Re: [PR] Auth Manager API part 6: API enablement [iceberg]

Wed, 12 Mar 2025 08:53:46 -0700 


danielcweeks commented on code in PR #12197:
URL: https://github.com/apache/iceberg/pull/12197#discussion_r1991710873


##########
aws/src/main/java/org/apache/iceberg/aws/s3/signer/S3V4RestSignerClient.java:
##########
@@ -200,86 +151,40 @@ private RESTClient httpClient() {
     return httpClient;
   }
 
-  private AuthSession authSession() {
-    String token = token().get();
-    if (null != token) {
-      return authSessionCache()
-          .get(
-              token,
-              id -> {
-                // this client will be reused for token refreshes; it must 
contain an empty auth
-                // session in order to avoid interfering with refreshed tokens
-                RESTClient refreshClient =
-                    
httpClient().withAuthSession(org.apache.iceberg.rest.auth.AuthSession.EMPTY);
-                return AuthSession.fromAccessToken(
-                    refreshClient,
-                    tokenRefreshExecutor(),
-                    token,
-                    expiresAtMillis(properties()),
-                    new AuthSession(
-                        ImmutableMap.of(),
-                        AuthConfig.builder()
-                            .token(token)
-                            .credential(credential())
-                            .scope(SCOPE)
-                            .oauth2ServerUri(oauth2ServerUri())
-                            .optionalOAuthParams(optionalOAuthParams())
-                            .build()));
-              });
-    }
-
-    if (credentialProvided()) {
-      return authSessionCache()
-          .get(
-              credential(),
-              id -> {
-                AuthSession session =
-                    new AuthSession(
-                        ImmutableMap.of(),
-                        AuthConfig.builder()
-                            .credential(credential())
-                            .scope(SCOPE)
-                            .oauth2ServerUri(oauth2ServerUri())
-                            .optionalOAuthParams(optionalOAuthParams())
-                            .build());
-                long startTimeMillis = System.currentTimeMillis();
-                // this client will be reused for token refreshes; it must 
contain an empty auth
-                // session in order to avoid interfering with refreshed tokens
-                RESTClient refreshClient =
-                    
httpClient().withAuthSession(org.apache.iceberg.rest.auth.AuthSession.EMPTY);
-                OAuthTokenResponse authResponse =
-                    OAuth2Util.fetchToken(
-                        refreshClient,
-                        session.headers(),
-                        credential(),
-                        SCOPE,
-                        oauth2ServerUri(),
-                        optionalOAuthParams());
-                return AuthSession.fromTokenResponse(
-                    refreshClient, tokenRefreshExecutor(), authResponse, 
startTimeMillis, session);
-              });
+  @VisibleForTesting
+  AuthSession authSession() {
+    if (null == authSession) {
+      synchronized (S3V4RestSignerClient.class) {
+        if (null == authSession) {
+          authManager = AuthManagers.loadAuthManager("s3-signer", 
properties());
+          ImmutableMap.Builder<String, String> properties =
+              ImmutableMap.<String, String>builder()
+                  .putAll(properties())
+                  .putAll(optionalOAuthParams())
+                  .put(OAuth2Properties.OAUTH2_SERVER_URI, oauth2ServerUri())
+                  .put(OAuth2Properties.TOKEN_REFRESH_ENABLED, 
String.valueOf(keepTokenRefreshed()))
+                  .put(OAuth2Properties.SCOPE, SCOPE);
+          String token = token().get();
+          if (null != token) {
+            properties.put(OAuth2Properties.TOKEN, token);
+          }
+
+          if (credentialProvided()) {
+            properties.put(OAuth2Properties.CREDENTIAL, credential());
+          }
+
+          authSession = authManager.catalogSession(httpClient(), 
properties.buildKeepingLast());

Review Comment:
   > But there are FileIO instances that are catalog scoped
   This is where I disagree and it's a matter of the concept vs. the 
implementation.  If you look at what we're doing here, it's basically saying 
that there are no distinguishing characteristics for a particular table's 
FileIO, we can just use the same FileIO for access.  This is an optimization 
for naive implementations that don't provide catalog managed table access, but 
the table access comes through a table's FileIO.
   
   > I would propose to move forward on this PR, and then clarify "session 
path/access" on the dev mailing list.
   
   @jbonofre I think it'll be faster to resolve this if we can come to a 
agreement here, but I don't agree that we should move forward until there is 
agreement.  I would love to here what @nastra thinks, but I would propose that 
we do the following:
   
   Add a new method that matches the `catalogSession`'s signature (or whatever 
makes sense in this context) so that we can have a table session (or token 
session like was previously, but that my be too OAuth specific).  This can 
likely share the same implementation from the catalog session.  I'm not arguing 
that the implementation/logic is wrong, but we're not following the concepts we 
set out with for how io/access should work.
   
   
     



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org
For additional commands, e-mail: issues-h...@iceberg.apache.org

Reply via email to