OpenAPI: Standardize credentials in loadTable/loadView responses

Author: nastra

open-api/rest-catalog-open-api.py

@@ -441,6 +441,30 @@ class AssertViewUUID(BaseModel):
     uuid: str
 
 
+class AzureCredentials(BaseModel):
+    account_name: Optional[str] = Field(None, alias='account-name')
+    account_key: Optional[str] = Field(None, alias='account-key')
+    token: Optional[str] = None
+
+
+class AwsCredentials(BaseModel):
+    access_key_id: str = Field(..., alias='access-key-id')
+    secret_access_key: str = Field(..., alias='secret-access-key')
+    token: Optional[str] = None
+    expires_at_ms: Optional[int] = Field(None, alias='expires-at-ms')
+
+
+class GcsCredentials(BaseModel):
+    token: str
+    expires_at_ms: Optional[int] = Field(None, alias='expires-at-ms')
+
+
+class Credentials(BaseModel):
+    aws: Optional[AwsCredentials] = None
+    azure: Optional[AzureCredentials] = None
+    gcs: Optional[GcsCredentials] = None
+
+
 class RegisterTableRequest(BaseModel):
     name: str
     metadata_location: str = Field(..., alias='metadata-location')
@@ -1113,6 +1137,11 @@ class LoadTableResult(BaseModel):
      - `s3.session-token`: if present, this value should be used for as the session token
      - `s3.remote-signing-enabled`: if `true` remote signing should be performed as described in the `s3-signer-open-api.yaml` specification
 
+    ## Credentials
+
+    Credentials for Azure / AWS / GCS are provided through the `credentials` field. Clients should first check whether the
+    respective credentials exist in the `credentials` field before checking the `config` for credentials.
+
     """
 
     metadata_location: Optional[str] = Field(
@@ -1121,6 +1150,7 @@ class LoadTableResult(BaseModel):
         description='May be null if the table is staged as part of a transaction',
     )
     metadata: TableMetadata
+    credentials: Optional[Credentials] = None
     config: Optional[Dict[str, str]] = None
 
 
@@ -1183,10 +1213,16 @@ class LoadViewResult(BaseModel):
 
     - `token`: Authorization bearer token to use for view requests if OAuth2 security is enabled
 
+    ## Credentials
+
+    Credentials for Azure / AWS / GCS are provided through the `credentials` field. Clients should first check whether the
+    respective credentials exist in the `credentials` field before checking the `config` for credentials.
+
     """
 
     metadata_location: str = Field(..., alias='metadata-location')
     metadata: ViewMetadata
+    credentials: Optional[Credentials] = None
     config: Optional[Dict[str, str]] = None
 
 

open-api/rest-catalog-open-api.yaml

@@ -2747,6 +2747,54 @@ components:
         uuid:
           type: string
 
+    AzureCredentials:
+      type: object
+      properties:
+        account-name:
+          type: string
+        account-key:
+          type: string
+        token:
+          type: string
+
+    AwsCredentials:
+      type: object
+      required:
+        - access-key-id
+        - secret-access-key
+      properties:
+        access-key-id:
+          type: string
+        secret-access-key:
+          type: string
+        token:
+          type: string
+        expires-at-ms:
+          type: integer
+          format: int64
+
+    GcsCredentials:
+      type: object
+      required:
+        - token
+        - expires-at
+      properties:
+        token:
+          type: string
+        expires-at-ms:
+          type: integer
+          format: int64
+
+    Credentials:
+      type: object
+      properties:
+        aws:
+          $ref: '#/components/schemas/AwsCredentials'
+        azure:
+          $ref: '#/components/schemas/AzureCredentials'
+        gcs:
+          $ref: '#/components/schemas/GcsCredentials'
+
     LoadTableResult:
       description: |
         Result used when a table is successfully loaded.
@@ -2773,6 +2821,11 @@ components:
          - `s3.secret-access-key`: secret for credentials that provide access to data in S3 
          - `s3.session-token`: if present, this value should be used for as the session token 
          - `s3.remote-signing-enabled`: if `true` remote signing should be performed as described in the `s3-signer-open-api.yaml` specification
+
+        ## Credentials
+
+        Credentials for Azure / AWS / GCS are provided through the `credentials` field. Clients should first check whether the
+        respective credentials exist in the `credentials` field before checking the `config` for credentials.
       type: object
       required:
         - metadata
@@ -2782,6 +2835,8 @@ components:
           description: May be null if the table is staged as part of a transaction
         metadata:
           $ref: '#/components/schemas/TableMetadata'
+        credentials:
+          $ref: '#/components/schemas/Credentials'
         config:
           type: object
           additionalProperties:
@@ -2905,6 +2960,10 @@ components:
 
         - `token`: Authorization bearer token to use for view requests if OAuth2 security is enabled
 
+        ## Credentials
+
+        Credentials for Azure / AWS / GCS are provided through the `credentials` field. Clients should first check whether the
+        respective credentials exist in the `credentials` field before checking the `config` for credentials.
       type: object
       required:
         - metadata-location
@@ -2914,6 +2973,8 @@ components:
           type: string
         metadata:
           $ref: '#/components/schemas/ViewMetadata'
+        credentials:
+          $ref: '#/components/schemas/Credentials'
         config:
           type: object
           additionalProperties: