Skip to content

AWS: Prevent excessive creation of auth sessions in S3V4RestSignerClient #13215

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

AWS: Prevent excessive creation of auth sessions in S3V4RestSignerClient #13215

wants to merge 4 commits into from

Conversation

adutra
Copy link
Contributor

@adutra adutra commented Jun 2, 2025

This PR fixes an oversight in S3V4RestSignerClient introduced by the switch to the AuthManager API: the session cache was previously a static field, but became an instance field. As a result, too many token fetches are being observed when using request signing.

@github-actions github-actions bot added the AWS label Jun 2, 2025
@adutra
Copy link
Contributor Author

adutra commented Jun 2, 2025

@nastra @danielcweeks @c-thiel FYI

@adutra adutra force-pushed the signer-auth-manager-static branch 2 times, most recently from d6e7493 to f72358f Compare June 2, 2025 10:42
nastra
nastra reviewed Jun 2, 2025
View reviewed changes
aws/src/main/java/org/apache/iceberg/aws/s3/signer/S3V4RestSignerClient.java Outdated
}
}
}

return authSession;
}

static {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we move this further to the top?

@adutra
Copy link
Contributor Author

adutra commented Jun 2, 2025

Heads up: I need more changes to make this work properly.

@adutra adutra force-pushed the signer-auth-manager-static branch from f72358f to 58342c0 Compare June 2, 2025 12:16
@github-actions github-actions bot added the core label Jun 2, 2025
@adutra
Copy link
Contributor Author

adutra commented Jun 2, 2025
edited
Loading

Heads up: I need more changes to make this work properly.

Done, this is now ready for review.

FYI we needed to implement session caching for sessions obtained via the AuthManager#tableSession(RESTClient, Map<String,String>). This method was introduced precisely for request signers, but the default impl does not cache returned sessions.

adutra
adutra commented Jun 2, 2025
View reviewed changes
core/src/main/java/org/apache/iceberg/rest/auth/OAuth2Manager.java
sessionCache = newSessionCache(name, properties);
}

if (config.token() != null) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is basically the same logic as in catalogSession(), but with caching enabled.

@stevenzwu stevenzwu added this to the Iceberg 1.10.0 milestone Jun 2, 2025
nastra
nastra reviewed Jun 3, 2025
View reviewed changes
aws/src/main/java/org/apache/iceberg/aws/s3/signer/S3V4RestSignerClient.java Outdated
@VisibleForTesting
AuthSession authSession() {
if (null == authSession) {
private AuthManager authManager() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could you please move the authManager() method just below authSession() as it's causing a diff that adds visual overhead during review

adutra added a commit to adutra/iceberg-auth-manager that referenced this pull request Jun 3, 2025
@adutra
feat(oauth): Standalone sessions should be cached
35e3527 
See apache/iceberg#13215 for context.

In Iceberg 1.9.0, "standalone" sessions created by the S3 request signer client weren't cached, and an AuthManager was created for each signer instance. This is a performance degradation compared to the situation pre-AuthManager, where sessions were cached by the signer itself, and the cache was a static field.

In Iceberg 1.10.0, this should be fixed, but also requires this AuthManager to implement proper caching of sessions created by the signer client.
adutra added a commit to adutra/iceberg-auth-manager that referenced this pull request Jun 3, 2025
@adutra
feat(oauth): Standalone sessions should be cached
818eafd 
See apache/iceberg#13215 for context.

In Iceberg 1.9.0, "standalone" sessions created by the S3 request signer client weren't cached, and an AuthManager was created for each signer instance. This is a performance degradation compared to the situation pre-AuthManager, where sessions were cached by the signer itself, and the cache was a static field.

In Iceberg 1.10.0, this should be fixed, but also requires this AuthManager to implement proper caching of sessions created by the signer client.
@adutra adutra mentioned this pull request Jun 3, 2025
Merged
adutra added a commit to dremio/iceberg-auth-manager that referenced this pull request Jun 3, 2025
@adutra
feat(oauth): Standalone sessions should be cached (#79)
5d8a265 
See apache/iceberg#13215 for context.

In Iceberg 1.9.0, "standalone" sessions created by the S3 request signer client weren't cached, and an AuthManager was created for each signer instance. This is a performance degradation compared to the situation pre-AuthManager, where sessions were cached by the signer itself, and the cache was a static field.

In Iceberg 1.10.0, this should be fixed, but also requires this AuthManager to implement proper caching of sessions created by the signer client.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nastra nastra nastra left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
AWS core
Projects
None yet
Milestone
Iceberg 1.10.0
Development

Successfully merging this pull request may close these issues.
3 participants
@adutra @nastra @stevenzwu