When creating and managing tables in the Apache Iceberg REST catalog endpoint, the following location, permission, and security hardening rules apply:
Table location
Table paths must be nested within the parent namespace path (for example,
gs://{namespace_path}/.../{table_name}). This constraint is enforced to help
with security and catalog hardening.
Behavior change for table paths: Note that the resulting table location
(under which the metadata/ folder is created) automatically has a random
string attached as a suffix to prevent conflicts and improve security:
- If no specific location is provided, the resulting location is gs://{namespace_path}/{table_name}/{random_suffix}.
- If a specific location is provided (for example, gs://{namespace_path}/.../{table_name}), the resulting location is gs://{namespace_path}/.../{table_name}/{random_suffix}.
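As an added example (not code from the catalog or from any Iceberg client library), the following client-side pre-check mirrors the nesting rule above and computes the location the catalog would produce. The segment-wise comparison, the rejection of `.` and `..` segments, the suffix length, and the `suffix` parameter (used only to make results deterministic) are assumptions, since the page does not describe the catalog's internals.

```python
"""Client-side pre-check mirroring the REST catalog table-location rule.

Assumptions (not stated by the page): paths compare segment-wise on the
same scheme and bucket, and the random suffix is 16 hex characters.
"""
from __future__ import annotations

import secrets
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def _split(uri: str) -> Tuple[str, str, List[str]]:
    """Return (scheme, bucket, path segments) for a gs://bucket/path URI."""
    parts = urlsplit(uri)
    segments = [s for s in parts.path.split("/") if s]
    return parts.scheme, parts.netloc, segments


def is_nested(table_location: str, namespace_path: str) -> bool:
    """True only if table_location sits strictly under namespace_path.

    Segment-wise comparison means gs://b/ns-other/t is NOT under gs://b/ns
    even though it shares the raw string prefix, and relative segments
    ('.' or '..') are rejected so a path cannot escape the namespace.
    """
    t_scheme, t_bucket, t_segs = _split(table_location)
    n_scheme, n_bucket, n_segs = _split(namespace_path)
    if (t_scheme, t_bucket) != (n_scheme, n_bucket):
        return False
    if any(seg in (".", "..") for seg in t_segs + n_segs):
        return False
    return len(t_segs) > len(n_segs) and t_segs[: len(n_segs)] == n_segs


def resolved_location(namespace_path: str, table_name: str,
                      location: Optional[str] = None,
                      suffix: Optional[str] = None) -> str:
    """Compute the final location: <base>/<random_suffix>.

    `base` is the caller's location when given, else namespace/table_name.
    `suffix` is injectable only for deterministic tests; the catalog itself
    picks the random value.
    """
    base = location if location is not None else f"{namespace_path.rstrip('/')}/{table_name}"
    if not is_nested(base, namespace_path):
        raise ValueError(f"{base!r} is not nested under {namespace_path!r}")
    return f"{base.rstrip('/')}/{suffix or secrets.token_hex(8)}"
```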
Table registration permissions
Multi-bucket (bl://) catalogs (recommended) require the
biglake.tables.register permission to register a table. This permission is
restricted to the BigLake Admin (roles/biglake.admin) role to ensure only
administrators can perform table registration.
Single-bucket (gs://) catalogs currently still enforce biglake.tables.create for table registration.