Auth Manager API part 3: OAuth2 Manager#11844
Conversation
adutra
force-pushed
the
auth-manager-3
branch
2 times, most recently
from
6c3453c to
e502b8b
Compare
adutra
force-pushed
the
auth-manager-3
branch
from
e502b8b to
b88d99d
Compare
| impl = AuthProperties.AUTH_MANAGER_IMPL_OAUTH2; | ||
| break; | ||
| default: | ||
| impl = authType; |
There was a problem hiding this comment.
can we also define something like AUTH_IMPL = "rest.auth.type"; that could be used here for any custom auth manager/provider we want to bring in?
There was a problem hiding this comment.
That's precisely the intent here; if you have a custom manager, you would activate it with rest.auth.type=my.custom.AuthManager. Is that OK for you?
There was a problem hiding this comment.
Yes that works! I wasn't sure whether you were planning on having authType for as a name of the type
There was a problem hiding this comment.
There will be aliases for built-in managers, e.g. you can activate the built-in oauth2 manager with either:
rest.auth.type = oauth2
rest.auth.type = org.apache.iceberg.rest.auth.OAuth2Manager
But for custom ones, you must provide the FQDN of your implementation.
| * @param executor the executor to use for eviction tasks; if null, the cache will use the | ||
| * {@linkplain ForkJoinPool#commonPool() common pool}. The executor will not be closed when | ||
| * this cache is closed. | ||
| * @param nanoTimeSupplier the supplier for nano time; if null, the cache will use {@link |
There was a problem hiding this comment.
Is there a reason we would need to expose this?
There was a problem hiding this comment.
No, not really, I can turn this constructor into package-private. It's meant only for tests.
core/src/main/java/org/apache/iceberg/rest/auth/AuthConfig.java
Outdated
Show resolved
Hide resolved
core/src/main/java/org/apache/iceberg/rest/auth/RefreshingAuthManager.java
Show resolved
Hide resolved
core/src/test/java/org/apache/iceberg/rest/auth/TestAuthSessionCache.java
Outdated
Show resolved
Hide resolved
| * @param sessionTimeout the session timeout. Sessions will become eligible for eviction after | ||
| * this duration of inactivity. | ||
| */ | ||
| public AuthSessionCache(Duration sessionTimeout) { |
There was a problem hiding this comment.
It looks like we should also make this package private. The other issue is that we shouldn't be using the common pool by default. This should probably be provided by the OAuth2Manager or if we expect there to be only one per manager, then just create a named pool for handling refreshes. We definitely don't want to rely on or possibly tie up the common pool.
There was a problem hiding this comment.
@danielcweeks we are already using the common pool. The session cache currently is created as follows:
iceberg/core/src/main/java/org/apache/iceberg/rest/RESTSessionCatalog.java
Lines 1144 to 1154 in a2b8008
As you can see, we are not providing an executor explicitly, so evictions are being done on the common pool.
There was a problem hiding this comment.
Re: turning this constructor package-private: this won't fly, as SigV4 will also need to create caches, so this constructor needs to be public.
There was a problem hiding this comment.
@danielcweeks I searched for all Caffeine caches in Iceberg's repo and found 25 occurrences. Only one occurrence sets the executor, the one in CachingCatalog:
Consequently, all the others are using the common pool for asynchronous tasks such as eviction.
There was a problem hiding this comment.
@danielcweeks do you maintain that you want me to use a different pool here?
There was a problem hiding this comment.
Yes, we previously had refresh in a dedicated threadpool, so I don't think the other caffeine examples are what we should point to.
Also, we don't want to rely on the common pool for something important like token refresh. If something ties up the thread pool, we may miss the window to refresh. Also, we don't want to tie up the thread pool with refresh threads if something goes wrong.
There was a problem hiding this comment.
This is not about token refresh, this is about auth session eviction.
But fair enough. I'll do it.
|
@adutra Just one last comment on the thread pool, but other than that this look good to go. |
| .setNameFormat(name + "-auth-session-evict-%d") | ||
| .setDaemon(true) | ||
| .build(); | ||
| return Executors.newCachedThreadPool(threadFactory); |
There was a problem hiding this comment.
I think this is the best executor for this kind of task, as we don't want a core thread kept alive if there isn't anything to do.
There was a problem hiding this comment.
We should be using a dedicated pool from our ThreadPools utility. I would suggest: ThreadPools::newExitingWorkerPool(String namePrefix, int poolSize) with a named pool like we had previously.
There was a problem hiding this comment.
OK, switched to ThreadPools.newExitingWorkerPool.
4 participants
3rd PR for the Auth Manager API. Previous ones:
This PR introduces the
OAuth2Manageralong with session caching and credentials refreshing. It is still "unplugged" though. Most of theOAuth2Managercode reflects one-to-one what's currently hard-coded inRESTSessionCatalog(and it's still there).\cc @nastra @danielcweeks