Could not disable ssl verification.

[MenelikV]

Apache Iceberg version

None

Please describe the bug 🐞

Hello,

I am trying to use pyiceberg with a nessie deployed on a kubernetes cluster. Nessie is exposed through an ingress with a auto-signed certificate.

I am trying to connect with the following:

catalog = load_catalog("iceberg", **{"uri":"https://myhost/iceberg/", "s3.endpoint":"https://xxx","s3.access-key-id":"XXXXXXX", "s3.secret-access-key":"XXXXX", "ssl": {"cabundle": False}})

This code raises an Exception

SSLError: HTTPSConnectionPool(host='myhost', port=443): Max retries exceeded with url: /iceberg/v1/config (Caused by SSLError(SSLCertVerificationError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'myhost'. (_ssl.c:1018)")))

Looking at the code of RestCatalog, especially the _create_session function, it seems that a check is made to see of "cabundle" is neither None, nor False (https://github.com/apache/iceberg-python/blob/main/pyiceberg/catalog/rest/__init__.py#L361)

To my understanding, this prevents session.verify to be set to False.

I would change if ssl_ca_bundle := ssl_config.get(CA_BUNDLE): by (ssl_ca_bundle := ssl_config.get(CA_BUNDLE)) is not None

Cheers,

Ménélik

Willingness to contribute

• I can contribute a fix for this bug independently
• I would be willing to contribute a fix for this bug with guidance from the Iceberg community
• I cannot contribute a fix for this bug at this time

[kevinjqliu]

thanks @MenelikV that makes sense, would you like to add a PR for this fix?

and perhaps add a test around here

iceberg-python/tests/catalog/test_rest.py

Lines 1644 to 1676 in d62b360

	def test_request_session_with_ssl_ca_bundle(monkeypatch: pytest.MonkeyPatch) -> None:
	# Given
	catalog_properties = {
	"uri": TEST_URI,
	"token": TEST_TOKEN,
	"ssl": {
	"cabundle": "path_to_ca_bundle",
	},
	}
	with pytest.raises(OSError) as e:
	monkeypatch.delenv("REQUESTS_CA_BUNDLE", raising=False)
	monkeypatch.delenv("CURL_CA_BUNDLE", raising=False)
	# Missing namespace
	RestCatalog("rest", **catalog_properties) # type: ignore
	assert "Could not find a suitable TLS CA certificate bundle, invalid path: path_to_ca_bundle" in str(e.value)
	def test_request_session_with_ssl_client_cert() -> None:
	# Given
	catalog_properties = {
	"uri": TEST_URI,
	"token": TEST_TOKEN,
	"ssl": {
	"client": {
	"cert": "path_to_client_cert",
	"key": "path_to_client_key",
	}
	},
	}
	with pytest.raises(OSError) as e:
	# Missing namespace
	RestCatalog("rest", **catalog_properties) # type: ignore
	assert "Could not find the TLS certificate file, invalid path: path_to_client_cert" in str(e.value)

[MenelikV]

Okay, I will do it this week :) @kevinjqliu