OpenAPI: Standardize credentials in loadTable/loadView responses

nastra · nastra · commit d8c748ffe288 · 2024-09-11T16:19:17.000+02:00
diff --git a/open-api/rest-catalog-open-api.py b/open-api/rest-catalog-open-api.py
@@ -1168,6 +1168,12 @@ class ViewUpdate(BaseModel):
     ]
 
 
+class Credentials(BaseModel):
+    __root__: Union[ADLSCredentials, GCSCredentials, S3Credentials] = Field(
+        ..., discriminator='type'
+    )
+
+
 class LoadTableResult(BaseModel):
     """
     Result used when a table is successfully loaded.
@@ -1195,6 +1201,11 @@ class LoadTableResult(BaseModel):
      - `s3.session-token`: if present, this value should be used for as the session token
      - `s3.remote-signing-enabled`: if `true` remote signing should be performed as described in the `s3-signer-open-api.yaml` specification
 
+    ## Credentials
+
+    Credentials for ADLS / GCS / S3 are provided through the `credentials` field. Clients should first check whether the
+    respective credentials exist in the `credentials` field before checking the `config` for credentials.
+
     """
 
     metadata_location: Optional[str] = Field(
@@ -1203,6 +1214,7 @@ class LoadTableResult(BaseModel):
         description='May be null if the table is staged as part of a transaction',
     )
     metadata: TableMetadata
+    credentials: Optional[Credentials] = None
     config: Optional[Dict[str, str]] = None
 
 
@@ -1311,10 +1323,16 @@ class LoadViewResult(BaseModel):
 
     - `token`: Authorization bearer token to use for view requests if OAuth2 security is enabled
 
+    ## Credentials
+
+    Credentials for ADLS / GCS / S3 are provided through the `credentials` field. Clients should first check whether the
+    respective credentials exist in the `credentials` field before checking the `config` for credentials.
+
     """
 
     metadata_location: str = Field(..., alias='metadata-location')
     metadata: ViewMetadata
+    credentials: Optional[Credentials] = None
     config: Optional[Dict[str, str]] = None
 
 
@@ -1398,6 +1416,28 @@ class Schema(StructType):
     )
 
 
+class ADLSCredentials(BaseModel):
+    type: Literal['adls']
+    account_name: Optional[str] = Field(None, alias='account-name')
+    account_key: Optional[str] = Field(None, alias='account-key')
+    sas_token: Optional[str] = Field(None, alias='sas-token')
+    expires_at_ms: Optional[int] = Field(None, alias='expires-at-ms')
+
+
+class GCSCredentials(BaseModel):
+    type: Literal['gcs']
+    token: str
+    expires_at_ms: int = Field(..., alias='expires-at-ms')
+
+
+class S3Credentials(BaseModel):
+    type: Literal['s3']
+    access_key_id: str = Field(..., alias='access-key-id')
+    secret_access_key: str = Field(..., alias='secret-access-key')
+    session_token: str = Field(..., alias='session-token')
+    expires_at_ms: int = Field(..., alias='expires-at-ms')
+
+
 class CompletedPlanningResult(ScanTasks):
     """
     Completed server-side planning result
@@ -1430,12 +1470,16 @@ class CompletedPlanningWithIDResult(CompletedPlanningResult):
 TableMetadata.update_forward_refs()
 ViewMetadata.update_forward_refs()
 AddSchemaUpdate.update_forward_refs()
+Credentials.update_forward_refs()
 ScanTasks.update_forward_refs()
 FetchPlanningResult.update_forward_refs()
 PlanTableScanResult.update_forward_refs()
 CreateTableRequest.update_forward_refs()
 CreateViewRequest.update_forward_refs()
 ReportMetricsRequest.update_forward_refs()
+ADLSCredentials.update_forward_refs()
+GCSCredentials.update_forward_refs()
+S3Credentials.update_forward_refs()
 CompletedPlanningResult.update_forward_refs()
 FetchScanTasksResult.update_forward_refs()
 CompletedPlanningWithIDResult.update_forward_refs()
diff --git a/open-api/rest-catalog-open-api.yaml b/open-api/rest-catalog-open-api.yaml
@@ -3103,6 +3103,81 @@ components:
         uuid:
           type: string
 
+    ADLSCredentials:
+      type: object
+      allOf:
+        - $ref: '#/components/schemas/Credentials'
+      required:
+        - type
+      properties:
+        type:
+          type: string
+          enum: [ "adls" ]
+        account-name:
+          type: string
+        account-key:
+          type: string
+        sas-token:
+          type: string
+        expires-at-ms:
+          type: integer
+          format: int64
+
+    GCSCredentials:
+      type: object
+      allOf:
+        - $ref: '#/components/schemas/Credentials'
+      required:
+        - type
+        - token
+        - expires-at-ms
+      properties:
+        type:
+          type: string
+          enum: [ "gcs" ]
+        token:
+          type: string
+        expires-at-ms:
+          type: integer
+          format: int64
+
+    S3Credentials:
+      type: object
+      allOf:
+        - $ref: '#/components/schemas/Credentials'
+      required:
+        - type
+        - access-key-id
+        - secret-access-key
+        - session-token
+        - expires-at-ms
+      properties:
+        type:
+          type: string
+          enum: [ "s3" ]
+        access-key-id:
+          type: string
+        secret-access-key:
+          type: string
+        session-token:
+          type: string
+        expires-at-ms:
+          type: integer
+          format: int64
+
+    Credentials:
+      type: object
+      discriminator:
+        propertyName: type
+        mapping:
+          adls: '#/components/schemas/ADLSCredentials'
+          gcs: '#/components/schemas/GCSCredentials'
+          s3: '#/components/schemas/S3Credentials'
+      oneOf:
+        - $ref: '#/components/schemas/ADLSCredentials'
+        - $ref: '#/components/schemas/GCSCredentials'
+        - $ref: '#/components/schemas/S3Credentials'
+
     LoadTableResult:
       description: |
         Result used when a table is successfully loaded.
@@ -3129,6 +3204,11 @@ components:
          - `s3.secret-access-key`: secret for credentials that provide access to data in S3 
          - `s3.session-token`: if present, this value should be used for as the session token 
          - `s3.remote-signing-enabled`: if `true` remote signing should be performed as described in the `s3-signer-open-api.yaml` specification
+
+        ## Credentials
+
+        Credentials for ADLS / GCS / S3 are provided through the `credentials` field. Clients should first check whether the
+        respective credentials exist in the `credentials` field before checking the `config` for credentials.
       type: object
       required:
         - metadata
@@ -3138,6 +3218,8 @@ components:
           description: May be null if the table is staged as part of a transaction
         metadata:
           $ref: '#/components/schemas/TableMetadata'
+        credentials:
+          $ref: '#/components/schemas/Credentials'
         config:
           type: object
           additionalProperties:
@@ -3395,6 +3477,10 @@ components:
 
         - `token`: Authorization bearer token to use for view requests if OAuth2 security is enabled
 
+        ## Credentials
+
+        Credentials for ADLS / GCS / S3 are provided through the `credentials` field. Clients should first check whether the
+        respective credentials exist in the `credentials` field before checking the `config` for credentials.
       type: object
       required:
         - metadata-location
@@ -3404,6 +3490,8 @@ components:
           type: string
         metadata:
           $ref: '#/components/schemas/ViewMetadata'
+        credentials:
+          $ref: '#/components/schemas/Credentials'
         config:
           type: object
           additionalProperties:
