0AyanamiRei commented on PR #61324:
URL: https://github.com/apache/doris/pull/61324#issuecomment-4169571113

I reviewed the IAM auth changes against `master` and found three actionable issues:

1. **[P1] Refresh credentials by real expiry, not fixed one hour** (`be/src/runtime/aws_msk_iam_auth.cpp`)
   `get_credentials()` currently sets `_credentials_expiry = now + 1h`. Temporary credentials (especially STS/AssumeRole) can expire earlier than one hour, so token generation may continue using stale credentials after actual expiration. This can break long-running Routine Load jobs.

2. **[P2] Match SASL mode case-insensitively before enabling IAM callback** (`be/src/runtime/aws_msk_iam_auth.cpp`)
   IAM callback activation checks exact strings (`"SASL_SSL"`, `"OAUTHBEARER"`) while FE validation is case-insensitive. A config like `property.security.protocol='sasl_ssl'` may pass FE but skip callback registration in BE, causing OAuth token refresh/auth failures.

3. **[P2] Enforce credential source for internal IAM configs in FE** (`fe/fe-core/src/main/java/org/apache/doris/load/routineload/kafka/KafkaDataSourceProperties.java`)
   Current FE validation only enforces `aws.access_key` + `aws.secret_key` pairing for public endpoints. Internal IAM configs can pass FE with no credential source, but BE later fails with "no credentials configured", resulting in accepted-but-unrunnable jobs.

Please fix these to align FE/BE behavior and avoid runtime auth failures.
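The following C++ is an added illustration of review points 1 and 2, written for this thread; it is not code from the Doris PR or repository. `AwsCredentials`, `next_refresh_time`, `CredentialsCache`, `count_fetches` and `needs_iam_callback` are hypothetical names, and the credentials provider is a constructed stand-in (the real BE would get the expiry from the AWS SDK credentials provider). It shows why a cache keyed on the provider's real expiry (with a refresh margin, and a floor for very short-lived tokens) behaves differently from a fixed one-hour expiry, and how BE can compare the SASL settings the same case-insensitive way FE validates them.

```cpp
#include <algorithm>
#include <cctype>
#include <functional>
#include <iostream>
#include <optional>
#include <string>

// Times are Unix epoch seconds so the logic can be driven by a fixed clock.
using EpochSeconds = long long;

// Hypothetical stand-in for what an AWS credentials provider returns. The
// provider knows the real expiry of temporary credentials (STS/AssumeRole can
// hand out tokens far shorter than an hour); static keys have no expiry.
struct AwsCredentials {
    std::string access_key_id;
    std::string secret_key;
    std::string session_token;
    std::optional<EpochSeconds> expiration;  // nullopt = long-lived static keys
};

constexpr EpochSeconds kOneHour = 3600;
constexpr EpochSeconds kMinRefreshInterval = 30;  // do not hammer the provider

// When should cached credentials be refreshed? `margin` seconds before the
// provider's own expiry, and never after the expiry itself. Static keys keep
// a fixed one-hour re-read, which is harmless because they do not expire.
EpochSeconds next_refresh_time(const AwsCredentials& creds, EpochSeconds now, EpochSeconds margin) {
    if (!creds.expiration) return now + kOneHour;
    const EpochSeconds expiry = *creds.expiration;
    EpochSeconds candidate = expiry - margin;
    // Very short-lived credentials: wait at least kMinRefreshInterval between
    // fetches, but still never serve credentials past their real expiry.
    if (candidate < now + kMinRefreshInterval) candidate = std::min(expiry, now + kMinRefreshInterval);
    return candidate;
}

class CredentialsCache {
public:
    using Fetcher = std::function<AwsCredentials(EpochSeconds now)>;
    CredentialsCache(Fetcher fetcher, EpochSeconds margin) : _fetcher(std::move(fetcher)), _margin(margin) {}

    // Returns cached credentials, refetching once `now` reaches the refresh time
    // derived from the credentials themselves (not a fixed interval).
    const AwsCredentials& get_credentials(EpochSeconds now) {
        if (!_cached || now >= _refresh_at) {
            _cached = _fetcher(now);
            _refresh_at = next_refresh_time(*_cached, now, _margin);
            ++_fetches;
        }
        return *_cached;
    }
    int fetches() const { return _fetches; }
    EpochSeconds refresh_at() const { return _refresh_at; }

private:
    Fetcher _fetcher;
    EpochSeconds _margin;
    std::optional<AwsCredentials> _cached;
    EpochSeconds _refresh_at = 0;
    int _fetches = 0;
};

// Scenario driver: a constructed provider issues credentials valid for
// `creds_lifetime` seconds; the cache is polled every `poll_every` seconds for
// `duration`. Returns how many times the provider was actually called.
int count_fetches(EpochSeconds creds_lifetime, EpochSeconds margin, EpochSeconds poll_every, EpochSeconds duration) {
    CredentialsCache cache(
            [creds_lifetime](EpochSeconds now) {
                AwsCredentials c;
                c.access_key_id = "ASIA-PLACEHOLDER";  // constructed values, not real keys
                c.secret_key = "secret-placeholder";
                c.session_token = "token-placeholder";
                c.expiration = now + creds_lifetime;
                return c;
            },
            margin);
    for (EpochSeconds t = 0; t <= duration; t += poll_every) cache.get_credentials(t);
    return cache.fetches();
}

static std::string to_upper_ascii(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char ch) { return static_cast<char>(std::toupper(ch)); });
    return s;
}

// Decide whether the OAuth/IAM token callback must be registered. FE accepts
// these property values case-insensitively, so BE has to compare the same way
// or a job that FE accepted ('sasl_ssl') silently skips the callback.
bool needs_iam_callback(const std::string& security_protocol, const std::string& sasl_mechanism) {
    return to_upper_ascii(security_protocol) == "SASL_SSL" && to_upper_ascii(sasl_mechanism) == "OAUTHBEARER";
}

int main() {
    // 10-minute STS credentials, 5-minute margin, polled every minute for an hour:
    // the cache refetches every 5 minutes instead of serving expired tokens.
    std::cout << "fetches with real-expiry cache: " << count_fetches(600, 300, 60, 3600) << "\n";
    std::cout << "callback for sasl_ssl/oauthbearer: " << std::boolalpha
              << needs_iam_callback("sasl_ssl", "oauthbearer") << "\n";
    return 0;
}
```

The `count_fetches` scenario is the failure mode from point 1 made concrete: with a fixed `now + 1h` expiry the provider would be called once and 10-minute tokens would be used for the remaining 50 minutes; keyed on the real expiry, the cache refreshes 13 times over the hour and never hands out an expired token.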
   