Polaris Server exposes backend meta in error response body #608

Open
george-zubrienko opened this issue Jan 3, 2025 · 0 comments
Labels
bug Something isn't working
george-zubrienko commented Jan 3, 2025

Describe the bug

Spin up Polaris server using helm chart with Eclipse Link (Postgres), but do not create a Postgres database (do not bootstrap). Run this from inside a pod (or via exposed address if you have ingress):

PRINCIPAL_TOKEN="principal:root;realm:default-realm"
curl -i -X POST -H "Authorization: Bearer $PRINCIPAL_TOKEN" -H 'Accept: application/json' -H 'Content-Type: application/json'   http://localhost:8181/api/management/v1/catalogs   -d '{
        "catalog": {
          "name": "polaris",
          "type": "INTERNAL",
          "readOnly": false,
          "properties": {
            "default-base-location": "s3://tmp/development/polaris/"
          },
          "storageConfigInfo": {
            "storageType": "S3",
            "allowedLocations": [
              "s3://tmp/development/polaris/"
            ],
            "roleArn": "arn:aws:iam::000000000000:role/polaris-access-role"
          }
        }
      }'

Receive this:

HTTP/1.1 500 Server Error
Date: Fri, 03 Jan 2025 14:08:25 GMT
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: application/json
Content-Length: 1215
Connection: close

{
"cause2":"org.postgresql.util.PSQLException: FATAL: database "default-realm" does not exist",
"cause1":"Exception [EclipseLink-4002] (Eclipse Persistence Services - 4.0.4.v202407190748-059428cdd2583c46f1f3e50d235854840a6fa9a7): org.eclipse.persistence.exceptions.DatabaseException\nInternal Exception: org.postgresql.util.PSQLException: FATAL: database "default-realm" does not exist\nError Code: 0",
"servlet":"jersey",
"cause0":"jakarta.persistence.PersistenceException: Exception [EclipseLink-4002] (Eclipse Persistence Services - 4.0.4.v202407190748-059428cdd2583c46f1f3e50d235854840a6fa9a7): org.eclipse.persistence.exceptions.DatabaseException\nInternal Exception: org.postgresql.util.PSQLException: FATAL: database "default-realm" does not exist\nError Code: 0",
"message":"jakarta.persistence.PersistenceException: Exception [EclipseLink-4002] (Eclipse Persistence Services - 4.0.4.v202407190748-059428cdd2583c46f1f3e50d235854840a6fa9a7): org.eclipse.persistence.exceptions.DatabaseException\nInternal Exception: org.postgresql.util.PSQLException: FATAL: database "default-realm" does not exist\nError Code: 0",
"url":"/api/management/v1/catalogs",
"status":"500"

In this case, two things happened:

  • I was allowed an unauthenticated call (check polaris-server below) w/o getting 401 right away
  • I am able to see what backend type is configured and I can check what databases are deployed there

To Reproduce

(in describe section)

Actual Behavior

HTTP call is allowed and stack trace information reveals certain details about metastore backend

Expected Behavior

HTTP 401 - w/o any details, details logged on DEBUG level if configured for the server via values.yaml

Additional context

Polaris build commit: 0f5850c
EclipseLink with PSQL

If database is bootstrapped, 401 is returned correctly

System information

Polaris container sourced from repo's Dockerfile - k8s 1.29 target cluster (EKS)
PSQL (Aurora)
polaris-server.yml:

authenticator:
  class: org.apache.polaris.service.auth.DefaultPolarisAuthenticator
callContextResolver:
  type: default
cors:
  allowed-credentials: true
  allowed-headers:
  - '*'
  allowed-methods:
  - PATCH
  - POST
  - DELETE
  - GET
  - PUT
  allowed-origins:
  - http://localhost:8080
  allowed-timing-origins:
  - http://localhost:8080
  exposed-headers:
  - '*'
  preflight-max-age: 600
defaultRealms:
- lakehouse
featureConfiguration:
  ENFORCE_PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_CHECKING: false
  SUPPORTED_CATALOG_STORAGE_TYPES:
  - S3
io:
  factoryType: default
logging:
  appenders:
  - logFormat: '%-5p [%d{ISO8601} - %-6r] [%t] [%X{aid}%X{sid}%X{tid}%X{wid}%X{oid}%X{srv}%X{job}%X{rid}]
      %c{30}: %m %kvp%n%ex'
    threshold: ALL
    type: console
  level: INFO
  loggers:
    org.apache.iceberg.rest: DEBUG
    org.apache.polaris: DEBUG
maxRequestBodyBytes: -1
metaStoreManager:
  conf-file: /eclipselink-config/conf.jar!/persistence.xml
  persistence-unit: polaris
  type: eclipse-link
oauth2:
  type: default
rateLimiter:
  type: no-op
realmContextResolver:
  type: default
server:
  adminConnectors:
  - port: 8182
    type: http
  applicationConnectors:
  - port: 8181
    type: http
  maxThreads: 200
  minThreads: 10
  requestLog:
    appenders:
    - type: console
tokenBroker:
  secret: ...
  type: symmetric-key
@george-zubrienko george-zubrienko added the bug Something isn't working label Jan 3, 2025
@flyrain flyrain modified the milestones: 0.9.0, 1.0.0 Jan 6, 2025
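
A regression check for the expected behaviour described in this report, as an added example that is not part of the original issue or of the Polaris code base: it flags a response to an unauthenticated request that is not a 401, or whose body carries backend detail of the kind shown in the report. The function names, the pattern set and the `CLEAN` body are assumptions made for illustration; `REPORTED` is a constructed sample shortened from the response in the report.

```python
import json
import re

# Patterns for backend detail that should not reach an HTTP client.
# They are modelled on the strings visible in the reported response.
LEAK_PATTERNS = {
    "java_exception_class": re.compile(r"\b(?:[a-z_][a-z0-9_]*\.){2,}[A-Z]\w*(?:Exception|Error)\b"),
    "persistence_framework": re.compile(r"EclipseLink-\d+|Eclipse Persistence Services"),
    "component_version": re.compile(r"\b\d+\.\d+\.\d+\.v\d{8,}(?:-[0-9a-f]{7,40})?\b"),
    "database_name": re.compile(r'database\s+\\?"[^"\\]+\\?"\s+does not exist'),
}

def _strings(value):
    """Yield every string value in a decoded JSON document."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (dict, list)):
        children = value.values() if isinstance(value, dict) else value
        for child in children:
            yield from _strings(child)

def find_backend_leaks(body):
    """Return the sorted leak categories found in an error response body."""
    try:
        texts = list(_strings(json.loads(body)))
    except ValueError:
        # Body is not valid JSON (as in the report's paste): scan the raw text.
        texts = [body]
    return sorted(name for name, rx in LEAK_PATTERNS.items()
                  if any(rx.search(t) for t in texts))

def check_unauthenticated_response(status, body):
    """Findings for a response to a request that carried no valid credentials."""
    findings = []
    if status != 401:
        findings.append(f"status {status}, expected 401")
    findings += [f"leak:{name}" for name in find_backend_leaks(body)]
    return findings

# Constructed samples: REPORTED is shortened from the response in the report,
# CLEAN is a hypothetical body of the kind the report asks for.
REPORTED = ('{"cause2":"org.postgresql.util.PSQLException: FATAL: database '
            '"default-realm" does not exist",\n'
            '"cause1":"Exception [EclipseLink-4002] (Eclipse Persistence Services - '
            '4.0.4.v202407190748-059428cdd2583c46f1f3e50d235854840a6fa9a7): '
            'org.eclipse.persistence.exceptions.DatabaseException",\n"status":"500"}')
CLEAN = '{"error": {"message": "Unauthorized", "code": 401}}'
```

An empty list from `check_unauthenticated_response` means the response matches the expected behaviour; the check can run in CI against a deployment whose metastore has deliberately not been bootstrapped.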