Route Iceberg listTables through service auth and constructor DI

Vibe Kanban · Vibe Kanban · commit 59a9742d8e36 · 2026-02-16T17:54:03.000-08:00
diff --git a/services/tables/src/main/java/com/linkedin/openhouse/tables/controller/IcebergRestCatalogController.java b/services/tables/src/main/java/com/linkedin/openhouse/tables/controller/IcebergRestCatalogController.java
@@ -7,6 +7,8 @@
 import com.linkedin.openhouse.tables.generated.iceberg.api.IcebergReadOnlyApi;
 import com.linkedin.openhouse.tables.api.validator.TablesApiValidator;
 import com.linkedin.openhouse.tables.services.TablesService;
+import java.util.List;
+import java.util.stream.Collectors;
 import org.apache.iceberg.catalog.Namespace;
 import org.apache.iceberg.catalog.TableIdentifier;
 import org.apache.iceberg.exceptions.NoSuchNamespaceException;
@@ -16,7 +18,6 @@
 import org.apache.iceberg.rest.responses.ConfigResponse;
 import org.apache.iceberg.rest.responses.ListTablesResponse;
 import org.apache.iceberg.rest.responses.LoadTableResponse;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.RestController;
@@ -30,11 +31,20 @@
 @RestController
 public class IcebergRestCatalogController implements IcebergReadOnlyApi {
 
-  @Autowired private OpenHouseInternalCatalog openHouseInternalCatalog;
+  private final OpenHouseInternalCatalog openHouseInternalCatalog;
 
-  @Autowired private TablesService tablesService;
+  private final TablesService tablesService;
 
-  @Autowired private TablesApiValidator tablesApiValidator;
+  private final TablesApiValidator tablesApiValidator;
+
+  public IcebergRestCatalogController(
+      OpenHouseInternalCatalog openHouseInternalCatalog,
+      TablesService tablesService,
+      TablesApiValidator tablesApiValidator) {
+    this.openHouseInternalCatalog = openHouseInternalCatalog;
+    this.tablesService = tablesService;
+    this.tablesApiValidator = tablesApiValidator;
+  }
 
   @Override
   public ResponseEntity<String> getConfig(String warehouse) {
@@ -50,8 +60,11 @@ public ResponseEntity<String> listTables(String namespace) {
     String databaseId = icebergNamespace.level(0);
     tablesApiValidator.validateSearchTables(databaseId);
 
-    ListTablesResponse response =
-        CatalogHandlers.listTables(openHouseInternalCatalog, icebergNamespace);
+    List<TableIdentifier> tableIdentifiers =
+        tablesService.searchTables(databaseId, extractAuthenticatedUserPrincipal()).stream()
+            .map(table -> TableIdentifier.of(icebergNamespace, table.getTableId()))
+            .collect(Collectors.toList());
+    ListTablesResponse response = ListTablesResponse.builder().addAll(tableIdentifiers).build();
     return ResponseEntity.ok()
         .contentType(MediaType.APPLICATION_JSON)
         .body(IcebergRestSerde.toJson(response));
diff --git a/services/tables/src/main/java/com/linkedin/openhouse/tables/services/TablesService.java b/services/tables/src/main/java/com/linkedin/openhouse/tables/services/TablesService.java
@@ -32,6 +32,15 @@ public interface TablesService {
    */
   List<TableDto> searchTables(String databaseId);
 
+  /**
+   * Given a databaseId, prepare list of {@link TableDto}s if actingPrincipal has list permission.
+   *
+   * @param databaseId
+   * @param actingPrincipal
+   * @return list of {@link TableDto}
+   */
+  List<TableDto> searchTables(String databaseId, String actingPrincipal);
+
   /**
    * Given a databaseId, prepare list of {@link TableDto}s.
    *
diff --git a/services/tables/src/main/java/com/linkedin/openhouse/tables/services/TablesServiceImpl.java b/services/tables/src/main/java/com/linkedin/openhouse/tables/services/TablesServiceImpl.java
@@ -79,6 +79,13 @@ public List<TableDto> searchTables(String databaseId) {
     return openHouseInternalRepository.searchTables(databaseId);
   }
 
+  @Override
+  public List<TableDto> searchTables(String databaseId, String actingPrincipal) {
+    authorizationUtils.checkDatabasePrivilege(
+        databaseId, actingPrincipal, Privileges.GET_TABLE_METADATA);
+    return searchTables(databaseId);
+  }
+
   @Override
   public Page<TableDto> searchTables(String databaseId, int page, int size, String sortBy) {
     Pageable pageable = createPageable(page, size, sortBy, null);
diff --git a/services/tables/src/test/java/com/linkedin/openhouse/tables/mock/controller/IcebergRestCatalogControllerTest.java b/services/tables/src/test/java/com/linkedin/openhouse/tables/mock/controller/IcebergRestCatalogControllerTest.java
@@ -21,7 +21,6 @@
 import org.apache.iceberg.SortOrder;
 import org.apache.iceberg.TableMetadata;
 import org.apache.iceberg.TableOperations;
-import org.apache.iceberg.catalog.Namespace;
 import org.apache.iceberg.catalog.TableIdentifier;
 import org.apache.iceberg.types.Types;
 import org.junit.jupiter.api.BeforeEach;
@@ -65,10 +64,11 @@ public void testConfig() throws Exception {
 
   @Test
   public void testListTables() throws Exception {
-    when(openHouseInternalCatalog.listTables(Namespace.of("db")))
+    when(tablesService.searchTables(eq("db"), anyString()))
         .thenReturn(
             Arrays.asList(
-                TableIdentifier.of("db", "tb1"), TableIdentifier.of("db", "tb2")));
+                TableDto.builder().databaseId("db").tableId("tb1").build(),
+                TableDto.builder().databaseId("db").tableId("tb2").build()));
 
     mvc.perform(MockMvcRequestBuilders.get("/v1/namespaces/db/tables"))
         .andExpect(status().isOk())
