[MINOR] docs: Add OAuth2 token refresh guidance #11079
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
|
||
| | Version | Change | | ||
| | --- | --- | | ||
| | Iceberg 1.11.0+ | Supports disabling token exchange and using client credentials for token renewal, and fixes child `AuthSession` expiration handling so the child session uses its own token lifetime. | |
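Review bot: the table does not say whose version the row refers to; as the reply below confirms, this is the Iceberg client library on the engine side rather than the Gravitino IRC server, so the header cell should say so (for example "Iceberg client version") and the row should link the upstream Iceberg change so readers can verify the behaviour before upgrading.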
Does the Gravitino IRC upgrade to 1.11.0? If the Gravitino IRC is still on 1.10, can we clarify it here?
No need. This parameter takes effect on the client side.
| spark.executor.extraClassPath=${SPARK_HOME}/jars/authmgr-oauth2-runtime-<version>.jar | ||
| ``` | ||
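Review bot: `spark.executor.extraClassPath` only places the auth manager jar on executors; if the jar is needed at all, the same entry is normally required on the driver classpath (`spark.driver.extraClassPath`) as well, and the `<version>` placeholder should state which release the doc was verified against. Since the Dremio auth manager content was removed later in review, confirm this classpath line was dropped with it.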
|
|
||
| Example Spark configuration using client credentials token refresh: |
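Review bot: the lead-in should say why client credentials is the grant shown here. The password grant requested in the thread hands the user's own credentials to the client and is discouraged by current OAuth 2.0 security guidance, so if a `grant-type=password` example is added it should carry that caveat and keep client credentials as the recommended default.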
I think we should also add an example for `spark.sql.catalog.remote_irc_b.rest.auth.oauth2.grant-type` `password`; this type makes more sense.
Got it. Spark and Flink have both added usage examples.
| spark.sql.catalog.irc=org.apache.iceberg.spark.SparkCatalog | ||
| spark.sql.catalog.irc.type=rest | ||
| spark.sql.catalog.irc.uri=http://localhost:9001/iceberg/ | ||
| spark.sql.catalog.irc.warehouse=<catalog_name> |
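Review bot: the catalog URI is plain `http://`; the client secret and the bearer tokens obtained from it travel over this connection, so the doc should state that any non-local deployment must use `https://` and that the `localhost` value is only a local example.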
Is `spark.sql.catalog.gravitino_irc_b_mysql_backend.prefix <catalog_name>` required?
Got it. This configuration is not related to the main theme of this document. I have removed this config.
|
|
||
| #### OAuth 2.0 token refresh for Iceberg REST clients | ||
|
|
||
| When Gravitino is used as an Iceberg REST Catalog (IRC), some query engines may hit OAuth 2.0 token refresh issues during long-running sessions. |
"During long-running sessions": if the token expiration time is 5s, then it happens in a short time. So I propose removing "long-running".
Got it. I have already revised the document.
roryqi left a comment:
You should add the document to iceberg-rest-service.md instead of security.md.
| For the native Apache Iceberg OAuth 2.0 implementation, the following upstream improvement is relevant: | ||
|
|
||
| | Version | Change | | ||
| | --- | --- | |
|
|
||
| ##### Alternative OAuth 2.0 auth manager | ||
|
|
||
| If the native Apache Iceberg OAuth 2.0 implementation does not meet your requirements, you can use the Dremio Iceberg OAuth 2.0 auth manager. |
I can't get your point. When will we need to use the Dremio library?
|
|
||
| ##### Alternative Dremio Iceberg OAuth 2.0 auth manager | ||
|
|
||
| If version of iceberg on the client side can't be upgraded, you can use the Dremio Iceberg OAuth 2.0 auth manager as an alternative. |
Iceberg library is usually compatible. I don't think this is a good reason.
The Dremio content has been deleted.
| For the native Apache Iceberg OAuth 2.0 implementation, the following upstream improvement is relevant: | ||
|
|
||
| | Version | Change | | ||
| | --- | --- | |
| |-----------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | ||
| | Iceberg 1.11.0+ | Supports disabling token exchange, using client credentials for token renewal, and fixing child `AuthSession` expiration handling so that child sessions use their own token lifetime. | | ||
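Review bot: "Supports disabling token exchange, using client credentials for token renewal, and fixing child `AuthSession` expiration handling" reads as if the fix were an optional feature; suggest "Supports disabling token exchange and using client credentials for token renewal, and fixes child `AuthSession` expiration handling so that child sessions use their own token lifetime." The row would also be more actionable if it named the REST client property that disables token exchange, since that is what a user actually has to set. The separator line's column widths also no longer match the header.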
|
|
||
| ###### Native Apache Iceberg OAuth 2.0 implementation |
|
| Some query engines may encounter OAuth 2.0 token refresh issues when connecting to Gravitino as an Iceberg REST Catalog (IRC). | ||
| This usually occurs when the identity provider does not support token exchange, or when a child authentication session inherits the parent session's expiration time. | ||
|
|
||
| For the native Apache Iceberg OAuth 2.0 implementation, the following upstream improvement is relevant: |
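Review bot: the two causes in the second sentence have different remedies, but the text does not say which one addresses which. Suggest stating that when the identity provider does not support token exchange the client should disable token exchange and renew with client credentials, while the inherited-expiration problem is fixed inside the Iceberg 1.11.0+ library itself. Naming the symptom users actually see (authentication failures once the initial token's lifetime elapses) would also help readers match this section to their problem.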
| ##### OAuth 2.0 token refresh for Iceberg REST clients | ||
|
|
||
| Some query engines may encounter OAuth 2.0 token refresh issues when connecting to Gravitino as an Iceberg REST Catalog (IRC). | ||
| This usually occurs when the identity provider does not support token exchange, or when a child authentication session inherits the parent session's expiration time. |
What changes were proposed in this pull request?
Add OAuth 2.0 token refresh guidance to
docs/security/how-to-authenticate.md, including Iceberg 1.11.0+ behavior, Spark/Flink token exchange settings, Trino catalog settings, and an alternative Dremio auth manager section for Spark and Flink.
Why are the changes needed?
Users need clear guidance for handling OAuth 2.0 token refresh and token exchange behavior when connecting engines to Gravitino Iceberg REST Catalog.
Fixes #11092
Does this PR introduce any user-facing change?
Yes. Documentation now includes OAuth 2.0 token refresh guidance for Spark, Flink, and Trino.
How was this patch tested?
Documentation update only.