Add configurable catalogs.conf path via GUC

sfc-gh-npuka · sfc-gh-npuka · commit b5192a9f9e21 · 2026-03-16T23:17:27.000+03:00
New GUC pg_lake_iceberg.catalogs_conf_path controls the location of the
catalog credentials file. Defaults to "catalogs.conf", which resolves to
$PGDATA/catalogs.conf. Absolute paths are used as-is. The GUC is
PGC_SIGHUP (reloadable) and superuser-only.

Signed-off-by: sfc-gh-npuka &lt;naisila.puka@snowflake.com&gt;
diff --git a/pg_lake_iceberg/include/pg_lake/rest_catalog/rest_catalog.h b/pg_lake_iceberg/include/pg_lake/rest_catalog/rest_catalog.h
@@ -28,6 +28,7 @@
 #define REST_CATALOG_AUTH_TYPE_OAUTH2 (0)
 #define REST_CATALOG_AUTH_TYPE_HORIZON (1)
 
+extern char *CatalogsConfPath;
 extern PGDLLEXPORT char *RestCatalogHost;
 extern char *RestCatalogOauthHostPath;
 extern char *RestCatalogClientId;
diff --git a/pg_lake_iceberg/src/init.c b/pg_lake_iceberg/src/init.c
@@ -253,6 +253,16 @@ _PG_init(void)
 							GUC_UNIT_KB,
 							NULL, NULL, NULL);
 
+	DefineCustomStringVariable("pg_lake_iceberg.catalogs_conf_path",
+							   gettext_noop("Path to the catalog credentials file. "
+											"Defaults to $PGDATA/catalogs.conf."),
+							   NULL,
+							   &CatalogsConfPath,
+							   "catalogs.conf",
+							   PGC_SIGHUP,
+							   GUC_SUPERUSER_ONLY,
+							   NULL, NULL, NULL);
+
 	DefineCustomEnumVariable("pg_lake_iceberg.rest_catalog_auth_type",
 							 gettext_noop("Determines the format for the initial OAuth token requests."),
 							 NULL,
diff --git a/pg_lake_iceberg/src/rest_catalog/rest_catalog.c b/pg_lake_iceberg/src/rest_catalog/rest_catalog.c
@@ -59,6 +59,7 @@
 
 
 /* determined by GUC */
+char	   *CatalogsConfPath = NULL;
 char	   *RestCatalogHost = "http://localhost:8181";
 char	   *RestCatalogOauthHostPath = "";
 char	   *RestCatalogClientId = NULL;
@@ -470,8 +471,6 @@ BlockDDLOnExtensionCatalogs(ProcessUtilityParams *processUtilityParams,
 }
 
 
-#define CATALOGS_CONF_FILENAME "catalogs.conf"
-
 /*
  * LookupUserMappingOptions returns the user mapping options for the current
  * user on the given server, or NULL if no mapping exists. Checks for a
@@ -509,9 +508,13 @@ LookupUserMappingOptions(Oid serverid)
 
 
 /*
- * ReadCatalogsConfCredentials reads $PGDATA/catalogs.conf and extracts
- * credentials for the given server name. The file uses PostgreSQL's
- * standard key = value format with dotted keys:
+ * ReadCatalogsConfCredentials reads the catalog credentials file and
+ * extracts credentials for the given server name.
+ *
+ * The file path is pg_lake_iceberg.catalogs_conf_path. Relative paths
+ * are resolved against the data directory.
+ *
+ * The file uses PostgreSQL's standard key = value format with dotted keys:
  *
  *   horizon.client_id = 'platform_id'
  *   horizon.client_secret = 'platform_secret'
@@ -535,7 +538,10 @@ ReadCatalogsConfCredentials(const char *serverName,
 	bool		found = false;
 	int			serverNameLen = strlen(serverName);
 
-	snprintf(path, MAXPGPATH, "%s/%s", DataDir, CATALOGS_CONF_FILENAME);
+	if (is_absolute_path(CatalogsConfPath))
+		strlcpy(path, CatalogsConfPath, MAXPGPATH);
+	else
+		snprintf(path, MAXPGPATH, "%s/%s", DataDir, CatalogsConfPath);
 
 	fp = AllocateFile(path, "r");
 	if (fp == NULL)
diff --git a/pg_lake_table/tests/pytests/test_iceberg_catalog_server.py b/pg_lake_table/tests/pytests/test_iceberg_catalog_server.py
@@ -1,4 +1,5 @@
 import os
+import tempfile
 import pytest
 from utils_pytest import *
 
@@ -852,6 +853,60 @@ def test_credentials_from_catalogs_conf_for_rest_server(
     pg_conn.rollback()
 
 
+def test_catalogs_conf_path_outside_pgdata(
+    pg_conn,
+    superuser_conn,
+    s3,
+    extension,
+    with_default_location,
+):
+    """catalogs_conf_path GUC accepts an absolute path for the credentials file."""
+    run_command("SET pg_lake_iceberg.rest_catalog_client_id TO ''", superuser_conn)
+    run_command("SET pg_lake_iceberg.rest_catalog_client_secret TO ''", superuser_conn)
+
+    fd, tmp_path = tempfile.mkstemp(suffix=".conf", prefix="catalogs_")
+    try:
+        with os.fdopen(fd, "w") as f:
+            f.write(
+                "rest.client_id = 'external-id'\n"
+                "rest.client_secret = 'external-secret'\n"
+            )
+
+        old_autocommit = superuser_conn.autocommit
+        superuser_conn.commit()
+        superuser_conn.autocommit = True
+        run_command(
+            f"ALTER SYSTEM SET pg_lake_iceberg.catalogs_conf_path TO '{tmp_path}'",
+            superuser_conn,
+        )
+        run_command("SELECT pg_reload_conf()", superuser_conn)
+        superuser_conn.autocommit = old_autocommit
+
+        err = run_command(
+            """
+            CREATE TABLE test_ext_conf_tbl ()
+                USING iceberg
+                WITH (catalog = 'rest', read_only = 'true',
+                      catalog_namespace = 'ns', catalog_table_name = 'tbl')
+            """,
+            pg_conn,
+            raise_error=False,
+        )
+        assert err is not None
+        assert "no credentials found" not in str(err)
+        pg_conn.rollback()
+    finally:
+        superuser_conn.autocommit = True
+        run_command(
+            "ALTER SYSTEM RESET pg_lake_iceberg.catalogs_conf_path",
+            superuser_conn,
+        )
+        run_command("SELECT pg_reload_conf()", superuser_conn)
+        superuser_conn.autocommit = old_autocommit
+        if os.path.exists(tmp_path):
+            os.remove(tmp_path)
+
+
 # ── Backward compatibility ─────────────────────────────────────────────────
 
 
