Add configurable catalogs.conf path via GUC

sfc-gh-npuka · sfc-gh-npuka · commit 3aa43480c266 · 2026-03-16T23:49:18.000+03:00
New GUC pg_lake_iceberg.catalogs_conf_path controls the location of the
catalog credentials file. Defaults to "catalogs.conf", which resolves to
$PGDATA/catalogs.conf. Absolute paths are used as-is. The GUC is
PGC_SIGHUP (reloadable) and superuser-only.

Signed-off-by: sfc-gh-npuka &lt;naisila.puka@snowflake.com&gt;
diff --git a/pg_lake_iceberg/include/pg_lake/rest_catalog/rest_catalog.h b/pg_lake_iceberg/include/pg_lake/rest_catalog/rest_catalog.h
@@ -28,6 +28,7 @@
 #define REST_CATALOG_AUTH_TYPE_OAUTH2 (0)
 #define REST_CATALOG_AUTH_TYPE_HORIZON (1)
 
+extern char *CatalogsConfPath;
 extern PGDLLEXPORT char *RestCatalogHost;
 extern char *RestCatalogOauthHostPath;
 extern char *RestCatalogClientId;
diff --git a/pg_lake_iceberg/src/init.c b/pg_lake_iceberg/src/init.c
@@ -253,6 +253,16 @@ _PG_init(void)
 							GUC_UNIT_KB,
 							NULL, NULL, NULL);
 
+	DefineCustomStringVariable("pg_lake_iceberg.catalogs_conf_path",
+							   gettext_noop("Path to the catalog credentials file. "
+											"Defaults to $PGDATA/catalogs.conf."),
+							   NULL,
+							   &CatalogsConfPath,
+							   "catalogs.conf",
+							   PGC_SIGHUP,
+							   GUC_SUPERUSER_ONLY,
+							   NULL, NULL, NULL);
+
 	DefineCustomEnumVariable("pg_lake_iceberg.rest_catalog_auth_type",
 							 gettext_noop("Determines the format for the initial OAuth token requests."),
 							 NULL,
diff --git a/pg_lake_iceberg/src/rest_catalog/rest_catalog.c b/pg_lake_iceberg/src/rest_catalog/rest_catalog.c
@@ -59,6 +59,7 @@
 
 
 /* determined by GUC */
+char	   *CatalogsConfPath = NULL;
 char	   *RestCatalogHost = "http://localhost:8181";
 char	   *RestCatalogOauthHostPath = "";
 char	   *RestCatalogClientId = NULL;
@@ -470,8 +471,6 @@ BlockDDLOnExtensionCatalogs(ProcessUtilityParams *processUtilityParams,
 }
 
 
-#define CATALOGS_CONF_FILENAME "catalogs.conf"
-
 /*
  * LookupUserMappingOptions returns the user mapping options for the current
  * user on the given server, or NULL if no mapping exists. Checks for a
@@ -509,9 +508,13 @@ LookupUserMappingOptions(Oid serverid)
 
 
 /*
- * ReadCatalogsConfCredentials reads $PGDATA/catalogs.conf and extracts
- * credentials for the given server name. The file uses PostgreSQL's
- * standard key = value format with dotted keys:
+ * ReadCatalogsConfCredentials reads the catalog credentials file and
+ * extracts credentials for the given server name.
+ *
+ * The file path is pg_lake_iceberg.catalogs_conf_path. Relative paths
+ * are resolved against the data directory.
+ *
+ * The file uses PostgreSQL's standard key = value format with dotted keys:
  *
  *   horizon.client_id = 'platform_id'
  *   horizon.client_secret = 'platform_secret'
@@ -535,7 +538,10 @@ ReadCatalogsConfCredentials(const char *serverName,
 	bool		found = false;
 	int			serverNameLen = strlen(serverName);
 
-	snprintf(path, MAXPGPATH, "%s/%s", DataDir, CATALOGS_CONF_FILENAME);
+	if (is_absolute_path(CatalogsConfPath))
+		strlcpy(path, CatalogsConfPath, MAXPGPATH);
+	else
+		snprintf(path, MAXPGPATH, "%s/%s", DataDir, CatalogsConfPath);
 
 	fp = AllocateFile(path, "r");
 	if (fp == NULL)
diff --git a/pg_lake_table/tests/pytests/test_iceberg_catalog_server.py b/pg_lake_table/tests/pytests/test_iceberg_catalog_server.py
@@ -1,4 +1,6 @@
 import os
+import tempfile
+
 import pytest
 from utils_pytest import *
 
@@ -852,6 +854,62 @@ def test_credentials_from_catalogs_conf_for_rest_server(
     pg_conn.rollback()
 
 
+def test_catalogs_conf_path_outside_pgdata(
+    pg_conn,
+    superuser_conn,
+    s3,
+    extension,
+    with_default_location,
+):
+    """catalogs_conf_path GUC accepts an absolute path for the credentials file."""
+    fd, tmp_path = tempfile.mkstemp(suffix=".conf", prefix="catalogs_")
+    try:
+        with os.fdopen(fd, "w") as f:
+            f.write(
+                "rest.client_id = 'external-id'\n"
+                "rest.client_secret = 'external-secret'\n"
+            )
+
+        run_command_outside_tx(
+            [
+                "ALTER SYSTEM SET pg_lake_iceberg.rest_catalog_client_id TO ''",
+                "ALTER SYSTEM SET pg_lake_iceberg.rest_catalog_client_secret TO ''",
+                f"ALTER SYSTEM SET pg_lake_iceberg.catalogs_conf_path TO '{tmp_path}'",
+                "SELECT pg_reload_conf()",
+            ],
+        )
+
+        # Use a fresh connection so its backend reads the updated
+        # postgresql.auto.conf on startup — avoids SIGHUP race.
+        fresh = open_pg_conn()
+        try:
+            err = run_command(
+                """
+                CREATE TABLE test_ext_conf_tbl ()
+                    USING iceberg
+                    WITH (catalog = 'rest', read_only = 'true',
+                          catalog_namespace = 'ns', catalog_table_name = 'tbl')
+                """,
+                fresh,
+                raise_error=False,
+            )
+            assert err is not None
+            assert "no credentials found" not in str(err)
+        finally:
+            fresh.close()
+    finally:
+        run_command_outside_tx(
+            [
+                "ALTER SYSTEM RESET pg_lake_iceberg.catalogs_conf_path",
+                "ALTER SYSTEM RESET pg_lake_iceberg.rest_catalog_client_id",
+                "ALTER SYSTEM RESET pg_lake_iceberg.rest_catalog_client_secret",
+                "SELECT pg_reload_conf()",
+            ],
+        )
+        if os.path.exists(tmp_path):
+            os.remove(tmp_path)
+
+
 # ── Backward compatibility ─────────────────────────────────────────────────
 
 
