
Conversation

@rohangoli rohangoli commented Oct 13, 2025

What changes were proposed in this pull request?

Why are the changes needed?

  • Unable to create table with HTTPS (self-signed certificates)
curl --location 'http://localhost:8181/api/catalog/v1/quickstart_catalog/namespaces/minio_polaris_ns/tables' \
-H "Authorization: Bearer $TOKEN" \
-H 'Content-Type: application/json' \
-H 'Polaris-Realm: POLARIS' \
--data '{
  "name": "minio_polaris_ns_table01",
  "schema": {
    "type": "struct",
    "fields": [
      {
        "id": 0,
        "name": "id",
        "type": "string",
        "required": true,
        "doc": "car model"
      },
      {
        "id": 1,
        "name": "first_name",
        "type": "string",
        "required": true,
        "doc": "first name"
      }
    ]
  }
}' | jq

{
  "error": {
    "message": "Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (SDK Attempt Count: 6)",
    "type": "SdkClientException",
    "code": 500
  }
}

Polaris Logs:

polaris-1        | 2025-10-13 15:20:52,403 INFO  [io.qua.htt.access-log] [a97e3793-1931-405c-aa0d-b402ebb7b4dc_0000000000000000007,POLARIS] [,,,] (executor-thread-1) 172.18.0.1 - root [13/Oct/2025:15:20:52 +0000] "GET /api/catalog/v1/quickstart_catalog/namespaces HTTP/1.1" 200 60
polaris-1        | 2025-10-13 15:21:05,522 INFO  [org.apa.pol.ser.cat.ice.IcebergCatalogHandler] [a97e3793-1931-405c-aa0d-b402ebb7b4dc_0000000000000000008,POLARIS] [,,,] (executor-thread-1) Initializing non-federated catalog
polaris-1        | 2025-10-13 15:21:05,530 INFO  [org.apa.ice.BaseMetastoreCatalog] [a97e3793-1931-405c-aa0d-b402ebb7b4dc_0000000000000000008,POLARIS] [,,,] (executor-thread-1) Table properties set at catalog level through catalog properties: {}
polaris-1        | 2025-10-13 15:21:05,533 INFO  [org.apa.ice.BaseMetastoreCatalog] [a97e3793-1931-405c-aa0d-b402ebb7b4dc_0000000000000000008,POLARIS] [,,,] (executor-thread-1) Table properties enforced at catalog level through catalog properties: {}
polaris-1        | 2025-10-13 15:21:05,717 WARN  [org.apa.pol.ser.con.ServiceProducers] [a97e3793-1931-405c-aa0d-b402ebb7b4dc_0000000000000000008,POLARIS] [,,,] (executor-thread-1) Creating HTTP client with SSL certificate verification disabled. Use only in development!
polaris-1        | 2025-10-13 15:21:05,791 INFO  [org.apa.ice.CatalogUtil] [a97e3793-1931-405c-aa0d-b402ebb7b4dc_0000000000000000008,POLARIS] [,,,] (executor-thread-1) Loading custom FileIO implementation: org.apache.iceberg.aws.s3.S3FileIO
polaris-1        | 2025-10-13 15:21:06,177 INFO  [org.apa.pol.ser.cat.io.s3.ReflectionS3ClientInjector] [a97e3793-1931-405c-aa0d-b402ebb7b4dc_0000000000000000008,POLARIS] [,,,] (executor-thread-1) Successfully injected S3Client into org.apache.iceberg.aws.s3.S3FileIO
polaris-1        | 2025-10-13 15:21:06,178 INFO  [org.apa.pol.ser.cat.io.DefaultFileIOFactory] [a97e3793-1931-405c-aa0d-b402ebb7b4dc_0000000000000000008,POLARIS] [,,,] (executor-thread-1) Injected insecure S3Client into Iceberg S3FileIO for ioImpl=org.apache.iceberg.aws.s3.S3FileIO
polaris-1        | 2025-10-13 15:21:08,723 INFO  [org.apa.pol.ser.exc.IcebergExceptionMapper] [a97e3793-1931-405c-aa0d-b402ebb7b4dc_0000000000000000008,POLARIS] [,,,] (executor-thread-1) Handling runtimeException Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (SDK Attempt Count: 6)
polaris-1        | 2025-10-13 15:21:08,733 ERROR [org.apa.pol.ser.exc.IcebergExceptionMapper] [a97e3793-1931-405c-aa0d-b402ebb7b4dc_0000000000000000008,POLARIS] [,,,] (executor-thread-1) Unhandled exception returning INTERNAL_SERVER_ERROR: software.amazon.awssdk.core.exception.SdkClientException: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (SDK Attempt Count: 6)
polaris-1        |      at software.amazon.awssdk.core.exception.SdkClientException$BuilderImpl.build(SdkClientException.java:130)
polaris-1        |      at software.amazon.awssdk.core.exception.SdkClientException$BuilderImpl.build(SdkClientException.java:95)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.stages.utils.RetryableStageHelper.retryPolicyDisallowedRetryException(RetryableStageHelper.java:168)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.stages.RetryableStage.execute(RetryableStage.java:73)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.stages.RetryableStage.execute(RetryableStage.java:36)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206)
polaris-1        |      at software.amazon.awssdk.core.internal.http.StreamManagingStage.execute(StreamManagingStage.java:53)
polaris-1        |      at software.amazon.awssdk.core.internal.http.StreamManagingStage.execute(StreamManagingStage.java:35)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallTimeoutTrackingStage.executeWithTimer(ApiCallTimeoutTrackingStage.java:82)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallTimeoutTrackingStage.execute(ApiCallTimeoutTrackingStage.java:62)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallTimeoutTrackingStage.execute(ApiCallTimeoutTrackingStage.java:43)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallMetricCollectionStage.execute(ApiCallMetricCollectionStage.java:50)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallMetricCollectionStage.execute(ApiCallMetricCollectionStage.java:32)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.stages.ExecutionFailureExceptionReportingStage.execute(ExecutionFailureExceptionReportingStage.java:37)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.stages.ExecutionFailureExceptionReportingStage.execute(ExecutionFailureExceptionReportingStage.java:26)
polaris-1        |      at software.amazon.awssdk.core.internal.http.AmazonSyncHttpClient$RequestExecutionBuilderImpl.execute(AmazonSyncHttpClient.java:210)
polaris-1        |      at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.invoke(BaseSyncClientHandler.java:103)
polaris-1        |      at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.doExecute(BaseSyncClientHandler.java:173)
polaris-1        |      at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.lambda$execute$1(BaseSyncClientHandler.java:80)
polaris-1        |      at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.measureApiCallSuccess(BaseSyncClientHandler.java:182)
polaris-1        |      at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:74)
polaris-1        |      at software.amazon.awssdk.core.client.handler.SdkSyncClientHandler.execute(SdkSyncClientHandler.java:45)
polaris-1        |      at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.execute(AwsSyncClientHandler.java:53)
polaris-1        |      at software.amazon.awssdk.services.s3.DefaultS3Client.putObject(DefaultS3Client.java:11883)
polaris-1        |      at org.apache.iceberg.aws.s3.S3OutputStream.completeUploads(S3OutputStream.java:443)
polaris-1        |      at org.apache.iceberg.aws.s3.S3OutputStream.close(S3OutputStream.java:269)
polaris-1        |      at org.apache.iceberg.aws.s3.S3OutputStream.close(S3OutputStream.java:255)
polaris-1        |      at java.base/sun.nio.cs.StreamEncoder.implClose(StreamEncoder.java:435)
polaris-1        |      at java.base/sun.nio.cs.StreamEncoder.lockedClose(StreamEncoder.java:237)
polaris-1        |      at java.base/sun.nio.cs.StreamEncoder.close(StreamEncoder.java:222)
polaris-1        |      at java.base/java.io.OutputStreamWriter.close(OutputStreamWriter.java:266)
polaris-1        |      at org.apache.iceberg.TableMetadataParser.internalWrite(TableMetadataParser.java:135)
polaris-1        |      at org.apache.iceberg.TableMetadataParser.overwrite(TableMetadataParser.java:119)
polaris-1        |      at org.apache.polaris.service.catalog.iceberg.IcebergCatalog$BasePolarisTableOperations.writeNewMetadata(IcebergCatalog.java:1647)
polaris-1        |      at org.apache.polaris.service.catalog.iceberg.IcebergCatalog$BasePolarisTableOperations.writeNewMetadataIfRequired(IcebergCatalog.java:1636)
polaris-1        |      at org.apache.polaris.service.catalog.iceberg.IcebergCatalog$BasePolarisTableOperations.doCommit(IcebergCatalog.java:1505)
polaris-1        |      at org.apache.polaris.service.catalog.iceberg.IcebergCatalog$BasePolarisTableOperations.commit(IcebergCatalog.java:1356)
polaris-1        |      at org.apache.iceberg.BaseMetastoreCatalog$BaseMetastoreCatalogTableBuilder.create(BaseMetastoreCatalog.java:201)
polaris-1        |      at org.apache.polaris.service.catalog.iceberg.IcebergCatalogHandler.createTableDirect(IcebergCatalogHandler.java:456)
polaris-1        |      at org.apache.polaris.service.catalog.iceberg.IcebergCatalogAdapter.lambda$createTable$6(IcebergCatalogAdapter.java:394)
polaris-1        |      at org.apache.polaris.service.catalog.iceberg.IcebergCatalogAdapter.withCatalog(IcebergCatalogAdapter.java:209)
polaris-1        |      at org.apache.polaris.service.catalog.iceberg.IcebergCatalogAdapter.createTable(IcebergCatalogAdapter.java:378)
polaris-1        |      at org.apache.polaris.service.catalog.iceberg.IcebergCatalogAdapter_Subclass.createTable$$superforward(Unknown Source)
polaris-1        |      at org.apache.polaris.service.catalog.iceberg.IcebergRestCatalogEventServiceDelegator_Gj_WCptqTcdHu-fbZfgVkAwPXCI_Delegate_Subclass.createTable(Unknown Source)
polaris-1        |      at org.apache.polaris.service.catalog.iceberg.IcebergRestCatalogEventServiceDelegator.createTable(IcebergRestCatalogEventServiceDelegator.java:217)
polaris-1        |      at org.apache.polaris.service.catalog.iceberg.IcebergCatalogAdapter_Subclass.createTable(Unknown Source)
polaris-1        |      at org.apache.polaris.service.catalog.iceberg.IcebergCatalogAdapter_ClientProxy.createTable(Unknown Source)
polaris-1        |      at org.apache.polaris.service.catalog.api.IcebergRestCatalogApi.createTable(IcebergRestCatalogApi.java:193)
polaris-1        |      at org.apache.polaris.service.catalog.api.IcebergRestCatalogApi_Subclass.createTable$$superforward(Unknown Source)
polaris-1        |      at org.apache.polaris.service.catalog.api.IcebergRestCatalogApi_Subclass$$function$$3.apply(Unknown Source)
polaris-1        |      at io.quarkus.arc.impl.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:73)
polaris-1        |      at io.quarkus.arc.impl.AroundInvokeInvocationContext$NextAroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:97)
polaris-1        |      at io.smallrye.faulttolerance.FaultToleranceInterceptor.lambda$syncFlow$8(FaultToleranceInterceptor.java:364)
polaris-1        |      at io.smallrye.faulttolerance.core.Future.from(Future.java:85)
polaris-1        |      at io.smallrye.faulttolerance.FaultToleranceInterceptor.lambda$syncFlow$9(FaultToleranceInterceptor.java:364)
polaris-1        |      at io.smallrye.faulttolerance.core.FaultToleranceContext.call(FaultToleranceContext.java:20)
polaris-1        |      at io.smallrye.faulttolerance.core.Invocation.apply(Invocation.java:29)
polaris-1        |      at io.smallrye.faulttolerance.core.metrics.MetricsCollector.apply(MetricsCollector.java:98)
polaris-1        |      at io.smallrye.faulttolerance.FaultToleranceInterceptor.syncFlow(FaultToleranceInterceptor.java:367)
polaris-1        |      at io.smallrye.faulttolerance.FaultToleranceInterceptor.intercept(FaultToleranceInterceptor.java:205)
polaris-1        |      at io.smallrye.faulttolerance.FaultToleranceInterceptor_Bean.intercept(Unknown Source)
polaris-1        |      at io.quarkus.arc.impl.InterceptorInvocation.invoke(InterceptorInvocation.java:42)
polaris-1        |      at io.quarkus.arc.impl.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:70)
polaris-1        |      at io.quarkus.arc.impl.AroundInvokeInvocationContext$NextAroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:97)
polaris-1        |      at io.quarkus.micrometer.runtime.MicrometerTimedInterceptor.timedMethod(MicrometerTimedInterceptor.java:79)
polaris-1        |      at io.quarkus.micrometer.runtime.MicrometerTimedInterceptor_Bean.intercept(Unknown Source)
polaris-1        |      at io.quarkus.arc.impl.InterceptorInvocation.invoke(InterceptorInvocation.java:42)
polaris-1        |      at io.quarkus.arc.impl.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:70)
polaris-1        |      at io.quarkus.arc.impl.AroundInvokeInvocationContext$NextAroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:97)
polaris-1        |      at io.quarkus.security.runtime.interceptor.SecurityHandler.handle(SecurityHandler.java:27)
polaris-1        |      at io.quarkus.security.runtime.interceptor.RolesAllowedInterceptor.intercept(RolesAllowedInterceptor.java:29)
polaris-1        |      at io.quarkus.security.runtime.interceptor.RolesAllowedInterceptor_Bean.intercept(Unknown Source)
polaris-1        |      at io.quarkus.arc.impl.InterceptorInvocation.invoke(InterceptorInvocation.java:42)
polaris-1        |      at io.quarkus.arc.impl.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:70)
polaris-1        |      at io.quarkus.arc.impl.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:62)
polaris-1        |      at io.quarkus.resteasy.reactive.server.runtime.StandardSecurityCheckInterceptor.intercept(StandardSecurityCheckInterceptor.java:44)
polaris-1        |      at io.quarkus.resteasy.reactive.server.runtime.StandardSecurityCheckInterceptor_RolesAllowedInterceptor_Bean.intercept(Unknown Source)
polaris-1        |      at io.quarkus.arc.impl.InterceptorInvocation.invoke(InterceptorInvocation.java:42)
polaris-1        |      at io.quarkus.arc.impl.AroundInvokeInvocationContext.perform(AroundInvokeInvocationContext.java:30)
polaris-1        |      at io.quarkus.arc.impl.InvocationContexts.performAroundInvoke(InvocationContexts.java:27)
polaris-1        |      at org.apache.polaris.service.catalog.api.IcebergRestCatalogApi_Subclass.createTable(Unknown Source)
polaris-1        |      at org.apache.polaris.service.catalog.api.IcebergRestCatalogApi$quarkusrestinvoker$createTable_01f5a1bd6d7815fd3314a553161c943c8cd03101.invoke(Unknown Source)
polaris-1        |      at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
polaris-1        |      at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:183)
polaris-1        |      at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
polaris-1        |      at io.quarkus.vertx.core.runtime.VertxCoreRecorder$15.runWith(VertxCoreRecorder.java:645)
polaris-1        |      at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2651)
polaris-1        |      at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2630)
polaris-1        |      at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1622)
polaris-1        |      at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1589)
polaris-1        |      at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
polaris-1        |      at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
polaris-1        |      at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
polaris-1        |      at java.base/java.lang.Thread.run(Thread.java:1583)
polaris-1        |      Suppressed: software.amazon.awssdk.core.exception.SdkClientException: Request attempt 1 failure: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
polaris-1        |      Suppressed: software.amazon.awssdk.core.exception.SdkClientException: Request attempt 2 failure: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
polaris-1        |      Suppressed: software.amazon.awssdk.core.exception.SdkClientException: Request attempt 3 failure: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
polaris-1        |      Suppressed: software.amazon.awssdk.core.exception.SdkClientException: Request attempt 4 failure: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
polaris-1        |      Suppressed: software.amazon.awssdk.core.exception.SdkClientException: Request attempt 5 failure: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
polaris-1        | Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
polaris-1        |      at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
polaris-1        |      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:383)
polaris-1        |      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)
polaris-1        |      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
polaris-1        |      at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1327)
polaris-1        |      at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1204)
polaris-1        |      at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1147)
polaris-1        |      at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393)
polaris-1        |      at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476)
polaris-1        |      at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:447)
polaris-1        |      at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:206)
polaris-1        |      at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
polaris-1        |      at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1506)
polaris-1        |      at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421)
polaris-1        |      at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
polaris-1        |      at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
polaris-1        |      at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
polaris-1        |      at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
polaris-1        |      at software.amazon.awssdk.http.apache.internal.conn.SdkTlsSocketFactory.connectSocket(SdkTlsSocketFactory.java:63)
polaris-1        |      at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
polaris-1        |      at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
polaris-1        |      at software.amazon.awssdk.http.apache.internal.conn.ClientConnectionManagerFactory$DelegatingHttpClientConnectionManager.connect(ClientConnectionManagerFactory.java:86)
polaris-1        |      at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
polaris-1        |      at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
polaris-1        |      at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
polaris-1        |      at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
polaris-1        |      at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
polaris-1        |      at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
polaris-1        |      at software.amazon.awssdk.http.apache.internal.impl.ApacheSdkHttpClient.execute(ApacheSdkHttpClient.java:72)
polaris-1        |      at software.amazon.awssdk.http.apache.ApacheHttpClient.execute(ApacheHttpClient.java:261)
polaris-1        |      at software.amazon.awssdk.http.apache.ApacheHttpClient.access$600(ApacheHttpClient.java:106)
polaris-1        |      at software.amazon.awssdk.http.apache.ApacheHttpClient$1.call(ApacheHttpClient.java:238)
polaris-1        |      at software.amazon.awssdk.http.apache.ApacheHttpClient$1.call(ApacheHttpClient.java:235)
polaris-1        |      at software.amazon.awssdk.core.internal.util.MetricUtils.measureDurationUnsafe(MetricUtils.java:103)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.stages.MakeHttpRequestStage.executeHttpRequest(MakeHttpRequestStage.java:88)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.stages.MakeHttpRequestStage.execute(MakeHttpRequestStage.java:64)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.stages.MakeHttpRequestStage.execute(MakeHttpRequestStage.java:46)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallAttemptTimeoutTrackingStage.execute(ApiCallAttemptTimeoutTrackingStage.java:74)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallAttemptTimeoutTrackingStage.execute(ApiCallAttemptTimeoutTrackingStage.java:43)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.stages.TimeoutExceptionHandlingStage.execute(TimeoutExceptionHandlingStage.java:79)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.stages.TimeoutExceptionHandlingStage.execute(TimeoutExceptionHandlingStage.java:41)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallAttemptMetricCollectionStage.execute(ApiCallAttemptMetricCollectionStage.java:55)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallAttemptMetricCollectionStage.execute(ApiCallAttemptMetricCollectionStage.java:39)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.stages.RetryableStage.executeRequest(RetryableStage.java:93)
polaris-1        |      at software.amazon.awssdk.core.internal.http.pipeline.stages.RetryableStage.execute(RetryableStage.java:56)
polaris-1        |      ... 92 more
polaris-1        | Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
polaris-1        |      at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:388)
polaris-1        |      at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:271)
polaris-1        |      at java.base/sun.security.validator.Validator.validate(Validator.java:256)
polaris-1        |      at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:230)
polaris-1        |      at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
polaris-1        |      at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1311)
polaris-1        |      ... 136 more
polaris-1        | Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
polaris-1        |      at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
polaris-1        |      at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
polaris-1        |      at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
polaris-1        |      at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:383)
polaris-1        |      ... 141 more
polaris-1        | 
polaris-1        | 2025-10-13 15:21:08,739 INFO  [io.qua.htt.access-log] [a97e3793-1931-405c-aa0d-b402ebb7b4dc_0000000000000000008,POLARIS] [,,,] (executor-thread-1) 172.18.0.1 - root [13/Oct/2025:15:21:08 +0000] "POST /api/catalog/v1/quickstart_catalog/namespaces/minio_polaris_ns/tables HTTP/1.1" 500 264

Does this PR introduce any user-facing change?

  • Yes, it introduces an ignoreSSLVerification flag for the S3 Storage Type Parameters

How was this patch tested?

  • Full Gradle Tests were successful
  • Updated the following tests
    • api/management-model/src/test/java/org/apache/polaris/core/admin/model/CatalogSerializationTest.java
    • runtime/service/src/test/java/org/apache/polaris/service/admin/ManagementServiceTest.java
  • Added following tests
    • runtime/service/src/test/java/org/apache/polaris/service/catalog/io/s3/ReflectionS3ClientInjectorConfigTest.java
    • runtime/service/src/test/java/org/apache/polaris/service/catalog/io/s3/ReflectionS3ClientInjectorTest.java
  • Create Table REST API call is successful
curl --location 'http://localhost:8181/api/catalog/v1/quickstart_catalog/namespaces/minio_polaris_ns/tables' \
-H "Authorization: Bearer $TOKEN" \
-H 'Content-Type: application/json' \
-H 'Polaris-Realm: POLARIS' \
--data '{
  "name": "minio_polaris_ns_table01",
  "schema": {
    "type": "struct",
    "fields": [
      {
        "id": 0,
        "name": "id",
        "type": "string",
        "required": true,
        "doc": "car model"
      },
      {
        "id": 1,
        "name": "first_name",
        "type": "string",
        "required": true,
        "doc": "first name"
      }
    ]
  }
}' | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1454  100  1073  100   381    863    306  0:00:01  0:00:01 --:--:--  1170
{
  "metadata-location": "s3://bucket123/minio_polaris_ns/minio_polaris_ns_table01/metadata/00000-6e118173-519e-401c-87ea-549eb70b939e.metadata.json",
  "metadata": {
    "format-version": 2,
    "table-uuid": "29f5d242-8bab-4052-be02-4313b4ec6a31",
    "location": "s3://bucket123/minio_polaris_ns/minio_polaris_ns_table01",
    "last-sequence-number": 0,
    "last-updated-ms": 1760372568321,
    "last-column-id": 2,
    "current-schema-id": 0,
    "schemas": [
      {
        "type": "struct",
        "schema-id": 0,
        "fields": [
          {
            "id": 1,
            "name": "id",
            "required": true,
            "type": "string",
            "doc": "car model"
          },
          {
            "id": 2,
            "name": "first_name",
            "required": true,
            "type": "string",
            "doc": "first name"
          }
        ]
      }
    ],
    "default-spec-id": 0,
    "partition-specs": [
      {
        "spec-id": 0,
        "fields": []
      }
    ],
    "last-partition-id": 999,
    "default-sort-order-id": 0,
    "sort-orders": [
      {
        "order-id": 0,
        "fields": []
      }
    ],
    "properties": {
      "created-at": "2025-10-13T16:22:48.289344333Z",
      "write.parquet.compression-codec": "zstd"
    },
    "current-snapshot-id": -1,
    "refs": {},
    "snapshots": [],
    "statistics": [],
    "partition-statistics": [],
    "snapshot-log": [],
    "metadata-log": []
  },
  "config": {
    "s3.path-style-access": "true",
    "s3.endpoint": "https://localhost:9000"
  }
}
polaris-1        | 2025-10-13 16:22:16,633 INFO  [io.qua.htt.access-log] [02f56580-8e05-4dcd-a818-636533aafecd_0000000000000000004,POLARIS] [,,,] (executor-thread-1) 172.18.0.1 - - [13/Oct/2025:16:22:16 +0000] "POST /api/catalog/v1/oauth/tokens HTTP/1.1" 200 757
polaris-1        | 2025-10-13 16:22:25,631 INFO  [org.apa.pol.ser.cat.ice.IcebergCatalogHandler] [02f56580-8e05-4dcd-a818-636533aafecd_0000000000000000005,POLARIS] [,,,] (executor-thread-1) Initializing non-federated catalog
polaris-1        | 2025-10-13 16:22:25,676 INFO  [io.qua.htt.access-log] [02f56580-8e05-4dcd-a818-636533aafecd_0000000000000000005,POLARIS] [,,,] (executor-thread-1) 172.18.0.1 - root [13/Oct/2025:16:22:25 +0000] "POST /api/catalog/v1/quickstart_catalog/namespaces/ HTTP/1.1" 200 95
polaris-1        | 2025-10-13 16:22:48,284 INFO  [org.apa.pol.ser.cat.ice.IcebergCatalogHandler] [02f56580-8e05-4dcd-a818-636533aafecd_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Initializing non-federated catalog
polaris-1        | 2025-10-13 16:22:48,293 INFO  [org.apa.ice.BaseMetastoreCatalog] [02f56580-8e05-4dcd-a818-636533aafecd_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Table properties set at catalog level through catalog properties: {}
polaris-1        | 2025-10-13 16:22:48,296 INFO  [org.apa.ice.BaseMetastoreCatalog] [02f56580-8e05-4dcd-a818-636533aafecd_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Table properties enforced at catalog level through catalog properties: {}
polaris-1        | 2025-10-13 16:22:48,501 WARN  [org.apa.pol.ser.con.ServiceProducers] [02f56580-8e05-4dcd-a818-636533aafecd_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Creating HTTP client with SSL certificate verification disabled. Use only in development!
polaris-1        | 2025-10-13 16:22:48,586 INFO  [org.apa.ice.CatalogUtil] [02f56580-8e05-4dcd-a818-636533aafecd_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Loading custom FileIO implementation: org.apache.iceberg.aws.s3.S3FileIO
polaris-1        | 2025-10-13 16:22:49,010 INFO  [org.apa.pol.ser.cat.io.DefaultFileIOFactory] [02f56580-8e05-4dcd-a818-636533aafecd_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Injected SerializableSupplier for insecure S3 client into Iceberg S3FileIO for ioImpl=org.apache.iceberg.aws.s3.S3FileIO
polaris-1        | 2025-10-13 16:22:49,478 INFO  [org.apa.pol.ser.cat.ice.IcebergCatalog] [02f56580-8e05-4dcd-a818-636533aafecd_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Successfully committed to table quickstart_catalog.minio_polaris_ns.minio_polaris_ns_table01 in 1151 ms
polaris-1        | 2025-10-13 16:22:49,495 INFO  [io.qua.htt.access-log] [02f56580-8e05-4dcd-a818-636533aafecd_0000000000000000006,POLARIS] [,,,] (executor-thread-1) 172.18.0.1 - root [13/Oct/2025:16:22:49 +0000] "POST /api/catalog/v1/quickstart_catalog/namespaces/minio_polaris_ns/tables HTTP/1.1" 200 1073

CHANGELOG.md

fcc779b Ignore SSL Verification

Contributor

@dimas-b dimas-b left a comment


Thanks for your contribution, @rohangoli ! Some preliminary comments below.

WARNING: This should only be used for development and testing environments with self-signed certificates.
Disabling SSL verification in production environments compromises security.
example: false
default: false
Contributor


I'd prefer to avoid an explicit default here. Having a default value in this YAML will cause all clients to receive it in REST API responses. On the other hand this property is not likely to be used in many cases.

We should certainly implement the change such that false is the default behaviour, but I believe it would be preferable to avoid declaring it here as an Open API default (so that clients will not receive this property at all, unless it is set explicitly).

Ignore this comment if you're moving the flag to FeatureConfiguration.

type: boolean
description: >-
Whether SSL certificate verification should be disabled for STS and S3 endpoints (optional).
WARNING: This should only be used for development and testing environments with self-signed certificates.
Contributor


If the intention is to support dev / test environments only, I believe it would be preferable to have this flag in FeatureConfiguration as opposed to catalog properties.

Author


Thanks for the review! I thought it would be useful if it could be configured via the Dockerfile.

Let me update the code to use ignoreSSLVerification under Feature Configuration!

Contributor


docker/helm can set flags in FeatureConfiguration (e.g. via env. variables)

Member

@snazy snazy left a comment


I think the whole reflection stuff is not needed.

You can test for the S3FileIO class name early in DefaultFileIOFactory.loadFileIOInternal(). If that test yields true, construct it directly via o.a.i.aws.s3.S3FileIO#S3FileIO(o.a.i.util.SerializableSupplier<software.amazon.awssdk.services.s3.S3Client>, o.a.i.util.SerializableSupplier<software.amazon.awssdk.services.s3.S3AsyncClient>) and initialize S3FileIO manually (do what CatalogUtil.loadFileIO() does).

I'd also prefer to not eagerly build the S3Client+S3AsyncClient but only when Supplier.get() is called.

"Blind trust" isn't really great, and it would be much safer to guard the ability to do this via a global option and check it in ProductionReadinessChecks#checkInsecureStorageSettings.

The even better approach would be a change in Iceberg, to configure the SdkHttpConfigurationOption#TRUST_ALL_CERTIFICATES option.

A much safer option than blindly trusting all certificates is to allow configuring custom key and trust stores via ApacheHttpClient.Builder.tlsTrustManagersProvider()/.tlsKeyManagersProvider().

I'd avoid recommending users to configure the global Java key/trust stores, because other external systems (backend database, other object stores) would be affected by such a change.

*/
public SdkHttpClient createInsecureHttpClient(S3AccessConfig config) {
try {
SSLContext sslContext =
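Review bot: `createInsecureHttpClient(S3AccessConfig config)` lets per-catalog storage configuration alone decide that certificate verification is switched off; gate the call behind one global flag (the FeatureConfiguration / ProductionReadinessChecks route discussed above) and fail fast with an exception when that flag is not set, instead of building a trust-all `SSLContext` whenever a catalog asks for it. The Javadoc that closes with `*/` here should also say in its first sentence that the returned client performs no certificate validation, so the warning is visible at the call site and not only in the runtime log.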
Member


software.amazon.awssdk.http.SdkHttpConfigurationOption#TRUST_ALL_CERTIFICATES seems to be a simpler way.

Comment on lines +263 to +270
// Apply configuration options
config.maxHttpConnections().ifPresent(httpClient::maxConnections);
config.readTimeout().ifPresent(httpClient::socketTimeout);
config.connectTimeout().ifPresent(httpClient::connectionTimeout);
config.connectionAcquisitionTimeout().ifPresent(httpClient::connectionAcquisitionTimeout);
config.connectionMaxIdleTime().ifPresent(httpClient::connectionMaxIdleTime);
config.connectionTimeToLive().ifPresent(httpClient::connectionTimeToLive);
config.expectContinueEnabled().ifPresent(httpClient::expectContinueEnabled);
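Review bot: lines +263 to +270 re-apply the same seven builder options (`maxConnections`, `socketTimeout`, `connectionTimeout`, and so on) that the regular `sdkHttpClient` path already sets, so a future change to one copy (a new timeout, a proxy setting) would silently not reach the insecure client. Extract a shared helper, e.g. `applyHttpConfig(ApacheHttpClient.Builder builder, S3AccessConfig config)`, and call it from both paths so the only difference between them is the trust configuration.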
Member


Looks like this is duplicated code, which can be shared w/ sdkHttpClient?
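Added illustration of the two options weighed in the review above; this is not code from the PR or from Polaris. It shows the `SdkHttpConfigurationOption#TRUST_ALL_CERTIFICATES` shortcut next to the safer `ApacheHttpClient.Builder.tlsTrustManagersProvider()` route, which trusts only a named CA bundle and leaves the JVM-wide `cacerts` (used by the metastore database and any other object store) untouched. The class name `S3TlsClients`, the method names, the PEM-bundle path and the `insecureAllowed` flag are assumptions made for this example; only the AWS SDK v2 and JDK calls are real API.

```java
// Added example (not Polaris or PR code): scoped TLS trust for the AWS SDK v2
// S3 client versus the trust-everything shortcut, both built on ApacheHttpClient.
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import software.amazon.awssdk.http.SdkHttpClient;
import software.amazon.awssdk.http.SdkHttpConfigurationOption;
import software.amazon.awssdk.http.apache.ApacheHttpClient;
import software.amazon.awssdk.utils.AttributeMap;

public final class S3TlsClients { // hypothetical helper, not a Polaris class

  private S3TlsClients() {}

  /**
   * Preferred: trust exactly the CA certificate(s) found in a PEM bundle
   * (e.g. the CA that signed the MinIO endpoint certificate). The trust
   * store lives only in memory and only in this client, so the JVM default
   * trust store used by other connections is not modified.
   */
  public static SdkHttpClient trustingOnly(Path pemBundle) throws Exception {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    Collection<? extends Certificate> cas;
    try (InputStream in = Files.newInputStream(pemBundle)) {
      cas = cf.generateCertificates(in); // accepts a concatenated PEM bundle
    }
    if (cas.isEmpty()) {
      throw new IllegalArgumentException("no certificates found in " + pemBundle);
    }
    KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
    trustStore.load(null, null); // start from an empty, in-memory store
    int i = 0;
    for (Certificate ca : cas) {
      trustStore.setCertificateEntry("ca-" + i++, ca);
    }
    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(trustStore);
    TrustManager[] managers = tmf.getTrustManagers();
    // Certificate chain validation and hostname checks stay enabled; only the
    // set of trusted roots changes.
    return ApacheHttpClient.builder()
        .tlsTrustManagersProvider(() -> managers)
        .build();
  }

  /**
   * Last resort for dev/test: skip certificate validation entirely. The
   * caller must pass an explicit flag (in Polaris terms: a global feature
   * setting, not a per-catalog property) or the method refuses to build it.
   */
  public static SdkHttpClient trustAll(boolean insecureAllowed) {
    if (!insecureAllowed) {
      throw new IllegalStateException(
          "TLS verification may only be disabled when explicitly enabled globally");
    }
    AttributeMap insecure = AttributeMap.builder()
        .put(SdkHttpConfigurationOption.TRUST_ALL_CERTIFICATES, Boolean.TRUE)
        .build();
    // buildWithDefaults lets the SDK apply the option itself; no hand-rolled
    // SSLContext or custom TrustManager is needed.
    return ApacheHttpClient.builder().buildWithDefaults(insecure);
  }
}
```

The returned `SdkHttpClient` is handed to `S3Client.builder().httpClient(...)` (the same `TrustManager[]` can feed the STS client builder), so the trust override is scoped to the object-store connection. The regular builder options from the PR (`maxConnections`, `socketTimeout`, and so on) would be applied on the same `ApacheHttpClient.builder()` before `build()`/`buildWithDefaults()` in both methods, ideally through one shared helper.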
