults;
+  }
+
+  @Override
+  public <T extends RESTResponse> T handle(
+      Session session,
+      Route route,
+      Map<String, String> vars,
+      Object requestBody,
+      Class<T> responseType) {
+    T restResponse = this.next.handle(session, route, vars, requestBody, responseType);
+    if (restResponse instanceof ConfigResponse configResponse) {
+      Map<String, String> config = configResponse.defaults();
+      for (var e : defaults.entrySet()) {
+        config.putIfAbsent(e.getKey(), e.getValue());
+      }
+    }
+    return restResponse;
+  }
+}

ice-rest-catalog/src/main/java/com/altinity/ice/rest/catalog/internal/rest/RESTCatalogMiddlewareCredentials.java

@@ -0,0 +1,85 @@
+/*
+ * Copyright (c) 2025 Altinity Inc and/or its affiliates. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ */
+package com.altinity.ice.rest.catalog.internal.rest;
+
+import com.altinity.ice.rest.catalog.internal.auth.Session;
+import java.util.HashMap;
+import java.util.Map;
+import javax.annotation.Nullable;
+import org.apache.iceberg.aws.s3.S3FileIOProperties;
+import org.apache.iceberg.relocated.com.google.common.base.Function;
+import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
+import org.apache.iceberg.rest.RESTResponse;
+import org.apache.iceberg.rest.credentials.ImmutableCredential;
+import org.apache.iceberg.rest.responses.ImmutableLoadCredentialsResponse;
+import org.apache.iceberg.rest.responses.LoadCredentialsResponse;
+import software.amazon.awssdk.auth.credentials.AwsCredentials;
+import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
+import software.amazon.awssdk.identity.spi.AwsSessionCredentialsIdentity;
+
+public class RESTCatalogMiddlewareCredentials extends RESTCatalogMiddleware {
+
+  private static final ImmutableLoadCredentialsResponse EMPTY_RESPONSE =
+      ImmutableLoadCredentialsResponse.builder().build();
+  private final Function<String, AwsCredentialsProvider> awsCredentialsProvider;
+
+  public RESTCatalogMiddlewareCredentials(
+      RESTCatalogHandler next,
+      @Nullable Function<String, AwsCredentialsProvider> awsCredentialsProvider) {
+    super(next);
+    this.awsCredentialsProvider = awsCredentialsProvider;
+  }
+
+  @Override
+  public <T extends RESTResponse> T handle(
+      Session session,
+      Route route,
+      Map<String, String> vars,
+      Object requestBody,
+      Class<T> responseType) {
+    if (route == Route.CREDENTIALS) {
+      LoadCredentialsResponse res;
+      if (awsCredentialsProvider != null) {
+        Map<String, String> config = new HashMap<>();
+        applyCredentials(session, config);
+        res =
+            ImmutableLoadCredentialsResponse.builder()
+                .addCredentials(
+                    ImmutableCredential.builder().prefix("s3").putAllConfig(config).build())
+                .build();
+      } else {
+        res = EMPTY_RESPONSE;
+      }
+      return responseType.cast(res);
+    }
+    return next.handle(session, route, vars, requestBody, responseType);
+  }
+
+  private void applyCredentials(Session session, Map<String, String> config) {
+    String providerLookupKey = null;
+    if (session != null) {
+      providerLookupKey = session.uid();
+    }
+    AwsCredentialsProvider credentialsProvider = awsCredentialsProvider.apply(providerLookupKey);
+    Preconditions.checkState(credentialsProvider != null); // null here means misconfiguration
+    AwsCredentials awsCredentials = credentialsProvider.resolveCredentials();
+    config.put(S3FileIOProperties.ACCESS_KEY_ID, awsCredentials.accessKeyId());
+    config.put(S3FileIOProperties.SECRET_ACCESS_KEY, awsCredentials.secretAccessKey());
+    if (awsCredentials instanceof AwsSessionCredentialsIdentity awsSessionCredentials) {
+      config.put(S3FileIOProperties.SESSION_TOKEN, awsSessionCredentials.sessionToken());
+      // S3FileIOProperties.SESSION_TOKEN_EXPIRES_AT_MS
+      awsSessionCredentials
+          .expirationTime()
+          .ifPresent(
+              exp ->
+                  config.put("s3.session-token-expires-at-ms", String.valueOf(exp.toEpochMilli())));
+    }
+  }
+}

…CatalogMiddlewareTableAWCredentials.java …STCatalogMiddlewareTableCredentials.javaice-rest-catalog/src/main/java/com/altinity/ice/rest/catalog/internal/rest/RESTCatalogMiddlewareTableAWCredentials.java renamed to ice-rest-catalog/src/main/java/com/altinity/ice/rest/catalog/internal/rest/RESTCatalogMiddlewareTableCredentials.java ice-rest-catalog/src/main/java/com/altinity/ice/rest/catalog/internal/rest/RESTCatalogMiddlewareTableAWCredentials.java renamed to ice-rest-catalog/src/main/java/com/altinity/ice/rest/catalog/internal/rest/RESTCatalogMiddlewareTableCredentials.java

@@ -20,11 +20,11 @@
 import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
 import software.amazon.awssdk.identity.spi.AwsSessionCredentialsIdentity;
 
-public class RESTCatalogMiddlewareTableAWCredentials extends RESTCatalogMiddleware {
+public class RESTCatalogMiddlewareTableCredentials extends RESTCatalogMiddleware {
 
   private final Function<String, AwsCredentialsProvider> awsCredentialsProvider;
 
-  public RESTCatalogMiddlewareTableAWCredentials(
+  public RESTCatalogMiddlewareTableCredentials(
       RESTCatalogHandler next, Function<String, AwsCredentialsProvider> awsCredentialsProvider) {
     super(next);
     this.awsCredentialsProvider = awsCredentialsProvider;
@@ -55,10 +55,17 @@ private void applyCredentials(Session session, Map<String, String> tableConfig)
     AwsCredentials awsCredentials = credentialsProvider.resolveCredentials();
     tableConfig.put(S3FileIOProperties.ACCESS_KEY_ID, awsCredentials.accessKeyId());
     tableConfig.put(S3FileIOProperties.SECRET_ACCESS_KEY, awsCredentials.secretAccessKey());
-    if (awsCredentials instanceof AwsSessionCredentialsIdentity) {
-      tableConfig.put(
-          S3FileIOProperties.SESSION_TOKEN,
-          ((AwsSessionCredentialsIdentity) awsCredentials).sessionToken());
+    if (awsCredentials instanceof AwsSessionCredentialsIdentity awsSessionCredentials) {
+      tableConfig.put(S3FileIOProperties.SESSION_TOKEN, awsSessionCredentials.sessionToken());
+      if (awsSessionCredentials.expirationTime().isPresent()) {
+        // S3FileIOProperties.SESSION_TOKEN_EXPIRES_AT_MS
+        awsSessionCredentials
+            .expirationTime()
+            .ifPresent(
+                exp ->
+                    tableConfig.put(
+                        "s3.session-token-expires-at-ms", String.valueOf(exp.toEpochMilli())));
+      }
     }
   }
 }

ice-rest-catalog/src/main/java/com/altinity/ice/rest/catalog/internal/rest/Route.java

@@ -40,6 +40,7 @@
 import org.apache.iceberg.rest.responses.GetNamespaceResponse;
 import org.apache.iceberg.rest.responses.ListNamespacesResponse;
 import org.apache.iceberg.rest.responses.ListTablesResponse;
+import org.apache.iceberg.rest.responses.LoadCredentialsResponse;
 import org.apache.iceberg.rest.responses.LoadTableResponse;
 import org.apache.iceberg.rest.responses.LoadViewResponse;
 import org.apache.iceberg.rest.responses.OAuthTokenResponse;
@@ -48,6 +49,7 @@
 
 public enum Route {
   TOKENS(HTTPRequest.HTTPMethod.POST, "v1/oauth/tokens", null, OAuthTokenResponse.class),
+  CREDENTIALS(HTTPRequest.HTTPMethod.GET, "v1/credentials", null, LoadCredentialsResponse.class),
   CONFIG(HTTPRequest.HTTPMethod.GET, "v1/config", null, ConfigResponse.class),
   LIST_NAMESPACES(
       HTTPRequest.HTTPMethod.GET, ResourcePaths.V1_NAMESPACES, null, ListNamespacesResponse.class),

ice/src/main/java/com/altinity/ice/cli/Main.java

@@ -157,6 +157,11 @@ void createTable(
               names = {"-p"},
               description = "Create table if not exists")
           boolean createTableIfNotExists,
+      @CommandLine.Option(
+              names = "--use-vended-credentials",
+              description =
+                  "Use vended credentials to access input files (instead of credentials from execution environment)")
+          boolean useVendedCredentials,
       @CommandLine.Option(names = {"--s3-region"}) String s3Region,
       @CommandLine.Option(
               names = {"--s3-no-sign-request"},
@@ -203,6 +208,7 @@ void createTable(
           schemaFile,
           location,
           createTableIfNotExists,
+          useVendedCredentials,
           s3NoSignRequest,
           partitions,
           sortOrders);
@@ -269,10 +275,10 @@ void insert(
                   "Add files to catalog without copying them even if files are in different location(s) from table (implies --no-copy)")
           boolean forceNoCopy,
       @CommandLine.Option(
-              names = "--force-table-auth",
+              names = {"--use-vended-credentials", "--force-table-auth" /* deprecated */},
               description =
                   "Use table credentials to access input files (instead of credentials from execution environment)")
-          boolean forceTableAuth,
+          boolean useVendedCredentials,
       @CommandLine.Option(names = {"--s3-region"}) String s3Region,
       @CommandLine.Option(
               names = {"--s3-no-sign-request"},
@@ -377,6 +383,7 @@ void insert(
             dataFiles[0],
             null,
             createTableIfNotExists,
+            useVendedCredentials,
             s3NoSignRequest,
             partitions,
             sortOrders);
@@ -390,7 +397,7 @@ void insert(
               .noCommit(noCommit)
               .noCopy(noCopy)
               .forceNoCopy(forceNoCopy)
-              .forceTableAuth(forceTableAuth)
+              .useVendedCredentials(useVendedCredentials)
               .s3NoSignRequest(s3NoSignRequest)
               .s3CopyObject(s3CopyObject)
               .s3MultipartUploadThreadCount(s3MultipartUploadThreadCount)