diff --git a/modules/manage/pages/iceberg/redpanda-topics-iceberg-snowflake-catalog.adoc b/modules/manage/pages/iceberg/redpanda-topics-iceberg-snowflake-catalog.adoc index 165fa662bd..f78e751996 100644 --- a/modules/manage/pages/iceberg/redpanda-topics-iceberg-snowflake-catalog.adoc +++ b/modules/manage/pages/iceberg/redpanda-topics-iceberg-snowflake-catalog.adoc @@ -65,6 +65,7 @@ To configure your Redpanda cluster to enable Iceberg on a topic and integrate wi iceberg_enabled: true iceberg_catalog_type: rest iceberg_rest_catalog_endpoint: https://-.snowflakecomputing.com/polaris/api/catalog +iceberg_rest_catalog_authentication_mode: oauth2 iceberg_rest_catalog_client_id: iceberg_rest_catalog_client_secret: iceberg_rest_catalog_prefix: diff --git a/modules/manage/partials/iceberg/use-iceberg-catalogs.adoc b/modules/manage/partials/iceberg/use-iceberg-catalogs.adoc index 6434c68bc7..1b2a7080f5 100644 --- a/modules/manage/partials/iceberg/use-iceberg-catalogs.adoc +++ b/modules/manage/partials/iceberg/use-iceberg-catalogs.adoc 
@@ -20,8 +20,17 @@ To connect to a REST catalog, set the following cluster configuration properties * config_ref:iceberg_catalog_type,true,properties/cluster-properties[`iceberg_catalog_type`]: `rest` * config_ref:iceberg_rest_catalog_endpoint,true,properties/cluster-properties[`iceberg_rest_catalog_endpoint`]: The endpoint URL for your Iceberg catalog, which you either manage directly, or is managed by an external catalog service. -* config_ref:iceberg_rest_catalog_client_id,true,properties/cluster-properties[`iceberg_rest_catalog_client_id`]: The ID to connect to the REST catalog. -* config_ref:iceberg_rest_catalog_client_secret,true,properties/cluster-properties[`iceberg_rest_catalog_client_secret`]: The secret data to connect to the REST catalog. +* config_ref:iceberg_rest_catalog_authentication_mode,true,properties/cluster-properties[`iceberg_rest_catalog_authentication_mode`]: The authentication mode to use for the REST catalog. Choose from `oauth2`, `bearer`, or `none` (default). +** For `oauth2`, also configure the following properties: ++ +-- +* config_ref:iceberg_rest_catalog_oauth2_server_uri,true,properties/cluster-properties[`iceberg_rest_catalog_oauth2_server_uri`]: The OAuth endpoint URI used to retrieve tokens for REST catalog authentication. If left unset, the deprecated catalog endpoint `/v1/oauth/tokens` is used as the token endpoint instead. +* config_ref:iceberg_rest_catalog_client_id,true,properties/cluster-properties[`iceberg_rest_catalog_client_id`]: The ID used to query the OAuth token endpoint for REST catalog authentication. +* config_ref:iceberg_rest_catalog_client_secret,true,properties/cluster-properties[`iceberg_rest_catalog_client_secret`]: The secret used with the client ID to query the OAuth token endpoint for REST catalog authentication. +-- +** For `bearer`, configure the config_ref:iceberg_rest_catalog_token,true,properties/cluster-properties[`iceberg_rest_catalog_token`] property with your bearer token. 
++ +Redpanda uses the bearer token unconditionally and does not attempt to refresh the token. Only use the bearer authentication mode for ad hoc or testing purposes. For REST catalogs that use self-signed certificates, also configure these properties: @@ -37,9 +46,10 @@ For example, if you have Redpanda cluster configuration properties set to connec [,yaml] ---- iceberg_catalog_type: rest -iceberg_rest_catalog_endpoint: http://catalog-service:8181 -iceberg_rest_catalog_client_id: -iceberg_rest_catalog_client_secret: +iceberg_rest_catalog_endpoint: http://catalog-service:8181 +iceberg_rest_catalog_authentication_mode: oauth2 +iceberg_rest_catalog_client_id: +iceberg_rest_catalog_client_secret: ---- And you use Apache Spark as a processing engine, configured to use a catalog named `streaming`: diff --git a/modules/reference/pages/properties/cluster-properties.adoc b/modules/reference/pages/properties/cluster-properties.adoc index 11319c96d0..648061414b 100644 --- a/modules/reference/pages/properties/cluster-properties.adoc +++ b/modules/reference/pages/properties/cluster-properties.adoc @@ -1898,7 +1898,7 @@ The authentication mode for client requests made to the Iceberg catalog. Choose === iceberg_rest_catalog_client_id -Iceberg REST catalog user ID. This ID is used to query the catalog API for the OAuth token. Required if catalog type is set to `rest`. +The client ID used to query the REST catalog API for the OAuth token. Required if catalog type is set to `rest`. *Requires restart:* Yes 
@@ -1918,7 +1918,7 @@ Iceberg REST catalog user ID. This ID is used to query the catalog API for the O === iceberg_rest_catalog_client_secret -Secret to authenticate against Iceberg REST catalog. Required if catalog type is set to `rest` and `iceberg_rest_catalog_authentication_mode` is set to `oauth2`. +Secret used with the client ID to query the OAuth token endpoint for Iceberg REST catalog authentication. Required if catalog type is set to `rest` and `iceberg_rest_catalog_authentication_mode` is set to `oauth2`. *Requires restart:* Yes @@ -1992,7 +1992,7 @@ URL of Iceberg REST catalog endpoint. === iceberg_rest_catalog_oauth2_server_uri -The OAuth URI used to retrieve access tokens for Iceberg catalog authentication. If left undefined, the deprecated Iceberg catalog endpoint `/v1/oauth/tokens` is used instead. +The OAuth URI used to retrieve access tokens for Iceberg REST catalog authentication. If left undefined, the deprecated Iceberg catalog endpoint `/v1/oauth/tokens` is used instead. *Requires restart:* Yes
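Review bot: In redpanda-topics-iceberg-snowflake-catalog.adoc (hunk `@@ -65,6 +65,7`), the example gains `iceberg_rest_catalog_authentication_mode: oauth2` but still has no `iceberg_rest_catalog_oauth2_server_uri`. According to the text this same patch adds to use-iceberg-catalogs.adoc, token requests then fall back to the deprecated `/v1/oauth/tokens` catalog endpoint. Either add the property to the example or state in one sentence that the fallback is intended for this catalog, so readers do not copy a configuration that depends on a deprecated path without knowing it.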
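Review bot: In use-iceberg-catalogs.adoc (hunk `@@ -20,8 +20,17`), the new `iceberg_rest_catalog_authentication_mode` bullet gives `none` as the default but does not say what happens when `iceberg_rest_catalog_client_id` and `iceberg_rest_catalog_client_secret` are set and the mode is left unset. The removed bullets presented those two properties as sufficient on their own, so a reader with an existing configuration needs to be told whether they must now add `oauth2` explicitly to keep authenticating. In the `bearer` paragraph, "does not attempt to refresh the token" would also be more useful with a sentence on what the operator has to do when the token expires.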
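Review bot: In use-iceberg-catalogs.adoc (hunk `@@ -37,9 +46,10`), the example now pairs `iceberg_rest_catalog_authentication_mode: oauth2` with `iceberg_rest_catalog_endpoint: http://catalog-service:8181`. With no `iceberg_rest_catalog_oauth2_server_uri` set, the token request goes to the catalog's `/v1/oauth/tokens` path, so the example as written sends the client ID and secret over plain HTTP. Suggest switching the example endpoint to `https://` or adding a note that the `http://` URL is for a local test setup only.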
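Review bot: In cluster-properties.adoc (hunk `@@ -1898,7`), the rewritten `iceberg_rest_catalog_client_id` description still ends with "Required if catalog type is set to `rest`", while the `iceberg_rest_catalog_client_secret` description in the next hunk adds "and `iceberg_rest_catalog_authentication_mode` is set to `oauth2`". With `bearer` and `none` now documented as valid modes, the client ID condition should carry the same `oauth2` qualifier. The two descriptions also name the target differently ("the REST catalog API" here, "the OAuth token endpoint" for the secret); the second wording matches use-iceberg-catalogs.adoc and stays accurate when `iceberg_rest_catalog_oauth2_server_uri` points elsewhere.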
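Review bot: In cluster-properties.adoc (hunk `@@ -1992,7`), the `iceberg_rest_catalog_oauth2_server_uri` description gives the fallback as `/v1/oauth/tokens` without saying what the path is relative to. Suggest stating that it is resolved against `iceberg_rest_catalog_endpoint`, if that is the behaviour, and using the same word as use-iceberg-catalogs.adoc ("unset" there, "undefined" here) so the two pages read consistently.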