-
Notifications
You must be signed in to change notification settings - Fork 516
feat(catalog-rest): introduce AuthManager/AuthSession, rework SigV4 as a wrapping auth manager #2815
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
feat(catalog-rest): introduce AuthManager/AuthSession, rework SigV4 as a wrapping auth manager #2815
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,108 @@ | ||
| // Licensed to the Apache Software Foundation (ASF) under one | ||
| // or more contributor license agreements. See the NOTICE file | ||
| // distributed with this work for additional information | ||
| // regarding copyright ownership. The ASF licenses this file | ||
| // to you under the Apache License, Version 2.0 (the | ||
| // "License"); you may not use this file except in compliance | ||
| // with the License. You may obtain a copy of the License at | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, | ||
| // software distributed under the License is distributed on an | ||
| // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
| // KIND, either express or implied. See the License for the | ||
| // specific language governing permissions and limitations | ||
| // under the License. | ||
|
|
||
| //! Pluggable authentication for the REST catalog, mirroring Iceberg Java's | ||
| //! `AuthManager`/`AuthSession` API. | ||
|
|
||
| mod oauth2; | ||
| mod sigv4; | ||
|
|
||
| use std::collections::HashMap; | ||
| use std::fmt::Debug; | ||
| use std::sync::Arc; | ||
|
|
||
| use async_trait::async_trait; | ||
| use iceberg::Result; | ||
| pub use oauth2::OAuth2Manager; | ||
| use reqwest::Request; | ||
| pub use sigv4::SigV4AuthManager; | ||
|
|
||
| /// `rest.auth.type` value disabling authentication. | ||
| pub const AUTH_TYPE_NONE: &str = "none"; | ||
| /// `rest.auth.type` value selecting OAuth2 token authentication. | ||
| pub const AUTH_TYPE_OAUTH2: &str = "oauth2"; | ||
| /// `rest.auth.type` value selecting AWS SigV4 request signing. | ||
| pub const AUTH_TYPE_SIGV4: &str = "sigv4"; | ||
|
|
||
| /// Creates the [`AuthSession`]s used to authenticate REST catalog requests. | ||
| /// | ||
| /// A manager is created once per catalog, either from the `rest.auth.type` | ||
| /// property or injected through `RestCatalogBuilder::with_auth_manager`, and | ||
| /// lives for the lifetime of the catalog. | ||
| #[async_trait] | ||
| pub trait AuthManager: Debug + Send + Sync { | ||
| /// Session used for the initial `/v1/config` handshake, built from the | ||
| /// user-supplied configuration. | ||
| async fn init_session(&self) -> Result<Arc<dyn AuthSession>>; | ||
|
|
||
| /// Session used for all subsequent catalog requests, given the properties | ||
| /// merged from the user configuration and the server's config response. | ||
| /// | ||
| /// Implementations may carry state (e.g. a cached token) over from the | ||
| /// init session. | ||
| async fn catalog_session( | ||
| &self, | ||
| props: &HashMap<String, String>, | ||
| ) -> Result<Arc<dyn AuthSession>>; | ||
| } | ||
|
|
||
| /// Authenticates outgoing REST catalog requests. | ||
| #[async_trait] | ||
| pub trait AuthSession: Debug + Send + Sync { | ||
| /// Applies authentication to the request (adds headers, signs, ...). | ||
| async fn authenticate(&self, request: &mut Request) -> Result<()>; | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. IMO it would help to introduce a small wrapper around |
||
|
|
||
| /// Drops any cached credentials so the next request re-authenticates. | ||
| async fn invalidate(&self) -> Result<()> { | ||
| Ok(()) | ||
| } | ||
|
|
||
| /// Proactively refreshes cached credentials (e.g. re-exchanges an OAuth2 | ||
| /// client credential for a new token), leaving them intact on failure. | ||
| async fn refresh(&self) -> Result<()> { | ||
| Ok(()) | ||
| } | ||
| } | ||
|
|
||
| /// [`AuthManager`] that performs no authentication. | ||
| #[derive(Debug)] | ||
| pub struct NoopAuthManager; | ||
|
|
||
| /// [`AuthSession`] that performs no authentication. | ||
| #[derive(Debug)] | ||
| struct NoopSession; | ||
|
|
||
| #[async_trait] | ||
| impl AuthManager for NoopAuthManager { | ||
| async fn init_session(&self) -> Result<Arc<dyn AuthSession>> { | ||
| Ok(Arc::new(NoopSession)) | ||
| } | ||
|
|
||
| async fn catalog_session( | ||
| &self, | ||
| _props: &HashMap<String, String>, | ||
| ) -> Result<Arc<dyn AuthSession>> { | ||
| Ok(Arc::new(NoopSession)) | ||
| } | ||
| } | ||
|
|
||
| #[async_trait] | ||
| impl AuthSession for NoopSession { | ||
| async fn authenticate(&self, _request: &mut Request) -> Result<()> { | ||
| Ok(()) | ||
| } | ||
| } | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we add other methods like
fn contextual_session()andfn table_session()too?We'll need to extend the trait eventually, and since it's public it would otherwise become a breaking change.
Both of the methods will take a parent
AuthSessionand can get a default implementation likeThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also note that the
fn contextual_session()would take something like a SessionContext which I'm only introducing in #2836. I can split it into its own PR so we can get it in faster.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just realized that we can still extend the trait later with methods like this that have a default implementation... never mind my above comment 🤦
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm happy to extend it as a follow-up because the
fn contextual_session()will be relevant for my goal to ship #2774 🙂