Skip to content

AWS: Fix OAuth2 additional params inclusion#13718

Merged
nastra merged 4 commits intoapache:mainfrom
adutra:oauth-additional-params-fix
Aug 5, 2025
Merged

AWS: Fix OAuth2 additional params inclusion#13718
nastra merged 4 commits intoapache:mainfrom
adutra:oauth-additional-params-fix

Conversation

@adutra
Copy link
Contributor

@adutra adutra commented Aug 1, 2025
edited
Loading

#12197 accidentally changed the other of additional params inclusion in the S3 signer properties.

This creates a regression when users have a custom scope, since custom scopes are included in the additional params. Such custom scopes are not being included anymore.

This change fixes this.

@adutra
AWS: Fix OAuth2 additional params inclusion
a2e41ed 
apache#12197 accidentally changed the other of additional params inclusion in the S3 signer properties.

This creates a regression when users have a custom scope, since custom scopes are included in the additional params. Such custom scopes are not being included anymore.

This changes fixes this.

Compare before:

https://github.com/apache/iceberg/blame/57ec405a651b99d5fce3f3b4bec217d24bc98d20/aws/src/main/java/org/apache/iceberg/aws/s3/signer/S3V4RestSignerClient.java#L221-L227

With after:

https://github.com/apache/iceberg/blame/071d5606bc6199a0be9b3f274ec7fbf111d88821/aws/src/main/java/org/apache/iceberg/aws/s3/signer/S3V4RestSignerClient.java#L163-L166
@github-actions github-actions bot added the AWS label Aug 1, 2025
@adutra
Copy link
Contributor Author

adutra commented Aug 1, 2025

@nastra FYI

adutra
adutra commented Aug 1, 2025
View reviewed changes
aws/src/test/java/org/apache/iceberg/aws/s3/signer/TestS3V4RestSignerClient.java Outdated
"12345",
"scope",
"sign")),
"catalog")),
Copy link
Contributor Author

@adutra adutra Aug 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I manually validated this against pre-AuthManager code: the scope is in fact never sign. It's
catalog by default, unless overridden by the user.

This happens because there is always a scope included in optionalOAuthParams():

iceberg/core/src/main/java/org/apache/iceberg/rest/auth/OAuth2Util.java

Lines 140 to 142 in 67e181e

optionalParamBuilder.put(
OAuth2Properties.SCOPE,
properties.getOrDefault(OAuth2Properties.SCOPE, OAuth2Properties.CATALOG_SCOPE));

This test is new and was wrong when I created it.

Copy link
Contributor

@nastra nastra Aug 1, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

so when is the scope actually set to sign for the S3 signer then? Maybe this was already a regression with #9839, which we should fix. It seems a bit weird that this always defaults to the catalog scope even though the signer has its own default scope

Copy link
Contributor Author

@adutra adutra Aug 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can confirm that the scope is never sign in 1.8.0 and 1.9.0, unless the user explicitly sets the scope to sign.

Copy link
Contributor Author

@adutra adutra Aug 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at #9839, it seems indeed that that PR introduced a regression. I will fix.

@stevenzwu stevenzwu added this to the Iceberg 1.10.0 milestone Aug 1, 2025
@c-thiel
Copy link
Contributor

c-thiel commented Aug 1, 2025

@adutra thanks for the fix and @stevenzwu thanks for including it in the 1.10.0 milestone. I also tested the code manually and verified that the singer now picks up user specified scopes again.

@github-actions github-actions bot added the core label Aug 1, 2025
adutra
adutra commented Aug 1, 2025
View reviewed changes
aws/src/main/java/org/apache/iceberg/aws/s3/signer/S3V4RestSignerClient.java
.put(OAuth2Properties.OAUTH2_SERVER_URI, oauth2ServerUri())
.put(OAuth2Properties.TOKEN_REFRESH_ENABLED, String.valueOf(keepTokenRefreshed()))
.put(OAuth2Properties.SCOPE, SCOPE);
.put(OAuth2Properties.SCOPE, SCOPE)
Copy link
Contributor Author

@adutra adutra Aug 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The call to .put(OAuth2Properties.SCOPE, SCOPE) here is imo useless since the scope will be overridden by .putAll(optionalOAuthParams()) – but it doesn't hurt to keep it.

nastra
nastra reviewed Aug 4, 2025
View reviewed changes
aws/src/test/java/org/apache/iceberg/aws/s3/signer/TestS3V4RestSignerClient.java
OAuth2Properties.CREDENTIAL,
"user:12345",
OAuth2Properties.SCOPE,
"custom"),
Copy link
Contributor

@nastra nastra Aug 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we have a test that verifies that the default scope is sign when no custom scope is defined?

@nastra nastra merged commit c12a724 into apache:main Aug 5, 2025
42 checks passed
@adutra adutra deleted the oauth-additional-params-fix branch August 5, 2025 12:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nastra nastra nastra approved these changes

Assignees

No one assigned

Labels

AWS core

Projects

None yet

Milestone

Iceberg 1.10.0

Development

Successfully merging this pull request may close these issues.

4 participants

@adutra @c-thiel @nastra @stevenzwu