[#5621] feat(core): support credential cache for Gravitino server #5995
Conversation
|
|
||
| @Override | ||
| public int hashCodeIgnoreUser() { | ||
| return 9999; |
| if (o == null || !(o instanceof CatalogCredentialContext)) { | ||
| return false; | ||
| } | ||
| return true; |
There was a problem hiding this comment.
Do we need more checks before returning true?
| public Credential getCredential(CredentialCacheKey credentialCacheKey) { | ||
| String credentialType = credentialCacheKey.getCredentialType(); | ||
| CredentialContext context = credentialCacheKey.getCredentialContext(); | ||
| LOG.info("try get credential, credential type: {}, context: {}", credentialType, context); |
There was a problem hiding this comment.
Remove this in the final version?
| // Set expire time after add a credential in the cache. | ||
| @Override | ||
| public long expireAfterCreate( | ||
| @NonNull T key, @NonNull Credential credential, long currentTime) { |
There was a problem hiding this comment.
Curious about the @NonNull annotation ...
Can we use it extensively for validation of null params?
| * @param propertiesSuppliers The properties suppliers. | ||
| * @return A set of credential providers. | ||
| */ | ||
| public static Set<String> getCredentialProvidersByOrder( |
There was a problem hiding this comment.
We are emphasizing "by order" because there will be a variant which is not by order?
FANNG1
changed the title
|
@tengqm @jerryshao @yuqi1129 @orenccl , it's ready to review now, please help to review thanks |
| @@ -22,6 +22,8 @@ | |||
| public class CredentialConstants { | |||
| public static final String CREDENTIAL_PROVIDER_TYPE = "credential-provider-type"; | |||
| public static final String CREDENTIAL_PROVIDERS = "credential-providers"; | |||
| public static final String CREDENTIAL_CACHE_EXPIRE_IN_SECS = "credential-cache-expire-in-secs"; | |||
There was a problem hiding this comment.
I feel that this property may not so useful, you can refer to Spark's token refresh config, set a ratio when to refresh the token.
There was a problem hiding this comment.
I don't think we should refresh tokens periodic, the ideal implement may prefetch credentials according to the access rate of the credential, but this make cache complicated, I prefer to optimize it latter.
There was a problem hiding this comment.
use credential-cache-expire-ratio
| public void initialize(Map<String, String> catalogProperties) { | ||
| CredentialConfig credentialConfig = new CredentialConfig(catalogProperties); | ||
| long cache_size = credentialConfig.get(CredentialConfig.CREDENTIAL_CACHE_MAZ_SIZE); | ||
| long cache_expire_time = credentialConfig.get(CredentialConfig.CREDENTIAL_CACHE_EXPIRE_IN_SECS); |
There was a problem hiding this comment.
Why do you use this naming style?
| .longConf() | ||
| .createWithDefault(DEFAULT_CREDENTIAL_CACHE_EXPIRE_IN_SECS); | ||
|
|
||
| public static final ConfigEntry<Long> CREDENTIAL_CACHE_MAZ_SIZE = |
| PathBasedCredentialContext context2 = | ||
| new PathBasedCredentialContext("user2", ImmutableSet.of("path1"), ImmutableSet.of("path2")); | ||
| PathBasedCredentialContext context3 = | ||
| new PathBasedCredentialContext("user3", ImmutableSet.of("path3"), ImmutableSet.of("path4")); |
There was a problem hiding this comment.
Would it be better to set user1 in context3 to test only different path?
Would it be better to name them context, contextWithDiffUser, and contextWithDiffPath?
This approach seems much clearer and eliminates the need for comments.
However, I’m fine with the current approach.
|
@jerryshao @orenccl @tengqm please help to review again |
|
Overall LGTM. |
|
|
||
| // Set expire time after add a credential in the cache. | ||
| @Override | ||
| public long expireAfterCreate(T key, Credential credential, long currentTime) { |
There was a problem hiding this comment.
Is the currentTime here millisecond or nanosecond?
There was a problem hiding this comment.
According the API it's nanosecond. currentTime – the current time, in nanoseconds
In test, the value of currentTime is odd, and according to the API, seems we should calculate the time by ourself.
Note: The currentTime is supplied by the configured Ticker and by default does not relate to system or wall-clock time. When calculating the duration based on a timestamp, the current time should be obtained independently.
|
Thanks @jerryshao @tengqm @orenccl for reviewing |
FANNG1
changed the title
…er (apache#5995) ### What changes were proposed in this pull request? add credential cache for Gravitino server, not support for Iceberg rest server yet. ### Why are the changes needed? Fix: apache#4398 ### Does this PR introduce _any_ user-facing change? no ### How was this patch tested? testing in local env, get credential from Gravitino server and see whether it's fetched from remote or local cache
What changes were proposed in this pull request?
add credential cache for Gravitino server, not support for Iceberg rest server yet.
Why are the changes needed?
Fix: #5621
Does this PR introduce any user-facing change?
no
How was this patch tested?
testing in local env, get credential from Gravitino server and see whether it's fetched from remote or local cache