Core: ability to create REST catalog with external AuthManager #12655
Conversation
|
@adutra Thanks a lot for putting on this PR! Yes, have a way to inject the AuthManager would be very useful for Polaris Spark client. Polaris provides native support for Iceberg APIs, and it also provides set of APIs that is owned by Polaris. The Spark plugin provided will help Spark talk to Polaris service for both Iceberg APIs and Polaris specific APIs, and we want to be able to use the same RESTClient and Authentication to talk to all those endpoints. In that way, it could help us to save the extra token refresh overhead and maximize the reuse at client side. This PR helps providing a way to inject a authManager, which could be helpful for us to reuse the authentication across all endpoints. @nastra I am wondering what do you think about this ? |
|
setting a custom auth manager impl should already be possible today by providing |
|
It's not a custom vs built-in problem, it's a shared vs non-shared problem. Consider this hypothetical example: let's suppose we have a custom manager that authenticates using OAuth, Okta and the Authorization Code flow. This means that the user will be redirected to their browser for login before being able to use the catalog. If this is happening in a Spark or Trino session, chances are that Spark/Trino will need a token, and the catalog will also need a token. Without the ability to share the same auth manager, the user would be asked to login twice: once for Spark/Trino, once for the RESTCatalog. |
|
@adutra can you please update the description to indicate what changes are proposed and how this is intended to be used. The scenario isn't entirely clear for the Polaris case or what exactly Trino is running into. The comment you linked even states:
|
I am proposing this change because It seems that it would benefit Trino devs (see #12363 (comment)), and I just received yet another request for this feature, this time coming from Apache Polaris devs.