Add support for session timeout property and token refresh setting configuration in Iceberg REST catalog #25160

Open
wants to merge 1 commit into
base: master

@varpa89 varpa89 commented Feb 26, 2025

Description

RestSessionCatalog can be configured by changing the authentication session time to live and by enabling/disabling the token refresh mechanics. This change allows configuring these properties from Trino and passing them to RestSessionCatalog, replacing the defaults.

- `iceberg.rest-catalog.session-timeout` sets the duration to keep an authentication session in the cache
- `iceberg.rest-catalog.oauth2.token-refresh-enabled` controls whether a token should be refreshed if information about its expiration time is available

Additional context and related issues

Trino has multiple options for communicating with the Iceberg Rest Catalog in OAUTH2 mode: fill in credentials or a token when configuring a catalog.

Another case is when we have enabled OAuth2 for Trino itself and it would be useful to reuse that authentication when communicating with the Iceberg Rest Catalog.

Trino's driver has an option, extraCredentials, that can also be used via the X-Trino-Extra-Credential header.

Technically it already works, but the problem is that RestSessionCatalog stores this token in the cache, and the cache TTL is 1 hour by default. This period can be longer than the token's TTL, and in this case the Rest Catalog will return a 401 error.

```java
private static Cache<String, AuthSession> newSessionCache(Map<String, String> properties) {
  long expirationIntervalMs =
      PropertyUtil.propertyAsLong(
          properties,
          CatalogProperties.AUTH_SESSION_TIMEOUT_MS,
          CatalogProperties.AUTH_SESSION_TIMEOUT_MS_DEFAULT);

  return Caffeine.newBuilder()
      .expireAfterAccess(Duration.ofMillis(expirationIntervalMs))
      .removalListener(
          (RemovalListener<String, AuthSession>)
              (id, auth, cause) -> {
                if (auth != null) {
                  auth.stopRefreshing();
                }
              })
      .build();
}
```

Cache ttl can be configured and it was discussed here

Another problem is that RestSessionCatalog also tries to refresh the token, but there is another problem described here. RestSessionCatalog has a property that can just disable token refresh.

Release notes

( ) This is not user-visible or is docs only, and no release notes are required.
(x) Release notes are required. Please propose a release note for me.
( ) Release notes are required, with the following suggested text:
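
Added example (not code from this PR, Trino or Iceberg): the `expireAfterAccess` policy from the snippet above, replayed against a fake clock to show when a cached session outlives its token. The `Session` record, the 15-minute token lifetime and the request timings are constructed, and only the cache policy is modelled; Caffeine must be on the classpath.

```java
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import java.time.Duration;
import java.util.concurrent.atomic.AtomicLong;

public class SessionCacheTtlDemo {
    // Hypothetical stand-in for AuthSession: a bearer token and its absolute expiry.
    record Session(String token, long expiresAtNanos) {}

    static final AtomicLong clock = new AtomicLong(); // fake time in nanoseconds

    static Cache<String, Session> newSessionCache(Duration sessionTimeout) {
        return Caffeine.newBuilder()
                .expireAfterAccess(sessionTimeout) // same policy as the snippet above
                .ticker(clock::get)                // deterministic time for the demo
                .build();
    }

    // What a request at the current fake time would find in the cache.
    static String lookup(Cache<String, Session> cache, String id) {
        Session s = cache.getIfPresent(id); // a hit also restarts the idle timer
        if (s == null) {
            return "miss: session evicted, caller must build one from a fresh token";
        }
        return clock.get() >= s.expiresAtNanos()
                ? "hit: cached token already expired, catalog would answer 401"
                : "hit: cached token still valid";
    }

    // Replays one request every `step` until `total` has elapsed; returns the last lookup.
    static String replay(Duration sessionTimeout, Duration tokenTtl, Duration step, Duration total) {
        clock.set(0);
        Cache<String, Session> cache = newSessionCache(sessionTimeout);
        cache.put("user-1", new Session("constructed-token", tokenTtl.toNanos()));
        String last = "";
        for (long t = step.toNanos(); t <= total.toNanos(); t += step.toNanos()) {
            clock.set(t);
            last = lookup(cache, "user-1");
        }
        return last;
    }
    public static void main(String[] args) {
        Duration tokenTtl = Duration.ofMinutes(15); // constructed token lifetime
        Duration m5 = Duration.ofMinutes(5), m10 = Duration.ofMinutes(10), m20 = Duration.ofMinutes(20);
        System.out.println("1h timeout, one request at 20m:  " + replay(Duration.ofHours(1), tokenTtl, m20, m20));
        System.out.println("10m timeout, one request at 20m: " + replay(m10, tokenTtl, m20, m20));
        System.out.println("10m timeout, request every 5m:   " + replay(m10, tokenTtl, m5, m20));
    }
}
```

Because every hit restarts the idle timer, a timeout below the token lifetime only evicts sessions that sit idle; a session read more often than the timeout stays cached past the token's expiry.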

cla-bot bot commented Feb 26, 2025

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

@github-actions github-actions bot added docs iceberg Iceberg connector labels Feb 26, 2025
Member

@ebyhr ebyhr left a comment

Could you follow our commit message guideline?
https://trino.io/development/process.html#pull-request-and-commit-guidelines-

Also, please submit CLA.

assertThat(expected.credentialOrTokenPresent()).isTrue();
assertThat(expected.scopePresentOnlyWithCredential()).isFalse();
assertThat(expected.isTokenRefreshEnabled()).isFalse();
Member

This assertion is redundant. The following assertFullMapping covers the value.

Author

removed

Author

varpa89 commented Feb 26, 2025

> Could you follow our commit message guideline? https://trino.io/development/process.html#pull-request-and-commit-guidelines-
>
> Also, please submit CLA.

Thank you. Modified the commit message. CLA also submitted, waiting for approval.

…alog

Allow configuring authentication session time-to-live and token refresh
mechanics in RestSessionCatalog. This enables Trino to pass these properties
to RestSessionCatalog instead of using default values.

- `iceberg.rest-catalog.session-timeout` sets the duration for keeping an
  authentication session in cache.
- `iceberg.rest-catalog.oauth2.token-refresh-enabled` controls whether a token
  should be refreshed if its expiration time is available.

Author

varpa89 commented Mar 3, 2025

Hi! How do I know if my CLA was accepted or not?

@mayankvadariya
Contributor

These CLAs are added in batches; you would be able to see your GH handle in https://github.com/trinodb/cla/commits/master/
