add refresh credentials property to loadTableResult #2341
Conversation
jasonf20
force-pushed
the
loadTableResponse-refresh-credential-properties
branch
from
bb55a80 to
eb3e360
Compare
.../service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogAdapter.java
Outdated
Show resolved
Hide resolved
.../service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogAdapter.java
Outdated
Show resolved
Hide resolved
jasonf20
force-pushed
the
loadTableResponse-refresh-credential-properties
branch
from
5c92bdd to
99075da
Compare
.../service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogAdapter.java
Outdated
Show resolved
Hide resolved
|
Please address CI failures :) |
There was a problem hiding this comment.
LGTM overall 👍 Thanks for working on this @jasonf20 !
Do we have existing integration tests for the credential refresh endpoint? If not, could you add a test in RestCatalogMinIOSpecialIT (probably). I suppose we could use the test REST Client to validate refresh credential responses. I know this is specific to the S3 storage integration, but it will hit the common call path and we can validate Azure AccessConfig in unit tests. WDYT?
| public String credentialsPath(TableIdentifier ident) { | ||
| return SLASH.join( | ||
| "v1", | ||
| prefix, | ||
| "namespaces", | ||
| RESTUtil.encodeNamespace(ident.namespace()), | ||
| "tables", | ||
| RESTUtil.encodeString(ident.name()), | ||
| "credentials"); |
There was a problem hiding this comment.
Just to confirm: relative URIs are correct in this case, right?
There was a problem hiding this comment.
Yes, from what I understand the recent version of the client automatically appends the base URI if a relative path is returned from the server.
.../service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogAdapter.java
Outdated
Show resolved
Hide resolved
polaris-core/src/main/java/org/apache/polaris/core/storage/cache/StorageCredentialCache.java
Outdated
Show resolved
Hide resolved
...core/src/main/java/org/apache/polaris/core/storage/gcp/GcpCredentialsStorageIntegration.java
Outdated
Show resolved
Hide resolved
| Boolean.class, | ||
| AwsClientProperties.REFRESH_CREDENTIALS_ENABLED, | ||
| "whether to enable automatic refresh of credentials", | ||
| true, |
There was a problem hiding this comment.
I do not think this property is a credential property (logically)
There was a problem hiding this comment.
From my understanding of the client code:
- The
AwsClientFactoryis initialized ahead of time with generic properties retrieved from the "configuration" endpoint. This doesn't include specific endpoints for credential refresh per table and/or access keys. - Later on when loading the fileIO per table, the base properties + additional table properties provided from the
List<Credential>are added here.
For the property to be available in Credential.config() down the line this needs to be set to true.
There was a problem hiding this comment.
Thanks for the code pointer! In this case, it does make sense to mark these properties as "credentials", but please add a code comment for future readers to be aware of what Iceberg java clients expect.
There was a problem hiding this comment.
I had another look at this. I think I was wrong since it also passes in tableConf which if set initializes a new fileIO with those properties, so this can be false. I'll update those.
There was a problem hiding this comment.
Thanks for your diligence! 🙂
polaris-core/src/main/java/org/apache/polaris/core/storage/StorageAccessProperty.java
Outdated
Show resolved
Hide resolved
polaris-core/src/main/java/org/apache/polaris/core/storage/StorageAccessProperty.java
Outdated
Show resolved
Hide resolved
polaris-core/src/main/java/org/apache/polaris/core/storage/StorageAccessProperty.java
Outdated
Show resolved
Hide resolved
polaris-core/src/main/java/org/apache/polaris/core/storage/PolarisStorageIntegration.java
Outdated
Show resolved
Hide resolved
.../test/java/org/apache/polaris/core/storage/azure/AzureCredentialsStorageIntegrationTest.java
Outdated
Show resolved
Hide resolved
|
@dimas-b I've added the integration test and unit test for azure as you suggested and made other fixes based on your comments. |
polaris-core/src/main/java/org/apache/polaris/core/storage/PolarisCredentialVendor.java
Show resolved
Hide resolved
polaris-core/src/main/java/org/apache/polaris/core/storage/PolarisStorageIntegration.java
Show resolved
Hide resolved
polaris-core/src/main/java/org/apache/polaris/core/storage/cache/StorageCredentialCache.java
Outdated
Show resolved
Hide resolved
| EnumSet<AccessDelegationMode> delegationModes, | ||
| String prefix, | ||
| TableIdentifier tableIdentifier) { | ||
| return delegationModes.contains(AccessDelegationMode.VENDED_CREDENTIALS) |
There was a problem hiding this comment.
This logic is ok from my POV, but I wonder if other community members prefer a feature flag to switch the new behaviour on/off.
Please send an email about this to the dev ML.
There was a problem hiding this comment.
Actually, I'll send the dev email myself :)
There was a problem hiding this comment.
singhpk234
left a comment
singhpk234
left a comment
There was a problem hiding this comment.
Mostly LGTM as well 👍 ! we are very close :) !
| AWS_REFRESH_CREDENTIALS_ENDPOINT( | ||
| String.class, | ||
| AwsClientProperties.REFRESH_CREDENTIALS_ENDPOINT, | ||
| "the endpoint to use for refreshing credentials", |
There was a problem hiding this comment.
ideally we are not refreshing the credentials, we are getting brand new one how about we say something like
https://github.com/apache/iceberg/blob/main/open-api/rest-catalog-open-api.yaml#L119
|
@jasonf20 : Could you add an entry about this change to |
…ndpoint is included
github-project-automation
bot
moved this from PRs In Progress
to Ready to merge
in Basic Kanban Board
| * @param allowedWriteLocations a set of allowed to write locations | ||
| * @param refreshCredentialsEndpoint an optional endpoint to use for refreshing credentials. If | ||
| * supported by the storage type it will be returned to the client in the appropriate | ||
| * properties. The endpoint may be relative to the base URI and the client is responsible for |
There was a problem hiding this comment.
can we return anything except relative path ? my understanding is base uri is always catalog uri https://github.com/apache/iceberg/blob/main/aws/src/main/java/org/apache/iceberg/aws/s3/VendedCredentialsProvider.java#L92 is this statement in intentionally open ended since spec is not explicit ?
There was a problem hiding this comment.
At one point the client required full paths, now it works with partial paths. I'm not sure if the spec identifies one as the correct method over the other so I left it like this. If one is definitely the "correct" way I can update the comment.
There was a problem hiding this comment.
@jasonf20 : do you know the Iceberg version / PR where relative paths started working?
There was a problem hiding this comment.
It was linked in the previous PR. #1164 (comment)
Seems like it's since 1.8.0
There was a problem hiding this comment.
Oh no this made a lot of things super tricky, i checked iceberg python for refresh keyword but i didn't any prs for that so i am assuming that it doesn't support, taking only the iceberg java sdk reference
if we always send relative url it only works for >= 1.8
fails for < 1.8
I know there is a header that the java sdk sends which has SDK version X-Client-Version header we may want to salvage this now on when to return the absolute vs relative, https://github.com/apache/iceberg/blob/main/core/src/main/java/org/apache/iceberg/rest/HTTPClient.java#L77
seems like the only broken release would be 1.7
Its a bit surprising to me, but i think for now we can park this by just documenting this gotcha, WDYT @dimas-b ?
There was a problem hiding this comment.
Getting full URI is a bit trickier - as discussed in #1164.
From my POV, let's merge this "as is" and open a GH issue that it does not work properly for Iceberg < 1.8. When someone has time, let's improve.
Getting this feature enabled for Iceberg clients >= 1.8 is valuable, I think.
There was a problem hiding this comment.
Since old client version behave differently, I think we ought to have a feature flag now... just in case someone runs into client incompatibility issues and wants to disable credential refresh properties completely (i.e. revert to old Polaris behaviour). WDYT?
There was a problem hiding this comment.
That would be ideal IMHO (specially now), but i think the jobs without us sending the credentials endpoint would still have failed because my understanding is we would have not made the /credentials call unless the creds in loadTable expires https://github.com/apache/iceberg/blob/main/aws/src/main/java/org/apache/iceberg/aws/s3/VendedCredentialsProvider.java#L63, its just we might see an HTTP error rather than the creds expired exception.
But agree, we might want to have a feature flag to fallback to the old behaviour if we unexpectedly fail.
There was a problem hiding this comment.
I don't think a feature flag is needed.
- The client is already broken, if they reach the need to refresh credentials it already fails today.
- A feature flag will not solve the problem. Enabling it will fix the issue for some and create a different issue for others, so you'll never be able to enable it anymore than you can without the flag.
- Clients can simply upgrade to 1.8.0 to get a working version. Their current version doesn't work anyway so they can upgrade at their own time when this becomes important to them.
- If you would like we can remove the
refresh_credentials_enabledproperty and let the client set that one in his catalog settings. That way he can control if this gets used or not. This would be better than a flag and is controlled client side. not server side.
There was a problem hiding this comment.
I've added a commit that does 4.
|
Looks like we already have @dimas-b ;) review, we were parallely reviewing, we good to go from my end ! |
|
Oops, CI failure 😅 |
fixed |
CHANGELOG.md
Outdated
| - Added refresh credentials endpoint configuration to LoadTableResponse for AWS, Azure, and GCP. Enabling | ||
| automatic storage credential refresh per table on the client side. |
There was a problem hiding this comment.
Lets call out the client version limitation here and the suggestion to the caller to set the client side override to enable this.
There was a problem hiding this comment.
since the release is imminent, if the round trip cycle is slow, I suppose we can still merge this PR and later adjust the changelog between @singhpk234 and myself :) Let's give it a few more hours.
There was a problem hiding this comment.
I updated the changelog. Seems a little verbose now for a changelog but It's probably fine.
p.s. I believe you should be able to push changes to my branch yourself since I have the "Allow edits and access to secrets by maintainers" checkbox enabled. But I never tried using that myself.
CHANGELOG.md
Outdated
| automatic storage credential refresh per table on the client side. | ||
| automatic storage credential refresh per table on the client side. Java client version >= 1.8.0 is required. | ||
| The endpoint path is always returned when using vended credentials, but the client must configure | ||
| REFRESH\_ENDPOINT\_ENABLED = "true" in the catalog properties for the client to use the endpoint. |
There was a problem hiding this comment.
the properties are unfortunately different for the all the cloud providers, not sure if we wanna call this out, just saying enabled never the less refresh-credentials-enabled should be endpoint
how about we say that clients must enable refresh-credentials flag for their respective cloud provider ?
There was a problem hiding this comment.
Yea that's less verbose. I changed it to that.
singhpk234
left a comment
singhpk234
left a comment
There was a problem hiding this comment.
LGTM, thanks @jasonf20 for all the effort !
Appreciate your contribution :), much needed capability !
|
Thanks for your reviews @dimas-b @singhpk234 ! |
| - Added refresh credentials endpoint configuration to LoadTableResponse for AWS, Azure, and GCP. Enabling | ||
| automatic storage credential refresh per table on the client side. Java client version >= 1.8.0 is required. | ||
| The endpoint path is always returned when using vended credentials, but clients must enable the |
There was a problem hiding this comment.
We will need to document this. Unfortunately, the best place to doc this is a page for storage setting and credential vending, which doesn't exist yet. Here is the issue filed long time ago, #1325. Not a blocker for this PR though.
github-project-automation
bot
moved this from Ready to merge
to Done
in Basic Kanban Board
* Integration tests for Catalog Federation (apache#2344) Adds a Junit5 integration test for catalog federation. * Fix merge conflict in CatalogFederationIntegrationTest (apache#2420) apache#2344 added a new test for catalog federation, but it looks like an undetected conflict with concurrent changes related to authentication have broken the test in main. * chore(deps): update registry.access.redhat.com/ubi9/openjdk-21-runtime docker tag to v1.23-6.1755674729 (apache#2416) * 2334 (apache#2427) * Fix TableIdentifier in TaskFileIOSupplier (apache#2304) we cant just convert a `TaskEntity` to a `IcebergTableLikeEntity` as the `getTableIdentifier()` method will not return a correct value by using the name of the task and its parent namespace (which is empty?). task handlers instead need to pass in the `TableIdentifier` that they already inferred via `TaskEntity.readData`. * Fix NPE in CreateCatalog (apache#2435) * Doc fix: Access control page update (apache#2424) * 2418 * 2418 * fix(deps): update dependency software.amazon.awssdk:bom to v2.32.29 (apache#2443) * Optimize PolicyCatalog.listPolicies (apache#2370) this is a follow-up to apache#2290 the optimization is to use `listEntities` instead of `loadEntities` when there is `policyType` filter to apply * Add PolarisDiagnostics field to BaseMetaStoreManager (apache#2381) * Add PolarisDiagnostics field to BaseMetaStoreManager the ultimate goal is removing the `PolarisCallContext` parameter from every `PolarisMetaStoreManager` interface method, so we make steps towards reducing its usage first. * Add feature flag to disallow custom S3 endpoints (apache#2442) * Add new realm-level flag: `ALLOW_SETTING_S3_ENDPOINTS` (default: true) * Enforce in `PolarisServiceImpl.validateStorageConfig()` Fixes apache#2436 * Deprecate ActiveRolesProvider for removal (apache#2404) * Client: fix openapi verbose output, remove doc generate, and skip test generations (apache#2439) * Fix various issue in client code generation * Use logger instead of print * Add back exclude on __pycache__ as CI is not via Makefile * Add back exclude on __pycache__ as CI is not via Makefile * Add user principal tag in metrics (apache#2445) * Added API change to enable tag * Added test * Added production readiness check * fix(deps): update dependency io.opentelemetry.semconv:opentelemetry-semconv to v1.36.0 (apache#2454) * fix(deps): update dependency com.google.cloud:google-cloud-storage-bom to v2.56.0 (apache#2447) * fix(deps): update dependency gradle.plugin.org.jetbrains.gradle.plugin.idea-ext:gradle-idea-ext to v1.3 (apache#2428) * Build: Make jandex dependency used for index generation managed (apache#2431) Also allows specifying the jandex index version for the build. This is a preparation step contributing to apache#2204, once a jandex fix for reproducible builds is available. Co-authored-by: Alexandre Dutra <adutra@apache.org> * Built: improve reproducible archive files (apache#2432) As part of the effort for apache#2204, this change fixes a few aspects around reproducible builds: Some Gradle projects produce archive files, but don't get the necessary Gradle archive-tasks settings applied: one not-published project but also the tarball&zip of the distribution. This change moves the logic to the new build-plugin `polaris-reproducible`. Another change is to have some Quarkus generated jar files adhere to the same conventions, which are constant timestamps for the zip entries and a deterministic order of the entries. That's sadly not a full fix, as the classes that are generated or instumented by Quarkus differ in each build. Contributes to apache#2204 * Remove commons-lang3 dependency (apache#2456) outside of tests we can replace the functionality with jdk11 and guava. also stop using `org.assertj.core.util` as its a non-public api. * add refresh credentials property to loadTableResult (apache#2341) * add refresh credentials property to loadTableResult * IcebergCatalogAdapterTest: Added test to ensure refresh credentials endpoint is included * delegate refresh credential endpoint configuration to storage integration * GCP: Add refresh credential properties * fix(deps): update dependency io.opentelemetry.semconv:opentelemetry-semconv to v1.37.0 (apache#2458) * Add Delegator to all API Implementations (apache#2434) Per the Dev ML, implements the Delegator pattern to add Events instrumentation to all Polaris APIs. * Prefer java.util.Base64 over commons-codec (apache#2463) `java.util.Base64` is available since java8 and we are already using it in a few other spots. in a follow-up we might be able to get rid of our `commons-codec` dependency completely. * Service: Move tests to the right package (apache#2469) * Update versions in runtime LICENSE and NOTICE (apache#2468) * fix(deps): update dependency com.adobe.testing:s3mock-testcontainers to v4.8.0 (apache#2475) * fix(deps): update dependency com.gradleup.shadow:shadow-gradle-plugin to v9.1.0 (apache#2476) * Service: Remove hadoop-common from polaris-runtime-service (apache#2462) * Service: Always validate allowed locations from Storage Config (apache#2473) * Add Community Sync Meeting 20250828 (apache#2477) * Update dependency software.amazon.awssdk:bom to v2.33.0 (apache#2483) * Remove PolarisCallContext.getDiagServices (apache#2415) * Remove PolarisCallContext.getDiagServices usage * Remove diagnostics from PolarisCallContext * Feature: Expose resetCredentials via a new reset api to allow root user to reset credentials for an existing principal with custom values (apache#2197) * Add type-check to PolarisEntity subclass ctors (apache#2302) currently one can freely "cast" any `PolarisEntity` to a more specific type via their constructors. this can lead to subtle bugs like we fixed in a29f800 by adding type checks we discover a few more places where we need to be more careful about how we construct new or handle existing entities. note that we can add a check for `PolarisEntitySubType` in a followup, but it requires more fixes currently. * Fix CI (apache#2489) Fix undetected merge conflict after apache#2197 + apache#2415 + apache#2434 * Use local diagnostics in TransactionWorkspaceMetaStoreManager * Add resetCredentials to PolarisPrincipalsEventServiceDelegator * Core: Prevent AIOOBE for negative codes in PolarisEntityType, PolarisPrivilege, ReturnStatus (apache#2490) * feat(idgen): Start Implementation of NoSQL with the ID Generation Framework (apache#2131) Create an ID Generation Framework. Related to apache#650 & apache#844 Co-authored-by: Robert Stupp <snazy@snazy.de> Co-authored-by: Dmitri Bourlatchkov <dmitri.bourlatchkov@gmail.com> * perf(refactor): optimizing JdbcBasePersistenceImpl.listEntities (apache#2465) - Reduced Column Selection: Only 6 columns instead of 16 - Eliminated Object Creation Overhead: Direct conversion to EntityNameLookupRecord without intermediate PolarisBaseEntity * Add Polaris Events to Persistence (apache#1844) * AWS CloudWatch Event Sink Implementation (apache#1965) * Fix failing CI (apache#2498) * Update actions/stale digest to 3a9db7e (apache#2499) * Core: Prevent AIOOBE for negative policy codes in PredefinedPolicyType (apache#2486) * Service: Add location tests for views (apache#2496) * Update docker.io/jaegertracing/all-in-one Docker tag to v1.73.0 (apache#2500) * Update dependency io.netty:netty-codec-http2 to v4.2.5.Final (apache#2495) * Update actions/setup-python action to v6 (apache#2502) * Update the Release Guide about the Helm Chart package (apache#2179) * Update the Release Guide about the Helm Chart package * Update release-guide.md Co-authored-by: Pierre Laporte <pierre@pingtimeout.fr> * Add missing commit message * Whitespace * Use Helm GPG plugin to sign the Helm chart * Fix directories during Helm chart copy to SVN * Add Helm index to SVN * Use long name for svn checkout * Ensure the Helm index is updated after the chart is moved to SVN dist release * Do not publish any Docker image before the vote succeeds * Typos * Revert "Do not publish any Docker image before the vote succeeds" This reverts commit 5617e65. * Don't mention Helm values.yaml in the release guide as it doesn't contain version details --------- Co-authored-by: Pierre Laporte <pierre@pingtimeout.fr> * Update dependency com.azure:azure-sdk-bom to v1.2.38 (apache#2503) * Update registry.access.redhat.com/ubi9/openjdk-21-runtime Docker tag to v1.23-6.1756793420 (apache#2504) * Remove commons-codec dependency (apache#2474) follow-up to f8ad77a we can simply use guava instead and eliminate the extra dependency * CLI: Remove SCRIPT_DIR and default config location to user home (apache#2448) * Remove readInternalProperties helpers (apache#2506) the functionality is already provided by the `PrincipalEntity` * Add Events for Generic Table APIs (apache#2481) This PR adds the Events instrumentation for the Generic Tables Service APIs, surrounding the default delegated call to the business logic APIs. * Disable custom namespace locations (apache#2422) When we create a namespace or alter its location, we must confirm that this location is within the parent location. This PR introduces introduces a check similar to the one we have for tables, where custom locations are prohibited by default. This functionality is gated behind a new behavior change flag `ALLOW_NAMESPACE_CUSTOM_LOCATION`. In addition to allowing us to revert to the old behavior, this flag allows some tests relying on arbitrarily-located namespaces to pass (such as those from upstream Iceberg). Fixes: apache#2417 * fix for IcebergAllowedLocationTest (apache#2511) * Remove unused config from SparkSessionBuilder (apache#2512) Tests pass without it. * Add Events for Policy Service APIs (apache#2479) * Remove PolarisTestMetaStoreManager.jsonNode helper (apache#2513) * Update dependency software.amazon.awssdk:bom to v2.33.4 (apache#2517) * Update dependency com.nimbusds:nimbus-jose-jwt to v10.5 (apache#2514) * Update dependency io.opentelemetry:opentelemetry-bom to v1.54.0 (apache#2515) * Update dependency io.micrometer:micrometer-bom to v1.15.4 (apache#2519) * Port missed OSS change * NoSQL: adopt to updated test packages * NoSQL: adapt to removed PolarisDiagnostics param * NoSQL: fix libs.versions.toml * NoSQL: include jandex plugin related changes from OSS * NoSQL: changes for delete/set principal client-ID+secret * Last merged commit c6176dc --------- Co-authored-by: Pooja Nilangekar <poojan@umd.edu> Co-authored-by: Eric Maynard <eric.maynard+oss@snowflake.com> Co-authored-by: Mend Renovate <bot@renovateapp.com> Co-authored-by: Yong Zheng <yongzheng0809@gmail.com> Co-authored-by: Christopher Lambert <xn137@gmx.de> Co-authored-by: Honah (Jonas) J. <honahx@apache.org> Co-authored-by: Dmitri Bourlatchkov <dmitri.bourlatchkov@gmail.com> Co-authored-by: Alexandre Dutra <adutra@apache.org> Co-authored-by: fivetran-kostaszoumpatianos <kostas.zoumpatianos@fivetran.com> Co-authored-by: Jason <jasonf20@gmail.com> Co-authored-by: Adnan Hemani <adnan.h@berkeley.edu> Co-authored-by: Yufei Gu <yufei@apache.org> Co-authored-by: JB Onofré <jbonofre@apache.org> Co-authored-by: fivetran-arunsuri <103934371+fivetran-arunsuri@users.noreply.github.com> Co-authored-by: Adam Christian <105929021+adam-christian-software@users.noreply.github.com> Co-authored-by: Artur Rakhmatulin <artur.rakhmatulin@gmail.com> Co-authored-by: Pierre Laporte <pierre@pingtimeout.fr>
5 participants
Rebased version of #1164