CORE: Inject OAuth2 Token from TableSession #12635
Conversation
| @@ -414,6 +416,10 @@ public Table loadTable(SessionContext context, TableIdentifier identifier) { | |||
| authManager.tableSession(finalIdentifier, tableConf, contextualSession); | |||
| TableMetadata tableMetadata; | |||
|
|
|||
| if (tableSession instanceof OAuth2Util.AuthSession) { | |||
There was a problem hiding this comment.
I don't think I fully follow why this change is needed. If a REST server supports a sub-scoped table token, then the server would return this via the token field in LoadTableResponse#config and so you would end up having a properly configured tableSession (which already takes in the tableConf with the potentially sub-scoped table token).
There was a problem hiding this comment.
Since we are already getting a tableSession that's dedicated to interact with the table from the REST server. will it make more sense to pass it down to VendedCredentialsProvider instead of expecting LoadTableResponse.config() to include that property? This is just a proposal, I'm still trying to figure out how iceberg should interact with a REST server, Apache Polaris in our case.
There was a problem hiding this comment.
Since we are already getting a
tableSessionthat's dedicated to interact with the table from the REST server. will it make more sense to pass it down toVendedCredentialsProviderinstead of expectingLoadTableResponse.config()to include that property?
this is already being done today in
iceberg/aws/src/main/java/org/apache/iceberg/aws/AwsClientProperties.java
Lines 203 to 206 in 7d0395d
There was a problem hiding this comment.
right. but when loadTable is called, the token from the tableSession does not get included in the property that initiates tableFileIO. This PR is proposing to include that token in the properties so the VendedCredentialsProvider can use it to initiate the http client.
There was a problem hiding this comment.
@wolflex888 I'm not sure I'm following here. The oauth token that is potentially sub-scoped to the loaded table is passed to the Table FileIO instance in https://github.com/apache/iceberg/blob/main/core/src/main/java/org/apache/iceberg/rest/RESTSessionCatalog.java#L973-L980
Originally, we are expecting
loadTablefrom the REST Service to returntokenas part of the config inLoadTableResponse. The token should have access to the table the application is interacting with.In this PR, I am proposing to inject the token from
tableSessionthat's created withinRestSessionCatalog.loadTable. This make sense sinceRestSessionCatalogalready make a request to the REST service for a token that is dedicated to interact with the table. We can use it to interact with the server instead of getting another one from the endpoint.