From 5d638248b8a1c979663abd3388d7a82d47ca53de Mon Sep 17 00:00:00 2001 From: kuldeep27396 Date: Sun, 21 Sep 2025 23:46:01 +0530 Subject: [PATCH 1/3] DOC: Add REST catalog authentication properties documentation Add a new section documenting REST catalog authentication properties including: - Authentication types (none, basic, oauth2, sigv4, google) - Basic authentication properties - OAuth2 authentication properties - Token management properties This addresses issue #13209 by providing comprehensive documentation for REST catalog authentication configuration. --- docs/docs/configuration.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/docs/docs/configuration.md b/docs/docs/configuration.md index 433da6ad0ddf..9fd3cf8a7532 100644 --- a/docs/docs/configuration.md +++ b/docs/docs/configuration.md 
@@ -198,3 +198,23 @@ is available on the Hive Metastore server, if it is backed by MySQL or MariaDB Even with `iceberg.engine.hive.lock-enabled` set to `false`, a HiveCatalog can still use locks for individual tables by setting the table property `engine.hive.lock-enabled`=`true`. This is useful in the case where other HiveCatalogs cannot be upgraded and set to commit without using Hive locks. +## REST catalog authentication properties + +The REST catalog supports multiple authentication mechanisms to secure access to catalog operations. These properties are used to configure authentication for REST catalog clients. + +| Property | Default | Description | +| --------------------------------- | ------------------ | ------------------------------------------------------ | +| rest.auth.type | null | Authentication type: `none`, `basic`, `oauth2`, `sigv4`, `google` | +| rest.auth.basic.username | null | Username for basic authentication | +| rest.auth.basic.password | null | Password for basic authentication | +| oauth2-server-uri | null | OAuth2 server URI for token endpoint | +| token | null | Bearer token for OAuth2 authentication | +| credential | null | Credential to exchange for OAuth2 token | +| token-expires-in-ms | 3600000 (1 hour) | Token expiration time in milliseconds | +| token-refresh-enabled | true | Whether to refresh tokens when expiration info is available | +| token-exchange-enabled | true | Whether to use token exchange for acquiring new tokens | +| scope | null | Additional scope for OAuth2 | +| audience | null | Optional audience parameter for OAuth2 | +| resource | null | Optional resource parameter for OAuth2 | +| rest.auth.sigv4.delegate-auth-type| oauth2 | Delegate auth type for SigV4 authentication | + From cccfebfa838188d3fef3602075bc60b87686f01b Mon Sep 17 00:00:00 2001 
From: Kuldeep Pal Date: Mon, 22 Sep 2025 17:07:54 +0530 Subject: [PATCH 2/3] Update docs/docs/configuration.md Co-authored-by: Eduard Tudenhoefner --- docs/docs/configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs/configuration.md b/docs/docs/configuration.md index 9fd3cf8a7532..bbc86ac071b9 100644 --- a/docs/docs/configuration.md +++ b/docs/docs/configuration.md @@ -212,7 +212,7 @@ The REST catalog supports multiple authentication mechanisms to secure access to | credential | null | Credential to exchange for OAuth2 token | | token-expires-in-ms | 3600000 (1 hour) | Token expiration time in milliseconds | | token-refresh-enabled | true | Whether to refresh tokens when expiration info is available | -| token-exchange-enabled | true | Whether to use token exchange for acquiring new tokens | +| token-exchange-enabled | true | Whether to use token exchange for acquiring new tokens | | scope | null | Additional scope for OAuth2 | | audience | null | Optional audience parameter for OAuth2 | | resource | null | Optional resource parameter for OAuth2 | From bb153a25ac4fde4c177be46ee2cdc40c0c2738df Mon Sep 17 00:00:00 2001 From: Kuldeep Pal Date: Mon, 22 Sep 2025 17:08:06 +0530 Subject: [PATCH 3/3] Update docs/docs/configuration.md Co-authored-by: Eduard Tudenhoefner --- docs/docs/configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs/configuration.md b/docs/docs/configuration.md index bbc86ac071b9..e612120afe19 100644 --- a/docs/docs/configuration.md +++ b/docs/docs/configuration.md 
@@ -209,7 +209,7 @@ The REST catalog supports multiple authentication mechanisms to secure access to | rest.auth.basic.password | null | Password for basic authentication | | oauth2-server-uri | null | OAuth2 server URI for token endpoint | | token | null | Bearer token for OAuth2 authentication | -| credential | null | Credential to exchange for OAuth2 token | +| credential | null | Credential to exchange for OAuth2 token | | token-expires-in-ms | 3600000 (1 hour) | Token expiration time in milliseconds | | token-refresh-enabled | true | Whether to refresh tokens when expiration info is available | | token-exchange-enabled | true | Whether to use token exchange for acquiring new tokens |
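Review bot: In the table added by PATCH 1/3, the `rest.auth.type` row gives a default of `null` while its description lists `none` as a valid value, so a reader cannot tell whether leaving the property unset means no authentication or something else; state the effective behaviour when it is unset. The table also mixes `rest.auth.*` keys with unprefixed ones (`token`, `credential`, `scope`, `audience`, `resource`) without saying which `rest.auth.type` each applies to, and `sigv4` gets one row while `google` gets none; a column or sub-heading per auth type would close that gap. The `rest.auth.basic.password`, `token` and `credential` rows hold secrets, and one sentence on keeping them out of shared or committed configuration would fit the section's stated purpose of securing access.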
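Review bot: In PATCH 2/3 the removed and added `token-exchange-enabled` rows carry the same text as shown here, so the change looks like column-alignment whitespace only, and the subject line "Update docs/docs/configuration.md" does not say so. Squash it into PATCH 1/3 or give it a subject that names the change, so the history shows what was altered in the table.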
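Review bot: PATCH 3/3 touches the `credential` row but leaves its description as "Credential to exchange for OAuth2 token", which does not tell the reader what form the value takes or how it interacts with `token` when both are set. Since the row is being edited anyway, extend the description to cover the expected format and the precedence between `credential` and `token`.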