zy-kkk opened a new pull request, #51670: URL: https://github.com/apache/doris/pull/51670
### What problem does this PR solve?

This PR adds OAuth2 authentication support for Iceberg REST catalogs in Doris, enabling integration with modern REST catalog implementations like Apache Polaris.

Problem Summary:

### What's Changed

- Added OAuth2 authentication support for `IcebergRestExternalCatalog`
- Implemented two OAuth2 flows: Client Credentials Flow and Pre-configured Token Flow

### New Properties

#### Authentication Configuration

- `iceberg.rest-catalog.security`: Authentication type (set to `oauth2`, default `none`)

#### Client Credentials Flow

- `iceberg.rest-catalog.oauth2.credential`: Client credentials in format `client_id:client_secret`
- `iceberg.rest-catalog.oauth2.server-uri`: OAuth2 token endpoint URI
- `iceberg.rest-catalog.oauth2.scope`: OAuth2 scope (optional)
- `iceberg.rest-catalog.oauth2.token-refresh-enabled`: Enable automatic token refresh (default: `true`)

#### Pre-configured Token Flow

- `iceberg.rest-catalog.oauth2.token`: Bearer token for authentication

### Usage Examples

#### Client Credentials Flow (Recommended)

```sql
CREATE CATALOG polaris_oauth2_cred PROPERTIES (
    'type' = 'iceberg',
    'iceberg.catalog.type' = 'rest',
    'uri' = 'http://localhost:8181/api/catalog',
    'warehouse' = 'my_catalog',
    'iceberg.rest-catalog.security' = 'oauth2',
    'iceberg.rest-catalog.oauth2.credential' = 'client_id:client_secret',
    'iceberg.rest-catalog.oauth2.server-uri' = 'http://localhost:8181/api/catalog/v1/oauth/tokens',
    'iceberg.rest-catalog.oauth2.scope' = 'PRINCIPAL_ROLE:ALL',
    's3.access_key' = 'your_access_key',
    's3.secret_key' = 'your_secret_key',
    's3.endpoint' = 'https://s3.us-west-2.amazonaws.com',
    's3.region' = 'us-west-2'
);
```

#### Pre-configured Token Flow

```sql
CREATE CATALOG polaris_token_auth PROPERTIES (
    'type' = 'iceberg',
    'iceberg.catalog.type' = 'rest',
    'uri' = 'http://localhost:8181/api/catalog',
    'warehouse' = 'my_catalog',
    'iceberg.rest-catalog.security' = 'oauth2',
    'iceberg.rest-catalog.oauth2.token' = 'your_bearer_token',
    's3.access_key' = 'your_access_key',
    's3.secret_key' = 'your_secret_key',
    's3.endpoint' = 'https://s3.us-west-2.amazonaws.com',
    's3.region' = 'us-west-2'
);
```

### Limitations

- **Vended Credentials**: Currently not supported. Users must manually provide storage backend credentials (access keys, etc.)
- **Authentication Methods**: Only OAuth2 is supported in this implementation

### Release note

None

### Check List (For Author)

- Test <!-- At least one of them must be included. -->
    - [ ] Regression test
    - [ ] Unit Test
    - [ ] Manual test (add detailed scripts or steps below)
    - [ ] No need to test or manual test. Explain why:
        - [ ] This is a refactor/code format and no logic has been changed.
        - [ ] Previous test can cover this change.
        - [ ] No code files have been changed.
        - [ ] Other reason <!-- Add your reason? -->

- Behavior changed:
    - [ ] No.
    - [ ] Yes. <!-- Explain the behavior change -->

- Does this need documentation?
    - [ ] No.
    - [ ] Yes. <!-- Add document PR link here. eg: https://github.com/apache/doris-website/pull/1214 -->

### Check List (For Reviewer who merge this PR)

- [ ] Confirm the release note
- [ ] Confirm test cases
- [ ] Confirm document
- [ ] Add branch pick label <!-- Add branch pick label that this PR should merge into -->
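
An added example, not part of the pull request or of Doris: a small pre-deployment check over a catalog's `PROPERTIES` map, using the property names listed above. The rules (one flow per catalog, no secrets over plain `http` except to loopback) are this example's assumed policy, not checks the PR performs, and the host `catalog.example.internal` is constructed.

```python
from urllib.parse import urlparse

P = "iceberg.rest-catalog."
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def is_cleartext(uri):
    """True for plain http to a non-loopback host."""
    u = urlparse(uri or "")
    return u.scheme == "http" and (u.hostname or "") not in LOOPBACK

def audit_catalog(props):
    """Return findings for one catalog's PROPERTIES map (assumed policy)."""
    out = []
    cred = props.get(P + "oauth2.credential")
    token = props.get(P + "oauth2.token")
    # The page gives `none` as the default authentication type.
    if props.get(P + "security", "none") != "oauth2":
        if cred or token:
            out.append("oauth2 secret set but security is not oauth2")
        return out
    if cred and token:
        out.append("both credential and token set")
    if not cred and not token:
        out.append("security=oauth2 without credential or token")
    if cred:
        client_id, sep, secret = cred.partition(":")
        if not (sep and client_id and secret):
            out.append("credential is not client_id:client_secret")
        if is_cleartext(props.get(P + "oauth2.server-uri")):
            out.append("client secret posted over cleartext http")
    if is_cleartext(props.get("uri")):
        out.append("bearer token sent over cleartext http")
    return out

# Constructed sample: a non-loopback variant of the page's example.
SAMPLE_BAD = {
    "uri": "http://catalog.example.internal:8181/api/catalog",
    P + "security": "oauth2",
    P + "oauth2.credential": "client_id_only",
    P + "oauth2.token": "your_bearer_token",
    P + "oauth2.server-uri": "http://catalog.example.internal:8181/api/catalog/v1/oauth/tokens",
}

if __name__ == "__main__":
    for finding in audit_catalog(SAMPLE_BAD):
        print("FINDING:", finding)
```

The `http://localhost:8181` values from the usage examples pass this check because loopback is exempted; the same properties pointed at a remote host over `http` do not.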