Summary
The "Add New Catalog" form in the Fusion UI (Optimizer → Catalogs → Add New Catalog) has a few UX issues that cost real debugging time when setting up a REST catalog against Snowflake-hosted Apache Polaris. Filing as one issue because they're all in the same dialog.
1. "S3 Path" field is misleadingly labeled
The field labeled S3 Path (with a * required marker) maps to the iceberg_s3_path writer property, which — per OLake's own docs — is the Polaris catalog name, not an S3 URI:
iceberg_s3_path: Name of the Polaris catalog
The current label invites the user to type s3://bucket/..., which is wrong. Either:
- Rename the field to "Polaris Catalog Name" (or "Iceberg Catalog Identifier"), or
- Update the tooltip to clarify that this is a logical catalog name, with an explicit example: "Polaris catalog name (e.g.
airflow, production_db) — not an S3 URI".
2. "REST Enable Signature V4" defaults to ON and silently breaks OAuth2 + Snowflake-Polaris
The most common Polaris deployment today is Snowflake's hosted offering, which uses OAuth2 client-credentials auth — not AWS SigV4. With the SigV4 toggle ON (the form default), the Iceberg Java client wraps its HTTP client with RESTSigV4Signer, which then tries to sign even the OAuth token-fetch request with AWS SigV4. The Spark optimizer pod has no AWS creds (intentionally — we use Polaris credential vending), so the SDK's default credential chain fails before OAuth even runs:
software.amazon.awssdk.core.exception.SdkClientException:
Unable to load credentials from any of the providers in the chain …
at org.apache.iceberg.aws.RESTSigV4Signer.process(RESTSigV4Signer.java:88)
at org.apache.iceberg.rest.HTTPClient.execute(HTTPClient.java:305)
at org.apache.iceberg.rest.auth.OAuth2Util.fetchToken(OAuth2Util.java:264)
at org.apache.iceberg.rest.RESTSessionCatalog.initialize(...)
The error message points the user toward AWS credential configuration, which is the wrong direction — the actual fix is "turn SigV4 off". The signal is buried in the stack trace; nothing in the connection failure surfaces the SigV4-vs-OAuth conflict.
Suggestions (any one would help):
- Default the toggle OFF. It's only relevant for the niche case of Polaris fronted by AWS API Gateway with IAM auth. Most Polaris deployments don't need it.
- Auto-disable SigV4 when REST Auth Type is
oauth2 (or none). SigV4 + OAuth2 in the same request is rarely valid.
- Surface a clearer error when SigV4 is on without AWS creds: detect the
SdkClientException and explain "SigV4 is enabled but no AWS credentials are available — either disable SigV4 (likely correct for Snowflake-hosted Polaris) or provide AWS Access Key / Secret Key."
3. "REST Auth Type" should be a dropdown, not a free-text field
The current input is a text box that accepts arbitrary strings. The valid values are a small enum (looks like oauth2, plus presumably bearer, sigv4, none). A dropdown / select would:
- Prevent typos that lead to silent failures
- Self-document the valid options
- Let the UI conditionally show/hide downstream fields (e.g. hide REST Token + REST Credential when
none, hide REST Signing Name/Region when not sigv4)
Context
- OLake Helm chart
0.0.18 on EKS, Fusion-enabled, Snowflake-hosted Polaris as the REST catalog
- Lost ~30 minutes debugging the SigV4 / OAuth2 conflict because the credential-chain error pointed in the wrong direction
- Once SigV4 was turned off, the catalog connected cleanly on the first attempt
Happy to send a PR for any/all of these if you'd like — (1) and (3) are pure UI changes, (2) is a server-side default flip + maybe a clearer error path.
Summary
The "Add New Catalog" form in the Fusion UI (
Optimizer → Catalogs → Add New Catalog) has a few UX issues that cost real debugging time when setting up a REST catalog against Snowflake-hosted Apache Polaris. Filing as one issue because they're all in the same dialog.1. "S3 Path" field is misleadingly labeled
The field labeled S3 Path (with a
*required marker) maps to theiceberg_s3_pathwriter property, which — per OLake's own docs — is the Polaris catalog name, not an S3 URI:The current label invites the user to type
s3://bucket/..., which is wrong. Either:airflow,production_db) — not an S3 URI".2. "REST Enable Signature V4" defaults to ON and silently breaks OAuth2 + Snowflake-Polaris
The most common Polaris deployment today is Snowflake's hosted offering, which uses OAuth2 client-credentials auth — not AWS SigV4. With the SigV4 toggle ON (the form default), the Iceberg Java client wraps its HTTP client with
RESTSigV4Signer, which then tries to sign even the OAuth token-fetch request with AWS SigV4. The Spark optimizer pod has no AWS creds (intentionally — we use Polaris credential vending), so the SDK's default credential chain fails before OAuth even runs:The error message points the user toward AWS credential configuration, which is the wrong direction — the actual fix is "turn SigV4 off". The signal is buried in the stack trace; nothing in the connection failure surfaces the SigV4-vs-OAuth conflict.
Suggestions (any one would help):
oauth2(ornone). SigV4 + OAuth2 in the same request is rarely valid.SdkClientExceptionand explain "SigV4 is enabled but no AWS credentials are available — either disable SigV4 (likely correct for Snowflake-hosted Polaris) or provide AWS Access Key / Secret Key."3. "REST Auth Type" should be a dropdown, not a free-text field
The current input is a text box that accepts arbitrary strings. The valid values are a small enum (looks like
oauth2, plus presumablybearer,sigv4,none). A dropdown / select would:none, hide REST Signing Name/Region when notsigv4)Context
0.0.18on EKS, Fusion-enabled, Snowflake-hosted Polaris as the REST catalogHappy to send a PR for any/all of these if you'd like — (1) and (3) are pure UI changes, (2) is a server-side default flip + maybe a clearer error path.