Document Updated: Added GCS related Bucket Properties for vending credentials. #3066
Conversation
dimas-b
left a comment
Thanks for your contribution, @sakshamratra0106 !
| - [ ] Use a durable metastore (JDBC + PostgreSQL) | ||
| - [ ] Bootstrap valid realms in the metastore | ||
| - [ ] Disable local FILE storage | ||
| - [ ] Polaris Server Header |
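Review bot: the last checklist item, `Polaris Server Header`, is the only entry that names a setting without saying what to do with it; the three items above it are actions (`Use a durable metastore`, `Bootstrap valid realms`, `Disable local FILE storage`). Either phrase it as an action that states the recommended value, or drop it from a production checklist if no decision is required from the operator.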
Why is Polaris Server Header a critical point for production configuration?
Yes, the Server header is off by default due to possible security concerns. If a user wishes to enable it, it is possible. However, it does not look like every user has to make a decision about it.
|
|
||
| Polaris authentication requires specifying a token broker factory type. Two implementations are | ||
| supported out of the box: | ||
| Polaris authentication requires specifying a token broker factory type. Two implementations are supported out of the |
I'd prefer not to change the formatting on existing lines when the text itself does not change. It complicates reviews and skews line authorship attribution.
makes reverting those changes.
|
|
||
| ### Cloud Storage Specific Configuration | ||
|
|
||
| GCS + Polaris: When using token vending for fine-grained access in Google Cloud Storage (GCS) with Apache Iceberg on |
GCS is one of several possible cloud storage implementations. I believe it would be nicer to move this section into a sub-page under https://polaris.apache.org/in-dev/unreleased/configuring-polaris-for-production/
Other cloud storage options can get dedicated pages parallel to that one later. WDYT?
I was thinking the same thing; there could be more cloud configuration that would eventually come into the documentation. Where would it go? I will put that in a sub-page under this.
flyrain
left a comment
Thanks @sakshamratra0106 for working on it. Left some comments.
| [rsa-key-pair]: | ||
| https://github.com/apache/polaris/blob/390f1fa57bb1af24a21aa95fdbff49a46e31add7/service/common/src/main/java/org/apache/polaris/service/auth/JWTRSAKeyPairFactory.java | ||
| [symmetric-key]: | ||
| https://github.com/apache/polaris/blob/390f1fa57bb1af24a21aa95fdbff49a46e31add7/service/common/src/main/java/org/apache/polaris/service/auth/JWTSymmetricKeyFactory.java |
There seem to be a lot of unrelated changes. Can we revert them?
sure
|
|
||
| ### Cloud Storage Specific Configuration | ||
|
|
||
| GCS + Polaris: When using token vending for fine-grained access in Google Cloud Storage (GCS) with Apache Iceberg on |
I'd suggest a subtitle
| GCS + Polaris: When using token vending for fine-grained access in Google Cloud Storage (GCS) with Apache Iceberg on | |
| #### GCS | |
| When using token vending for fine-grained access in Google Cloud Storage (GCS) with Apache Iceberg on |
You mean the title of the section could be GCS, is it?
oh ok! Got it!
|
|
||
| ### Cloud Storage Specific Configuration | ||
|
|
||
| GCS + Polaris: When using token vending for fine-grained access in Google Cloud Storage (GCS) with Apache Iceberg on |
Can we use the term credential vending instead of token vending to be more consistent with other places?
I'd also recommend to not mention fine-grained access to avoid any confusion with table's FGAC. I think the context is pretty clear when it comes to storage credential vending. fine-grained access isn't necessary.
Makes sense! Removing!
…ine width to 120 char" This reverts commit 5cd0cc9.
…-page for "Configuring polaris for production"
| # specific language governing permissions and limitations | ||
| # under the License. | ||
| # | ||
| title: Configuring Cloud Storage |
Suggestion: how about Configuring GCS Cloud Storage?
If AWS S3, etc. are added later, it will be a new page, not an edit to this page, which will be easier to maintain, IMHO... but current layout is ok too.
sounds good!!
|
|
||
| ### Configuring Polaris for Cloud Storages | ||
|
|
||
| For guidance on configuring cloud storage providers (such as Google Cloud Storage, Amazon S3, and Azure Blob Storage) for use with Polaris—including credential vending, IAM roles, ACL requirements, and best practices—see [Configuring Cloud Storage](./configuring-cloud-storage-specific/). |
Suggestion: For guidance on configuring cloud storage providers ... see child pages (links in the left-hand pane)
cool!!
…-page for "Configuring polaris for production"
@dimas-b please review again!
|
|
||
| ### Configuring Polaris for Cloud Storages | ||
|
|
||
| For guidance on configuring cloud storage providers ... see child pages (links in the left-hand pane) for use with Polaris—including credential vending, IAM roles, ACL requirements, and best practices—see [Configuring GCS Cloud Storage](./configuring-gcs-cloud-storage-specific/). |
| For guidance on configuring cloud storage providers ... see child pages (links in the left-hand pane) for use with Polaris—including credential vending, IAM roles, ACL requirements, and best practices—see [Configuring GCS Cloud Storage](./configuring-gcs-cloud-storage-specific/). | |
| For guidance on configuring specific cloud storage providers see child pages (links in the left-hand pane). |
oh ok!
…-page for "Configuring polaris for production"
flyrain
left a comment
Thanks for keeping working on it. We are getting close!
| This page provides guidance for Configuring GCS Cloud Storage provider for use with Polaris. | ||
| It covers credential vending, IAM roles, ACL requirements, and best practices to ensure secure and reliable integration. | ||
|
|
||
| #### GCS |
We don't need this title as this page is dedicated for GCS config
fair enough!!
| #### GCS | ||
|
|
||
| When using credential vending for Google Cloud Storage (GCS) with Apache Iceberg on | ||
| Polaris, ensure that both IAM roles and HNS ACLs (if HNS is enabled) are properly configured. Even with the correct IAM |
Does HNS refer to the hierarchical namespace described here, https://docs.cloud.google.com/storage/docs/hns-overview? We might add the full name and links so that readers aren't confused by the acronym.
Done
| Polaris, ensure that both IAM roles and HNS ACLs (if HNS is enabled) are properly configured. Even with the correct IAM | ||
| role (e.g., `roles/storage.objectAdmin`), access to paths such as `gs://<bucket>/idsp_ns/sample_table4/` may fail with | ||
| 403 errors if HNS ACLs are missing for scoped tokens. The original access token may work, but scoped (vended) tokens | ||
| require HNS ACLs on the base path or relevant subpath. Polaris does not require HNS to be enabled for basic operation, |
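Review bot: the example path `gs://<bucket>/idsp_ns/sample_table4/` reads as a copy from one deployment rather than a placeholder; use neutral placeholders such as `gs://<bucket>/<namespace>/<table>/` so readers do not take the namespace and table names literally. The sentence "The original access token may work, but scoped (vended) tokens require HNS ACLs" should also name whose token is meant (the credential Polaris itself holds for the service account versus the scoped token it vends to the client), since a reader debugging a 403 needs to know which of the two to test with.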
What are basic operations? Can we clarify that? My impression is that we cannot disable credential vending when a catalog is based on GCS. In that case, HNS seems mandatory.
Actually no. HNS is not mandatory with credential vending. We can disable HNS and use credential vending as is with bare minimum permissions [object Read and Write]. And that works; I am currently doing the same thing in my project.
Whereas with HNS enabled we need another set of permissions in ACLs, reference https://docs.cloud.google.com/storage/docs/uniform-bucket-level-access. I still need to explore that territory. Will keep adding more information as and when I know more about it, if that's fine?
I have made some changes again to make more sense and details about HNS is not mandatory.
@flyrain please review again!
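The thread above turns on why a vended token can be refused on `gs://<bucket>/<namespace>/<table>/` while the service account's own credential works. The following is an added example, not code from the Polaris project or from this PR: it builds a Google Credential Access Boundary (CAB) for one table prefix and predicts, offline, which object operations a token downscoped with that boundary may perform. It assumes, which the PR does not state, that the scoped (vended) GCS token is a Google downscoped token; the role choice (objectViewer for read-only, objectAdmin for read-write), the bucket name `my-bucket` and the permission table are this example's own and are marked as such in the code. HNS folder ACLs are a separate check the simulation does not model.

```python
"""Added example, not code from the Polaris project or this PR.

Builds a Google Credential Access Boundary (CAB) for one Iceberg table
prefix and predicts, offline, which object operations a token downscoped
with that boundary can perform. Assumption not stated in the PR: the scoped
(vended) token handed out for GCS is a Google downscoped token, which is why
a request outside the boundary is refused with 403 even though the service
account behind it holds a broad role such as roles/storage.objectAdmin.
"""
import json
import re

# Subset of the storage.objects.* permissions each role grants, enough to
# simulate Iceberg reads and writes (constructed for this example).
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {
        "storage.objects.get", "storage.objects.list", "storage.objects.create",
        "storage.objects.delete", "storage.objects.update",
    },
}

OPERATION_PERMISSION = {
    "get": "storage.objects.get",
    "list": "storage.objects.list",
    "create": "storage.objects.create",
    "delete": "storage.objects.delete",
}

_STARTS_WITH = re.compile(r"^resource\.name\.startsWith\('([^']*)'\)$")


def table_access_boundary(bucket, table_prefix, writable):
    """Return the CAB document for one table location.

    The prefix is forced to end with '/'; otherwise 'ns/sample_table4'
    would also cover 'ns/sample_table40/...' (a string prefix, not a
    directory). The role choice (objectViewer vs objectAdmin) is this
    example's, not necessarily what Polaris requests.
    """
    prefix = table_prefix if table_prefix.endswith("/") else table_prefix + "/"
    role = "roles/storage.objectAdmin" if writable else "roles/storage.objectViewer"
    return {
        "accessBoundary": {
            "accessBoundaryRules": [
                {
                    "availableResource": f"//storage.googleapis.com/projects/_/buckets/{bucket}",
                    "availablePermissions": [f"inRole:{role}"],
                    "availabilityCondition": {
                        "expression": (
                            "resource.name.startsWith("
                            f"'projects/_/buckets/{bucket}/objects/{prefix}')"
                        )
                    },
                }
            ]
        }
    }


def _condition_holds(expression, resource_name):
    """Evaluate the only CEL form this example emits (resource.name.startsWith)."""
    m = _STARTS_WITH.match(expression)
    if m is None:
        raise ValueError(f"unsupported availability condition: {expression}")
    return resource_name.startswith(m.group(1))


def allowed_by_boundary(cab, bucket, object_name, operation):
    """Predict whether a token downscoped with `cab` may run `operation` on
    gs://bucket/object_name. A rule applies when its bucket matches and its
    condition holds; effective permissions are the union over applying rules.
    For 'list', pass the listing prefix as object_name. The service account's
    own IAM grant is assumed sufficient (the situation the docs describe);
    HNS folder ACLs are a separate check this simulation does not model.
    """
    needed = OPERATION_PERMISSION[operation]
    resource_name = f"projects/_/buckets/{bucket}/objects/{object_name}"
    bucket_resource = f"//storage.googleapis.com/projects/_/buckets/{bucket}"
    granted = set()
    for rule in cab["accessBoundary"]["accessBoundaryRules"]:
        if rule["availableResource"] != bucket_resource:
            continue
        cond = rule.get("availabilityCondition")
        if cond is not None and not _condition_holds(cond["expression"], resource_name):
            continue
        for perm in rule["availablePermissions"]:
            if perm.startswith("inRole:"):
                granted |= ROLE_PERMISSIONS.get(perm[len("inRole:"):], set())
            else:
                granted.add(perm)
    return needed in granted


if __name__ == "__main__":
    # Constructed sample: a read-only boundary for one table in 'my-bucket'.
    cab = table_access_boundary("my-bucket", "idsp_ns/sample_table4", writable=False)
    print(json.dumps(cab, indent=2))
    for op, path in [
        ("get", "idsp_ns/sample_table4/metadata/v1.metadata.json"),
        ("get", "idsp_ns/sample_table40/metadata/v1.metadata.json"),
        ("create", "idsp_ns/sample_table4/data/part-00000.parquet"),
    ]:
        print(f"{op:6} {path}: {allowed_by_boundary(cab, 'my-bucket', path, op)}")
```

The trailing-slash normalisation is the point worth keeping: a CAB condition is a plain string prefix, so a boundary built from `<namespace>/<table>` without the slash also admits a sibling table whose name merely starts with the same characters. The simulation only reproduces the boundary layer; a request that passes here can still fail on the bucket's IAM binding or, with hierarchical namespace enabled, on folder ACLs, which is the 403 the PR text describes.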
Correct one dead internal link to "admin-tool" page
@flyrain also, could you confirm whether these dead-link issues for external locations are bound to happen and we can merge anyway?
https://github.com/apache/polaris/actions/runs/19544276537/job/55967194931?pr=3066
Merged, the markdown issue isn't related.
2. Corrected one broken link in "Polaris Configuration Page"
flyrain
left a comment
LGTM. Thanks @sakshamratra0106 !
|
|
||
| This page provides guidance for configuring GCS Cloud Storage provider for use with Polaris. It covers credential vending, IAM roles, ACL requirements, and best practices to ensure secure and reliable integration. | ||
|
|
||
| All catalog operations in Polaris for Google Cloud Storage (GCS)—including listing, reading, and writing objects—are performed using credential vending, which issues scoped (vended) tokens for secure access. |
This is not 100% accurate, the SKIP_CREDENTIAL_SUBSCOPING_INDIRECTION flag (if set) can turn off credential vending.

==> Document Updated on 18th Nov 2025
==> Edit on 20th Nov 2025