Re: [PR] Auth Manager API part 6: API enablement [iceberg]

Wed, 12 Mar 2025 01:43:08 -0700 


adutra commented on code in PR #12197:
URL: https://github.com/apache/iceberg/pull/12197#discussion_r1990955877


##########
aws/src/main/java/org/apache/iceberg/aws/s3/signer/S3V4RestSignerClient.java:
##########
@@ -200,86 +151,40 @@ private RESTClient httpClient() {
     return httpClient;
   }
 
-  private AuthSession authSession() {
-    String token = token().get();
-    if (null != token) {
-      return authSessionCache()
-          .get(
-              token,
-              id -> {
-                // this client will be reused for token refreshes; it must 
contain an empty auth
-                // session in order to avoid interfering with refreshed tokens
-                RESTClient refreshClient =
-                    
httpClient().withAuthSession(org.apache.iceberg.rest.auth.AuthSession.EMPTY);
-                return AuthSession.fromAccessToken(
-                    refreshClient,
-                    tokenRefreshExecutor(),
-                    token,
-                    expiresAtMillis(properties()),
-                    new AuthSession(
-                        ImmutableMap.of(),
-                        AuthConfig.builder()
-                            .token(token)
-                            .credential(credential())
-                            .scope(SCOPE)
-                            .oauth2ServerUri(oauth2ServerUri())
-                            .optionalOAuthParams(optionalOAuthParams())
-                            .build()));
-              });
-    }
-
-    if (credentialProvided()) {
-      return authSessionCache()
-          .get(
-              credential(),
-              id -> {
-                AuthSession session =
-                    new AuthSession(
-                        ImmutableMap.of(),
-                        AuthConfig.builder()
-                            .credential(credential())
-                            .scope(SCOPE)
-                            .oauth2ServerUri(oauth2ServerUri())
-                            .optionalOAuthParams(optionalOAuthParams())
-                            .build());
-                long startTimeMillis = System.currentTimeMillis();
-                // this client will be reused for token refreshes; it must 
contain an empty auth
-                // session in order to avoid interfering with refreshed tokens
-                RESTClient refreshClient =
-                    
httpClient().withAuthSession(org.apache.iceberg.rest.auth.AuthSession.EMPTY);
-                OAuthTokenResponse authResponse =
-                    OAuth2Util.fetchToken(
-                        refreshClient,
-                        session.headers(),
-                        credential(),
-                        SCOPE,
-                        oauth2ServerUri(),
-                        optionalOAuthParams());
-                return AuthSession.fromTokenResponse(
-                    refreshClient, tokenRefreshExecutor(), authResponse, 
startTimeMillis, session);
-              });
+  @VisibleForTesting
+  AuthSession authSession() {
+    if (null == authSession) {
+      synchronized (S3V4RestSignerClient.class) {
+        if (null == authSession) {
+          authManager = AuthManagers.loadAuthManager("s3-signer", 
properties());
+          ImmutableMap.Builder<String, String> properties =
+              ImmutableMap.<String, String>builder()
+                  .putAll(properties())
+                  .putAll(optionalOAuthParams())
+                  .put(OAuth2Properties.OAUTH2_SERVER_URI, oauth2ServerUri())
+                  .put(OAuth2Properties.TOKEN_REFRESH_ENABLED, 
String.valueOf(keepTokenRefreshed()))
+                  .put(OAuth2Properties.SCOPE, SCOPE);
+          String token = token().get();
+          if (null != token) {
+            properties.put(OAuth2Properties.TOKEN, token);
+          }
+
+          if (credentialProvided()) {
+            properties.put(OAuth2Properties.CREDENTIAL, credential());
+          }
+
+          authSession = authManager.catalogSession(httpClient(), 
properties.buildKeepingLast());

Review Comment:
   My point was rather around the fact that that are FileIO instances that are 
table scoped:
   
   
https://github.com/apache/iceberg/blob/363040817ea189af90a9fadbbde6cad0192b51bd/core/src/main/java/org/apache/iceberg/rest/RESTSessionCatalog.java#L941
   
   But there are FileIO instances that are catalog scoped:
   
   
https://github.com/apache/iceberg/blob/363040817ea189af90a9fadbbde6cad0192b51bd/core/src/main/java/org/apache/iceberg/rest/RESTSessionCatalog.java#L224
   
   It is therefore imho not correct to state that a FIleIO "is scoped to a 
table, not a catalog".
   
   This component (`S3V4RestSignerClient`) should therefore make no assumptions 
about whether it is being created with catalog or table scope. It should be 
able to operate normally regardless of that. Also, it cannot know which table 
it is being created for.
   
   That is why i think the only method that makes sense here is 
`catalogSession`. It simply creates an AuthSession from a Map of properties, 
which can contain configuration for a catalog, or for a table.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org
For additional commands, e-mail: issues-h...@iceberg.apache.org

Reply via email to