talatuyarer opened a new pull request, #13212: URL: https://github.com/apache/iceberg/pull/13212
This PR introduces a dedicated GoogleAuthManager for the Iceberg REST client, enabling robust and streamlined authentication with Google Cloud Platform (GCP) services by delegating authentication to GCP's auth library.

***Why add a specific GoogleAuthManager?***

Currently, Iceberg's AuthManager and the generic OAuth2Manager provide a good baseline for authentication. However, connecting to services on Google Cloud often uses specific patterns that a generic manager doesn't fully simplify. This new GoogleAuthManager makes life easier for folks using Iceberg with GCP-based REST catalogs.

The existing OAuth2Manager is great for standard OAuth2 flows (like client credentials) but it does not support [authorization code workflow](https://datatracker.ietf.org/doc/html/rfc6749#section-6).

The GoogleAuthManager introduces authentication methods that are more convenient and conventional for GCP users, differing from the generic OAuth2 flow:

- Application Default Credentials (ADC) Support: Provides out-of-the-box, zero-configuration authentication when the Iceberg client runs within GCP environments (e.g., Compute Engine, GKE, Cloud Functions). This is a significant usability improvement over manually setting up OAuth2 parameters.
- Service Account Key File Support: Allows users to authenticate by directly providing a path to a GCP service account JSON key file. This is a common and secure way to authenticate applications with GCP services, and is more specific than the generic token or client secret mechanisms.
- Configurable OAuth Scopes: While the generic OAuth2Manager also supports scopes, GoogleAuthManager defaults to scopes commonly used for GCP services (https://www.googleapis.com/auth/cloud-platform) and allows easy customization via the gcp.auth.scopes property.

While our current OAuth2Manager can be used with tokens from service accounts, it doesn't natively understand the ADC discovery process or how to directly consume a service account JSON file for its credentials. This dedicated manager ensures that Iceberg can authenticate with GCP-backed REST catalog services in the most efficient, secure, and user-friendly manner, aligning with common GCP practices. The GoogleAuthManager bridges this gap for a more seamless Iceberg REST experience on GCP.
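
The credential resolution order described in the pull request (explicit key file, otherwise ADC, then scoping) can be sketched with the google-auth-library-java API. This is an added example, not code from the pull request or from Iceberg. The class name, the `example.gcp.key-file-path` property and the comma-separated scope format are assumptions; only `gcp.auth.scopes` and the default scope come from the description.

```java
import com.google.auth.oauth2.GoogleCredentials;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

public class GcpCredentialResolutionExample {
  static final String SCOPES = "gcp.auth.scopes"; // property named in the PR description
  // Hypothetical property name; the description does not say what the key-file property is called.
  static final String KEY_PATH = "example.gcp.key-file-path";
  static final String DEFAULT_SCOPE = "https://www.googleapis.com/auth/cloud-platform";

  // Assumption: scopes are given as a comma-separated list.
  static List<String> scopes(Map<String, String> props) {
    return Arrays.stream(props.getOrDefault(SCOPES, DEFAULT_SCOPE).split(","))
        .map(String::trim)
        .filter(s -> !s.isEmpty())
        .collect(Collectors.toList());
  }

  // Key file wins when configured; otherwise fall back to ADC discovery
  // (GOOGLE_APPLICATION_CREDENTIALS, gcloud user credentials, metadata server).
  static GoogleCredentials resolve(Map<String, String> props) throws IOException {
    GoogleCredentials creds;
    String keyPath = props.get(KEY_PATH);
    if (keyPath != null && !keyPath.isEmpty()) {
      // The key file is a long-lived secret: keep it readable only by the service user.
      try (InputStream in = Files.newInputStream(Paths.get(keyPath))) {
        creds = GoogleCredentials.fromStream(in);
      }
    } else {
      creds = GoogleCredentials.getApplicationDefault();
    }
    return creds.createScoped(scopes(props));
  }

  // Value for the HTTP Authorization header on each REST catalog request.
  static String authorizationHeader(GoogleCredentials creds) throws IOException {
    creds.refreshIfExpired(); // access tokens are short-lived; refresh before use
    return "Bearer " + creds.getAccessToken().getTokenValue();
  }

  public static void main(String[] args) throws IOException {
    GoogleCredentials creds = resolve(Map.of()); // no properties: ADC plus the default scope
    // Never log the token itself; report only that one was obtained.
    System.out.println("token obtained: " + authorizationHeader(creds).startsWith("Bearer "));
  }
}
```

Narrowing `gcp.auth.scopes` below `cloud-platform` where the catalog service allows it limits what a leaked token can reach.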