You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
| `header.X-Iceberg-Access-Delegation` | `{vended-credentials,remote-signing}` | `vended-credentials` | Signal to the server that the client supports delegated access via a comma-separated list of access mechanisms. The server may choose to supply access via any or none of the requested mechanisms |
376
376
377
+
#### Authentication in RESTCatalog
378
+
379
+
The RESTCatalog supports pluggable authentication via the `auth` configuration block. This allows you to specify which how the access token will be fetched and managed for use with the HTTP requests to the RESTCatalog server. The authentication method is selected by setting the `auth.type` property, and additional configuration can be provided as needed for each method.
380
+
381
+
##### Supported Authentication Types
382
+
383
+
- `noop`: No authentication (no Authorization header sent).
384
+
- `basic`: HTTP Basic authentication.
385
+
- `oauth2`: OAuth2 client credentials flow.
386
+
- `legacyoauth2`: Legacy OAuth2 client credentials flow (Deprecated and will be removed in PyIceberg 1.0.0)
| `auth.type` | Yes | The authentication type to use (`noop`, `basic`, `oauth2`, or `custom`). |
410
+
| `auth.impl` | Conditionally | The fully qualified class path for a custom AuthManager. Required if `auth.type` is `custom`. |
411
+
| `auth.basic` | If type is `basic` | Block containing `username` and `password` for HTTP Basic authentication. |
412
+
| `auth.oauth2` | If type is `oauth2` | Block containing OAuth2 configuration (see below). |
413
+
| `auth.custom` | If type is `custom` | Block containing configuration for the custom AuthManager. |
414
+
415
+
##### Examples
416
+
417
+
**No Authentication:**
418
+
419
+
```yaml
420
+
auth:
421
+
type: noop
422
+
```
423
+
424
+
**Basic Authentication:**
425
+
426
+
```yaml
427
+
auth:
428
+
type: basic
429
+
basic:
430
+
username: myuser
431
+
password: mypass
432
+
```
433
+
434
+
**OAuth2 Authentication:**
435
+
436
+
```yaml
437
+
auth:
438
+
type: oauth2
439
+
oauth2:
440
+
client_id: my-client-id
441
+
client_secret: my-client-secret
442
+
token_url: https://auth.example.com/oauth/token
443
+
scope: read
444
+
refresh_margin: 60 # (optional) seconds before expiry to refresh
445
+
expires_in: 3600 # (optional) fallback if server does not provide
446
+
```
447
+
448
+
**Custom Authentication:**
449
+
450
+
```yaml
451
+
auth:
452
+
type: custom
453
+
impl: mypackage.module.MyAuthManager
454
+
custom:
455
+
property1: value1
456
+
property2: value2
457
+
```
458
+
459
+
##### Notes
460
+
461
+
- If `auth.type` is `custom`, you **must** specify `auth.impl` with the full class path to your custom AuthManager.
462
+
- If `auth.type` is not `custom`, specifying `auth.impl` is not allowed.
463
+
- The configuration block under each type (e.g., `basic`, `oauth2`, `custom`) is passed as keyword arguments to the corresponding AuthManager.
464
+
377
465
### SQL Catalog
378
466
379
467
The SQL catalog requires a database for its backend. PyIceberg supports PostgreSQL and SQLite through psycopg2. The database connection has to be configured using the `uri` property. The init_catalog_tables is optional and defaults to True. If it is set to False, the catalog tables will not be created when the SQLCatalog is initialized. See SQLAlchemy's [documentation for URL format](https://docs.sqlalchemy.org/en/20/core/engines.html#backend-specific-urls):
0 commit comments