Document Updated: Added GCS related Bucket Properties for vending credentials. #3066
Conversation
dimas-b
left a comment
Thanks for your contribution, @sakshamratra0106 !
| - [ ] Use a durable metastore (JDBC + PostgreSQL) | ||
| - [ ] Bootstrap valid realms in the metastore | ||
| - [ ] Disable local FILE storage | ||
| - [ ] Polaris Server Header |
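Review bot: the last checklist item, `- [ ] Polaris Server Header`, is a bare noun where the other three items are imperative actions, and the reply in this thread says the header is off by default and optional; either reword it as an action the operator takes (e.g. "Decide whether to enable the Polaris Server header (disabled by default)") or drop it from a list of production-critical steps.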
Why is Polaris Server Header a critical point for production configuration?
Yes, the Server header is off by default due to possible security concerns. If a user wishes to enable it, it is possible. However, it does not look like every user has to make a decision about it.
|
|
||
| Polaris authentication requires specifying a token broker factory type. Two implementations are | ||
| supported out of the box: | ||
| Polaris authentication requires specifying a token broker factory type. Two implementations are supported out of the |
I'd prefer not to change the formatting on existing lines when the text itself does not change. It complicates reviews and skews line authorship attribution.
makes reverting those changes.
|
|
||
| ### Cloud Storage Specific Configuration | ||
|
|
||
| GCS + Polaris: When using token vending for fine-grained access in Google Cloud Storage (GCS) with Apache Iceberg on |
GCS is one of several possible cloud storage implementations. I believe it would be nicer to move this section into a sub-page under https://polaris.apache.org/in-dev/unreleased/configuring-polaris-for-production/
Other cloud storage options can get dedicated pages parallel to that one later. WDYT?
I was thinking the same thing; there could be more cloud configuration that would come eventually in the documentation. Where would it go? I will put that in a sub-page under this.
flyrain
left a comment
Thanks @sakshamratra0106 for working on it. Left some comments.
| [rsa-key-pair]: | ||
| https://github.com/apache/polaris/blob/390f1fa57bb1af24a21aa95fdbff49a46e31add7/service/common/src/main/java/org/apache/polaris/service/auth/JWTRSAKeyPairFactory.java | ||
| [symmetric-key]: | ||
| https://github.com/apache/polaris/blob/390f1fa57bb1af24a21aa95fdbff49a46e31add7/service/common/src/main/java/org/apache/polaris/service/auth/JWTSymmetricKeyFactory.java |
There seem to be a lot of unrelated changes. Can we revert them?
|
|
||
| ### Cloud Storage Specific Configuration | ||
|
|
||
| GCS + Polaris: When using token vending for fine-grained access in Google Cloud Storage (GCS) with Apache Iceberg on |
I'd suggest a subtitle
| GCS + Polaris: When using token vending for fine-grained access in Google Cloud Storage (GCS) with Apache Iceberg on | |
| #### GCS | |
| When using token vending for fine-grained access in Google Cloud Storage (GCS) with Apache Iceberg on |
You mean the title of the section could be GCS? Is it?
oh ok! Got it!
|
|
||
| ### Cloud Storage Specific Configuration | ||
|
|
||
| GCS + Polaris: When using token vending for fine-grained access in Google Cloud Storage (GCS) with Apache Iceberg on |
Can we use the term credential vending instead of token vending to be more consistent with other places?
I'd also recommend not mentioning fine-grained access, to avoid any confusion with the table's FGAC. I think the context is pretty clear when it comes to storage credential vending; fine-grained access isn't necessary.
Makes sense! Removing!
…ine width to 120 char" This reverts commit 5cd0cc9.
…-page for "Configuring polaris for production"
| # specific language governing permissions and limitations | ||
| # under the License. | ||
| # | ||
| title: Configuring Cloud Storage |
Suggestion: how about Configuring GCS Cloud Storage?
If AWS S3, etc. are added later, it will be a new page, not an edit to this page, which will be easier to maintain, IMHO... but current layout is ok too.
sounds good!!
|
|
||
| ### Configuring Polaris for Cloud Storages | ||
|
|
||
| For guidance on configuring cloud storage providers (such as Google Cloud Storage, Amazon S3, and Azure Blob Storage) for use with Polaris—including credential vending, IAM roles, ACL requirements, and best practices—see [Configuring Cloud Storage](./configuring-cloud-storage-specific/). |
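Review bot: the heading `### Configuring Polaris for Cloud Storages` uses the non-standard plural "Storages"; suggest `### Configuring Polaris for Cloud Storage Providers` (or `... for Cloud Storage`), matching the "cloud storage providers" wording in the sentence under it. That sentence also promises credential vending, IAM roles and ACL requirements for Amazon S3 and Azure Blob Storage while linking to a single page; keep the list of providers aligned with what the linked page actually covers.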
Suggestion: For guidance on configuring cloud storage providers ... see child pages (links in the left-hand pane)
…-page for "Configuring polaris for production"
@dimas-b please review again!
|
|
||
| ### Configuring Polaris for Cloud Storages | ||
|
|
||
| For guidance on configuring cloud storage providers ... see child pages (links in the left-hand pane) for use with Polaris—including credential vending, IAM roles, ACL requirements, and best practices—see [Configuring GCS Cloud Storage](./configuring-gcs-cloud-storage-specific/). |
| For guidance on configuring cloud storage providers ... see child pages (links in the left-hand pane) for use with Polaris—including credential vending, IAM roles, ACL requirements, and best practices—see [Configuring GCS Cloud Storage](./configuring-gcs-cloud-storage-specific/). | |
| For guidance on configuring specific cloud storage providers see child pages (links in the left-hand pane). |
…-page for "Configuring polaris for production"
flyrain
left a comment
Thanks for continuing to work on it. We are getting close!
| This page provides guidance for Configuring GCS Cloud Storage provider for use with Polaris. | ||
| It covers credential vending, IAM roles, ACL requirements, and best practices to ensure secure and reliable integration. | ||
|
|
||
| #### GCS |
We don't need this title as this page is dedicated to GCS config.
fair enough!!
| #### GCS | ||
|
|
||
| When using credential vending for Google Cloud Storage (GCS) with Apache Iceberg on | ||
| Polaris, ensure that both IAM roles and HNS ACLs (if HNS is enabled) are properly configured. Even with the correct IAM |
Does HNS refer to the Hierarchical namespace described here, https://docs.cloud.google.com/storage/docs/hns-overview? We might add the full name and links so that readers aren't confused by the acronym.
| Polaris, ensure that both IAM roles and HNS ACLs (if HNS is enabled) are properly configured. Even with the correct IAM | ||
| role (e.g., `roles/storage.objectAdmin`), access to paths such as `gs://<bucket>/idsp_ns/sample_table4/` may fail with | ||
| 403 errors if HNS ACLs are missing for scoped tokens. The original access token may work, but scoped (vended) tokens | ||
| require HNS ACLs on the base path or relevant subpath. Polaris does not require HNS to be enabled for basic operation, |
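Review bot: the example path `gs://<bucket>/idsp_ns/sample_table4/` looks like a leftover from a specific test setup; a generic placeholder such as `gs://<bucket>/<namespace>/<table>/` avoids readers copying it into their own docs. In the same passage, "The original access token" is ambiguous: name it as the service's own (non-downscoped) credential so the contrast with the scoped, vended token is explicit.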
What are basic operations? Can we clarify that? My impression is that we cannot disable credential vending when a catalog is based on GCS. In that case, HNS seems mandatory.
Actually no. HNS is not mandatory with Credential Vending. We can disable HNS and use Credential vending as is with bare minimum permissions [object Read and Write]. And that works; I am currently doing the same thing in my project.
Whereas with HNS enabled we need another set of permissions in ACLs, reference https://docs.cloud.google.com/storage/docs/uniform-bucket-level-access. I still need to explore that territory. Will keep adding more information as and when I know more about it. If that's fine?
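The two configurations discussed in this thread (HNS off with bare object read/write permissions, HNS on with folder ACLs required for the vended token) can be checked before a table location is handed to a vended token. The block below is an added example and is not Polaris code or anything from this PR; it models the failure mode the reviewers describe (correct IAM role, scoped token, but no folder ACL on the table path, so access fails with 403) without calling GCS. The bucket resource dicts are constructed, the `hierarchicalNamespace.enabled` field name is assumed from the GCS JSON API bucket resource, and the minimal permission set (get, create, list) is an assumption about what an Iceberg table location needs.

```python
"""Added example (not Polaris project code): a pre-flight check for GCS
credential vending that models the failure mode described in this thread.

A vended (down-scoped) token inherits the IAM permissions of the credential it
was derived from, but on a bucket with hierarchical namespace (HNS) enabled it
additionally needs folder ACLs on the table's base path or a parent folder;
without them object access under that path fails with 403 even though the IAM
role is correct. With HNS disabled, object read/write permissions suffice.

Assumptions: bucket descriptions are constructed dicts shaped like the GCS JSON
API bucket resource (`hierarchicalNamespace.enabled`); the permission names are
standard IAM storage permissions; nothing here calls GCS.
"""
from dataclasses import dataclass

# Minimal object read/write set a vended token needs for an Iceberg table
# location (assumption: list is included so the catalog can enumerate files).
MIN_OBJECT_PERMISSIONS = frozenset({
    "storage.objects.get",
    "storage.objects.create",
    "storage.objects.list",
})


@dataclass(frozen=True)
class BucketConfig:
    name: str
    hns_enabled: bool
    # Folder paths (relative to the bucket root) on which the vended
    # principal has been granted folder ACLs; only meaningful when HNS is on.
    acl_folders: frozenset


@dataclass(frozen=True)
class VendedToken:
    # Path prefix the token was down-scoped to (the table location).
    scope_prefix: str
    permissions: frozenset


def parse_bucket_config(resource: dict, acl_folders=()) -> BucketConfig:
    """Build a BucketConfig from a bucket resource dict.

    The GCS JSON API reports HNS under `hierarchicalNamespace.enabled`
    (assumed field name); an absent field means HNS is off.
    """
    hns = bool(resource.get("hierarchicalNamespace", {}).get("enabled", False))
    return BucketConfig(
        name=resource["name"],
        hns_enabled=hns,
        acl_folders=frozenset(f.rstrip("/") for f in acl_folders),
    )


def _under_folder(path: str, folder: str) -> bool:
    """True when `path` is `folder` itself or lies beneath it."""
    path = path.rstrip("/")
    return path == folder or path.startswith(folder + "/")


def check_vended_access(bucket: BucketConfig, token: VendedToken, object_path: str) -> list:
    """Return the reasons a vended token would be refused for `object_path`.

    An empty list means the request is expected to succeed.
    """
    problems = []

    missing = MIN_OBJECT_PERMISSIONS - token.permissions
    if missing:
        problems.append("token lacks IAM permissions: " + ", ".join(sorted(missing)))

    if not object_path.startswith(token.scope_prefix):
        problems.append(f"path is outside the token scope {token.scope_prefix!r}")

    # The HNS-specific failure: correct IAM, correct scope, but no folder ACL
    # covering the path, so the scoped request comes back 403.
    if bucket.hns_enabled and not any(
        _under_folder(object_path, f) for f in bucket.acl_folders
    ):
        problems.append(
            "bucket has HNS enabled but no folder ACL covers this path "
            "(grant one on the table base path or a parent folder)"
        )
    return problems


def demo():
    """Constructed scenario: the same token against flat and HNS buckets."""
    token = VendedToken("warehouse/ns/tbl/", MIN_OBJECT_PERMISSIONS)
    plain = parse_bucket_config({"name": "data-flat"})
    hns_no_acl = parse_bucket_config(
        {"name": "data-hns", "hierarchicalNamespace": {"enabled": True}}
    )
    hns_with_acl = parse_bucket_config(
        {"name": "data-hns", "hierarchicalNamespace": {"enabled": True}},
        acl_folders=["warehouse/ns/"],
    )
    path = "warehouse/ns/tbl/metadata/v1.metadata.json"
    return {
        "flat": check_vended_access(plain, token, path),
        "hns_no_acl": check_vended_access(hns_no_acl, token, path),
        "hns_with_acl": check_vended_access(hns_with_acl, token, path),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", "OK" if not problems else "; ".join(problems))
```

Running it prints `OK` for the flat bucket and for the HNS bucket whose parent folder carries an ACL, and the HNS-without-ACL reason for the third case; the same `check_vended_access` call is the place to hang a real bucket description once it is fetched from the API.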
I have made some changes again to make more sense and to add details about HNS not being mandatory.
Correct one dead internal link to "admin-tool" page
@flyrain also, could you confirm whether these dead link issues to external locations are bound to happen and we can merge anyway?
Merged, the markdown issue isn't related.
2. Corrected one broken link in "Polaris Configuration Page"
flyrain
left a comment
LGTM. Thanks @sakshamratra0106 !
|
|
||
| This page provides guidance for configuring GCS Cloud Storage provider for use with Polaris. It covers credential vending, IAM roles, ACL requirements, and best practices to ensure secure and reliable integration. | ||
|
|
||
| All catalog operations in Polaris for Google Cloud Storage (GCS)—including listing, reading, and writing objects—are performed using credential vending, which issues scoped (vended) tokens for secure access. |
This is not 100% accurate; the SKIP_CREDENTIAL_SUBSCOPING_INDIRECTION flag (if set) can turn off credential vending.
* Docs: update Helm Chart page to show usage without cloning Polaris github repo (apache#2939)
* Docs: update Helm Chart page to show usage without cloning Polaris github repo
* Apply suggestions from code review
* Add separate flows in Helm Chart doc for installing released chart and images vs building from source
--------
Co-authored-by: Alexandre Dutra <adutra@apache.org>
* docs: improve getting started and README documentation (apache#2267)
* The outdated config snippets and health-checks are removed from the index
* The binary guide stays focused and concise
* Update changelog with missing 1.3.0 features (apache#3087)
* Update registry.access.redhat.com/ubi9/openjdk-21-runtime Docker tag to v1.23-6.1763034977 (apache#3092)
* Update docker.io/jaegertracing/all-in-one Docker tag to v1.75.0 (apache#3093)
* feat: Make generate_clients.py windows compatible (apache#3084)
* Make generate_clients.py windows compatible
* Updated CHANGELOG.md
* PRs: Remove markdown-links-check from required checks (apache#3102) The "Check Markdown links" workflow is known to produce false failures, leading to apache#3097. This change is intended to unblock PRs due to these false failures.
* Update dependency com.diffplug.spotless:spotless-plugin-gradle to v8.1.0 (apache#3083)
* Update dependency com.diffplug.spotless:spotless-plugin-gradle to v8.1.0
* spotlessApply
--------
Co-authored-by: Robert Stupp <snazy@snazy.de>
* chore(deps): update gradle to v9.2.1 (apache#3069)
* chore(deps): update gradle to v9.2.1
* Fix Gradle wrapper SHA
--------
Co-authored-by: Robert Stupp <snazy@snazy.de>
* chore(deps): update mongo docker tag to v8.2.2 (apache#3100)
* chore(deps): update docker.io/mongo docker tag to v8.2.2 (apache#3099)
* Source-tarball - eliminate git-gzip risk (apache#3075) Details in the `git archive` chapter in https://reproducible-builds.org/docs/archives/
* NoSQL: Allow `null` IndexKey (de)serialization (apache#3076) This change adopts the implementation to the API specification.
* PRs: Re-add markdown-links-check step (apache#3103) The step was disabled in apache#3102 to pass CI and enable merging.
* NoSQL: Add maintenance implementation (apache#3077)
* Inject DefaultFileIOFactory in tests (apache#3043)
* Inject DefaultFileIOFactory in tests also simplify `TaskFileIOSupplier` usage in tests, which allows removal of `TestFileIOFactory`.
* Update Quarkus Platform and Group to v3.29.4 (apache#3094)
* Site: Replace feather logo (apache#3101) The ASF has a new logo, a leaf. There is sadly no free icon that matches the new logo, so replacing the feather-ASF with "The ASF" in the top-bar navigation.
* Update actions/checkout action to v6 (apache#3106)
* Core: resolveAll() must be called before reading resolution results (apache#3064)
* Site: Added GCS related Bucket Properties for vending credentials. (apache#3066)
* Publish/pom: don't include test-fixtures dependencies as runtime (apache#3085) The list of dependencies in pom's includes the api/runtime elements of the test-fixtures, which is not what should be published, as it "pulls up" deps like junit, mockito and assertj as Maven runtime scope dependencies. This change fixes this.
* Increase javadoc visibility in `persistence/nosql/persistence/cdi/weld` (apache#3110) This is to fix javadoc error: `No public or protected classes found to document`
* Disable cloud storage tests that would use @tempdir (apache#3095) Disable tests from ViewCatalogTests for cloud storage integration tests (S3, ADLS, GCS) that would otherwise use @tempdir. Since @tempdir internally uses Paths.get, it cannot point to cloud storage paths. These tests remain enabled for file-based integration tests.
* Remove 'beta' label for Generic Table (apache#3096)
* remove beta label
* address comments for change log
--------
Co-authored-by: Pierre Laporte <pierre@pingtimeout.fr>
* Update dependency jupyterlab to v4.5.0 (apache#3074)
* chore: Fix md link check in GH action (apache#3128)
* Fix md link check in GH action
* Fix md link check in GH action
* Update dependency pre-commit to v4.5.0 (apache#3123)
* Update dependency software.amazon.awssdk:bom to v2.39.2 (apache#3127)
* NoSQL: authZ API, SPI, impl and store (apache#3078) NoSQL base functionality for ACLs
* NoSQL: Quarkus distributed cache invalidation (apache#3105) Adds support for distributed NoSQL cache invalidation leveraging Quarkus.
* NoSQL: adjustments / merge fixes
* Last merged commit e124348
--------
Co-authored-by: Oleg Soloviov <40199597+olsoloviov@users.noreply.github.com>
Co-authored-by: Alexandre Dutra <adutra@apache.org>
Co-authored-by: Subham <subham.sangwan@adypu.edu.in>
Co-authored-by: Pierre Laporte <pierre@pingtimeout.fr>
Co-authored-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: Yong Zheng <yongzheng0809@gmail.com>
Co-authored-by: Christopher Lambert <xn137@gmx.de>
Co-authored-by: Yufei Gu <yufei@apache.org>
Co-authored-by: Saksham Ratra <sakshamratra.0106@gmail.com>
Co-authored-by: Dmitri Bourlatchkov <dmitri.bourlatchkov@gmail.com>
Co-authored-by: Tamas Mate <50709850+tmater@users.noreply.github.com>
Co-authored-by: Yun Zou <yunzou.colostate@gmail.com>

==> Document Updated on 18th Nov 2025
==> Edit on 20th Nov 2025