mirror of
https://github.com/supabase/supabase.git
synced 2026-06-29 11:57:37 -04:00
Joshen Lim
3d10f2cab9
## Context We found an issue regarding Analytics Buckets and the Iceberg wrapper - upon creation of an analytics bucket, the wrapper is automatically created for the users which involves using the project's API keys as the catalog's token. However, if the user were to rotate the API keys, this will cause the wrapper to break and there's currently no clear user flow for the user to self-remediate - the only indicator they'll see is just a 403 error (e.g when trying to view the analytics bucket table via FDW on the table editor or SQL editor) ## Changes involved Am adding a user path for users to self-remediate a little, starting from the Table Editor - we'll add a contextual error message as such if we detect a 403 that's caused by an invalid token: <img width="1110" height="320" alt="Screenshot 2026-06-26 at 17 33 11" src="https://github.com/user-attachments/assets/28ea4ce6-5b81-4217-9952-880acb02f2bd" /> We'll subsequently also float this issue up in the Analytics Bucket UI (which is linked from the contextual error above) <img width="1114" height="466" alt="Screenshot 2026-06-26 at 17 31 52" src="https://github.com/user-attachments/assets/8d112e5b-6ecc-458b-b4dc-7e7647da3fb2" /> And users can then choose to use another API key as the catalog token <img width="585" height="246" alt="Screenshot 2026-06-26 at 17 31 56" src="https://github.com/user-attachments/assets/3d9689a5-b18d-4f07-a5a5-d882e41c5958" /> The warning will thereafter go away, and users will be able to query the FDW again via Table Editor or SQL Editor ## To test - [ ] Create an analytics bucket, set up a table and foreign schema (via Query via Postgres) - [ ] Insert some data, or verify that you can view the iceberg table from the Table Editor - [ ] Now rotate your API secret key (delete the old, create a new) - [ ] Verify that you'll run into that error if you view the iceberg table from the Table Editor - [ ] Follow the flow -> Go to the Analytics Bucket UI to update the catalog token - [ ] Verify that thereafter, you can view the iceberg table again from the Table Editor <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added clearer Iceberg/analytics bucket setup prompts for missing, outdated, or uninstalled wrappers. * Added an “Update catalog token” dialog and a collapsible “View error” troubleshooting UI. * **Bug Fixes** * Improved detection of Iceberg authorization failures and now shows a more specific error with guidance. * Warn users when the saved catalog token no longer matches available API keys. * Enhanced post-update refresh behavior so updated token values display correctly. * **Documentation** * Clarified vault token description to indicate it may be a secret or service role key. <!-- end of auto-generated comment: release notes by coderabbit.ai -->