Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Auth Manager API part 4: RESTClient, HTTPClient #11992

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Auth Manager API part 4: RESTClient, HTTPClient #11992

wants to merge 9 commits into from

Conversation

adutra
Copy link
Contributor

@adutra adutra commented Jan 17, 2025

4th PR for the Auth Manager API. Previous ones:

This PR introduces the required changes to RESTClient and HTTPClient. It also introduces a BaseHTTPClient abstract class to facilitate the creation and execution of HTTPRequests in a consistent way.

The biggest change in actually in TestRESTCatalog, because almost every Mockito.verify() call needs to be adapted.

The AuthManager API is still "unplugged" at this point.

\cc @nastra @danielcweeks

@github-actions github-actions bot added the core label Jan 17, 2025
@adutra adutra mentioned this pull request Jan 17, 2025
Open
danielcweeks
danielcweeks reviewed Jan 22, 2025
View reviewed changes
core/src/main/java/org/apache/iceberg/rest/HTTPClient.java Outdated
this.mapper = objectMapper;
this.authSession = AuthSession.EMPTY;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think defaulting to empty opens up a risk that requests will be made without an explicit session. This somewhat hides the case where we missed a call that should have auth. I would think we would leave this a null and require that a session be used (e.g. validate the auth was set in the execute call). Thoughts @nastra?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that makes sense to enforce/validate that a proper auth session is being used

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are going to run into a chicken and egg problem: to create an auth session I need an HTTP client; but now, to create an HTTP client, I would need an auth session.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand that may seem like the case here, but I think we're just saying that you create it initially as set to null, but validate when execute is called that it is not null. You can still create the HTTPClient, but you can't make a request unless there is an active auth session. This just prevents unintentional use of an "empty" auth session (it needs to be intentional).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, now I get it. Let me try your suggestion.

@Fokko Fokko added this to the Iceberg 1.9.0 milestone Jan 25, 2025
nastra
nastra reviewed Jan 28, 2025
View reviewed changes
aws/src/main/java/org/apache/iceberg/aws/s3/signer/S3V4RestSignerClient.java Outdated
.build())));
id -> {
RESTClient client =
httpClient().withAuthSession(org.apache.iceberg.rest.auth.AuthSession.EMPTY);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wouldn't this create a new http client every time this is called?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed. The child client is lightweight though, but it's probably better to move this call to httpClient().

nastra
nastra reviewed Jan 28, 2025
View reviewed changes
aws/src/main/java/org/apache/iceberg/aws/s3/signer/S3V4RestSignerClient.java Outdated
@@ -192,7 +192,8 @@ private RESTClient httpClient() {
HTTPClient.builder(properties())
.uri(baseSignerUri())
.withObjectMapper(S3ObjectMapper.mapper())
.build();
.build()
.withAuthSession(org.apache.iceberg.rest.auth.AuthSession.EMPTY);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe worth having a withAuthSession on the builder class itself(similar to withObjectMapper)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Builder method added.

nastra
nastra reviewed Jan 28, 2025
View reviewed changes
aws/src/main/java/org/apache/iceberg/aws/s3/signer/S3V4RestSignerClient.java Outdated
@@ -338,6 +339,7 @@ public SdkHttpFullRequest sign(
Consumer<Map<String, String>> responseHeadersConsumer = responseHeaders::putAll;
S3SignResponse s3SignResponse =
httpClient()
.withAuthSession(org.apache.iceberg.rest.auth.AuthSession.EMPTY)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe this change can be reverted now that the session is set in httpClient()

gaborkaszab
gaborkaszab reviewed Jan 28, 2025
View reviewed changes
aws/src/main/java/org/apache/iceberg/aws/s3/VendedCredentialsProvider.java Outdated
@@ -84,6 +85,7 @@ private RESTClient httpClient() {

private LoadCredentialsResponse fetchCredentials() {
return httpClient()
.withAuthSession(AuthSession.EMPTY)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just took a quick look because I'm also working on the HttpClient code and was curious about this PR.

This might have been commented, but wouldn't it be possible to pass the AuthSession to the HttpClient during creation, maybe through a Builder? Then we could avoid adding these 'withAuthSession' calls when we use the httpClient.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Different sessions are used depending on the context, so it can't be restricted to a single one.

nastra
nastra reviewed Jan 29, 2025
View reviewed changes
core/src/main/java/org/apache/iceberg/rest/HTTPClient.java Outdated
baseHeaders.forEach(allHeaders::putIfAbsent);
}

Preconditions.checkState(authSession != null, "no AuthSession available");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Preconditions.checkState(authSession != null, "no AuthSession available");
Preconditions.checkState(authSession != null, "Invalid auth session: null");

@adutra
Copy link
Contributor Author

adutra commented Jan 30, 2025

@danielcweeks @nastra is there anything else I need to change?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gaborkaszab gaborkaszab gaborkaszab left review comments

@danielcweeks danielcweeks danielcweeks left review comments

@nastra nastra nastra approved these changes

Assignees
No one assigned
Labels
AWS core GCP
Projects
None yet
Milestone
Iceberg 1.9.0
Development

Successfully merging this pull request may close these issues.
5 participants
@adutra @nastra @danielcweeks @gaborkaszab @Fokko