Re: [PR] REST: AuthManager API [iceberg]

Mon, 21 Oct 2024 06:01:57 -0700 


adutra commented on code in PR #10753:
URL: https://github.com/apache/iceberg/pull/10753#discussion_r1808778342


##########
core/src/main/java/org/apache/iceberg/rest/RESTSessionCatalog.java:
##########
@@ -273,35 +227,11 @@ public void initialize(String name, Map<String, String> 
unresolved) {
       this.endpoints = ImmutableSet.copyOf(config.endpoints());
     }
 
-    this.sessions = newSessionCache(mergedProps);
-    this.tableSessions = newSessionCache(mergedProps);
-    this.keepTokenRefreshed =
-        PropertyUtil.propertyAsBoolean(
-            mergedProps,
-            OAuth2Properties.TOKEN_REFRESH_ENABLED,
-            OAuth2Properties.TOKEN_REFRESH_ENABLED_DEFAULT);
     this.client = clientBuilder.apply(mergedProps);
     this.paths = ResourcePaths.forCatalogProperties(mergedProps);
 
-    String token = mergedProps.get(OAuth2Properties.TOKEN);
-    this.catalogAuth =
-        new AuthSession(
-            baseHeaders,
-            AuthConfig.builder()
-                .credential(credential)
-                .scope(scope)
-                .oauth2ServerUri(oauth2ServerUri)
-                .optionalOAuthParams(optionalOAuthParams)
-                .build());
-    if (authResponse != null) {
-      this.catalogAuth =
-          AuthSession.fromTokenResponse(
-              client, tokenRefreshExecutor(name), authResponse, 
startTimeMillis, catalogAuth);
-    } else if (token != null) {
-      this.catalogAuth =
-          AuthSession.fromAccessToken(
-              client, tokenRefreshExecutor(name), token, 
expiresAtMillis(mergedProps), catalogAuth);
-    }
+    authManager.initialize(name, client, mergedProps);

Review Comment:
   I agree that, on the paper, that would look nicer, but the devil is in the 
details: consider for instance the case where `credential` is provided. The 
auth manager would have to exchange the provided credentials for an access 
token using the `client_credentials` grant. Now, if we have two distinct auth 
managers, _both_ would have to perform this roundtrip since they would not be 
able to share any state; this would result in two tokens being requested in a 
row.
   
   Do you think that this extra network roundtrip would be acceptable? If so, 
then yes, we can split in two instances.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org
For additional commands, e-mail: issues-h...@iceberg.apache.org

Reply via email to