Ignore SSL Verification #2805

Open
rohangoli wants to merge 1 commit into apache:main
base: main
from rohangoli:s3-cmtbl-url-ignore-ssl-verification

@rohangoli rohangoli commented Oct 13, 2025

What changes were proposed in this pull request?

Why are the changes needed?

  • Unable to create table with HTTPS (self-signed certificates)
curl --location 'http://localhost:8181/api/catalog/v1/quickstart_catalog/namespaces/minio_polaris_ns/tables' \
-H "Authorization: Bearer $TOKEN" \
-H 'Content-Type: application/json' \
-H 'Polaris-Realm: POLARIS' \
--data '{
 "name": "minio_polaris_ns_table01",
 "schema": {
 "type": "struct",
 "fields": [
 {
 "id": 0,
 "name": "id",
 "type": "string",
 "required": true,
 "doc": "car model"
 },
 {
 "id": 1,
 "name": "first_name",
 "type": "string",
 "required": true,
 "doc": "first name"
 }
 ]
 }
}' | jq
{
 "error": {
 "message": "Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (SDK Attempt Count: 6)",
 "type": "SdkClientException",
 "code": 500
 }
}

Polaris Logs:

polaris-1 | 2025-10-13 15:20:52,403 INFO [io.qua.htt.access-log] [a97e3793-1931-405c-aa0d-b402ebb7b4dc_0000000000000000007,POLARIS] [,,,] (executor-thread-1) 172.18.0.1 - root [13/Oct/2025:15:20:52 +0000] "GET /api/catalog/v1/quickstart_catalog/namespaces HTTP/1.1" 200 60
polaris-1 | 2025-10-13 15:21:05,522 INFO [org.apa.pol.ser.cat.ice.IcebergCatalogHandler] [a97e3793-1931-405c-aa0d-b402ebb7b4dc_0000000000000000008,POLARIS] [,,,] (executor-thread-1) Initializing non-federated catalog
polaris-1 | 2025-10-13 15:21:05,530 INFO [org.apa.ice.BaseMetastoreCatalog] [a97e3793-1931-405c-aa0d-b402ebb7b4dc_0000000000000000008,POLARIS] [,,,] (executor-thread-1) Table properties set at catalog level through catalog properties: {}
polaris-1 | 2025-10-13 15:21:05,533 INFO [org.apa.ice.BaseMetastoreCatalog] [a97e3793-1931-405c-aa0d-b402ebb7b4dc_0000000000000000008,POLARIS] [,,,] (executor-thread-1) Table properties enforced at catalog level through catalog properties: {}
polaris-1 | 2025-10-13 15:21:05,717 WARN [org.apa.pol.ser.con.ServiceProducers] [a97e3793-1931-405c-aa0d-b402ebb7b4dc_0000000000000000008,POLARIS] [,,,] (executor-thread-1) Creating HTTP client with SSL certificate verification disabled. Use only in development!
polaris-1 | 2025-10-13 15:21:05,791 INFO [org.apa.ice.CatalogUtil] [a97e3793-1931-405c-aa0d-b402ebb7b4dc_0000000000000000008,POLARIS] [,,,] (executor-thread-1) Loading custom FileIO implementation: org.apache.iceberg.aws.s3.S3FileIO
polaris-1 | 2025-10-13 15:21:06,177 INFO [org.apa.pol.ser.cat.io.s3.ReflectionS3ClientInjector] [a97e3793-1931-405c-aa0d-b402ebb7b4dc_0000000000000000008,POLARIS] [,,,] (executor-thread-1) Successfully injected S3Client into org.apache.iceberg.aws.s3.S3FileIO
polaris-1 | 2025-10-13 15:21:06,178 INFO [org.apa.pol.ser.cat.io.DefaultFileIOFactory] [a97e3793-1931-405c-aa0d-b402ebb7b4dc_0000000000000000008,POLARIS] [,,,] (executor-thread-1) Injected insecure S3Client into Iceberg S3FileIO for ioImpl=org.apache.iceberg.aws.s3.S3FileIO
polaris-1 | 2025-10-13 15:21:08,723 INFO [org.apa.pol.ser.exc.IcebergExceptionMapper] [a97e3793-1931-405c-aa0d-b402ebb7b4dc_0000000000000000008,POLARIS] [,,,] (executor-thread-1) Handling runtimeException Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (SDK Attempt Count: 6)
polaris-1 | 2025-10-13 15:21:08,733 ERROR [org.apa.pol.ser.exc.IcebergExceptionMapper] [a97e3793-1931-405c-aa0d-b402ebb7b4dc_0000000000000000008,POLARIS] [,,,] (executor-thread-1) Unhandled exception returning INTERNAL_SERVER_ERROR: software.amazon.awssdk.core.exception.SdkClientException: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (SDK Attempt Count: 6)
polaris-1 | 2025-10-13 15:21:08,739 INFO [io.qua.htt.access-log] [a97e3793-1931-405c-aa0d-b402ebb7b4dc_0000000000000000008,POLARIS] [,,,] (executor-thread-1) 172.18.0.1 - root [13/Oct/2025:15:21:08 +0000] "POST /api/catalog/v1/quickstart_catalog/namespaces/minio_polaris_ns/tables HTTP/1.1" 500 264

Does this PR introduce any user-facing change?

  • Yes, it introduces ignoreSSLVerification flag for S3 Storage Type Parameters

How was this patch tested?

  • Full Gradle Tests were successful
  • Updated the following tests
    • api/management-model/src/test/java/org/apache/polaris/core/admin/model/CatalogSerializationTest.java
    • runtime/service/src/test/java/org/apache/polaris/service/admin/ManagementServiceTest.java
  • Added following tests
    • runtime/service/src/test/java/org/apache/polaris/service/catalog/io/s3/ReflectionS3ClientInjectorConfigTest.java
    • runtime/service/src/test/java/org/apache/polaris/service/catalog/io/s3/ReflectionS3ClientInjectorTest.java
  • Create Table Rest API is successful
curl --location 'http://localhost:8181/api/catalog/v1/quickstart_catalog/namespaces/minio_polaris_ns/tables' \
-H "Authorization: Bearer $TOKEN" \
-H 'Content-Type: application/json' \
-H 'Polaris-Realm: POLARIS' \
--data '{
 "name": "minio_polaris_ns_table01",
 "schema": {
 "type": "struct",
 "fields": [
 {
 "id": 0,
 "name": "id",
 "type": "string",
 "required": true,
 "doc": "car model"
 },
 {
 "id": 1,
 "name": "first_name",
 "type": "string",
 "required": true,
 "doc": "first name"
 }
 ]
 }
}' | jq
 % Total % Received % Xferd Average Speed Time Time Time Current
 Dload Upload Total Spent Left Speed
100 1454 100 1073 100 381 863 306 0:00:01 0:00:01 --:--:-- 1170
{
 "metadata-location": "s3://bucket123/minio_polaris_ns/minio_polaris_ns_table01/metadata/00000-6e118173-519e-401c-87ea-549eb70b939e.metadata.json",
 "metadata": {
 "format-version": 2,
 "table-uuid": "29f5d242-8bab-4052-be02-4313b4ec6a31",
 "location": "s3://bucket123/minio_polaris_ns/minio_polaris_ns_table01",
 "last-sequence-number": 0,
 "last-updated-ms": 1760372568321,
 "last-column-id": 2,
 "current-schema-id": 0,
 "schemas": [
 {
 "type": "struct",
 "schema-id": 0,
 "fields": [
 {
 "id": 1,
 "name": "id",
 "required": true,
 "type": "string",
 "doc": "car model"
 },
 {
 "id": 2,
 "name": "first_name",
 "required": true,
 "type": "string",
 "doc": "first name"
 }
 ]
 }
 ],
 "default-spec-id": 0,
 "partition-specs": [
 {
 "spec-id": 0,
 "fields": []
 }
 ],
 "last-partition-id": 999,
 "default-sort-order-id": 0,
 "sort-orders": [
 {
 "order-id": 0,
 "fields": []
 }
 ],
 "properties": {
 "created-at": "2025-10-13T16:22:48.289344333Z",
 "write.parquet.compression-codec": "zstd"
 },
 "current-snapshot-id": -1,
 "refs": {},
 "snapshots": [],
 "statistics": [],
 "partition-statistics": [],
 "snapshot-log": [],
 "metadata-log": []
 },
 "config": {
 "s3.path-style-access": "true",
 "s3.endpoint": "https://localhost:9000"
 }
}
polaris-1 | 2025-10-13 16:22:16,633 INFO [io.qua.htt.access-log] [02f56580-8e05-4dcd-a818-636533aafecd_0000000000000000004,POLARIS] [,,,] (executor-thread-1) 172.18.0.1 - - [13/Oct/2025:16:22:16 +0000] "POST /api/catalog/v1/oauth/tokens HTTP/1.1" 200 757
polaris-1 | 2025-10-13 16:22:25,631 INFO [org.apa.pol.ser.cat.ice.IcebergCatalogHandler] [02f56580-8e05-4dcd-a818-636533aafecd_0000000000000000005,POLARIS] [,,,] (executor-thread-1) Initializing non-federated catalog
polaris-1 | 2025-10-13 16:22:25,676 INFO [io.qua.htt.access-log] [02f56580-8e05-4dcd-a818-636533aafecd_0000000000000000005,POLARIS] [,,,] (executor-thread-1) 172.18.0.1 - root [13/Oct/2025:16:22:25 +0000] "POST /api/catalog/v1/quickstart_catalog/namespaces/ HTTP/1.1" 200 95
polaris-1 | 2025-10-13 16:22:48,284 INFO [org.apa.pol.ser.cat.ice.IcebergCatalogHandler] [02f56580-8e05-4dcd-a818-636533aafecd_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Initializing non-federated catalog
polaris-1 | 2025-10-13 16:22:48,293 INFO [org.apa.ice.BaseMetastoreCatalog] [02f56580-8e05-4dcd-a818-636533aafecd_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Table properties set at catalog level through catalog properties: {}
polaris-1 | 2025-10-13 16:22:48,296 INFO [org.apa.ice.BaseMetastoreCatalog] [02f56580-8e05-4dcd-a818-636533aafecd_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Table properties enforced at catalog level through catalog properties: {}
polaris-1 | 2025-10-13 16:22:48,501 WARN [org.apa.pol.ser.con.ServiceProducers] [02f56580-8e05-4dcd-a818-636533aafecd_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Creating HTTP client with SSL certificate verification disabled. Use only in development!
polaris-1 | 2025-10-13 16:22:48,586 INFO [org.apa.ice.CatalogUtil] [02f56580-8e05-4dcd-a818-636533aafecd_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Loading custom FileIO implementation: org.apache.iceberg.aws.s3.S3FileIO
polaris-1 | 2025-10-13 16:22:49,010 INFO [org.apa.pol.ser.cat.io.DefaultFileIOFactory] [02f56580-8e05-4dcd-a818-636533aafecd_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Injected SerializableSupplier for insecure S3 client into Iceberg S3FileIO for ioImpl=org.apache.iceberg.aws.s3.S3FileIO
polaris-1 | 2025-10-13 16:22:49,478 INFO [org.apa.pol.ser.cat.ice.IcebergCatalog] [02f56580-8e05-4dcd-a818-636533aafecd_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Successfully committed to table quickstart_catalog.minio_polaris_ns.minio_polaris_ns_table01 in 1151 ms
polaris-1 | 2025-10-13 16:22:49,495 INFO [io.qua.htt.access-log] [02f56580-8e05-4dcd-a818-636533aafecd_0000000000000000006,POLARIS] [,,,] (executor-thread-1) 172.18.0.1 - root [13/Oct/2025:16:22:49 +0000] "POST /api/catalog/v1/quickstart_catalog/namespaces/minio_polaris_ns/tables HTTP/1.1" 200 1073

CHANGELOG.md

fcc779b Ignore SSL Verification
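
An added example (not part of the pull request or the Polaris code base): a Python scanner that finds requests in which an HTTP client was created with certificate verification disabled, keyed on the WARN message shown in the logs above, and joins each one to its access-log entry so the principal, endpoint and outcome are visible. The sample lines are constructed from the logs on this page with request ids shortened; the function and field names are hypothetical.

```python
import re
from dataclasses import dataclass

# Console layout as it appears in the logs above:
#   <container> | <date> <time> <LEVEL> [<logger>] [<request-id>,<realm>] [...] (<thread>) <message>
LINE_RE = re.compile(
    r"^(?:\S+\s*\|\s*)?"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\]\s+"
    r"\[(?P<req>[^,\]]*),(?P<realm>[^\]]*)\]\s+\[[^\]]*\]\s+"
    r"\((?P<thread>[^)]*)\)\s+(?P<msg>.*)$"
)
# Message part of an access-log line: <ip> - <user> [<time>] "<METHOD> <path> <proto>" <status> <bytes>
ACCESS_RE = re.compile(
    r'^\S+ - (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b'
)
INSECURE_MARKER = "SSL certificate verification disabled"  # WARN text taken from the page
PKIX_MARKER = "PKIX path building failed"                  # error text taken from the page


@dataclass
class Finding:
    request_id: str
    realm: str
    first_seen: str
    principal: str = "?"
    method: str = "?"
    path: str = "?"
    status: int = 0
    pkix_failure: bool = False  # True if some client in the same request still rejected the cert


def find_insecure_tls_requests(lines):
    """Return one Finding per request id that logged the insecure-client warning."""
    findings, access, pkix = {}, {}, set()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or not m["req"]:
            continue  # stack-trace frames and lines without a request id
        req, msg = m["req"], m["msg"]
        if INSECURE_MARKER in msg:
            findings.setdefault(req, Finding(req, m["realm"], m["ts"]))
        if PKIX_MARKER in msg:
            pkix.add(req)
        if m["logger"].endswith("access-log"):
            a = ACCESS_RE.match(msg)
            if a:
                access[req] = a
    # Join after the full pass so line order within a request does not matter.
    for req, f in findings.items():
        f.pkix_failure = req in pkix
        a = access.get(req)
        if a:
            f.principal, f.method, f.path = a["user"], a["method"], a["path"]
            f.status = int(a["status"])
    return list(findings.values())


# Constructed sample: modelled on the log lines on this page, request ids shortened.
SAMPLE_LOG = """\
polaris-1 | 2025-10-13 15:20:52,403 INFO [io.qua.htt.access-log] [req-0007,POLARIS] [,,,] (executor-thread-1) 172.18.0.1 - root [13/Oct/2025:15:20:52 +0000] "GET /api/catalog/v1/quickstart_catalog/namespaces HTTP/1.1" 200 60
polaris-1 | 2025-10-13 15:21:05,717 WARN [org.apa.pol.ser.con.ServiceProducers] [req-0008,POLARIS] [,,,] (executor-thread-1) Creating HTTP client with SSL certificate verification disabled. Use only in development!
polaris-1 | 2025-10-13 15:21:08,723 INFO [org.apa.pol.ser.exc.IcebergExceptionMapper] [req-0008,POLARIS] [,,,] (executor-thread-1) Handling runtimeException Unable to execute HTTP request: PKIX path building failed
polaris-1 | at java.base/java.lang.Thread.run(Thread.java:1583)
polaris-1 | 2025-10-13 15:21:08,739 INFO [io.qua.htt.access-log] [req-0008,POLARIS] [,,,] (executor-thread-1) 172.18.0.1 - root [13/Oct/2025:15:21:08 +0000] "POST /api/catalog/v1/quickstart_catalog/namespaces/minio_polaris_ns/tables HTTP/1.1" 500 264
polaris-1 | 2025-10-13 16:22:16,633 INFO [io.qua.htt.access-log] [req-0004,POLARIS] [,,,] (executor-thread-1) 172.18.0.1 - - [13/Oct/2025:16:22:16 +0000] "POST /api/catalog/v1/oauth/tokens HTTP/1.1" 200 757
polaris-1 | 2025-10-13 16:22:48,501 WARN [org.apa.pol.ser.con.ServiceProducers] [req-0006,POLARIS] [,,,] (executor-thread-1) Creating HTTP client with SSL certificate verification disabled. Use only in development!
polaris-1 | 2025-10-13 16:22:49,495 INFO [io.qua.htt.access-log] [req-0006,POLARIS] [,,,] (executor-thread-1) 172.18.0.1 - root [13/Oct/2025:16:22:49 +0000] "POST /api/catalog/v1/quickstart_catalog/namespaces/minio_polaris_ns/tables HTTP/1.1" 200 1073
""".splitlines()

if __name__ == "__main__":
    for f in find_insecure_tls_requests(SAMPLE_LOG):
        print(f"{f.first_seen} realm={f.realm} principal={f.principal} "
              f"{f.method} {f.path} -> {f.status} pkix_failure={f.pkix_failure}")
```

A finding with `pkix_failure` set corresponds to the first run above, where the warning was logged but another client in the same request still validated the certificate.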

Contributor

@dimas-b dimas-b left a comment

Thanks for your contribution, @rohangoli ! Some preliminary comments below.

WARNING: This should only be used for development and testing environments with self-signed certificates.
Disabling SSL verification in production environments compromises security.
example: false
default: false
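
Review bot: the development-only restriction in this description is documentation only; with `default: false` beside it, the property remains an ordinary boolean that anyone able to set these storage parameters can flip to true on any deployment. Consider having the server reject or ignore a true value unless the operator has enabled it in server-side configuration, so that the warning is enforced rather than advisory.
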
Contributor

I'd prefer to avoid an explicit default here. Having a default value in this YAML will cause all clients to receive it in REST API responses. On the other hand this property is not likely to be used in many cases.

We should certainly implement the change such that false is the default behaviour, but I believe it would be preferable to avoid declaring it here as an Open API default (so that clients will not receive this property at all, unless it is set explicitly).

Ignore this comment if you're moving the flag to FeatureConfiguration.

type: boolean
description: >-
Whether SSL certificate verification should be disabled for STS and S3 endpoints (optional).
WARNING: This should only be used for development and testing environments with self-signed certificates.
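Review bot: The description stops at the WARNING line and never says what is exposed when verification is off. Since it names STS and S3 endpoints, spell out that storage credentials and table data sent to those endpoints can be intercepted by anyone able to impersonate them, and state whether the setting applies per catalog or server-wide, so an operator reading only the API spec can judge the risk.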

If the intention is to support dev / test environments only, I believe it would be preferable to have this flag in FeatureConfiguration as opposed to catalog properties.

@rohangoli rohangoli Oct 16, 2025

Thanks for the review! I thought it would be useful if it can be configurable via dockerfile.

Let me update the code to use ignoreSSLVerification under Feature Configuration!

docker/helm can set flags in FeatureConfiguration (e.g. via env. variables)

@snazy snazy left a comment

I think the whole reflection stuff is not needed.

You can test for the S3FileIO class name early in DefaultFileIOFactory.loadFileIOInternal(). If that test yields true, construct it directly via o.a.i.aws.s3.S3FileIO#S3FileIO(o.a.i.util.SerializableSupplier<software.amazon.awssdk.services.s3.S3Client>, o.a.i.util.SerializableSupplier<software.amazon.awssdk.services.s3.S3AsyncClient>) and initialize S3FileIO manually (do what CatalogUtil.loadFileIO() does).

I'd also prefer to not eagerly build the S3Client+S3AsyncClient but only when Supplier.get() is called.

"Blind trust" isn't really great, and it would be much safer to guard the ability to do this via a global option and check it in ProductionReadinessChecks#checkInsecureStorageSettings.

The even better approach would be a change in Iceberg, to configure the SdkHttpConfigurationOption#TRUST_ALL_CERTIFICATES option.

A much safer option than blindly trusting all certificates is to allow configuring custom key and trust stores via ApacheHttpClient.Builder.tlsTrustManagersProvider()/.tlsKeyManagersProvider().

I'd avoid recommending users to configure the global Java key/trust stores, because other external systems (backend database, other object stores) would be affected by such a change.
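The trust-store approach suggested in the review above, as an added example (not code from this PR or from Polaris): an S3 client that trusts only the CA in one PEM file and is built on the first `get()` call, leaving the JVM-wide trust store alone. The class name, the PEM path and endpoint parameters, and the fixed region are assumptions; it uses a plain `java.util.function.Supplier` and the SDK's default credentials chain.

```java
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.util.function.Supplier;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import software.amazon.awssdk.http.apache.ApacheHttpClient;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;

/** Hypothetical helper: an S3 client that trusts only the CA found in one PEM file. */
public final class PinnedCaS3ClientSupplier implements Supplier<S3Client> {
  private final Path caPem;   // assumption: PEM file holding the storage endpoint's CA
  private final URI endpoint; // assumption: HTTPS endpoint of the S3-compatible store
  private S3Client client;    // created lazily, on the first get()

  public PinnedCaS3ClientSupplier(Path caPem, URI endpoint) {
    this.caPem = caPem;
    this.endpoint = endpoint;
  }

  static TrustManager[] trustManagersFor(Path caPem) throws Exception {
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    ks.load(null, null); // empty in-memory store; the global Java trust store is untouched
    try (var in = Files.newInputStream(caPem)) {
      ks.setCertificateEntry("storage-ca", CertificateFactory.getInstance("X.509").generateCertificate(in));
    }
    var tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ks); // chain validation still runs, against this one CA only
    return tmf.getTrustManagers();
  }

  @Override
  public synchronized S3Client get() {
    if (client == null) {
      try {
        TrustManager[] tms = trustManagersFor(caPem);
        var http = ApacheHttpClient.builder().tlsTrustManagersProvider(() -> tms).build();
        client = S3Client.builder().httpClient(http).endpointOverride(endpoint)
            .region(Region.US_EAST_1).build(); // region is a placeholder for the example
      } catch (Exception e) {
        throw new IllegalStateException("cannot build S3 client for " + endpoint, e);
      }
    }
    return client;
  }
}
```

A certificate that does not chain to the pinned CA still fails the handshake with the same PKIX error shown at the top of the PR, which is the property a trust-all client gives up.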

*/
public SdkHttpClient createInsecureHttpClient(S3AccessConfig config) {
try {
SSLContext sslContext =
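Review bot: createInsecureHttpClient is declared public and its visible signature takes only S3AccessConfig, so nothing in the signature ties a call to the opt-in setting. Consider narrowing the visibility, checking the setting inside the method so a client that skips certificate checks cannot be obtained by accident, and logging at WARN each time one is built.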

software.amazon.awssdk.http.SdkHttpConfigurationOption#TRUST_ALL_CERTIFICATES seems to be a simpler way.

Comment on lines +263 to +270
// Apply configuration options
config.maxHttpConnections().ifPresent(httpClient::maxConnections);
config.readTimeout().ifPresent(httpClient::socketTimeout);
config.connectTimeout().ifPresent(httpClient::connectionTimeout);
config.connectionAcquisitionTimeout().ifPresent(httpClient::connectionAcquisitionTimeout);
config.connectionMaxIdleTime().ifPresent(httpClient::connectionMaxIdleTime);
config.connectionTimeToLive().ifPresent(httpClient::connectionTimeToLive);
config.expectContinueEnabled().ifPresent(httpClient::expectContinueEnabled);

Looks like this is duplicated code, which can be shared w/ sdkHttpClient?
