awslife opened a new issue, #10018:
URL: https://github.com/apache/gravitino/issues/10018
### Version
main branch
### Describe what's wrong
In Trino's dynamic catalog management mode, configuring OIDC authentication
for the Gravitino connector fails. The official documentation suggests using
the gravitino.client. prefix to pass client-specific properties (e.g.,
gravitino.client.authType=oauth2).
However, using this prefix causes an IllegalArgumentException ("Invalid
property for client") because the Trino connector does not strip the prefix
before passing the properties to the GravitinoAdminClient. Conversely, if the
prefix is omitted (e.g., authType=oauth2), the Trino engine filters out these
properties during the Coordinator-to-Worker synchronization, resulting in a 401
Unauthorized error on the Worker nodes since they attempt to connect
anonymously.
**Environment:**
- Gravitino Version: 1.1.0
- Component: Trino Connector (trino-connector), Gravitino Java Client
- Trino Environment: Cluster mode (Coordinator + Workers) with
catalog.management=dynamic
**Steps to Reproduce:**
1. Set up a Trino cluster with Coordinator and Worker nodes.
2. Configure the Gravitino connector in Trino using
catalog.management=dynamic.
3. Try to configure OIDC authentication in gravitino.properties using the
documented prefix:
```properties
gravitino.client.authType=oauth2
gravitino.client.oauth2.serverUri=https://...
```
4. Restart the Trino Coordinator.
5. Observe Error 1 (Coordinator crashes):
java.lang.IllegalArgumentException: Invalid property for client:
gravitino.client.authType
6. Remove the gravitino.client. prefix to bypass the above error:
```properties
authType=oauth2
oauth2.serverUri=https://...
```
7. Restart the Trino cluster and execute a query (e.g., SHOW SCHEMAS FROM
my_catalog;).
8. Observe Error 2 (Worker 401 Error): The Coordinator succeeds, but the
Worker throws a 401 Unauthorized error during GET /api/version because the
Trino engine filtered out the unprefixed authentication properties during sync.
**Root Cause Analysis:**
The issue stems from missing prefix-stripping logic in the Trino Connector
and the strict validation in the Gravitino Java Client:
1. CatalogConnectorManager.java: When creating the GravitinoAdminClient, it
passes the config.getClientConfig() directly without removing the
gravitino.client. prefix.
(Reference: GRAVITINO_CLIENT_CONFIG_PREFIX is defined in
GravitinoConfig.java but is not effectively used to strip keys).
2. GravitinoClientConfiguration.java: The buildFromProperties method
strictly validates keys against a predefined whitelist (VALID_PROPERTIES). It
expects authType, but receives gravitino.client.authType, causing it to throw
an exception.
**Proposed Solution:**
Introduce a prefix-stripping utility in CatalogConnectorManager.java before
initializing the GravitinoAdminClient.
Example fix in CatalogConnectorManager.java:
```java
private Map<String, String> stripClientPrefix(Map<String, String> properties) {
    Map<String, String> cleanedConfig = new HashMap<>();
    String prefix = GravitinoConfig.GRAVITINO_CLIENT_CONFIG_PREFIX.getKey(); // "gravitino.client."
    for (Map.Entry<String, String> entry : properties.entrySet()) {
        String key = entry.getKey();
        if (key.startsWith(prefix)) {
            cleanedConfig.put(key.substring(prefix.length()), entry.getValue());
        } else {
            cleanedConfig.put(key, entry.getValue());
        }
    }
    return cleanedConfig;
}

public void config(GravitinoConfig config, GravitinoAdminClient client) {
    // ...
    Map<String, String> cleanedClientConfig = stripClientPrefix(config.getClientConfig());
    if (client == null) {
        this.gravitinoClient = GravitinoAdminClient.builder(config.getURI())
            .withClientConfig(cleanedClientConfig) // Pass the stripped properties
            .build();
    }
    // ...
}
```
This change allows Trino to safely replicate the gravitino.client.*
properties to Worker nodes, while ensuring the Gravitino Java Client receives
the exact keys it expects.
### Error message and/or stacktrace
Observe Error 1 (Coordinator crashes): java.lang.IllegalArgumentException:
Invalid property for client: gravitino.client.authType
### Additional context
_No response_
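The two failure modes reported above, reduced to a stand-alone program. This is an added illustration, not code from the issue or from the Gravitino code base: the `VALID` set is an assumed stand-in for the client's `VALID_PROPERTIES`, the sample values are constructed, and the helper is a variant that forwards only prefixed keys, so a node that never received the unprefixed ones builds the same client configuration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class ClientPrefixDemo {
  static final String PREFIX = "gravitino.client."; // prefix string quoted in the issue
  // Assumed stand-in for the client's VALID_PROPERTIES: only the two keys shown in the issue.
  static final Set<String> VALID = Set.of("authType", "oauth2.serverUri");

  // Stand-in for the strict key validation the issue attributes to buildFromProperties.
  static void validate(Map<String, String> props) {
    for (String key : props.keySet()) {
      if (!VALID.contains(key)) {
        throw new IllegalArgumentException("Invalid property for client: " + key);
      }
    }
  }

  // Variant of the proposed helper: forward only prefixed keys, with the prefix removed.
  // Unprefixed and non-client keys are dropped instead of being passed to the validator.
  static Map<String, String> stripClientPrefix(Map<String, String> props) {
    Map<String, String> out = new LinkedHashMap<>();
    for (Map.Entry<String, String> e : props.entrySet()) {
      String key = e.getKey();
      if (key.startsWith(PREFIX) && key.length() > PREFIX.length()) {
        out.put(key.substring(PREFIX.length()), e.getValue());
      }
    }
    return out;
  }

  public static void main(String[] args) {
    // Constructed sample configuration; the URI is a placeholder.
    Map<String, String> raw = new LinkedHashMap<>();
    raw.put("gravitino.client.authType", "oauth2");
    raw.put("gravitino.client.oauth2.serverUri", "https://idp.example.test");
    raw.put("gravitino.metalake", "demo"); // connector-level key, not meant for the client
    try {
      validate(raw); // Error 1: prefixed keys reach the validator unchanged
    } catch (IllegalArgumentException ex) {
      System.out.println("unstripped: " + ex.getMessage());
    }
    Map<String, String> cleaned = stripClientPrefix(raw);
    validate(cleaned); // passes: keys now match the whitelist
    System.out.println("stripped: " + cleaned);
    // Step-6 workaround: unprefixed keys alone yield no client auth settings at all.
    System.out.println("unprefixed only: " + stripClientPrefix(Map.of("authType", "oauth2")));
  }
}
```

An empty result for the unprefixed-only map is the condition to check at startup, so that a node without `authType` fails loudly instead of connecting anonymously.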