Kafka Connect: Handle AccessDeniedException in auto-create#16072
Kafka Connect: Handle AccessDeniedException in auto-create#16072yadavay-amzn wants to merge 1 commit into
Conversation
yadavay-amzn
force-pushed
the
fix/13758-access-denied-autocreate
branch
from
eac974f to
4a1977d
Compare
yadavay-amzn
changed the title
|
@Baunsgaard @nastra Could you take a look when you get a chance? This handles AccessDeniedException gracefully in the Kafka Connect auto-create path when the user lacks glue:CreateDatabase permission. Fixed the PR title format as well. |
|
Wouldn't this approach still cause the connector to crash if There is another approach that would work. The outer method is called |
yadavay-amzn
force-pushed
the
fix/13758-access-denied-autocreate
branch
from
4a1977d to
8468b73
Compare
|
@cloventt Good suggestion. Updated to check |
|
Nice one, I submitted my own PR so the maintainers can choose whichever impl they prefer #16297. |
yadavay-amzn
force-pushed
the
fix/13758-access-denied-autocreate
branch
from
8468b73 to
a6128c8
Compare
Baunsgaard
left a comment
Baunsgaard
left a comment
There was a problem hiding this comment.
TBH, my feeling is that it should fail on these exception types, and only the AlreadyExistsException should be allowed to skip.
| nsCatalog.createNamespace(namespace); | ||
| } catch (AlreadyExistsException | ForbiddenException | NotAuthorizedException ex) { | ||
| // Namespace may have been created concurrently, or the user lacks create permission | ||
| // but the namespace already exists. Either way, proceed gracefully. |
There was a problem hiding this comment.
This seems wrong to me. We should at minimum do a LOG.warning() to highlight that we have an conflict. I do see the old code did not do any logging, but if we add it we can get some statistics on how often this error is encountered.
yadavay-amzn
force-pushed
the
fix/13758-access-denied-autocreate
branch
from
a6128c8 to
e6a03e9
Compare
|
@Baunsgaard Makes sense. Updated: the catch now only handles |
yadavay-amzn
force-pushed
the
fix/13758-access-denied-autocreate
branch
from
e6a03e9 to
7e50d6d
Compare
) GlueCatalog.createNamespace() did not catch AccessDeniedException from the AWS Glue SDK. When a user lacks glue:CreateDatabase permission, Glue throws AccessDeniedException (HTTP 400) which propagated uncaught, crashing the Kafka Connect connector even when the database already exists. This fix: - Catches AccessDeniedException in GlueCatalog.createNamespace() and wraps it as ForbiddenException, consistent with how GlueTableOperations already handles this exception. - Adds NotAuthorizedException to the catch block in IcebergWriterFactory.createNamespaceIfNotExist() for defense-in-depth against auth exceptions from any catalog implementation. Closes apache#13758
yadavay-amzn
force-pushed
the
fix/13758-access-denied-autocreate
branch
from
7e50d6d to
ac7d7b3
Compare
3 participants
Summary
Fixes #13758.
When
iceberg.tables.auto-create-enabledis set, the Kafka Connect sink connector callsGlueCatalog.createNamespace()which can throwsoftware.amazon.awssdk.services.glue.model.AccessDeniedExceptionif the user lacksglue:CreateDatabasepermission. This exception was not caught, crashing the connector even when the database already exists.Changes
Root cause fix —
GlueCatalog.createNamespace():AccessDeniedExceptionand wrap it as Iceberg'sForbiddenException, consistent with howGlueTableOperationsalready handles this exception for table operations.Defense-in-depth —
IcebergWriterFactory.createNamespaceIfNotExist():NotAuthorizedExceptionto the existing catch block alongsideAlreadyExistsExceptionandForbiddenException, so auth exceptions from any catalog implementation are handled gracefully.Testing
testCreateNamespaceAccessDeniedinTestGlueCatalog: verifiesAccessDeniedExceptionis wrapped asForbiddenException.testCreateNamespaceHandlesForbiddenExceptionandtestCreateNamespaceHandlesNotAuthorizedExceptioninTestIcebergWriterFactory: verifies both exception types are swallowed during namespace creation.