pyiceberg always return false for catalog.table_exists when using Snowflake managed Polaris service #96
Comments
Hi @djouallah, this project is for OSS Polaris and not any vendor-managed deployment of Polaris. Having said that, I'm interested in taking a look -- can you share your code? I was not able to reproduce this. I created a config file
I used the CLI to create the catalog, and used another engine to create a namespace and table in the catalog. I then ran this Python script using PyIceberg:
I saw that the
|
All good, I will open a ticket I guess. |
Chiming into this, PyIceberg currently has an issue when parsing the table identifier with the "catalog name". How did you initialize the |
In PyIceberg, the catalog is named If you rename the PyIceberg catalog to |
no luck :( |
Weird, I'll try to repro |
To check table existence pyiceberg calls "HEAD" via the API. In OSS Polaris it currently works as expected. If I had to guess, the managed Polaris may not be listening to HEAD requests and therefore might be returning 404 which translates to False. |
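An added example, not code from PyIceberg or Polaris and not written by anyone in this thread: a diagnostic that cross-checks the HEAD answer against a GET on the same table path, so a 404 returned only for HEAD is reported as inconclusive instead of being read as "table missing". The two stub servers, the `/v1/demo/...` path and the `diagnose` helper are constructed for the illustration, and the HEAD-always-404 stub models the guess made in the comment above.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Constructed sample data: the only table the stub catalogs hold.
KNOWN = {"/v1/demo/namespaces/ns/tables/t1"}
# Ignore proxy environment variables so the demo only talks to localhost.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

class HeadAware(http.server.BaseHTTPRequestHandler):
    """Stub catalog that answers HEAD and GET consistently."""
    def _reply(self, code):
        self.send_response(code)
        self.end_headers()
    def do_HEAD(self):
        self._reply(204 if self.path in KNOWN else 404)
    def do_GET(self):
        self._reply(200 if self.path in KNOWN else 404)
    def log_message(self, *args):  # silence per-request logging
        pass

class HeadBlind(HeadAware):
    """Stub for the guessed failure mode: HEAD is always answered 404."""
    def do_HEAD(self):
        self._reply(404)

def status(base, path, method):
    """Return the HTTP status code for one request, including error codes."""
    req = urllib.request.Request(base + path, method=method)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def diagnose(base, path):
    """Cross-check HEAD against GET so a lone 404 on HEAD is not read as 'missing'."""
    head, get = status(base, path, "HEAD"), status(base, path, "GET")
    if head in (200, 204):
        return "exists"
    if head == 404 and get == 404:
        return "missing"
    return f"inconclusive: HEAD={head} GET={get}"

def serve(handler):
    """Start a stub on a free localhost port; returns (server, base_url)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"
```

Against a real catalog the same comparison needs the usual bearer token on both requests, and a 401 or 403 on either one also lands in the inconclusive branch rather than being reported as a missing table.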
@TomerHeber good catch! |
@eric-maynard which credentials are you using? I tried to reproduce with a local docker deployment of Polaris
the credentials are from the logs
I cannot create a table due to permission issues
|
@kevinjqliu it shouldn't matter so long as the credentials you're using have Using those same credentials, can you create a table with Spark? |
With the root credentials, I was able to create tables using Pyspark, but not with PyIceberg
Repro
Run a new Polaris instance in docker
Create a new catalog in Polaris
Get the root credentials in Polaris log
Edit the
|
Hi @kevinjqliu, I was able to reproduce this -- I can't create tables with PyIceberg using root credentials. The error I see is:
|
It's a bit unintuitive, but due to the intentional segmentation of "metadata management" and "content management", the default Some of the distinction between CONTENT and METADATA is called out here: https://polaris.io/#tag/Access-Control/Access-control-privileges The initialization where the This can be solved by either omitting the |
Thanks for taking a look at this. @sfc-gh-dhuo I think your theory is correct. PyIceberg's REST client sets the Everything works after I comment that out |
Seems to me that PyIceberg should set the |
Reading the spec for It sounds like clients are free to send that header on requests, as a way to signal the server of its capabilities.
I'm interpreting the header as a signal for credential vending or remote signing capabilities. Perhaps the Polaris permission model is making the assumption that setting the header means requesting for table access. |
I guess the ultimate question is, what permission is required to run a |
@kevinjqliu Good question! This is an area that's probably worth adding more explicit documentation for. The ground truth for privilege requirements can be found in PolarisAuthorizableOperation.java:
And the relationship between direct privileges vs inheritance through "super-privileges" can be found in PolarisAuthorizer.java:
So you need only And you need both In both cases Polaris will be able to write to the metadata store and write the metadata JSON file itself, but the difference is that if you specify |
@dennishuo thanks for the explanation.
This is an interesting behavior. In this case, Polaris must vend credentials with the ... Regarding the original error message. I confirmed that setting |
(Looks like To summarize, this boils down to the set of permissions the
|
From an access control perspective, we probably don't want to grant |
Nice, it seems pyiceberg deployed a fix. Who thought having multiple catalog implementations is a good thing!!! |
Using Polaris managed offering and pyiceberg 0.7, catalog.table_exists will return false even if the table exists