Auth Manager API part 2: AuthManager #11809
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,108 @@ | ||
| /* | ||
| * Licensed to the Apache Software Foundation (ASF) under one | ||
| * or more contributor license agreements. See the NOTICE file | ||
| * distributed with this work for additional information | ||
| * regarding copyright ownership. The ASF licenses this file | ||
| * to you under the Apache License, Version 2.0 (the | ||
| * "License"); you may not use this file except in compliance | ||
| * with the License. You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, | ||
| * software distributed under the License is distributed on an | ||
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
| * KIND, either express or implied. See the License for the | ||
| * specific language governing permissions and limitations | ||
| * under the License. | ||
| */ | ||
| package org.apache.iceberg.rest.auth; | ||
|
|
||
| import java.util.Map; | ||
| import org.apache.iceberg.catalog.SessionCatalog; | ||
| import org.apache.iceberg.catalog.TableIdentifier; | ||
| import org.apache.iceberg.rest.RESTClient; | ||
|
|
||
| /** | ||
| * Manager for authentication sessions. This interface is used to create sessions for the catalog, | ||
| * the tables/views, and any other context that requires authentication. | ||
| * | ||
| * <p>Managers are usually stateful and may require initialization and cleanup. The manager is | ||
| * created by the catalog and is closed when the catalog is closed. | ||
| */ | ||
| public interface AuthManager extends AutoCloseable { | ||
|
|
||
| /** | ||
| * Returns a temporary session to use for contacting the configuration endpoint only. Note that | ||
| * the returned session will be closed after the configuration endpoint is contacted, and should | ||
| * not be cached. | ||
| * | ||
| * <p>The provided REST client is a short-lived client; it should only be used to fetch initial | ||
| * credentials, if required, and must be discarded after that. | ||
| * | ||
| * <p>This method cannot return null. By default, it returns the catalog session. | ||
| */ | ||
| default AuthSession initSession(RESTClient initClient, Map<String, String> properties) { | ||
| return mainSession(initClient, properties); | ||
| } | ||
|
|
||
| /** | ||
| * Returns a long-lived session whose lifetime is tied to the owning catalog. This session serves | ||
| * as the parent session for all other sessions (contextual and table-specific). It is closed when | ||
| * the owning catalog is closed. | ||
| * | ||
| * <p>The provided REST client is a long-lived, shared client; if required, implementors may store | ||
| * it and reuse it for all subsequent requests to the authorization server, e.g. for renewing or | ||
| * refreshing credentials. It is not necessary to close it when {@link #close()} is called. | ||
| * | ||
| * <p>This method cannot return null. | ||
| * | ||
| * <p>It is not required to cache the returned session internally, as the catalog will keep it | ||
| * alive for the lifetime of the catalog. | ||
| */ | ||
| AuthSession mainSession(RESTClient sharedClient, Map<String, String> properties); | ||
|
|
||
| /** | ||
| * Returns a session for a specific context. | ||
| * | ||
| * <p>If the context requires a specific {@link AuthSession}, this method should return a new | ||
| * {@link AuthSession} instance, otherwise it should return the parent session. | ||
| * | ||
| * <p>This method cannot return null. By default, it returns the parent session. | ||
| * | ||
| * <p>Implementors should cache contextual sessions internally, as the catalog will not cache | ||
| * them. Also, the owning catalog never closes contextual sessions; implementations should manage | ||
| * their lifecycle themselves and close them when they are no longer needed. | ||
| */ | ||
| default AuthSession contextualSession(SessionCatalog.SessionContext context, AuthSession parent) { | ||
| return parent; | ||
| } | ||
|
|
||
| /** | ||
| * Returns a new session targeting a specific table or view. The properties are the ones returned | ||
| * by the table/view endpoint. | ||
| * | ||
| * <p>If the table or view requires a specific {@link AuthSession}, this method should return a | ||
| * new {@link AuthSession} instance, otherwise it should return the parent session. | ||
| * | ||
| * <p>This method cannot return null. By default, it returns the parent session. | ||
| * | ||
| * <p>Implementors should cache table sessions internally, as the catalog will not cache them. | ||
| * Also, the owning catalog never closes table sessions; implementations should manage their | ||
| * lifecycle themselves and close them when they are no longer needed. | ||
| */ | ||
| default AuthSession tableSession( | ||
| TableIdentifier table, Map<String, String> properties, AuthSession parent) { | ||
| return parent; | ||
| } | ||
|
|
||
| /** | ||
| * Closes the manager and releases any resources. | ||
| * | ||
| * <p>This method is called when the owning catalog is closed. | ||
| */ | ||
| @Override | ||
| default void close() { | ||
|
There was a problem hiding this comment. is there any value in having a default impl that doesn't do anything? I feel like this should be just left to the actual auth manager implementations |
||
| // Do nothing | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,77 @@ | ||
| /* | ||
| * Licensed to the Apache Software Foundation (ASF) under one | ||
| * or more contributor license agreements. See the NOTICE file | ||
| * distributed with this work for additional information | ||
| * regarding copyright ownership. The ASF licenses this file | ||
| * to you under the Apache License, Version 2.0 (the | ||
| * "License"); you may not use this file except in compliance | ||
| * with the License. You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, | ||
| * software distributed under the License is distributed on an | ||
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
| * KIND, either express or implied. See the License for the | ||
| * specific language governing permissions and limitations | ||
| * under the License. | ||
| */ | ||
| package org.apache.iceberg.rest.auth; | ||
|
|
||
| import java.util.Locale; | ||
| import java.util.Map; | ||
| import org.apache.iceberg.common.DynConstructors; | ||
| import org.slf4j.Logger; | ||
| import org.slf4j.LoggerFactory; | ||
|
|
||
| public class AuthManagers { | ||
|
|
||
| private static final Logger LOG = LoggerFactory.getLogger(AuthManagers.class); | ||
|
|
||
| private AuthManagers() {} | ||
|
|
||
| public static AuthManager loadAuthManager(String name, Map<String, String> properties) { | ||
|
|
||
|
|
||
| String authType = | ||
| properties.getOrDefault(AuthProperties.AUTH_TYPE, AuthProperties.AUTH_TYPE_NONE); | ||
|
|
||
| String impl; | ||
| switch (authType.toLowerCase(Locale.ROOT)) { | ||
| case AuthProperties.AUTH_TYPE_NONE: | ||
| impl = AuthProperties.AUTH_MANAGER_IMPL_NONE; | ||
| break; | ||
| case AuthProperties.AUTH_TYPE_BASIC: | ||
| impl = AuthProperties.AUTH_MANAGER_IMPL_BASIC; | ||
| break; | ||
| default: | ||
| impl = authType; | ||
| } | ||
|
|
||
| LOG.info("Loading AuthManager implementation: {}", impl); | ||
| DynConstructors.Ctor<AuthManager> ctor; | ||
| try { | ||
| ctor = | ||
| DynConstructors.builder(AuthManager.class) | ||
| .loader(AuthManagers.class.getClassLoader()) | ||
| .impl(impl, String.class) // with name | ||
| .impl(impl) // without name | ||
|
There was a problem hiding this comment. This seems unnecessary. I couldn't find other places where we try for multiple constructors. I think we lean toward one convention (though I may have missed examples). There was a problem hiding this comment. I took this idea from There was a problem hiding this comment. There are specific tests for this feature in There was a problem hiding this comment. Do we use the name anywhere? Seems like if we use it, we should require it. If we don't use it, we should just get rid of it. Overall, I prefer having an opinionated path as opposed to providing lots of options. There was a problem hiding this comment. Okay I kept only the constructor with name. |
||
| .buildChecked(); | ||
| } catch (NoSuchMethodException e) { | ||
| throw new IllegalArgumentException( | ||
| String.format( | ||
| "Cannot initialize AuthManager implementation %s: %s", impl, e.getMessage()), | ||
| e); | ||
| } | ||
|
|
||
| AuthManager authManager; | ||
| try { | ||
| authManager = ctor.newInstance(name); | ||
| } catch (ClassCastException e) { | ||
| throw new IllegalArgumentException( | ||
| String.format("Cannot initialize AuthManager, %s does not implement AuthManager", impl), | ||
| e); | ||
| } | ||
|
|
||
| return authManager; | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| /* | ||
| * Licensed to the Apache Software Foundation (ASF) under one | ||
| * or more contributor license agreements. See the NOTICE file | ||
| * distributed with this work for additional information | ||
| * regarding copyright ownership. The ASF licenses this file | ||
| * to you under the Apache License, Version 2.0 (the | ||
| * "License"); you may not use this file except in compliance | ||
| * with the License. You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, | ||
| * software distributed under the License is distributed on an | ||
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
| * KIND, either express or implied. See the License for the | ||
| * specific language governing permissions and limitations | ||
| * under the License. | ||
| */ | ||
| package org.apache.iceberg.rest.auth; | ||
|
|
||
| public final class AuthProperties { | ||
|
|
||
| private AuthProperties() {} | ||
|
|
||
| public static final String AUTH_TYPE = "rest.auth.type"; | ||
|
|
||
| public static final String AUTH_TYPE_NONE = "none"; | ||
| public static final String AUTH_TYPE_BASIC = "basic"; | ||
|
|
||
| public static final String AUTH_MANAGER_IMPL_NONE = | ||
| "org.apache.iceberg.rest.auth.NoopAuthManager"; | ||
| public static final String AUTH_MANAGER_IMPL_BASIC = | ||
| "org.apache.iceberg.rest.auth.BasicAuthManager"; | ||
|
|
||
| public static final String BASIC_USERNAME = "rest.auth.basic.username"; | ||
| public static final String BASIC_PASSWORD = "rest.auth.basic.password"; | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| /* | ||
| * Licensed to the Apache Software Foundation (ASF) under one | ||
| * or more contributor license agreements. See the NOTICE file | ||
| * distributed with this work for additional information | ||
| * regarding copyright ownership. The ASF licenses this file | ||
| * to you under the Apache License, Version 2.0 (the | ||
| * "License"); you may not use this file except in compliance | ||
| * with the License. You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, | ||
| * software distributed under the License is distributed on an | ||
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
| * KIND, either express or implied. See the License for the | ||
| * specific language governing permissions and limitations | ||
| * under the License. | ||
| */ | ||
| package org.apache.iceberg.rest.auth; | ||
|
|
||
| import org.apache.iceberg.rest.HTTPRequest; | ||
|
|
||
| /** | ||
| * An authentication session that can be used to authenticate outgoing HTTP requests. | ||
| * | ||
| * <p>Authentication sessions are usually immutable, but may hold resources that need to be released | ||
| * when the session is no longer needed. Implementations should override {@link #close()} to release | ||
| * any resources. | ||
| */ | ||
| public interface AuthSession extends AutoCloseable { | ||
|
There was a problem hiding this comment. The naming issue from the previous PR is still pending. @nastra and myself agreed recently on There was a problem hiding this comment. I talked with @danielcweeks and we probably want to go with what you have here as we should eventually deprecate the |
||
|
|
||
| /** An empty session that does nothing. */ | ||
| AuthSession EMPTY = request -> request; | ||
|
|
||
| /** | ||
| * Authenticates the given request and returns a new request with the necessary authentication. | ||
| */ | ||
| HTTPRequest authenticate(HTTPRequest request); | ||
|
|
||
| /** | ||
| * Closes the session and releases any resources. This method is called when the session is no | ||
| * longer needed. Note that since sessions may be cached, this method may not be called | ||
| * immediately after the session is no longer needed, but rather when the session is evicted from | ||
| * the cache, or the cache itself is closed. | ||
| */ | ||
| @Override | ||
| default void close() { | ||
| // Do nothing | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| /* | ||
| * Licensed to the Apache Software Foundation (ASF) under one | ||
| * or more contributor license agreements. See the NOTICE file | ||
| * distributed with this work for additional information | ||
| * regarding copyright ownership. The ASF licenses this file | ||
| * to you under the Apache License, Version 2.0 (the | ||
| * "License"); you may not use this file except in compliance | ||
| * with the License. You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, | ||
| * software distributed under the License is distributed on an | ||
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
| * KIND, either express or implied. See the License for the | ||
| * specific language governing permissions and limitations | ||
| * under the License. | ||
| */ | ||
| package org.apache.iceberg.rest.auth; | ||
|
|
||
| import java.util.Map; | ||
| import org.apache.iceberg.relocated.com.google.common.base.Preconditions; | ||
| import org.apache.iceberg.rest.HTTPHeaders; | ||
| import org.apache.iceberg.rest.RESTClient; | ||
|
|
||
| /** An auth manager that adds static BASIC authentication data to outgoing HTTP requests. */ | ||
| public final class BasicAuthManager implements AuthManager { | ||
|
|
||
| @Override | ||
| public AuthSession mainSession(RESTClient sharedClient, Map<String, String> properties) { | ||
| Preconditions.checkArgument( | ||
| properties.containsKey(AuthProperties.BASIC_USERNAME), | ||
| "Invalid username: missing required property %s", | ||
| AuthProperties.BASIC_USERNAME); | ||
| Preconditions.checkArgument( | ||
| properties.containsKey(AuthProperties.BASIC_PASSWORD), | ||
| "Invalid password: missing required property %s", | ||
| AuthProperties.BASIC_PASSWORD); | ||
| String username = properties.get(AuthProperties.BASIC_USERNAME); | ||
| String password = properties.get(AuthProperties.BASIC_PASSWORD); | ||
| String credentials = username + ":" + password; | ||
| return DefaultAuthSession.of(HTTPHeaders.of(OAuth2Util.basicAuthHeaders(credentials))); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| /* | ||
| * Licensed to the Apache Software Foundation (ASF) under one | ||
| * or more contributor license agreements. See the NOTICE file | ||
| * distributed with this work for additional information | ||
| * regarding copyright ownership. The ASF licenses this file | ||
| * to you under the Apache License, Version 2.0 (the | ||
| * "License"); you may not use this file except in compliance | ||
| * with the License. You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, | ||
| * software distributed under the License is distributed on an | ||
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
| * KIND, either express or implied. See the License for the | ||
| * specific language governing permissions and limitations | ||
| * under the License. | ||
| */ | ||
| package org.apache.iceberg.rest.auth; | ||
|
|
||
| import org.apache.iceberg.rest.HTTPHeaders; | ||
| import org.apache.iceberg.rest.HTTPRequest; | ||
| import org.apache.iceberg.rest.ImmutableHTTPRequest; | ||
| import org.immutables.value.Value; | ||
|
|
||
| /** | ||
| * Default implementation of {@link AuthSession}. It authenticates requests by setting the provided | ||
| * headers on the request. | ||
| * | ||
| * <p>Most {@link AuthManager} implementations should make use of this class, unless they need to | ||
| * retain state when creating sessions, or if they need to modify the request in a different way. | ||
| */ | ||
| @Value.Style(redactedMask = "****") | ||
| @Value.Immutable | ||
| @SuppressWarnings({"ImmutablesStyle", "SafeLoggingPropagation"}) | ||
| public interface DefaultAuthSession extends AuthSession { | ||
|
|
||
| /** Headers containing authentication data to set on the request. */ | ||
| HTTPHeaders headers(); | ||
|
|
||
| @Override | ||
| default HTTPRequest authenticate(HTTPRequest request) { | ||
| HTTPHeaders headers = request.headers().putIfAbsent(headers()); | ||
| return headers.equals(request.headers()) | ||
| ? request | ||
| : ImmutableHTTPRequest.builder().from(request).headers(headers).build(); | ||
| } | ||
|
|
||
| static DefaultAuthSession of(HTTPHeaders headers) { | ||
| return ImmutableDefaultAuthSession.builder().headers(headers).build(); | ||
| } | ||
| } |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel like
catalogSessionmakes more sense here instead ofmainSessionThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah sorry I forgot to start this discussion :-)
But wdyt about components like the signer and the credential refreshers? They will also use the auth manager. But in those places, it doesn't make sense to talk about a "catalog" session. WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not too concerned about using
catalogSessionin other places because it actually reflects the session provided to the catalog.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reverted to
catalogSession.