New Iceberg catalog authentication properties (#1054)

Co-authored-by: Jake Cahill <[email protected]>
Co-authored-by: Joyce Fee <[email protected]>
Co-authored-by: Joyce Fee <[email protected]>
Co-authored-by: JakeSCahill <[email protected]>
Co-authored-by: Michele Cyran <[email protected]>
Co-authored-by: Martin Schneppenheim <[email protected]>
Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com>
Co-authored-by: David Yu <[email protected]>
Co-authored-by: Angela Simms <[email protected]>
Co-authored-by: Rogger Vasquez <[email protected]>
Co-authored-by: Yaniv Ben Hemo <[email protected]>
Co-authored-by: Paulo Borges <[email protected]>
Co-authored-by: Bill Chambers <[email protected]>
Co-authored-by: Stephan Dollberg <[email protected]>
Co-authored-by: Willem Kaufmann <[email protected]>
Co-authored-by: Andrew Stucki <[email protected]>
Co-authored-by: Chris Seto <[email protected]>
Co-authored-by: Suslik Da-Rete <[email protected]>

Author: 17 people

modules/manage/pages/iceberg/redpanda-topics-iceberg-snowflake-catalog.adoc

@@ -65,6 +65,7 @@ To configure your Redpanda cluster to enable Iceberg on a topic and integrate wi
 iceberg_enabled: true 
 iceberg_catalog_type: rest
 iceberg_rest_catalog_endpoint: https://<snowflake-orgname>-<open-catalog-account-name>.snowflakecomputing.com/polaris/api/catalog
+iceberg_rest_catalog_authentication_mode: oauth2
 iceberg_rest_catalog_client_id: <open-catalog-connection-client-id>
 iceberg_rest_catalog_client_secret: <open-catalog-connection-client-secret>
 iceberg_rest_catalog_prefix: <open-catalog-name>

modules/manage/partials/iceberg/use-iceberg-catalogs.adoc

@@ -20,8 +20,17 @@ To connect to a REST catalog, set the following cluster configuration properties
 
 * config_ref:iceberg_catalog_type,true,properties/cluster-properties[`iceberg_catalog_type`]: `rest`
 * config_ref:iceberg_rest_catalog_endpoint,true,properties/cluster-properties[`iceberg_rest_catalog_endpoint`]: The endpoint URL for your Iceberg catalog, which you either manage directly, or is managed by an external catalog service.
-* config_ref:iceberg_rest_catalog_client_id,true,properties/cluster-properties[`iceberg_rest_catalog_client_id`]: The ID to connect to the REST catalog.
-* config_ref:iceberg_rest_catalog_client_secret,true,properties/cluster-properties[`iceberg_rest_catalog_client_secret`]: The secret data to connect to the REST catalog.
+* config_ref:iceberg_rest_catalog_authentication_mode,true,properties/cluster-properties[`iceberg_rest_catalog_authentication_mode`]: The authentication mode to use for the REST catalog. Choose from `oauth2`, `bearer`, or `none` (default).
+** For `oauth2`, also configure the following properties:
++
+--
+* config_ref:iceberg_rest_catalog_oauth2_server_uri,true,properties/cluster-properties[`iceberg_rest_catalog_oauth2_server_uri`]: The OAuth endpoint URI used to retrieve tokens for REST catalog authentication. If left unset, the deprecated catalog endpoint `/v1/oauth/tokens` is used as the token endpoint instead. 
+* config_ref:iceberg_rest_catalog_client_id,true,properties/cluster-properties[`iceberg_rest_catalog_client_id`]: The ID used to query the OAuth token endpoint for REST catalog authentication.
+* config_ref:iceberg_rest_catalog_client_secret,true,properties/cluster-properties[`iceberg_rest_catalog_client_secret`]:  The secret used with the client ID to query the OAuth token endpoint for REST catalog authentication.
+--
+** For `bearer`, configure the config_ref:iceberg_rest_catalog_token,true,properties/cluster-properties[`iceberg_rest_catalog_token`] property with your bearer token.
++
+Redpanda uses the bearer token unconditionally and does not attempt to refresh the token. Only use the bearer authentication mode for ad hoc or testing purposes.
 
 For REST catalogs that use self-signed certificates, also configure these properties:
 
@@ -37,9 +46,10 @@ For example, if you have Redpanda cluster configuration properties set to connec
 [,yaml]
 ----
 iceberg_catalog_type: rest 
-iceberg_rest_catalog_endpoint: http://catalog-service:8181 
-iceberg_rest_catalog_client_id: <rest-connection-user>
-iceberg_rest_catalog_client_secret: <rest-connection-password>
+iceberg_rest_catalog_endpoint: http://catalog-service:8181
+iceberg_rest_catalog_authentication_mode: oauth2
+iceberg_rest_catalog_client_id: <rest-connection-id>
+iceberg_rest_catalog_client_secret: <rest-connection-secret>
 ----
 
 And you use Apache Spark as a processing engine, configured to use a catalog named `streaming`:

modules/reference/pages/properties/cluster-properties.adoc

@@ -1898,7 +1898,7 @@ The authentication mode for client requests made to the Iceberg catalog. Choose
 
 === iceberg_rest_catalog_client_id
 
-Iceberg REST catalog user ID. This ID is used to query the catalog API for the OAuth token. Required if catalog type is set to `rest`.
+The client ID used to query the REST catalog API for the OAuth token. Required if catalog type is set to `rest`.
 
 *Requires restart:* Yes
 
@@ -1918,7 +1918,7 @@ Iceberg REST catalog user ID. This ID is used to query the catalog API for the O
 
 === iceberg_rest_catalog_client_secret
 
-Secret to authenticate against Iceberg REST catalog. Required if catalog type is set to `rest` and `iceberg_rest_catalog_authentication_mode` is set to `oauth2`.
+Secret used with the client ID to query the OAuth token endpoint for Iceberg REST catalog authentication. Required if catalog type is set to `rest` and `iceberg_rest_catalog_authentication_mode` is set to `oauth2`.
 
 *Requires restart:* Yes
 
@@ -1992,7 +1992,7 @@ URL of Iceberg REST catalog endpoint.
 
 === iceberg_rest_catalog_oauth2_server_uri
 
-The OAuth URI used to retrieve access tokens for Iceberg catalog authentication. If left undefined, the deprecated Iceberg catalog endpoint `/v1/oauth/tokens` is used instead.
+The OAuth URI used to retrieve access tokens for Iceberg REST catalog authentication. If left undefined, the deprecated Iceberg catalog endpoint `/v1/oauth/tokens` is used instead.
 
 *Requires restart:* Yes