Skip to content

Move Iceberg request.validate() to the REST adapter#4423

Open
flyrain wants to merge 1 commit into
apache:mainfrom
flyrain:move-validate
Open

Move Iceberg request.validate() to the REST adapter#4423
flyrain wants to merge 1 commit into
apache:mainfrom
flyrain:move-validate

Conversation

@flyrain
Copy link
Copy Markdown
Contributor

@flyrain flyrain commented May 13, 2026
edited
Loading

Why do we need this change:

  1. Validate before authorize. Request validation (well-formedness) is cheap; authorization is expensive (entity
    resolution, role/grant checks). Doing validate first means malformed requests don't burn auth work. Also gives clearer errors: a user sending a bad payload now gets "invalid request," not "forbidden."
  2. One validation point per endpoint, regardless of branching. createTable was the clearest case: validation lived in both createTableDirect and stageTableCreateHelper because the handler branches on stageCreate. The adapter doesn't branch yet, so validating once at the top covers both paths and removes the duplication. Same shape for the other three endpoints. validation now lives at the boundary, not inside util methods that may be called from multiple places.
  3. Layering. Request schema validation is a REST-boundary concern; the handler should assume requests are well-formed and focus on auth + catalog logic. The new layout reflects that.

Checklist

  • 🛡️ Don't disclose security issues! (contact security@apache.org)
  • 🔗 Clearly explained why the changes are needed, or linked related issues: Fixes #
  • 🧪 Added/updated tests with good coverage, or manually tested (and explained how)
  • 💡 Added comments for complex logic
  • 🧾 Updated CHANGELOG.md (if needed)
  • 📚 Updated documentation in site/content/in-dev/unreleased (if needed)

Move Iceberg request.validate() to the REST adapter
303cc7e 
Run request.validate() once at the top of IcebergCatalogAdapter
methods (createTable, updateProperties, registerTable, createView)
instead of inside the handler/util layer. Validation now happens
before authorization, which is cheaper and gives clearer errors for
malformed payloads. Also collapses two validate() calls in the
createTable flow (direct + staged paths) into one at the boundary.
@github-project-automation github-project-automation Bot moved this to PRs In Progress in Basic Kanban Board May 13, 2026
@jbonofre jbonofre self-requested a review May 13, 2026 05:54
@github-project-automation github-project-automation Bot moved this from PRs In Progress to Ready to merge in Basic Kanban Board May 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dimas-b dimas-b dimas-b approved these changes

@jbonofre jbonofre Awaiting requested review from jbonofre

@adutra adutra Awaiting requested review from adutra

@MonkeyCanCode MonkeyCanCode Awaiting requested review from MonkeyCanCode

@singhpk234 singhpk234 Awaiting requested review from singhpk234

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@flyrain @dimas-b