feat: credential vending for REST catalog

[smaheshwar-pltr]

Issue

Closes #10

iceberg-cpp's REST catalog has no support for per-table credential vending. When a REST catalog server returns vended credentials (temporary S3 access keys) in the LoadTableResponse, iceberg-cpp ignores them and uses the catalog-level FileIO for all tables.

Consumers using iceberg-cpp to read tables from a credential-vending REST catalog get authentication failures when trying to read data files:

HTTP 403 Forbidden
AccessDenied: Access Denied
Authentication Failure - this is usually caused by invalid or missing credentials.
* No credentials are provided.

The catalog discovery and table metadata loading succeed (those use the catalog-level credentials), but reading the actual data files fails because the per-table S3 credentials from the REST catalog response are never extracted or applied.

PR

Implement per-table credential vending in RestCatalog, following the pattern from iceberg-java's RESTSessionCatalog and PyIceberg's REST catalog.

Credential vending pipeline

• RestCatalog sends X-Iceberg-Access-Delegation: vended-credentials header on all table-returning operations (LoadTable, CreateTable, RegisterTable, StageCreateTable)
• ResolveTableFileIO merges catalog properties < table config < storage credentials (longest prefix match), then creates a per-table FileIO via FileIORegistry
• Vended credentials are accessible to engines via FileIO::properties(), matching Python's table.io.properties pattern

API design: FileIO::properties()

We initially exposed io_properties() on the Table class, but after reviewing how engines actually consume vended credentials across the ecosystem:

How each implementation surfaces credentials to engines:

• Java: FileIO.properties() — Trino's IcebergRestCatalogFileSystemFactory calls baseTable.io().properties() directly to extract S3/GCS/Azure credentials and inject them into its own filesystem layer. It does NOT use the SupportsStorageCredentials interface.
• Python: table.io.properties — PyIceberg's DataFusion integration passes self.io.properties to configure its native filesystem
• Rust: table.file_io().config().props() — credentials flow through FileIO's config

No implementation exposes credentials on the Table object. FileIO::properties() is the standard surface. So we:

• Added properties() accessor to the FileIO base class
• FileIORegistry::Load() automatically populates FileIO::properties_ with the merged config
• Removed io_properties from Table/StagedTable entirely
• Removed the ResolvedTableIO struct (no longer needed since properties live on FileIO)

Integration tests

The REST fixture is configured with CATALOG_INCLUDE__CREDENTIALS=true and dummy S3 credentials. The fixture's RESTServerCatalogAdapter injects these into LoadTableResponse.config when credential vending is enabled. Integration tests verify that vended credentials flow through ResolveTableFileIO and are accessible via table->io()->properties() on all table-returning operations.

A full end-to-end test (reading from MinIO with vended credentials via Arrow S3 FileIO) would require ICEBERG_S3=ON in CI — left as a follow-up.

Known limitations

• No credential refresh (Java has VendedCredentialsProvider with expiry tracking)
• No remote-signing access delegation mode (only vended-credentials)
• Storage credential longest-prefix match uses metadata_location (like Python); Java defers matching to the FileIO per file access

[smaheshwar-pltr]

Design note: credential vending in the test fixture

We enable include-credentials with dummy S3 keys so the fixture's RESTServerCatalogAdapter injects them into LoadTableResponse.config. This lets us verify the full vending pipeline (header → server response → ResolveTableFileIO → FileIO::properties()) without needing MinIO.

Follow-up: For a true end-to-end test (reading data from MinIO using only vended credentials), we'd need to add MinIO here + build with ICEBERG_S3=ON in CI so the Arrow S3 FileIO can actually connect. Left as a follow-up since it requires CI config changes.

[smaheshwar-pltr]

Merge ordering: catalog props < table config < storage credentials

This matches all three reference implementations:

• Java (RESTSessionCatalog.java): merges catalog properties → table config → storage credentials
• Python (pyiceberg/catalog/rest/__init__.py): {**table_response.metadata.properties, **table_response.config, **credential_config}
• Rust (catalog/rest/src/catalog.rs): merges response.config into self.user_config.props (though Rust currently discards storage_credentials)

[smaheshwar-pltr]

Longest prefix match on metadata_location

This follows Python's approach (_resolve_storage_credentials() in pyiceberg/catalog/rest/__init__.py), which matches against metadata_location.

Java takes a different approach: it passes ALL credentials to the FileIO via SupportsStorageCredentials.setCredentials(), and the FileIO itself (e.g., S3FileIO) does per-file longest-prefix matching at read time. This is more correct for tables whose data files span multiple prefixes, but more complex.

We chose the Python pattern for simplicity. The spec's StorageCredential schema defines prefix + config but doesn't mandate the matching algorithm.

[smaheshwar-pltr]

Why FileIO::properties() instead of Table::io_properties()?

We initially had io_properties() on the Table class, but after reviewing all three reference implementations:

• Java: engines use table.io() directly; credentials live on FileIO via SupportsStorageCredentials
• Python: engines read table.io.properties (a dict on FileIO) — e.g., the DataFusion integration explicitly passes self.io.properties
• Rust: credentials flow through table.file_io().config().props()

No implementation exposes credentials on the Table object itself. FileIO::properties() matches the Python pattern and is the standard surface for engines that need to configure their own storage access.

[smaheshwar-pltr]

FileIORegistry::Load() automatically populates properties_ on every FileIO it creates. This means any FileIO from the registry (including per-table FileIOs from ResolveTableFileIO) will have the merged properties available via properties() without each factory needing to set them manually.

[smaheshwar-pltr]

Real-world engine validation: Trino

Trino (a major Java query engine) validates this exact pattern. Its IcebergRestCatalogFileSystemFactory extracts vended credentials by calling baseTable.io().properties() directly — it does NOT use Java's SupportsStorageCredentials interface.

The flow: BaseTable.io().properties() → IcebergTableCredentials → IcebergRestCatalogFileSystemFactory.create(identity, fileIoProperties) → extracts S3/GCS/Azure keys → injects them into Trino's ConnectorIdentity.extraCredentials → Trino's filesystem factories use the vended creds.

See: trino/plugin/trino-iceberg/src/main/java/io/trino/plugin/iceberg/catalog/rest/IcebergRestCatalogFileSystemFactory.java

[smaheshwar-pltr]

matches pyiceberg?

[smaheshwar-pltr]

rev:

Suggested change

	// No io-impl or warehouse configured. Fall back to a local FileIO as a
	// default — the per-table ResolveTableFileIO will resolve the real FileIO
	// when a table is loaded (using the table's location to detect S3, etc.).
	// No io-impl or warehouse configured. Fall back to a local FileIO as a
	// default — enabling per-table ResolveTableFileIO (vending).

[smaheshwar-pltr]

rev: remove python comment and just mention our chain
then, PR comment the python thing as a TODO to flag please

[smaheshwar-pltr]

Done — removed the Python comment from code.

TODO for follow-up: Python also merges result.metadata->properties into the chain (metadata props < catalog < table config < credentials). Java and Rust do not. We match Java/Rust. Worth revisiting if we find a case where table-metadata-level io-impl is needed.

[smaheshwar-pltr]

rev: this file isn't written for just this it happens to be that. internal helpers for REST file IO construction or smth pls

[smaheshwar-pltr]

rev: spaces between Fa and \p intentional? fine if so

[smaheshwar-pltr]

rev: should warehouse be stringview?

[smaheshwar-pltr]

fine if not

[smaheshwar-pltr]

rev: PR comment on this please. friend is controversial

[smaheshwar-pltr]

friend class FileIORegistry is intentional: properties_ should only be populated by the registry (which creates FileIO instances with merged config). Making it protected would let any subclass set arbitrary properties, breaking the invariant that properties reflect the config used to create the FileIO. The friend constrains this to the single correct code path.

If a second factory path emerges later (e.g., custom FileIO outside the registry), we can add a protected setter at that point.

[smaheshwar-pltr]

rev:

wait... is DetectBuiltinFileIO basically just a helper function too that's public I guess?

I don't see it in src/iceberg/catalog/rest/rest_file_io_internal.h so I guess it's on the main class? has it always been public?

then, let's maybe ditch the whole internal model and new file and just put resolve in that class too. I was concerned about visibility, but if there's precedence then fine. if we do that, then after comment on this PR please saying that we did it for this reason (otherwise you ask "why is this not internal"?)

[smaheshwar-pltr]

(ofc i'm talking about ResolveTableFileIO function

[smaheshwar-pltr]

Yes — DetectBuiltinFileIO, BuiltinFileIOName, and MakeCatalogFileIO are all already public in rest_file_io.h. Moved ResolveTableFileIO there too for consistency. Deleted rest_file_io_internal.h.

[smaheshwar-pltr]

rev: this change is unrelated to the PR, did linter really flag it? wouldn't have thought so

[smaheshwar-pltr]

if linter let's us, let's try and not change things unrelated to the PR please

[smaheshwar-pltr]

rev: this comment doesn't add much, remove