feat(catalog): use specific credential refresh endpoint

rockwotj · rockwotj · commit f342e7fd1fdb · 2026-03-18T20:20:54.000Z
diff --git a/catalog/rest/rest.go b/catalog/rest/rest.go
@@ -136,11 +136,21 @@ func (t *commitTableResponse) UnmarshalJSON(b []byte) (err error) {
 	return err
 }
 
+type storageCredential struct {
+	Prefix string             `json:"prefix"`
+	Config iceberg.Properties `json:"config"`
+}
+
 type loadTableResponse struct {
-	MetadataLoc string             `json:"metadata-location"`
-	RawMetadata json.RawMessage    `json:"metadata"`
-	Config      iceberg.Properties `json:"config"`
-	Metadata    table.Metadata     `json:"-"`
+	MetadataLoc        string              `json:"metadata-location"`
+	RawMetadata        json.RawMessage     `json:"metadata"`
+	Config             iceberg.Properties  `json:"config"`
+	StorageCredentials []storageCredential `json:"storage-credentials"`
+	Metadata           table.Metadata      `json:"-"`
+}
+
+type loadCredentialsResponse struct {
+	StorageCredentials []storageCredential `json:"storage-credentials"`
 }
 
 func (t *loadTableResponse) UnmarshalJSON(b []byte) (err error) {
@@ -677,11 +687,13 @@ func checkValidNamespace(ident table.Identifier) error {
 
 func (r *Catalog) tableFromResponse(_ context.Context, identifier []string, metadata table.Metadata, loc string, config iceberg.Properties) (*table.Table, error) {
 	refresher := &vendedCredentialRefresher{
-		mu:          semaphore.NewWeighted(1),
-		identifier:  identifier,
-		location:    loc,
-		props:       config,
-		fetchConfig: r.fetchTableConfig,
+		mu:         semaphore.NewWeighted(1),
+		identifier: identifier,
+		location:   loc,
+		props:      config,
+		fetchCreds: func(ctx context.Context, ident []string) (iceberg.Properties, error) {
+			return r.fetchTableCreds(ctx, ident, loc)
+		},
 	}
 
 	return table.New(
@@ -693,25 +705,19 @@ func (r *Catalog) tableFromResponse(_ context.Context, identifier []string, meta
 	), nil
 }
 
-func (r *Catalog) fetchTableConfig(ctx context.Context, ident []string) (iceberg.Properties, error) {
+func (r *Catalog) fetchTableCreds(ctx context.Context, ident []string, location string) (iceberg.Properties, error) {
 	ns, tbl, err := splitIdentForPath(ident)
 	if err != nil {
 		return nil, err
 	}
 
-	ret, err := doGet[loadTableResponse](ctx, r.baseURI, []string{"namespaces", ns, "tables", tbl},
+	ret, err := doGet[loadCredentialsResponse](ctx, r.baseURI, []string{"namespaces", ns, "tables", tbl, "credentials"},
 		r.cl, map[int]error{http.StatusNotFound: catalog.ErrNoSuchTable})
 	if err != nil {
 		return nil, err
 	}
 
-	config := maps.Clone(r.props)
-	maps.Copy(config, ret.Metadata.Properties())
-	for k, v := range ret.Config {
-		config[k] = v
-	}
-
-	return config, nil
+	return resolveStorageCredentials(ret.StorageCredentials, location), nil
 }
 
 func (r *Catalog) ListTables(ctx context.Context, namespace table.Identifier) iter.Seq2[table.Identifier, error] {
@@ -825,6 +831,7 @@ func (r *Catalog) CreateTable(ctx context.Context, identifier table.Identifier,
 	config := maps.Clone(r.props)
 	maps.Copy(config, ret.Metadata.Properties())
 	maps.Copy(config, ret.Config)
+	maps.Copy(config, resolveStorageCredentials(ret.StorageCredentials, ret.MetadataLoc))
 
 	return r.tableFromResponse(ctx, identifier, ret.Metadata, ret.MetadataLoc, config)
 }
@@ -936,6 +943,7 @@ func (r *Catalog) RegisterTable(ctx context.Context, identifier table.Identifier
 	config := maps.Clone(r.props)
 	maps.Copy(config, ret.Metadata.Properties())
 	maps.Copy(config, ret.Config)
+	maps.Copy(config, resolveStorageCredentials(ret.StorageCredentials, ret.MetadataLoc))
 
 	return r.tableFromResponse(ctx, identifier, ret.Metadata, ret.MetadataLoc, config)
 }
@@ -954,9 +962,8 @@ func (r *Catalog) LoadTable(ctx context.Context, identifier table.Identifier) (*
 
 	config := maps.Clone(r.props)
 	maps.Copy(config, ret.Metadata.Properties())
-	for k, v := range ret.Config {
-		config[k] = v
-	}
+	maps.Copy(config, ret.Config)
+	maps.Copy(config, resolveStorageCredentials(ret.StorageCredentials, ret.MetadataLoc))
 
 	return r.tableFromResponse(ctx, identifier, ret.Metadata, ret.MetadataLoc, config)
 }
diff --git a/catalog/rest/vended_creds.go b/catalog/rest/vended_creds.go
@@ -21,6 +21,7 @@ import (
 	"context"
 	"maps"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/apache/iceberg-go"
@@ -37,6 +38,24 @@ const (
 	defaultVendedCredentialsTTL = 60 * time.Minute
 )
 
+// resolveStorageCredentials finds the best-matching credential for the given
+// location using longest-prefix match, mirroring the Java and Python implementations.
+func resolveStorageCredentials(creds []storageCredential, location string) iceberg.Properties {
+	var best *storageCredential
+	for i := range creds {
+		c := &creds[i]
+		if strings.HasPrefix(location, c.Prefix) {
+			if best == nil || len(c.Prefix) > len(best.Prefix) {
+				best = c
+			}
+		}
+	}
+	if best == nil {
+		return nil
+	}
+	return best.Config
+}
+
 var credentialExpiryKeys = []string{
 	keyS3TokenExpiresAtMs,
 	keyAdlsSasExpiresAtMs,
@@ -66,7 +85,7 @@ type vendedCredentialRefresher struct {
 	location   string
 	props      iceberg.Properties
 
-	fetchConfig func(ctx context.Context, ident []string) (iceberg.Properties, error)
+	fetchCreds func(ctx context.Context, ident []string) (iceberg.Properties, error)
 
 	nowFunc func() time.Time // for testing
 }
@@ -93,14 +112,14 @@ func (v *vendedCredentialRefresher) loadFS(ctx context.Context) (iceio.IO, error
 	if v.cachedIO == nil {
 		config = v.props
 	} else {
-		freshConfig, err := v.fetchConfig(ctx, v.identifier)
+		freshCreds, err := v.fetchCreds(ctx, v.identifier)
 		if err != nil {
 			return v.cachedIO, nil
 		}
 
-		config = make(iceberg.Properties, len(v.props)+len(freshConfig))
+		config = make(iceberg.Properties, len(v.props)+len(freshCreds))
 		maps.Copy(config, v.props)
-		maps.Copy(config, freshConfig)
+		maps.Copy(config, freshCreds)
 	}
 
 	newIO, err := iceio.LoadFS(ctx, config, v.location)
diff --git a/catalog/rest/vended_creds_test.go b/catalog/rest/vended_creds_test.go
@@ -33,13 +33,13 @@ import (
 	"golang.org/x/sync/semaphore"
 )
 
-func newTestRefresher(fetchConfig func(ctx context.Context, ident []string) (iceberg.Properties, error)) *vendedCredentialRefresher {
+func newTestRefresher(fetchCreds func(ctx context.Context, ident []string) (iceberg.Properties, error)) *vendedCredentialRefresher {
 	return &vendedCredentialRefresher{
-		mu:          semaphore.NewWeighted(1),
-		identifier:  []string{"db", "tbl"},
-		location:    "file:///tmp/test",
-		props:       iceberg.Properties{},
-		fetchConfig: fetchConfig,
+		mu:         semaphore.NewWeighted(1),
+		identifier: []string{"db", "tbl"},
+		location:   "file:///tmp/test",
+		props:      iceberg.Properties{},
+		fetchCreds: fetchCreds,
 	}
 }
 
@@ -321,3 +321,66 @@ func TestVendedCredsServerExpiryUsedOnRefresh(t *testing.T) {
 	// expiresAt should be the server-provided value, not now+default.
 	assert.Equal(t, serverExpiry.UnixMilli(), r.expiresAt.UnixMilli())
 }
+
+func TestResolveStorageCredentials(t *testing.T) {
+	t.Parallel()
+
+	s3Creds := iceberg.Properties{"s3.access-key-id": "AKID", "s3.secret-access-key": "secret"}
+	specificCreds := iceberg.Properties{"s3.access-key-id": "SPECIFIC"}
+
+	tests := []struct {
+		name     string
+		creds    []storageCredential
+		location string
+		want     iceberg.Properties
+	}{
+		{
+			name:     "empty credentials",
+			creds:    nil,
+			location: "s3://bucket/path",
+			want:     nil,
+		},
+		{
+			name: "matching prefix",
+			creds: []storageCredential{
+				{Prefix: "s3://bucket/", Config: s3Creds},
+			},
+			location: "s3://bucket/path/to/file",
+			want:     s3Creds,
+		},
+		{
+			name: "no matching prefix",
+			creds: []storageCredential{
+				{Prefix: "s3://other-bucket/", Config: s3Creds},
+			},
+			location: "s3://bucket/path",
+			want:     nil,
+		},
+		{
+			name: "longest prefix wins",
+			creds: []storageCredential{
+				{Prefix: "s3://bucket/", Config: s3Creds},
+				{Prefix: "s3://bucket/specific/", Config: specificCreds},
+			},
+			location: "s3://bucket/specific/path",
+			want:     specificCreds,
+		},
+		{
+			name: "longest prefix wins regardless of order",
+			creds: []storageCredential{
+				{Prefix: "s3://bucket/specific/", Config: specificCreds},
+				{Prefix: "s3://bucket/", Config: s3Creds},
+			},
+			location: "s3://bucket/specific/path",
+			want:     specificCreds,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			got := resolveStorageCredentials(tt.creds, tt.location)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
