[#10682] feat(iceberg-rest): Implement Iceberg REST remote-signing for S3 #11854

Open
lasdf1234 wants to merge 1 commit into apache:main from lasdf1234:feat/iceberg-remote-signing

lasdf1234 commented Jul 1, 2026

Collaborator

What changes were proposed in this pull request?

Implement Iceberg REST remote signing for the Gravitino Iceberg REST server:

  • Add POST .../namespaces/{namespace}/tables/{table}/sign in IcebergTableOperations, accepting RemoteSignRequest and returning RemoteSignResponse with Cache-Control: private.
  • Parse X-Iceberg-Access-Delegation: remote-signing via IcebergAccessDelegation and propagate it through IcebergRequestContext and the table/namespace dispatcher chain.
  • On create/load/register table for S3-backed tables, inject client config:
    • s3.remote-signing-enabled=true
    • signer.endpoint=v1/{prefix}/namespaces/{namespace}/tables/{table}/sign
  • Sign S3 requests server-side with S3RemoteRequestSigner using Gravitino credential providers (S3SecretKeyCredential, S3TokenCredential, AwsIrsaCredential), and validate sign URIs stay within table storage prefixes.
  • Advertise Endpoint.V1_TABLE_REMOTE_SIGN in /v1/config endpoints.
  • Proxy remote sign requests to upstream REST catalogs in FederatedCatalogWrapper.

Why are the changes needed?

Fix: #10682

The Iceberg REST server previously rejected remote-signing and did not expose the /sign endpoint. This is a gap against the Iceberg REST spec and blocks clients (for example Spark and PyIceberg) that prefer pre-signed S3 URLs over receiving cloud credentials directly.

Does this PR introduce any user-facing change?

Yes.

  1. IRC clients can request X-Iceberg-Access-Delegation: remote-signing on create/load/register table.
  2. S3-backed tables receive s3.remote-signing-enabled and signer.endpoint in the load/create/register response config.
  3. IRC exposes POST .../tables/{table}/sign and advertises it in /v1/config.
  4. gravitino.iceberg-rest.data-access=remote-signing can be advertised to REST clients via /v1/config defaults.

S3 is the only supported remote-sign provider in this PR.

How was this patch tested?

  • ./gradlew :iceberg:iceberg-rest-server:test -PskipITs
  • ./gradlew :iceberg:iceberg-rest-server:test --tests org.apache.gravitino.iceberg.service.sign.* --tests org.apache.gravitino.iceberg.service.TestIcebergAccessDelegation --tests org.apache.gravitino.iceberg.service.rest.TestIcebergConfig.testConfigRemoteSignEndpoint -PskipITs
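
The description above says sign URIs are validated to stay within table storage prefixes. One way to write such a check in Java, as an added example that is not code from this PR or from Gravitino: the class and method names are hypothetical, and it assumes virtual-hosted-style AWS S3 URLs and a table location of the form s3://bucket/prefix.

```java
import java.net.URI;
import java.util.Locale;

// Added illustration only: hypothetical names, not code from the PR.
public class SignUriPrefixCheck {
  // Assumes virtual-hosted-style AWS URLs (https://<bucket>.s3.<region>.amazonaws.com/<key>)
  // and a table location of the form s3://<bucket>/<prefix>.
  static boolean isWithinTable(String signUri, String tableLocation) {
    URI req, loc;
    try {
      req = URI.create(signUri);
      loc = URI.create(tableLocation);
    } catch (IllegalArgumentException e) {
      return false; // unparseable input is never signed
    }
    String host = req.getHost();
    String path = req.getRawPath();
    if (!"https".equalsIgnoreCase(req.getScheme()) || host == null || path == null
        || loc.getHost() == null || loc.getPath() == null) {
      return false;
    }
    // The bucket is the host label before ".s3."; compare it whole, never by prefix.
    host = host.toLowerCase(Locale.ROOT);
    int idx = host.indexOf(".s3.");
    if (idx <= 0 || !host.endsWith(".amazonaws.com")
        || !host.substring(0, idx).equals(loc.getHost())) {
      return false;
    }
    // Reject dot segments and encoded dots/slashes rather than normalizing them.
    String lower = path.toLowerCase(Locale.ROOT);
    if (lower.contains("%2e") || lower.contains("%2f") || lower.contains("%5c")) {
      return false;
    }
    for (String segment : path.split("/", -1)) {
      if (segment.equals(".") || segment.equals("..")) return false;
    }
    // Match on a segment boundary: ".../t1" must not also cover ".../t1_backup/...".
    String prefix = loc.getPath().endsWith("/") ? loc.getPath() : loc.getPath() + "/";
    return path.startsWith(prefix);
  }

  public static void main(String[] args) {
    String table = "s3://warehouse-bucket/db/t1"; // constructed sample values
    String base = "https://warehouse-bucket.s3.us-east-1.amazonaws.com";
    for (String uri : new String[] {base + "/db/t1/data/f.parquet", // file under the table
        base + "/db/t1_backup/f.parquet", base + "/db/t1/../t2/f.parquet"}) { // sibling, dot-dot
      System.out.println(uri + " -> " + isWithinTable(uri, table));
    }
  }
}
```

Path-style URLs and S3-compatible endpoints need their own host rules; under the stated assumptions this check rejects them.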

…ing for S3

Add POST .../tables/{table}/sign, remote-signing access delegation, and
client config injection so Spark/PyIceberg can use pre-signed S3 URLs instead
of vended cloud credentials.

Co-authored-by: Cursor <cursoragent@cursor.com>
github-actions Bot commented Jul 1, 2026


Code Coverage Report

Overall Project 67.35% +0.2% 🟢
Files changed 78.87% 🟢

Module Coverage
aliyun 1.72% 🔴
api 46.82% 🟢
authorization-common 85.96% 🟢
aws 26.5% 🔴
azure 2.47% 🔴
catalog-common 10.4% 🔴
catalog-fileset 80.23% 🟢
catalog-glue 66.91% 🟢
catalog-hive 79.42% 🟢
catalog-jdbc-clickhouse 80.2% 🟢
catalog-jdbc-common 44.22% 🟢
catalog-jdbc-doris 80.28% 🟢
catalog-jdbc-hologres 54.03% 🟢
catalog-jdbc-mysql 79.23% 🟢
catalog-jdbc-oceanbase 80.91% 🟢
catalog-jdbc-postgresql 82.29% 🟢
catalog-jdbc-starrocks 78.51% 🟢
catalog-kafka 77.01% 🟢
catalog-lakehouse-generic 58.53% 🟢
catalog-lakehouse-hudi 79.1% 🟢
catalog-lakehouse-iceberg 85.94% 🟢
catalog-lakehouse-paimon 84.25% 🟢
catalog-model 77.72% 🟢
cli 44.51% 🟢
client-java 78.01% 🟢
common 50.17% 🟢
core 82.59% 🟢
filesystem-hadoop3 77.3% 🟢
flink 0.0% 🔴
flink-common 47.12% 🟢
flink-runtime 0.0% 🔴
gcp 14.12% 🔴
hadoop-auth 66.67% 🟢
hadoop-common 12.7% 🔴
hive-metastore-common 53.29% 🟢
iceberg-common 58.3% 🟢
iceberg-rest-server 72.68% +3.38% 🟢
idp-basic 85.71% 🟢
integration-test-common 0.0% 🔴
jobs 66.17% 🟢
lance-common 20.81% 🔴
lance-rest-server 64.84% 🟢
lineage 53.02% 🟢
optimizer 83.24% 🟢
optimizer-api 21.95% 🔴
server 85.96% 🟢
server-common 74.62% 🟢
spark 28.57% 🔴
spark-common 45.58% 🟢
trino-connector 40.29% 🟢
Files
Module: iceberg-rest-server
File Coverage
IcebergNamespaceOperationExecutor.java 100.0% 🟢
IcebergConfigOperations.java 96.43% 🟢
IcebergTableOperationExecutor.java 94.74% 🟢
IcebergTableEventDispatcher.java 94.44% 🟢
IcebergAccessDelegation.java 81.48% 🟢
IcebergTableHookDispatcher.java 80.41% 🟢
IcebergNamespaceOperations.java 79.51% 🟢
IcebergRequestContext.java 75.86% 🟢
FederatedCatalogWrapper.java 75.1% 🟢
IcebergTableOperations.java 74.78% 🟢
CatalogWrapperForREST.java 74.39% 🟢
RemoteSignPathValidator.java 68.75% 🟢
S3RemoteRequestSigner.java 67.53% 🟢
AwsSigningCredentials.java 22.22% 🔴
IcebergTableOperationDispatcher.java 0.0% 🔴

Development

Successfully merging this pull request may close these issues.

[Improvement] Implement remote signing endpoint for Iceberg REST server
