Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] SKIP_CREDENTIAL_SUBSCOPING_INDIRECTION is ignored in TaskFileIOSupplier #379

Open
1 task done
alessandro-nori opened this issue Oct 17, 2024 · 0 comments · May be fixed by #400
Open
1 task done

[BUG] SKIP_CREDENTIAL_SUBSCOPING_INDIRECTION is ignored in TaskFileIOSupplier #379

alessandro-nori opened this issue Oct 17, 2024 · 0 comments · May be fixed by #400
Labels
bug Something isn't working good first issue Good for newcomers

Comments

@alessandro-nori
Copy link
Contributor

Is this a possible security vulnerability?

  • This is NOT a possible security vulnerability

Describe the bug

The TaskFileIOSupplier class always tries to get subscoped credentials and doesn't take into consideration the SKIP_CREDENTIAL_SUBSCOPING_INDIRECTION configuration parameter.
In certain setups, we should be able to load a FileIO without credentials.

To Reproduce

Assuming you're using AWS s3 as storage type for your catalog:

  1. Set SKIP_CREDENTIAL_SUBSCOPING_INDIRECTION to true and run polaris
  2. Send a Purge request from a client that doesn't try to delete the files on the client side (e.g. pyiceberg)
  3. Look at the traces and see the call to aws.AssumeRole coming from TaskFileIOSupplier

Actual Behavior

Polaris tries to get subscoped credentials for the FileIO

Expected Behavior

Polaris should load a FileIO without credentials

Additional context

No response

System information

No response
@alessandro-nori alessandro-nori added the bug Something isn't working label Oct 17, 2024
@eric-maynard eric-maynard added the good first issue Good for newcomers label Oct 18, 2024
@alessandro-nori alessandro-nori linked a pull request Oct 23, 2024 that will close this issue
Draft
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working good first issue Good for newcomers
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

pass skip_credential_subscoping_indirection param to TaskFileIOSupplier alessandro-nori/polaris
2 participants
@eric-maynard @alessandro-nori