Auth Manager API part 3: OAuth2 Manager #11844
Conversation
adutra
force-pushed
the
auth-manager-3
branch
2 times, most recently
from
6c3453c to
e502b8b
Compare
adutra
force-pushed
the
auth-manager-3
branch
from
e502b8b to
b88d99d
Compare
| @@ -42,6 +57,9 @@ public static AuthManager loadAuthManager(String name, Map<String, String> prope | |||
| case AuthProperties.AUTH_TYPE_BASIC: | |||
| impl = AuthProperties.AUTH_MANAGER_IMPL_BASIC; | |||
| break; | |||
| case AuthProperties.AUTH_TYPE_OAUTH2: | |||
| impl = AuthProperties.AUTH_MANAGER_IMPL_OAUTH2; | |||
| break; | |||
| default: | |||
| impl = authType; | |||
There was a problem hiding this comment.
can we also define something like AUTH_IMPL = "rest.auth.type"; that could be used here for any custom auth manager/provider we want to bring in?
There was a problem hiding this comment.
That's precisely the intent here; if you have a custom manager, you would activate it with rest.auth.type=my.custom.AuthManager. Is that OK for you?
There was a problem hiding this comment.
Yes that works! I wasn't sure whether you were planning on having authType for as a name of the type
There was a problem hiding this comment.
There will be aliases for built-in managers, e.g. you can activate the built-in oauth2 manager with either:
rest.auth.type = oauth2
rest.auth.type = org.apache.iceberg.rest.auth.OAuth2Manager
But for custom ones, you must provide the FQDN of your implementation.
| * @param executor the executor to use for eviction tasks; if null, the cache will use the | ||
| * {@linkplain ForkJoinPool#commonPool() common pool}. The executor will not be closed when | ||
| * this cache is closed. | ||
| * @param nanoTimeSupplier the supplier for nano time; if null, the cache will use {@link |
There was a problem hiding this comment.
Is there a reason we would need to expose this?
There was a problem hiding this comment.
No, not really, I can turn this constructor into package-private. It's meant only for tests.
core/src/main/java/org/apache/iceberg/rest/auth/AuthConfig.java
Outdated
Show resolved
Hide resolved
core/src/main/java/org/apache/iceberg/rest/auth/RefreshingAuthManager.java
Show resolved
Hide resolved
core/src/test/java/org/apache/iceberg/rest/auth/TestAuthSessionCache.java
Outdated
Show resolved
Hide resolved
| * @param sessionTimeout the session timeout. Sessions will become eligible for eviction after | ||
| * this duration of inactivity. | ||
| */ | ||
| public AuthSessionCache(Duration sessionTimeout) { |
There was a problem hiding this comment.
It looks like we should also make this package private. The other issue is that we shouldn't be using the common pool by default. This should probably be provided by the OAuth2Manager or if we expect there to be only one per manager, then just create a named pool for handling refreshes. We definitely don't want to rely on or possibly tie up the common pool.
There was a problem hiding this comment.
@danielcweeks we are already using the common pool. The session cache currently is created as follows:
iceberg/core/src/main/java/org/apache/iceberg/rest/RESTSessionCatalog.java
Lines 1144 to 1154 in a2b8008
As you can see, we are not providing an executor explicitly, so evictions are being done on the common pool.
There was a problem hiding this comment.
Re: turning this constructor package-private: this won't fly, as SigV4 will also need to create caches, so this constructor needs to be public.
|
@adutra Just one last comment on the thread pool, but other than that this look good to go. |
3rd PR for the Auth Manager API. Previous ones:
This PR introduces the
OAuth2Manageralong with session caching and credentials refreshing. It is still "unplugged" though. Most of theOAuth2Managercode reflects one-to-one what's currently hard-coded inRESTSessionCatalog(and it's still there).\cc @nastra @danielcweeks