Allow OAuth2 authenticated user tokens to be used with Iceberg REST catalogs#29758
Open
louis-pie wants to merge 1 commit into
Conversation
Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla
Force-pushed 7e98272 to b3ad793
Duplicated with #29538
Force-pushed b3ad793 to 666d29e
Force-pushed 666d29e to 4756b3c
Force-pushed 4756b3c to 7d10652
Store the authenticated access token under a tamper-proof internal$authenticated: extra credential key. Iceberg REST catalogs with session=USER and security=OAUTH2 use the authenticated `token` or `credential` for per-user REST catalog requests. Cache a RESTSessionCatalog per user with JWT exp-based TTL. Strip internal credentials from worker task updates. Reject client-submitted internal$ credentials at the coordinator.
Force-pushed 7d10652 to 5432c5a
Allow OAuth2 authenticated user tokens to be used with Iceberg REST catalogs.
Description
This change adds one optional Trino OAuth2 setting:
When set, the OAuth2 authenticator stores the authenticated access token in `Identity.extraCredentials` under both the configured name and a tamper-proof `internal$authenticated:<name>` key. The Iceberg REST connector reads only the authenticated key, preventing clients from spoofing OAuth2 session credentials.
Iceberg REST catalogs configured with:
use the authenticated session extra credential named `token` (for direct forwarding) or `credential` (for token exchange) when static catalog OAuth2 credentials are not configured.
Security model
`ExtraCredentials`: formalizes the `internal$` prefix convention for server-placed credentials. Clients submitting `internal$`-prefixed extra credentials are rejected at the coordinator. `internal$`-prefixed credentials are filtered from `TaskUpdateRequest` so they never leave the coordinator.
When `session=USER`, the factory caches a `RESTSessionCatalog` per distinct set of authenticated credentials. Cache entries expire based on the JWT `exp` claim (parsed with lightweight base64/string matching — no jjwt dependency) or fall back to the configurable `iceberg.rest-catalog.session-timeout`. The cache is bounded to 1000 entries with expired-entry eviction.
Two supported authorization patterns
`access-token-extra-credential-name=token`.
`access-token-extra-credential-name=credential`.
Not a breaking change
The new coordinator setting is unset by default. Existing OAuth2 authentication and Iceberg REST catalog configurations behave as before. Static `iceberg.rest-catalog.oauth2.token` and `iceberg.rest-catalog.oauth2.credential` values continue to take precedence over session credentials.
Module-level validation
`session=USER` requires `security=OAUTH2` (rejects at startup otherwise).
`security=OAUTH2` without `session=USER` requires a static `credential` or `token` (previously failed at query time with an opaque Iceberg error).
Additional context and related issues
Trino stores and forwards the authenticated access token. It does not perform token exchange itself — that responsibility belongs to the Iceberg REST OAuth2 client and the catalog's authorization server.
The `SIGV4` and `GOOGLE` security modes are unaffected; they use the existing no-op security properties provider.
Release notes
( ) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
(x) Release notes are required, with the following suggested text:
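As an added illustration, not Trino's code and not part of this PR, the following self-contained Java model shows the three security invariants the description relies on: a client cannot submit an `internal$` key, the connector reads only the `internal$authenticated:<name>` key, and `internal$` entries are stripped before a task update reaches a worker, plus the library-free `exp` parse used to pick a cache TTL. The class `InternalCredentialsModel`, its method names, and the unsigned sample JWT built in `main` are assumptions of the example; only the two prefixes come from the description above.

```java
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical model of the internal$ extra-credential convention; not Trino's ExtraCredentials class.
public final class InternalCredentialsModel
{
    // Reserved prefix: keys under it may only be placed by the coordinator, never by a client.
    static final String INTERNAL_PREFIX = "internal$";
    static final String AUTHENTICATED_PREFIX = INTERNAL_PREFIX + "authenticated:";

    static boolean isInternal(String key)
    {
        return key.startsWith(INTERNAL_PREFIX);
    }

    // Coordinator entry point: refuse any client-submitted internal$ key, so a client can never
    // pre-seed the key the connector trusts.
    static void rejectClientInternalCredentials(Map<String, String> clientExtraCredentials)
    {
        for (String key : clientExtraCredentials.keySet()) {
            if (isInternal(key)) {
                throw new IllegalArgumentException("Reserved extra credential name: " + key);
            }
        }
    }

    // Server-side placement after the authenticator has validated the token: stored under the
    // configured name and under the tamper-proof authenticated key.
    static Map<String, String> placeAuthenticatedToken(Map<String, String> credentials, String name, String accessToken)
    {
        Map<String, String> result = new HashMap<>(credentials);
        result.put(name, accessToken);
        result.put(AUTHENTICATED_PREFIX + name, accessToken);
        return result;
    }

    // Connector side: read only the authenticated key; a same-named client value is ignored.
    static Optional<String> authenticatedCredential(Map<String, String> credentials, String name)
    {
        return Optional.ofNullable(credentials.get(AUTHENTICATED_PREFIX + name));
    }

    // Before a task update leaves the coordinator, drop every internal$ entry.
    static Map<String, String> forWorkerTaskUpdate(Map<String, String> credentials)
    {
        Map<String, String> result = new HashMap<>();
        credentials.forEach((key, value) -> {
            if (!isInternal(key)) {
                result.put(key, value);
            }
        });
        return result;
    }

    // Lightweight exp extraction: split the compact JWS, base64url-decode the payload, match the claim.
    // No signature check here; safe only because the authenticator already validated the token and
    // this value merely bounds a cache TTL, it never grants access.
    private static final Pattern EXP_CLAIM = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    static Optional<Instant> jwtExpiration(String token)
    {
        String[] parts = token.split("\\.");
        if (parts.length != 3) {
            return Optional.empty(); // opaque (non-JWT) access token
        }
        try {
            String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
            Matcher matcher = EXP_CLAIM.matcher(payload);
            return matcher.find() ? Optional.of(Instant.ofEpochSecond(Long.parseLong(matcher.group(1)))) : Optional.empty();
        }
        catch (IllegalArgumentException e) {
            return Optional.empty(); // malformed base64url: treat as opaque
        }
    }

    // Cache entry expiry: the token's own exp when present, else the configured session timeout.
    static Instant cacheExpiry(String token, Instant now, Duration sessionTimeout)
    {
        return jwtExpiration(token).orElse(now.plus(sessionTimeout));
    }

    public static void main(String[] args)
    {
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        // Constructed unsigned sample token (alg=none, dummy signature segment) with exp = 2000000000.
        String jwt = b64.encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8)) + "."
                + b64.encodeToString("{\"sub\":\"alice\",\"exp\":2000000000}".getBytes(StandardCharsets.UTF_8)) + ".sig";

        try {
            rejectClientInternalCredentials(Map.of(AUTHENTICATED_PREFIX + "token", "attacker-token"));
        }
        catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        Map<String, String> creds = placeAuthenticatedToken(Map.of("token", "client-supplied"), "token", jwt);
        System.out.println("connector uses server token: " + jwt.equals(authenticatedCredential(creds, "token").orElse("")));
        System.out.println("keys sent to worker: " + forWorkerTaskUpdate(creds).keySet());

        Instant now = Instant.ofEpochSecond(1_900_000_000L);
        System.out.println("jwt cache expiry: " + cacheExpiry(jwt, now, Duration.ofHours(1)));
        System.out.println("opaque cache expiry: " + cacheExpiry("opaque-token", now, Duration.ofHours(1)));
    }
}
```

Run it with `java InternalCredentialsModel.java` (single-file source launch, Java 11 or later). The `exp` parse deliberately skips signature verification; that is acceptable only because it runs on a token the authenticator has already validated and its result only shortens a cache lifetime. The same parse must never be used as an authorization decision on an unverified token.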