CalvinKirs commented on code in PR #63068:
URL: https://github.com/apache/doris/pull/63068#discussion_r3361910274


##########
fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/AuthenticatorManager.java:
##########
@@ -240,7 +244,38 @@ private Optional<AuthenticateRequest> 
resolveAuthenticateRequest(Authenticator a
 
     private AuthenticateResponse authenticateWith(Authenticator authenticator,
             AuthenticateRequest request) throws IOException {
-        return authenticator.authenticate(request);
+        AuthenticateResponse response = authenticator.authenticate(request);
+        attachDelegatedCredential(response, request);
+        return response;
+    }
+
+    private void attachDelegatedCredential(AuthenticateResponse response, 
AuthenticateRequest request) {
+        if (!response.isSuccess() || request.getCredential() == null || 
response.getDelegatedCredential() != null) {
+            return;
+        }
+        DelegatedCredential.Type type = 
delegatedCredentialType(request.getCredentialType());
+        if (type == null) {
+            return;
+        }
+        OptionalLong expiresAtMillis = response.getCredentialExpiresAtMillis();
+        response.setDelegatedCredential(new DelegatedCredential(type,
+                new String(request.getCredential(), StandardCharsets.UTF_8), 
expiresAtMillis));
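
Review bot: In `attachDelegatedCredential`, the guard tests `request.getCredential() == null` but not a zero-length array, so a successful response paired with an empty credential would be wrapped into a `DelegatedCredential` holding an empty token; consider returning early when `request.getCredential().length == 0` as well. On the `new String(request.getCredential(), StandardCharsets.UTF_8)` line, malformed byte sequences are silently replaced with U+FFFD rather than rejected, so a token that is not valid UTF-8 would be forwarded in altered form; decoding with a `CharsetDecoder` set to `CodingErrorAction.REPORT` would fail at this point instead. A short comment on the `response.getDelegatedCredential() != null` condition, stating that a credential already set by the authenticator takes precedence over the request's, would make the intent of that branch clear.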

Review Comment:
   The credential arrives as a byte[] from the MySQL auth packet and ultimately
has to reach Iceberg's `SessionCatalog.SessionContext.credentials()`, which is
a `Map<String, String>` — so the token must become a String at the Iceberg
boundary regardless. Holding it as `byte[]/char[]` through DelegatedCredential
would only defer that conversion by a few frames without removing the heap
copy, so the defense-in-depth gain is marginal here. We do keep the blast
radius small: DelegatedCredential.toString() redacts the token, it is never
logged, and it lives only for the connection's lifetime. I'd prefer to keep it
as String for consistency with the existing credential flow, and can revisit
if we later move the whole chain off String.


