What would you like to be improved?
The planTableScan endpoint (POST /v1/{prefix}/namespaces/{namespace}/tables/{table}/scan) does not accept the X-Iceberg-Access-Delegation header and does not return storage credentials in its response. The Iceberg REST spec defines the data-access header as a parameter on the planTableScan endpoint, and the CompletedPlanningResult schema includes a storage-credentials field for clients to access the data files returned in the scan result.
In the current planTableScan method (IcebergTableOperations.java#L513-L545):
- No
@HeaderParam(X_ICEBERG_ACCESS_DELEGATION) parameter
IcebergRequestContext is constructed without isCredentialVending- The
CompletedPlanningResult response does not include storage-credentials
In contrast, createTable and loadTable accept this header and inject credentials into the response. Without this, clients performing server-side scan planning must make a separate GET .../credentials call to obtain storage access credentials before reading the data files returned in the scan plan.
How should we improve?
- Add
@HeaderParam(X_ICEBERG_ACCESS_DELEGATION) String accessDelegation to planTableScan
- Pass
isCredentialVending to IcebergRequestContext so credential injection can be triggered
- When credential vending is enabled, include
storage-credentials in the CompletedPlanningResult response so clients can immediately access the returned data files without a separate credentials call
What would you like to be improved?
The
planTableScanendpoint (POST /v1/{prefix}/namespaces/{namespace}/tables/{table}/scan) does not accept theX-Iceberg-Access-Delegationheader and does not return storage credentials in its response. The Iceberg REST spec defines thedata-accessheader as a parameter on theplanTableScanendpoint, and theCompletedPlanningResultschema includes astorage-credentialsfield for clients to access the data files returned in the scan result.In the current
planTableScanmethod (IcebergTableOperations.java#L513-L545):@HeaderParam(X_ICEBERG_ACCESS_DELEGATION)parameterIcebergRequestContextis constructed withoutisCredentialVendingCompletedPlanningResultresponse does not includestorage-credentialsIn contrast,
createTableandloadTableaccept this header and inject credentials into the response. Without this, clients performing server-side scan planning must make a separateGET .../credentialscall to obtain storage access credentials before reading the data files returned in the scan plan.How should we improve?
@HeaderParam(X_ICEBERG_ACCESS_DELEGATION) String accessDelegationtoplanTableScanisCredentialVendingtoIcebergRequestContextso credential injection can be triggeredstorage-credentialsin theCompletedPlanningResultresponse so clients can immediately access the returned data files without a separate credentials call