Re: [PR] Add token refresh and token exchange OAuth2 flows to polaris-synchronizer tool. [polaris-tools]

via GitHub Mon, 21 Apr 2025 09:11:43 -0700


pingtimeout commented on code in PR #8:
URL: https://github.com/apache/polaris-tools/pull/8#discussion_r2052653845



##########
polaris-synchronizer/api/src/main/java/org/apache/polaris/tools/sync/polaris/auth/AuthenticationSessionWrapper.java:
##########
@@ -0,0 +1,109 @@
+package org.apache.polaris.tools.sync.polaris.auth;
+
+import org.apache.iceberg.rest.HTTPClient;
+import org.apache.iceberg.rest.RESTClient;
+import org.apache.iceberg.rest.auth.AuthConfig;
+import org.apache.iceberg.rest.auth.OAuth2Properties;
+import org.apache.iceberg.rest.auth.OAuth2Util;
+import org.apache.iceberg.util.ThreadPools;
+
+import java.util.Map;
+import java.util.Set;
+import java.util.UUID;
+
+/**
+ * Wraps {@link OAuth2Util.AuthSession} to provide supported authentication 
flows.
+ */
+public class AuthenticationSessionWrapper {
+
+    /**
+     * Order of token exchange preference copied over from {@link 
org.apache.iceberg.rest.RESTSessionCatalog}.
+     */
+    private static final Set<String> TOKEN_PREFERENCE_ORDER =
+            Set.of(
+                    OAuth2Properties.ID_TOKEN_TYPE,
+                    OAuth2Properties.ACCESS_TOKEN_TYPE,
+                    OAuth2Properties.JWT_TOKEN_TYPE,
+                    OAuth2Properties.SAML2_TOKEN_TYPE,
+                    OAuth2Properties.SAML1_TOKEN_TYPE);

Review Comment:
   This line is not working as intended.  You need to use a `LinkedHashSet` if 
you want a `Set` that preserves insertion order.  In this case, a regular 
`List` would also work just fine.
   
   Here is an example that demonstrates that `Set.of(...)` does not preserve 
insertion order.
   
   ```
   jshell> Set<Integer> s = Set.of(1, 5, 2, 4, 3)
   s ==> [5, 4, 3, 2, 1]
   ```



##########
polaris-synchronizer/api/src/main/java/org/apache/polaris/tools/sync/polaris/auth/AuthenticationSessionWrapper.java:
##########
@@ -0,0 +1,109 @@
+package org.apache.polaris.tools.sync.polaris.auth;
+
+import org.apache.iceberg.rest.HTTPClient;
+import org.apache.iceberg.rest.RESTClient;
+import org.apache.iceberg.rest.auth.AuthConfig;
+import org.apache.iceberg.rest.auth.OAuth2Properties;
+import org.apache.iceberg.rest.auth.OAuth2Util;
+import org.apache.iceberg.util.ThreadPools;
+
+import java.util.Map;
+import java.util.Set;
+import java.util.UUID;
+
+/**
+ * Wraps {@link OAuth2Util.AuthSession} to provide supported authentication 
flows.
+ */
+public class AuthenticationSessionWrapper {
+
+    /**
+     * Order of token exchange preference copied over from {@link 
org.apache.iceberg.rest.RESTSessionCatalog}.
+     */
+    private static final Set<String> TOKEN_PREFERENCE_ORDER =
+            Set.of(
+                    OAuth2Properties.ID_TOKEN_TYPE,
+                    OAuth2Properties.ACCESS_TOKEN_TYPE,
+                    OAuth2Properties.JWT_TOKEN_TYPE,
+                    OAuth2Properties.SAML2_TOKEN_TYPE,
+                    OAuth2Properties.SAML1_TOKEN_TYPE);
+
+    private final OAuth2Util.AuthSession authSession;
+
+    public AuthenticationSessionWrapper(Map<String, String> properties) {
+        this.authSession = this.newAuthSession(properties);
+    }
+
+    /**
+     * Initializes a new authentication session. Biases in order of 
client_credentials,
+     * token exchange, regular access token.
+     * @param properties properties to initialize the session with
+     * @return an authentication session, with token refresh if applicable
+     */
+    private OAuth2Util.AuthSession newAuthSession(Map<String, String> 
properties) {
+
+        RESTClient restClient = HTTPClient.builder(Map.of())
+                .uri(properties.get(OAuth2Properties.OAUTH2_SERVER_URI))
+                .build();
+
+        OAuth2Util.AuthSession parent = new OAuth2Util.AuthSession(
+                Map.of(),
+                AuthConfig.builder()
+                        
.credential(properties.get(OAuth2Properties.CREDENTIAL))
+                        .scope(properties.get(OAuth2Properties.SCOPE))
+                        
.oauth2ServerUri(properties.get(OAuth2Properties.OAUTH2_SERVER_URI))
+                        .token(properties.get(OAuth2Properties.TOKEN))
+                        // actor token type is always access token, Polaris 
needs an actor token for token exchange
+                        .tokenType(OAuth2Properties.ACCESS_TOKEN_TYPE)
+                        
.optionalOAuthParams(OAuth2Util.buildOptionalParam(properties))
+                        .build()
+        );
+
+        // This is for client_credentials flow
+        if (properties.containsKey(OAuth2Properties.CREDENTIAL)) {
+            return OAuth2Util.AuthSession.fromCredential(
+                    restClient,
+                    ThreadPools.newScheduledPool(UUID.randomUUID() + 
"-token-refresh", 1),

Review Comment:
   nit: It could be useful to add a comment here (and below) for code 
maintainability.  It looks like the thread pool with never be shut down, and 
therefore that the application can never terminate.  But the Iceberg 
documentation states that threads created by 
`ThreadPools.newScheduledPool(...)` will be daemon threads.  



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] Add token refresh and token exchange OAuth2 flows to polaris-synchronizer tool. [polaris-tools]

Reply via email to