When creating and managing tables in the Apache Iceberg REST catalog endpoint, the following location, permission, and security hardening rules apply:
Table location
Table paths must be nested within the parent namespace path (for example,
gs://{namespace_path}/.../{table_name}). This constraint is enforced for security
and catalog hardening.
Behavior change for table paths: Note that the resulting table location (under
which the metadata/ folder is created) automatically has a random string attached
as a suffix to prevent conflicts and improve security:
- If no specific location is provided, the resulting location is
gs://{namespace_path}/{table_name}/{random_suffix}.
- If a specific location is provided (for example,
gs://{namespace_path}/.../{table_name}), the resulting location is
gs://{namespace_path}/.../{table_name}/{random_suffix}.
Table registration permissions
BigLake catalogs require the biglake.tables.register permission to register a
table. This permission is restricted to the BigLake Admin (roles/biglake.admin)
role to ensure only administrators can perform table registration. Legacy Cloud Storage
bucket catalogs currently still enforce biglake.tables.create for table registration,
but will eventually transition to the new register permission after an official announcement.