Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AWS: Fix Catalog URI within VendedCredentialsProvider #12612

Merged
merged 19 commits into from
Apr 1, 2025
+76 −45
Merged

AWS: Fix Catalog URI within VendedCredentialsProvider #12612

Show file tree
Hide file tree
Changes from 8 commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
b240283
correct URI in VendedCredentialsProvider
Mar 21, 2025
589d1a8
fix uri within VendedCredentialsProvider
Mar 22, 2025
065c331
spotless
Mar 22, 2025
240e607
pass in all properties and resolve endpoint in vended credentials
Mar 26, 2025
63e8c63
spotless
Mar 26, 2025
7e1fece
modify tests
Mar 26, 2025
050fd91
add missing condition check
Mar 27, 2025
6a86de7
add checks in invalidOrMissingUrl
Mar 27, 2025
5fa5ea9
add catalog uri check
Mar 28, 2025
2b72dd0
Merge branch 'main' into vended-credentials-provider-uri
Mar 28, 2025
b9e2fb5
spotless
Mar 28, 2025
4deddbd
fix tests
Mar 28, 2025
9b16f2d
spotless
Mar 28, 2025
e6be4c4
remove restutil resolve endpoint
Mar 28, 2025
f0804eb
fix catalog uri errors in aws client properties test
Apr 1, 2025
ee6929b
fix tests
Apr 1, 2025
28f218b
fix endpoint tests
Apr 1, 2025
1ddd6f2
Apply suggestions from code review
nastra Apr 1, 2025
ab59591
Update AwsClientPropertiesTest.java
nastra Apr 1, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 1 addition & 6 deletions aws/src/main/java/org/apache/iceberg/aws/AwsClientProperties.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,15 +20,13 @@

import java.io.Serializable;
import java.util.Map;
import java.util.Optional;
import org.apache.iceberg.CatalogProperties;
import org.apache.iceberg.aws.s3.VendedCredentialsProvider;
import org.apache.iceberg.common.DynClasses;
import org.apache.iceberg.common.DynMethods;
import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
import org.apache.iceberg.relocated.com.google.common.base.Strings;
import org.apache.iceberg.rest.RESTUtil;
import org.apache.iceberg.rest.auth.OAuth2Properties;
import org.apache.iceberg.util.PropertyUtil;
import org.apache.iceberg.util.SerializableMap;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
Expand Down Expand Up @@ -198,12 +196,9 @@ public <T extends S3CrtAsyncClientBuilder> void applyClientCredentialConfigurati
public AwsCredentialsProvider credentialsProvider(
String accessKeyId, String secretAccessKey, String sessionToken) {
if (refreshCredentialsEnabled && !Strings.isNullOrEmpty(refreshCredentialsEndpoint)) {
clientCredentialsProviderProperties.putAll(allProperties);
clientCredentialsProviderProperties.put(
VendedCredentialsProvider.URI, refreshCredentialsEndpoint);
Optional.ofNullable(allProperties.get(OAuth2Properties.TOKEN))
.ifPresent(
token ->
clientCredentialsProviderProperties.putIfAbsent(OAuth2Properties.TOKEN, token));
return credentialsProvider(VendedCredentialsProvider.class.getName());
}

Expand Down
14 changes: 11 additions & 3 deletions aws/src/main/java/org/apache/iceberg/aws/s3/VendedCredentialsProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,11 +24,13 @@
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import org.apache.iceberg.CatalogProperties;
import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
import org.apache.iceberg.relocated.com.google.common.base.Strings;
import org.apache.iceberg.rest.ErrorHandlers;
import org.apache.iceberg.rest.HTTPClient;
import org.apache.iceberg.rest.RESTClient;
import org.apache.iceberg.rest.RESTUtil;
import org.apache.iceberg.rest.auth.AuthManager;
import org.apache.iceberg.rest.auth.AuthManagers;
import org.apache.iceberg.rest.auth.AuthSession;
Expand All @@ -47,17 +49,23 @@ public class VendedCredentialsProvider implements AwsCredentialsProvider, SdkAut
private volatile HTTPClient client;
private final Map<String, String> properties;
private final CachedSupplier<AwsCredentials> credentialCache;
private final String catalogEndpoint;
private final String credentialsEndpoint;
private AuthManager authManager;
private AuthSession authSession;

private VendedCredentialsProvider(Map<String, String> properties) {
Preconditions.checkArgument(null != properties, "Invalid properties: null");
Preconditions.checkArgument(null != properties.get(URI), "Invalid URI: null");
Preconditions.checkArgument(null != properties.get(URI), "Invalid credentials endpoint: null");
Preconditions.checkArgument(
null != properties.get(CatalogProperties.URI), "Invalid catalog endpoint: null");
this.properties = properties;
this.credentialCache =
CachedSupplier.builder(() -> credentialFromProperties().orElseGet(this::refreshCredential))
.cachedValueName(VendedCredentialsProvider.class.getName())
.build();
this.catalogEndpoint = properties.get(CatalogProperties.URI);
Copy link
Contributor

@nastra nastra Mar 27, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you please update Preconditions.checkArgument(null != properties.get(URI), "Invalid URI: null"); to Preconditions.checkArgument(null != properties.get(URI), "Invalid credentials endpoint: null"); and also add Preconditions.checkArgument(null != properties.get(CatalogProperties.URI), "Invalid catalog endpoint: null");.

Please also update invalidOrMissingUri() and add a check where the catalog URI isn't provided

this.credentialsEndpoint = RESTUtil.resolveEndpoint(catalogEndpoint, properties.get(URI));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is already being done in AwsClientProperties, so it should only do this.credentialsEndpoint = properties.get(URI)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is corrected.

}

@Override
Expand All @@ -82,7 +90,7 @@ private RESTClient httpClient() {
synchronized (this) {
if (null == client) {
authManager = AuthManagers.loadAuthManager("s3-credentials-refresh", properties);
HTTPClient httpClient = HTTPClient.builder(properties).uri(properties.get(URI)).build();
HTTPClient httpClient = HTTPClient.builder(properties).uri(catalogEndpoint).build();
authSession = authManager.catalogSession(httpClient, properties);
client = httpClient.withAuthSession(authSession);
}
Expand All @@ -95,7 +103,7 @@ private RESTClient httpClient() {
private LoadCredentialsResponse fetchCredentials() {
return httpClient()
.get(
properties.get(URI),
credentialsEndpoint,
null,
LoadCredentialsResponse.class,
Map.of(),
Expand Down
40 changes: 23 additions & 17 deletions aws/src/test/java/org/apache/iceberg/aws/s3/TestVendedCredentialsProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@

import java.time.Instant;
import java.time.temporal.ChronoUnit;
import org.apache.iceberg.CatalogProperties;
import org.apache.iceberg.exceptions.RESTException;
import org.apache.iceberg.relocated.com.google.common.collect.ImmutableMap;
import org.apache.iceberg.rest.HttpMethod;
Expand All @@ -48,7 +49,12 @@
public class TestVendedCredentialsProvider {

private static final int PORT = 3232;
private static final String URI = String.format("http://127.0.0.1:%d/v1/credentials", PORT);
private static final String CREDENTIALS_URI =
String.format("http://127.0.0.1:%d/v1/credentials", PORT);
Copy link
Contributor

@danielcweeks danielcweeks Mar 27, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Technically you can point to any URI, but I think we need to include a test pointing to a path consistent with the spec (e.g. /v1/{prefix}/namespaces/{namespace}/tables/{table}/credentials) and we should test both absolute and relative (which I believe this change will address as well.)

private static final String CATALOG_URI = String.format("http://127.0.0.1:%d/v1", PORT);
private static final ImmutableMap<String, String> PROPERTIES =
ImmutableMap.of(
VendedCredentialsProvider.URI, CREDENTIALS_URI, CatalogProperties.URI, CATALOG_URI);
private static ClientAndServer mockServer;

@BeforeAll
Expand All @@ -73,7 +79,13 @@ public void invalidOrMissingUri() {
.hasMessage("Invalid properties: null");
assertThatThrownBy(() -> VendedCredentialsProvider.create(ImmutableMap.of()))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("Invalid URI: null");
.hasMessage("Invalid credentials URI: null");
assertThatThrownBy(
() ->
VendedCredentialsProvider.create(
ImmutableMap.of("credentials.uri", "/credentials/uri")))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("Invalid catalog endpoint: null");

try (VendedCredentialsProvider provider =
VendedCredentialsProvider.create(
Expand All @@ -95,8 +107,7 @@ public void noS3Credentials() {
.withStatusCode(200);
mockServer.when(mockRequest).respond(mockResponse);

try (VendedCredentialsProvider provider =
VendedCredentialsProvider.create(ImmutableMap.of(VendedCredentialsProvider.URI, URI))) {
try (VendedCredentialsProvider provider = VendedCredentialsProvider.create(PROPERTIES)) {
assertThatThrownBy(provider::resolveCredentials)
.isInstanceOf(IllegalStateException.class)
.hasMessage("Invalid S3 Credentials: empty");
Expand Down Expand Up @@ -124,8 +135,7 @@ public void accessKeyIdAndSecretAccessKeyWithoutToken() {
response(LoadCredentialsResponseParser.toJson(response)).withStatusCode(200);
mockServer.when(mockRequest).respond(mockResponse);

try (VendedCredentialsProvider provider =
VendedCredentialsProvider.create(ImmutableMap.of(VendedCredentialsProvider.URI, URI))) {
try (VendedCredentialsProvider provider = VendedCredentialsProvider.create(PROPERTIES)) {
assertThatThrownBy(provider::resolveCredentials)
.isInstanceOf(IllegalStateException.class)
.hasMessage("Invalid S3 Credentials: s3.session-token not set");
Expand Down Expand Up @@ -155,8 +165,7 @@ public void expirationNotSet() {
response(LoadCredentialsResponseParser.toJson(response)).withStatusCode(200);
mockServer.when(mockRequest).respond(mockResponse);

try (VendedCredentialsProvider provider =
VendedCredentialsProvider.create(ImmutableMap.of(VendedCredentialsProvider.URI, URI))) {
try (VendedCredentialsProvider provider = VendedCredentialsProvider.create(PROPERTIES)) {
assertThatThrownBy(provider::resolveCredentials)
.isInstanceOf(IllegalStateException.class)
.hasMessage("Invalid S3 Credentials: s3.session-token-expires-at-ms not set");
Expand Down Expand Up @@ -187,8 +196,7 @@ public void nonExpiredToken() {
response(LoadCredentialsResponseParser.toJson(response)).withStatusCode(200);
mockServer.when(mockRequest).respond(mockResponse);

try (VendedCredentialsProvider provider =
VendedCredentialsProvider.create(ImmutableMap.of(VendedCredentialsProvider.URI, URI))) {
try (VendedCredentialsProvider provider = VendedCredentialsProvider.create(PROPERTIES)) {
AwsCredentials awsCredentials = provider.resolveCredentials();

verifyCredentials(awsCredentials, credential);
Expand Down Expand Up @@ -226,8 +234,7 @@ public void expiredToken() {
response(LoadCredentialsResponseParser.toJson(response)).withStatusCode(200);
mockServer.when(mockRequest).respond(mockResponse);

try (VendedCredentialsProvider provider =
VendedCredentialsProvider.create(ImmutableMap.of(VendedCredentialsProvider.URI, URI))) {
try (VendedCredentialsProvider provider = VendedCredentialsProvider.create(PROPERTIES)) {
AwsCredentials awsCredentials = provider.resolveCredentials();
verifyCredentials(awsCredentials, credential);

Expand Down Expand Up @@ -294,8 +301,7 @@ public void multipleS3Credentials() {
response(LoadCredentialsResponseParser.toJson(response)).withStatusCode(200);
mockServer.when(mockRequest).respond(mockResponse);

try (VendedCredentialsProvider provider =
VendedCredentialsProvider.create(ImmutableMap.of(VendedCredentialsProvider.URI, URI))) {
try (VendedCredentialsProvider provider = VendedCredentialsProvider.create(PROPERTIES)) {
assertThatThrownBy(provider::resolveCredentials)
.isInstanceOf(IllegalStateException.class)
.hasMessage("Invalid S3 Credentials: only one S3 credential should exist");
Expand Down Expand Up @@ -346,7 +352,7 @@ public void nonExpiredTokenInProperties() {
VendedCredentialsProvider.create(
ImmutableMap.of(
VendedCredentialsProvider.URI,
URI,
CREDENTIALS_URI,
S3FileIOProperties.ACCESS_KEY_ID,
"randomAccessKeyFromProperties",
S3FileIOProperties.SECRET_ACCESS_KEY,
Expand Down Expand Up @@ -398,7 +404,7 @@ public void expiredTokenInProperties() {
VendedCredentialsProvider.create(
ImmutableMap.of(
VendedCredentialsProvider.URI,
URI,
CREDENTIALS_URI,
S3FileIOProperties.ACCESS_KEY_ID,
"randomAccessKeyFromProperties",
S3FileIOProperties.SECRET_ACCESS_KEY,
Expand Down Expand Up @@ -451,7 +457,7 @@ public void invalidTokenInProperties() {
VendedCredentialsProvider.create(
ImmutableMap.of(
VendedCredentialsProvider.URI,
URI,
CREDENTIALS_URI,
S3FileIOProperties.ACCESS_KEY_ID,
"randomAccessKeyFromProperties",
S3FileIOProperties.SECRET_ACCESS_KEY,
Expand Down