Skip to content

IRC: Optimize Credential Vending #3997

Open
singhpk234 wants to merge 2 commits intoapache:mainfrom
singhpk234:optimize/cred-vending
Open

IRC: Optimize Credential Vending #3997
singhpk234 wants to merge 2 commits intoapache:mainfrom
singhpk234:optimize/cred-vending

Conversation

@singhpk234
Copy link
Contributor

@singhpk234 singhpk234 commented Mar 14, 2026

About the change

The /credentials endpoint currently performs a full table metadata read from object storage to vend credentials.
This is expensive and unnecessary — the table locations needed for credential vending are already available in the
entity's internal properties stored in the metastore.

This PR introduces an optimized credential vending path (loadCredentialsFromEntityProperties) that reads locations
directly from the metastore, avoiding the object storage round-trip. The optimization is gated behind the
OPTIMIZED_CREDENTIAL_VENDING feature flag (defaults to false). When disabled, the endpoint falls back to the existing
loadTableWithAccessDelegation path. When the entity lacks the required internal properties (e.g. tables created before
the property was stored), it also gracefully falls back.

co-author : @adutra

Checklist

  • 🛡️ Don't disclose security issues! (contact security@apache.org)
  • 🔗 Clearly explained why the changes are needed, or linked related issues: Fixes #
  • 🧪 Added/updated tests with good coverage, or manually tested (and explained how)
  • 💡 Added comments for complex logic
  • 🧾 Updated CHANGELOG.md (if needed) --later
  • 📚 Updated documentation in site/content/in-dev/unreleased (if needed)

@singhpk234
Optimize credential vending by reading locations from metastore
846a36e 
Add an OPTIMIZED_CREDENTIAL_VENDING feature flag that allows the
loadCredentials endpoint to vend storage credentials using location
data stored in entity internal properties, bypassing the expensive
full table metadata read from object storage.

When the flag is enabled, the new loadCredentialsFromEntityProperties
path resolves the table's base and data locations directly from the
metastore and uses them to scope credentials. If the entity or its
location data is missing (e.g. external catalogs or pre-apache#3226 data),
it falls back transparently to the standard loadTableWithAccessDelegation
path.
@github-project-automation github-project-automation bot moved this to PRs In Progress in Basic Kanban Board Mar 14, 2026
@sfc-gh-prsingh sfc-gh-prsingh force-pushed the optimize/cred-vending branch from ea3d45a to eb5db50 Compare March 14, 2026 08:01
@singhpk234
Add tests for loadCredentials endpoint and optimized credential vending
f802657 
- Add authz test for loadCredentialsFromEntityProperties verifying
  TABLE_READ_DATA and TABLE_WRITE_DATA privileges
- Add integration tests for /loadCredentials endpoint with optimized
  credential vending both enabled and disabled
- Add loadCredentials helper method to CatalogApi
- Remove Javadoc from private vendCredentials method
@sfc-gh-prsingh sfc-gh-prsingh force-pushed the optimize/cred-vending branch from eb5db50 to f802657 Compare March 14, 2026 08:19
@singhpk234 singhpk234 marked this pull request as ready for review March 18, 2026 14:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@flyrain flyrain Awaiting requested review from flyrain

@adutra adutra Awaiting requested review from adutra

@dimas-b dimas-b Awaiting requested review from dimas-b

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@singhpk234