I've had some issues with a federated (a.k.a catalog) in Polaris connecting to GCP so I raised this ticket outlining the problem
Having a bit of time to implement it, I've raised a PR. The first thing I had to do was get familiar with:
The Polaris Architecture
redocly bundle spec/polaris-catalog-service.yaml -o spec/generated/bundled-polaris-catalog-service.yaml
brings all the YML together and
The reason for doing it this way is to generate both Python (with make client-regenerate) and Java (with ./gradlew :polaris-api-management-model:openApiGenerate) that are in lockstep with the spec.
So, the DTOs are auto generated but the DPOs are hand coded. This is because they are internal whereas DTOs are client facing and that client could be Java, Python or something else.
After making the change, then it's:
./gradlew assemble -x test && ./gradlew publishToMavenLocal -x test
to push it to the awaiting code in my project.
Git
Then as I make my changes, I keep pulling from original repo with:
git pull https://github.com/apache/polaris.git main --rebase
The --rebase at the end is saying "make my branch exactly the same as the original repo then add my deltas on to it at the end of its history."
git pull https://github.com/apache/polaris.git main --rebase
The --rebase at the end is saying "make my branch exactly the same as the original repo then add my deltas on to it at the end of its history."
Following the Polaris instructions, I noticedthat my origin was the Polaris Git repo (see this with git remote -v).I actually found it easier to run:
git remote set-url origin https://github.com/PhillHenry/polaris.git
git remote add upstream https://github.com/apache/polaris
git push --force-with-lease origin 3451_federated_google_auth # this is the branch
to push my changes (and any from Apache) to my own branch.
Now, with:
$ git remote -v
origin https://github.com/PhillHenry/polaris.git (fetch)
origin https://github.com/PhillHenry/polaris.git (push)
upstream https://github.com/apache/polaris (fetch)
upstream https://github.com/apache/polaris (push)
I can keep my repo in synch with the original and ensure that my changes are always the last commits in the history with:
git fetch upstream
git fetch origin
git rebase upstream/main
as rebase flattens the history graph and rewrites the hash of commits (not the commits themselves).
To squash the commits, run:
git config --global core.editor "vim" # I prefer vim to emacs
git rebase -i HASH_OF_LAST_COMMIT_THAT_IS_NOT_YOURS
git rebase -i HASH_OF_LAST_COMMIT_THAT_IS_NOT_YOURS
then edit the file such that the top line starts with pick and the subsequent list of commits begin with squash. Save it then you'll be prompted to write another file. Put the final, informative comment here. Save it too then push.
If you get into a pickle,
git reset --hard
rm -fr ".git/rebase-merge"
gets you back to where you were.
Once you're happy
Don't forget to
./gradlew spotlessApply
Note, this will change the files on disk. Also, run:
./gradlew build -x rat
For my 24 core Intel Ultra 9 185H:
BUILD SUCCESSFUL in 23m 52s
so, I don't want to do this too often...
Debugging
Polaris is heavily dependent on Quarkus which was throwing an HTTP 400 according to the logs but gave no further information. So, it's good at this point to put a breakpoint in org.jboss.resteasy.reactive.server.handlers.RequestDeserializeHandler as I suspected that it was related to my new DTOs.
Google
Google by default stops an account from impersonating itself.
So, to mitigate this in my integration tests, I've created two service accounts - one that my Polaris always runs as and the second to pretend to be the account that manages access to the external catalog. You get the Polaris SA to impersonate the external SA with:
gcloud iam service-accounts add-iam-policy-binding EXTERNAL_SA@PROJECT_ID.iam.gserviceaccount.com --member="serviceAccount:POLARIS_SA@PROJECT_ID.iam.gserviceaccount.com" --role="roles/iam.serviceAccountTokenCreator"
An unexpected regression
Almost there, I came across this unexpected error:
2026-02-09 09:38:11,924 ERROR [io.qua.ver.htt.run.QuarkusErrorHandler] ... java.lang.NoClassDefFoundError: Could not initialize class com.google.cloud.iam.credentials.v1.stub.GrpcIamCredentialsStub
at com.google.cloud.iam.credentials.v1.stub.IamCredentialsStubSettings.createStub(IamCredentialsStubSettings.java:145)
The error was deep in some class initialization so I added this code:
try {
ProtoUtils.marshaller(GenerateAccessTokenRequest.getDefaultInstance());
} catch (Throwable t) {
t.getCause().printStackTrace();
LOGGER.error( "Failed to create IAM credentials stub", t);
}
which gave:
Caused by: com.google.protobuf.RuntimeVersion$ProtobufRuntimeVersionException: Detected incompatible Protobuf Gencode/Runtime versions when loading GenerateAccessTokenRequest: gencode 4.33.2, runtime 4.32.1. Runtime version cannot be older than the linked gencode version.
at com.google.protobuf.RuntimeVersion.validateProtobufGencodeVersionImpl(RuntimeVersion.java:120)
at com.google.protobuf.RuntimeVersion.validateProtobufGencodeVersion(RuntimeVersion.java:68)
at com.google.cloud.iam.credentials.v1.GenerateAccessTokenRequest.<clinit>(GenerateAccessTokenRequest.java:32)
... 77 more
com.google.protobuf.RuntimeVersion$ProtobufRuntimeVersionException: Detected incompatible Protobuf Gencode/Runtime versions when loading GenerateAccessTokenRequest: gencode 4.33.2, runtime 4.32.1. Runtime version cannot be older than the linked gencode version.
at com.google.protobuf.RuntimeVersion.validateProtobufGencodeVersionImpl(RuntimeVersion.java:120)
at com.google.protobuf.RuntimeVersion.validateProtobufGencodeVersion(RuntimeVersion.java:68)
at com.google.cloud.iam.credentials.v1.GenerateAccessTokenRequest.<clinit>(GenerateAccessTokenRequest.java:32)
at org.apache.polaris.core.storage.gcp.GcpCredentialsStorageIntegration.createIamCredentialsClient(GcpCredentialsStorageIntegration.java:287)
Urgh. It appears that GenerateAccessTokenRequest (which is itself @com.google.protobuf.Generated) in JAR proto-google-cloud-iamcredentials-v1:2.83.0 says in its static initializer that it is associated with protobuf version 4.33.2. Meanwhile, RuntimeVersion in JAR protobuf-java:4.32.1 checks this against itself and obviously fails it.
No comments:
Post a Comment