Skip to content

feat(catalog-rest): introduce AuthManager/AuthSession, rework SigV4 as a wrapping auth manager#2815

Draft
plusplusjiajia wants to merge 1 commit into
apache:mainfrom
plusplusjiajia:feat/rest-auth-manager
Draft

feat(catalog-rest): introduce AuthManager/AuthSession, rework SigV4 as a wrapping auth manager#2815
plusplusjiajia wants to merge 1 commit into
apache:mainfrom
plusplusjiajia:feat/rest-auth-manager

Conversation

@plusplusjiajia

@plusplusjiajia plusplusjiajia commented Jul 12, 2026

Copy link
Copy Markdown
Member

Prototype for the AuthManager direction discussed in the review of #2660 (see the inline thread there). This draft includes #2660's SigV4 commits squashed in.

What it does

Mirrors Java's AuthManager API:

  • AuthManager/AuthSession traits in a new auth/ module: init_session() serves the GET /v1/config handshake, catalog_session(merged_props) serves everything after, so a manager can rebuild its
    session from server-merged properties.
  • Noop/OAuth2/SigV4 managers, selected via a new rest.auth.type property (the legacy rest.sigv4-enabled still works), injectable through RestCatalogBuilder::with_auth_manager.
  • OAuth2 token handling moves out of HttpClient into OAuth2Manager, with the cached token surviving the config handshake.
  • SigV4Manager wraps a delegate session instead of being mutually exclusive with token auth: the delegate's Authorization header is relocated to X-Iceberg-Authorization before signing, so it is covered by
    the signature — matching the Java RESTSigV4AuthSession behavior.
  • Server-supplied rest.signing-* from the config response is honored when building the post-handshake session; rest.auth.sigv4.delegate-auth-type (none/oauth2) explicitly selects the wrapped auth,
    defaulting to inference from token/credential presence; OAuth2Manager is publicly constructible (new() + with_*).

Java references: org.apache.iceberg.rest.auth (AuthManager/AuthSession) and
RESTSigV4AuthSession.

Known prototype simplifications

  • Manager type is fixed from user config; server config can't switch the auth type (same as Java).

@plusplusjiajia plusplusjiajia force-pushed the feat/rest-auth-manager branch from e1ba91d to a97a247 Compare July 12, 2026 05:28

@CTTY CTTY left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @plusplusjiajia , thanks for this contribution! I really like the general direction. To move forward, could you break this down to several smaller PRs? For example you can break it down to 2-3 PRs:

  1. Introduce AuthManager/Session traits and migrate existing oauth2 to use the new traits
  2. Add Sigv4 support


/// How the payload hash is encoded in the `x-amz-content-sha256` header.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum PayloadHashMode {

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

these should live in sigv4.rs?

warehouse: None,
props: HashMap::new(),
client: None,
custom_auth_manager: None,

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's just name it auth_manager

pub(crate) async fn token(&self) -> Option<String> {
let mut req = self
.request(Method::GET, &self.token_endpoint)
.request(Method::GET, "http://localhost/unused")

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is this needed?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants