-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security improvements in the Iceberg REST specification #10537
Milestone
Comments
Should we add this to the "Iceberg REST Catalog" milestone? |
I have added now. |
There is also a weekly sync planned for REST catalog. We have one on next Monday here the second point in agenda is to discuss the same. |
snazy
added a commit
to snazy/iceberg
that referenced
this issue
Jun 28, 2024
This PR implements "M1" of [this document](https://docs.google.com/document/d/1Xi5MRk8WdBWFC3N_eSmVcrLhk3yu5nJ9x_wC0ec6kVQ/), see apache#10537.
snazy
added a commit
to snazy/iceberg
that referenced
this issue
Jun 28, 2024
This PR implements "M1" of [this document](https://docs.google.com/document/d/1Xi5MRk8WdBWFC3N_eSmVcrLhk3yu5nJ9x_wC0ec6kVQ/), see apache#10537.
snazy
added a commit
to snazy/iceberg
that referenced
this issue
Jun 29, 2024
This PR implements "M1" of [this document](https://docs.google.com/document/d/1Xi5MRk8WdBWFC3N_eSmVcrLhk3yu5nJ9x_wC0ec6kVQ/), see apache#10537.
snazy
added a commit
to snazy/iceberg
that referenced
this issue
Jul 1, 2024
This PR implements "M1" of [this document](https://docs.google.com/document/d/1Xi5MRk8WdBWFC3N_eSmVcrLhk3yu5nJ9x_wC0ec6kVQ/), see apache#10537.
snazy
added a commit
to snazy/iceberg
that referenced
this issue
Jul 1, 2024
This PR implements "M1" of [this document](https://docs.google.com/document/d/1Xi5MRk8WdBWFC3N_eSmVcrLhk3yu5nJ9x_wC0ec6kVQ/), see apache#10537.
snazy
added a commit
to snazy/iceberg
that referenced
this issue
Jul 4, 2024
This PR implements "M1" of [this document](https://docs.google.com/document/d/1Xi5MRk8WdBWFC3N_eSmVcrLhk3yu5nJ9x_wC0ec6kVQ/), see apache#10537.
snazy
added a commit
to snazy/iceberg
that referenced
this issue
Jul 10, 2024
This PR implements "M1" of [this document](https://docs.google.com/document/d/1Xi5MRk8WdBWFC3N_eSmVcrLhk3yu5nJ9x_wC0ec6kVQ/), see apache#10537.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Proposed Change
Following up on the mailing list discussion, we propose the following changes to Apache Iceberg. The following summary chapter is a summary of the initial message on this topic on the iceberg-dev mailing list.
We think that the ‘/v1/oauth/tokens’ endpoint in the Iceberg REST spec poses potential security and OAuth2 compliance issues, and excessively restricts how authorization should be implemented.
Clients might expose their clear-text credentials to the wrong service, if the (correct) OAuth endpoint is not configured (humans do make mistakes).
The goals of this proposal are:
Proposed "milestones" are:
M1: Deprecate the /v1/oauth/tokens endpoint, targeting Apache Iceberg 1.7.0
M2: Update & clarify documentation, asap
M3: Define a pluggable REST client authorization framework, before M4
M4: Reference client authorization implementation(s) in Java, targeting Iceberg 1.8.0 or 2.0
M5: Removal the /v1/oauth/tokens endpoint, targeting Iceberg 1.9.0 or 2.0
Details in the linked document.
Proposal document
https://docs.google.com/document/d/1Xi5MRk8WdBWFC3N_eSmVcrLhk3yu5nJ9x_wC0ec6kVQ/
Specifications
The text was updated successfully, but these errors were encountered: