Add StorageCredential to ResolvingFileIO

nastra · nastra · commit 7d755811baeb · 2025-04-02T08:11:03.000+02:00
diff --git a/aws/src/main/java/org/apache/iceberg/aws/s3/S3FileIO.java b/aws/src/main/java/org/apache/iceberg/aws/s3/S3FileIO.java
@@ -567,7 +567,8 @@ private boolean recoverObject(ObjectVersion version, String bucket) {
   @Override
   public void setCredentials(List<StorageCredential> credentials) {
     Preconditions.checkArgument(credentials != null, "Invalid storage credentials: null");
-    this.storageCredentials = credentials;
+    // copy credentials into a modifiable collection for Kryo serde
+    this.storageCredentials = Lists.newArrayList(credentials);
   }
 
   @Override
@@ -584,6 +585,6 @@ private Map<String, String> storageCredentialConfig() {
     Preconditions.checkState(
         s3Credentials.size() <= 1, "Invalid S3 Credentials: only one S3 credential should exist");
 
-    return s3Credentials.isEmpty() ? ImmutableMap.of() : s3Credentials.get(0).config();
+    return s3Credentials.isEmpty() ? Map.of() : s3Credentials.get(0).config();
   }
 }
diff --git a/aws/src/test/java/org/apache/iceberg/aws/s3/TestS3FileIO.java b/aws/src/test/java/org/apache/iceberg/aws/s3/TestS3FileIO.java
@@ -459,6 +459,29 @@ public void testS3FileIOWithEmptyPropsKryoSerialization() throws IOException {
     assertThat(roundTripSerializedFileIO.properties()).isEqualTo(testS3FileIO.properties());
   }
 
+  @Test
+  public void fileIOWithStorageCredentialsKryoSerialization() throws IOException {
+    S3FileIO fileIO = new S3FileIO();
+    fileIO.setCredentials(
+        ImmutableList.of(StorageCredential.create("prefix", Map.of("key1", "val1"))));
+    fileIO.initialize(Map.of());
+
+    assertThat(TestHelpers.KryoHelpers.roundTripSerialize(fileIO).credentials())
+        .isEqualTo(fileIO.credentials());
+  }
+
+  @Test
+  public void fileIOWithStorageCredentialsJavaSerialization()
+      throws IOException, ClassNotFoundException {
+    S3FileIO fileIO = new S3FileIO();
+    fileIO.setCredentials(
+        ImmutableList.of(StorageCredential.create("prefix", Map.of("key1", "val1"))));
+    fileIO.initialize(Map.of());
+
+    assertThat(TestHelpers.roundTripSerialize(fileIO).credentials())
+        .isEqualTo(fileIO.credentials());
+  }
+
   @Test
   public void testS3FileIOJavaSerialization() throws IOException, ClassNotFoundException {
     FileIO testS3FileIO = new S3FileIO();
@@ -543,6 +566,55 @@ public void testInputFileWithManifest() throws IOException {
     verify(s3mock, never()).headObject(any(HeadObjectRequest.class));
   }
 
+  @Test
+  public void resolvingFileIOLoadWithStorageCredentials()
+      throws IOException, ClassNotFoundException {
+    StorageCredential credential = StorageCredential.create("prefix", Map.of("key1", "val1"));
+    List<StorageCredential> storageCredentials = ImmutableList.of(credential);
+    ResolvingFileIO resolvingFileIO = new ResolvingFileIO();
+    resolvingFileIO.setCredentials(storageCredentials);
+    resolvingFileIO.initialize(ImmutableMap.of());
+
+    FileIO result =
+        DynMethods.builder("io")
+            .hiddenImpl(ResolvingFileIO.class, String.class)
+            .build(resolvingFileIO)
+            .invoke("s3://foo/bar");
+    assertThat(result)
+        .isInstanceOf(S3FileIO.class)
+        .asInstanceOf(InstanceOfAssertFactories.type(S3FileIO.class))
+        .extracting(S3FileIO::credentials)
+        .isEqualTo(storageCredentials);
+
+    // make sure credentials are still present after kryo serde
+    ResolvingFileIO io = TestHelpers.KryoHelpers.roundTripSerialize(resolvingFileIO);
+    assertThat(io.credentials()).isEqualTo(storageCredentials);
+    result =
+        DynMethods.builder("io")
+            .hiddenImpl(ResolvingFileIO.class, String.class)
+            .build(io)
+            .invoke("s3://foo/bar");
+    assertThat(result)
+        .isInstanceOf(S3FileIO.class)
+        .asInstanceOf(InstanceOfAssertFactories.type(S3FileIO.class))
+        .extracting(S3FileIO::credentials)
+        .isEqualTo(storageCredentials);
+
+    // make sure credentials are still present after java serde
+    io = TestHelpers.roundTripSerialize(resolvingFileIO);
+    assertThat(io.credentials()).isEqualTo(storageCredentials);
+    result =
+        DynMethods.builder("io")
+            .hiddenImpl(ResolvingFileIO.class, String.class)
+            .build(io)
+            .invoke("s3://foo/bar");
+    assertThat(result)
+        .isInstanceOf(S3FileIO.class)
+        .asInstanceOf(InstanceOfAssertFactories.type(S3FileIO.class))
+        .extracting(S3FileIO::credentials)
+        .isEqualTo(storageCredentials);
+  }
+
   @Test
   public void noStorageCredentialConfigured() {
     S3FileIO fileIO = new S3FileIO();
diff --git a/core/src/main/java/org/apache/iceberg/io/ResolvingFileIO.java b/core/src/main/java/org/apache/iceberg/io/ResolvingFileIO.java
@@ -34,6 +34,7 @@
 import org.apache.iceberg.relocated.com.google.common.annotations.VisibleForTesting;
 import org.apache.iceberg.relocated.com.google.common.base.Joiner;
 import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
+import org.apache.iceberg.relocated.com.google.common.collect.ImmutableList;
 import org.apache.iceberg.relocated.com.google.common.collect.ImmutableMap;
 import org.apache.iceberg.relocated.com.google.common.collect.Iterators;
 import org.apache.iceberg.relocated.com.google.common.collect.Lists;
@@ -48,7 +49,8 @@
  * Delegate FileIO implementations must implement the {@link DelegateFileIO} mixin interface,
  * otherwise initialization will fail.
  */
-public class ResolvingFileIO implements HadoopConfigurable, DelegateFileIO {
+public class ResolvingFileIO
+    implements HadoopConfigurable, DelegateFileIO, SupportsStorageCredentials {
   private static final Logger LOG = LoggerFactory.getLogger(ResolvingFileIO.class);
   private static final int BATCH_SIZE = 100_000;
   private static final String FALLBACK_IMPL = "org.apache.iceberg.hadoop.HadoopFileIO";
@@ -71,6 +73,7 @@ public class ResolvingFileIO implements HadoopConfigurable, DelegateFileIO {
   private final transient StackTraceElement[] createStack;
   private SerializableMap<String, String> properties;
   private SerializableSupplier<Configuration> hadoopConf;
+  private List<StorageCredential> storageCredentials = List.of();
 
   /**
    * No-arg constructor to load the FileIO dynamically.
@@ -172,6 +175,11 @@ DelegateFileIO io(String location) {
         }
       }
 
+      if (io instanceof SupportsStorageCredentials
+          && !((SupportsStorageCredentials) io).credentials().equals(storageCredentials)) {
+        ((SupportsStorageCredentials) io).setCredentials(storageCredentials);
+      }
+
       return io;
     }
 
@@ -186,7 +194,7 @@ DelegateFileIO io(String location) {
             // ResolvingFileIO is keeping track of the creation stacktrace, so no need to do the
             // same in S3FileIO.
             props.put("init-creation-stacktrace", "false");
-            fileIO = CatalogUtil.loadFileIO(key, props, conf);
+            fileIO = CatalogUtil.loadFileIO(key, props, conf, storageCredentials);
           } catch (IllegalArgumentException e) {
             if (key.equals(FALLBACK_IMPL)) {
               // no implementation to fall back to, throw the exception
@@ -199,7 +207,8 @@ DelegateFileIO io(String location) {
                   FALLBACK_IMPL,
                   e);
               try {
-                fileIO = CatalogUtil.loadFileIO(FALLBACK_IMPL, properties, conf);
+                fileIO =
+                    CatalogUtil.loadFileIO(FALLBACK_IMPL, properties, conf, storageCredentials);
               } catch (IllegalArgumentException suppressed) {
                 LOG.warn(
                     "Failed to load FileIO implementation: {} (fallback)",
@@ -268,4 +277,16 @@ public Iterable<FileInfo> listPrefix(String prefix) {
   public void deletePrefix(String prefix) {
     io(prefix).deletePrefix(prefix);
   }
+
+  @Override
+  public void setCredentials(List<StorageCredential> credentials) {
+    Preconditions.checkArgument(credentials != null, "Invalid storage credentials: null");
+    // copy credentials into a modifiable collection for Kryo serde
+    this.storageCredentials = Lists.newArrayList(credentials);
+  }
+
+  @Override
+  public List<StorageCredential> credentials() {
+    return ImmutableList.copyOf(storageCredentials);
+  }
 }
diff --git a/core/src/main/java/org/apache/iceberg/io/StorageCredential.java b/core/src/main/java/org/apache/iceberg/io/StorageCredential.java
@@ -18,12 +18,14 @@
  */
 package org.apache.iceberg.io;
 
+import java.io.Serializable;
 import java.util.Map;
 import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
 import org.immutables.value.Value;
 
 @Value.Immutable
-public interface StorageCredential {
+public interface StorageCredential extends Serializable {
+
   String prefix();
 
   Map<String, String> config();
@@ -33,4 +35,8 @@ default void validate() {
     Preconditions.checkArgument(!prefix().isEmpty(), "Invalid prefix: must be non-empty");
     Preconditions.checkArgument(!config().isEmpty(), "Invalid config: must be non-empty");
   }
+
+  static StorageCredential create(String prefix, Map<String, String> config) {
+    return ImmutableStorageCredential.builder().prefix(prefix).config(config).build();
+  }
 }
diff --git a/core/src/main/java/org/apache/iceberg/io/SupportsStorageCredentials.java b/core/src/main/java/org/apache/iceberg/io/SupportsStorageCredentials.java
@@ -20,6 +20,10 @@
 
 import java.util.List;
 
+/**
+ * This interface is intended as an extension for {@link FileIO} implementations to be able to
+ * provide and retrieve storage credentials
+ */
 public interface SupportsStorageCredentials {
 
   void setCredentials(List<StorageCredential> credentials);
diff --git a/core/src/main/java/org/apache/iceberg/rest/RESTSessionCatalog.java b/core/src/main/java/org/apache/iceberg/rest/RESTSessionCatalog.java
@@ -55,7 +55,6 @@
 import org.apache.iceberg.io.CloseableGroup;
 import org.apache.iceberg.io.FileIO;
 import org.apache.iceberg.io.FileIOTracker;
-import org.apache.iceberg.io.ImmutableStorageCredential;
 import org.apache.iceberg.io.StorageCredential;
 import org.apache.iceberg.metrics.MetricsReporter;
 import org.apache.iceberg.metrics.MetricsReporters;
@@ -975,16 +974,13 @@ private FileIO newFileIO(
       return ioBuilder.apply(context, properties);
     } else {
       String ioImpl = properties.getOrDefault(CatalogProperties.FILE_IO_IMPL, DEFAULT_FILE_IO_IMPL);
-      List<StorageCredential> credentials =
+      return CatalogUtil.loadFileIO(
+          ioImpl,
+          properties,
+          conf,
           storageCredentials.stream()
-              .map(
-                  c ->
-                      ImmutableStorageCredential.builder()
-                          .prefix(c.prefix())
-                          .config(c.config())
-                          .build())
-              .collect(Collectors.toList());
-      return CatalogUtil.loadFileIO(ioImpl, properties, conf, credentials);
+              .map(c -> StorageCredential.create(c.prefix(), c.config()))
+              .collect(Collectors.toList()));
     }
   }
 
diff --git a/core/src/test/java/org/apache/iceberg/TestCatalogUtil.java b/core/src/test/java/org/apache/iceberg/TestCatalogUtil.java
@@ -30,14 +30,12 @@
 import org.apache.iceberg.catalog.TableIdentifier;
 import org.apache.iceberg.hadoop.HadoopFileIO;
 import org.apache.iceberg.io.FileIO;
-import org.apache.iceberg.io.ImmutableStorageCredential;
 import org.apache.iceberg.io.InputFile;
 import org.apache.iceberg.io.OutputFile;
 import org.apache.iceberg.io.StorageCredential;
 import org.apache.iceberg.io.SupportsStorageCredentials;
 import org.apache.iceberg.metrics.MetricsReport;
 import org.apache.iceberg.metrics.MetricsReporter;
-import org.apache.iceberg.relocated.com.google.common.collect.ImmutableList;
 import org.apache.iceberg.relocated.com.google.common.collect.ImmutableMap;
 import org.apache.iceberg.relocated.com.google.common.collect.Maps;
 import org.junit.jupiter.api.Test;
@@ -164,26 +162,21 @@ public void loadCustomFileIO_configurable() {
   @Test
   public void loadCustomFileIOSupportingStorageCredentials() {
     StorageCredential gcsCredential =
-        ImmutableStorageCredential.builder()
-            .prefix("gs://custom-uri")
-            .config(
-                ImmutableMap.of(
-                    "gcs.oauth2.token", "gcsToken", "gcs.oauth2.token-expires-at", "1000"))
-            .build();
+        StorageCredential.create(
+            "gs://custom-uri",
+            Map.of("gcs.oauth2.token", "gcsToken", "gcs.oauth2.token-expires-at", "1000"));
     StorageCredential s3Credential =
-        ImmutableStorageCredential.builder()
-            .prefix("s3://custom-uri")
-            .config(
-                ImmutableMap.of(
-                    "s3.access-key-id",
-                    "keyId",
-                    "s3.secret-access-key",
-                    "accessKey",
-                    "s3.session-token",
-                    "sessionToken"))
-            .build();
-
-    List<StorageCredential> storageCredentials = ImmutableList.of(gcsCredential, s3Credential);
+        StorageCredential.create(
+            "s3://custom-uri",
+            Map.of(
+                "s3.access-key-id",
+                "keyId",
+                "s3.secret-access-key",
+                "accessKey",
+                "s3.session-token",
+                "sessionToken"));
+
+    List<StorageCredential> storageCredentials = List.of(gcsCredential, s3Credential);
     FileIO fileIO =
         CatalogUtil.loadFileIO(
             TestFileIOWithStorageCredentials.class.getName(),
diff --git a/core/src/test/java/org/apache/iceberg/io/TestResolvingIO.java b/core/src/test/java/org/apache/iceberg/io/TestResolvingIO.java
@@ -29,14 +29,17 @@
 
 import java.io.IOException;
 import java.util.List;
+import java.util.Map;
 import java.util.UUID;
 import java.util.stream.Collectors;
 import java.util.stream.IntStream;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
+import org.apache.iceberg.CatalogUtil;
 import org.apache.iceberg.TestHelpers;
 import org.apache.iceberg.hadoop.HadoopFileIO;
+import org.apache.iceberg.relocated.com.google.common.collect.ImmutableList;
 import org.apache.iceberg.relocated.com.google.common.collect.ImmutableMap;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.io.TempDir;
@@ -182,4 +185,39 @@ public void delegateFileIOWithAndWithoutMixins() {
     // being null is ok here as long as the code doesn't throw an exception
     assertThat(resolvingFileIO.newInputFile("/file")).isNull();
   }
+
+  @Test
+  public void resolvingFileIOWithStorageCredentialsKryoSerialization() throws IOException {
+    StorageCredential credential = StorageCredential.create("prefix", Map.of("key1", "val1"));
+    List<StorageCredential> storageCredentials = ImmutableList.of(credential);
+    ResolvingFileIO resolvingFileIO =
+        (ResolvingFileIO)
+            CatalogUtil.loadFileIO(
+                ResolvingFileIO.class.getName(),
+                ImmutableMap.of(),
+                new Configuration(),
+                storageCredentials);
+
+    assertThat(TestHelpers.KryoHelpers.roundTripSerialize(resolvingFileIO).credentials())
+        .isEqualTo(storageCredentials)
+        .isEqualTo(resolvingFileIO.credentials());
+  }
+
+  @Test
+  public void resolvingFileIOWithStorageCredentialsJavaSerialization()
+      throws IOException, ClassNotFoundException {
+    StorageCredential credential = StorageCredential.create("prefix", Map.of("key1", "val1"));
+    List<StorageCredential> storageCredentials = ImmutableList.of(credential);
+    ResolvingFileIO resolvingFileIO =
+        (ResolvingFileIO)
+            CatalogUtil.loadFileIO(
+                ResolvingFileIO.class.getName(),
+                ImmutableMap.of(),
+                new Configuration(),
+                storageCredentials);
+
+    assertThat(TestHelpers.roundTripSerialize(resolvingFileIO).credentials())
+        .isEqualTo(storageCredentials)
+        .isEqualTo(resolvingFileIO.credentials());
+  }
 }
diff --git a/core/src/test/java/org/apache/iceberg/io/TestStorageCredential.java b/core/src/test/java/org/apache/iceberg/io/TestStorageCredential.java
diff --git a/gcp/src/main/java/org/apache/iceberg/gcp/gcs/GCSFileIO.java b/gcp/src/main/java/org/apache/iceberg/gcp/gcs/GCSFileIO.java
diff --git a/gcp/src/test/java/org/apache/iceberg/gcp/gcs/GCSFileIOTest.java b/gcp/src/test/java/org/apache/iceberg/gcp/gcs/GCSFileIOTest.java

Original file line number	Diff line number	Diff line change
`@@ -567,7 +567,8 @@ private boolean recoverObject(ObjectVersion version, String bucket) {`
`567`	`567`	`@Override`
`568`	`568`	`public void setCredentials(List<StorageCredential> credentials) {`
`569`	`569`	`Preconditions.checkArgument(credentials != null, "Invalid storage credentials: null");`
`570`		`- this.storageCredentials = credentials;`
	`570`	`+ // copy credentials into a modifiable collection for Kryo serde`
	`571`	`+ this.storageCredentials = Lists.newArrayList(credentials);`
`571`	`572`	`}`
`572`	`573`
`573`	`574`	`@Override`
`@@ -584,6 +585,6 @@ private Map<String, String> storageCredentialConfig() {`
`584`	`585`	`Preconditions.checkState(`
`585`	`586`	`s3Credentials.size() <= 1, "Invalid S3 Credentials: only one S3 credential should exist");`
`586`	`587`
`587`		`- return s3Credentials.isEmpty() ? ImmutableMap.of() : s3Credentials.get(0).config();`
	`588`	`+ return s3Credentials.isEmpty() ? Map.of() : s3Credentials.get(0).config();`
`588`	`589`	`}`
`589`	`590`	`}`