Fix Iceberg vended credentials not working with REST catalogs that return credentials via storage-credentials instead of config. #28290
Open
rcjverhoef wants to merge 1 commit into trinodb:master from
When the Iceberg REST catalog returns vended credentials via the storage-credentials field (REST spec v2) instead of the config map, Trino's custom ioBuilder causes RESTSessionCatalog to silently drop them. This results in 403 errors when writing to storage.

Add StorageCredentialsMergingRestClient, a RESTClient wrapper that intercepts LoadTableResponse and merges the best-matching storage credential (by longest prefix) into the config map before Iceberg processes it. This makes vended credentials flow through the existing ioBuilder and IcebergRestCatalogFileSystemFactory without changes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla
ebyhr
reviewed
Feb 16, 2026
| @@ -0,0 +1,170 @@ | |||
| /* | |||
| .withHeaders(RESTUtil.configHeaders(config)) | ||
| .build(), | ||
| config -> { | ||
| var client = HTTPClient.builder(config) |
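Review bot: In the `config -> {` lambda, the `var client = HTTPClient.builder(config)` chain is cut off in this view, so it cannot be confirmed that the new client still receives `.withHeaders(RESTUtil.configHeaders(config))` before `.build()`; if the rewritten lambda drops that call, requests made through this client lose the configured headers. Please keep the header call on the new builder chain, and add a one-line comment in the lambda stating why the client is now held in a local variable.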
Description
Iceberg Credential Vending doesn't work with REST catalogs following latest specs, specifically catalogs that don't provide the config fallback. Per latest spec:

Additional context and related issues
The Iceberg REST spec defines two mechanisms for credential vending:
- config map (older): credentials are returned as key-value pairs in the config field of LoadTableResponse. Trino already supports this.
- storage-credentials array (newer, preferred): credentials are returned as typed Credential objects with a prefix and config. Trino did not support this.

When Trino provides a custom ioBuilder to RESTSessionCatalog (which it always does), storage-credentials are dropped in RESTSessionCatalog.newFileIO() — only the config map is passed through. Without a custom ioBuilder, Iceberg handles this via the SupportsStorageCredentials interface, but that path is never taken in Trino.

Release notes
( ) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
(x) Release notes are required, with the following suggested text:
Iceberg connector
storage-credentials instead of config.
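
The longest-prefix merge the commit message describes, written out as an added example; it is not code from this PR or from Iceberg. `Credential`, `merge` and the class name are hypothetical, matching against the table location and letting credential keys override `config` keys are assumptions, and every value is a constructed placeholder.

```java
import java.util.Comparator;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.TreeSet;

public class StorageCredentialMergeExample {
    // Hypothetical stand-in for one entry of the response's storage-credentials array.
    record Credential(String prefix, Map<String, String> config) {}

    // Returns a copy of the response config with the best-matching credential merged in.
    // Assumption: credential keys override same-named keys already present in config.
    // If no prefix matches the location, the config is returned unchanged.
    static Map<String, String> merge(String location, Map<String, String> config, List<Credential> credentials) {
        Map<String, String> merged = new HashMap<>(config);
        credentials.stream()
                // Plain string prefix test: "s3://b/db" also matches "s3://b/db2/...",
                // so prefixes that end in "/" scope credentials more tightly.
                .filter(c -> location.startsWith(c.prefix()))
                // Longest matching prefix wins, so a table-scoped credential
                // beats a bucket-wide one.
                .max(Comparator.comparingInt(c -> c.prefix().length()))
                .ifPresent(c -> merged.putAll(c.config()));
        return merged;
    }

    public static void main(String[] args) {
        // Constructed sample data standing in for a LoadTableResponse.
        String location = "s3://example-bucket/warehouse/db/orders";
        Map<String, String> config = Map.of("client.region", "us-east-1");
        List<Credential> credentials = List.of(
                new Credential("s3://example-bucket/", Map.of(
                        "s3.access-key-id", "BUCKET_WIDE_KEY_PLACEHOLDER")),
                new Credential("s3://example-bucket/warehouse/db/", Map.of(
                        "s3.access-key-id", "TABLE_SCOPED_KEY_PLACEHOLDER",
                        "s3.session-token", "TOKEN_PLACEHOLDER")),
                new Credential("gs://other-bucket/", Map.of(
                        "gcs.oauth2.token", "UNRELATED_PLACEHOLDER")));

        Map<String, String> merged = merge(location, config, credentials);
        // Report key names only; the merged values are secrets and stay out of logs.
        System.out.println("merged keys: " + new TreeSet<>(merged.keySet()));
        System.out.println("table-scoped credential selected: "
                + merged.get("s3.access-key-id").startsWith("TABLE_SCOPED"));
    }
}
```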