wgtmac commented on code in PR #479:
URL: https://github.com/apache/iceberg-cpp/pull/479#discussion_r2693103582


##########
src/iceberg/catalog/rest/auth/auth_manager.h:
##########
@@ -0,0 +1,122 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#pragma once
+
+#include <memory>
+#include <string>
+#include <unordered_map>
+
+#include "iceberg/catalog/rest/auth/auth_session.h"
+#include "iceberg/catalog/rest/iceberg_rest_export.h"
+#include "iceberg/result.h"
+#include "iceberg/table_identifier.h"
+
+/// \file iceberg/catalog/rest/auth/auth_manager.h
+/// \brief Authentication manager interface for REST catalog.
+
+namespace iceberg::rest {
+class HttpClient;

Review Comment:
   Remove this by including `type_fwd.h`.



##########
src/iceberg/catalog/rest/auth/auth_properties.h:
##########
@@ -0,0 +1,84 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#pragma once
+
+#include <string_view>
+
+/// \file iceberg/catalog/rest/auth/auth_properties.h
+/// \brief Property keys and constants for REST catalog authentication.
+
+namespace iceberg::rest::auth {
+
+/// \brief Property keys and constants for authentication configuration.
+///
+/// This struct defines all the property keys used to configure authentication
+/// for the REST catalog. It follows the same naming conventions as Java 
Iceberg.
+struct AuthProperties {
+  /// \brief Property key for specifying the authentication type.
+  static constexpr std::string_view kAuthType = "rest.auth.type";
+
+  /// \brief Authentication type: no authentication.
+  static constexpr std::string_view kAuthTypeNone = "none";
+
+  /// \brief Authentication type: HTTP Basic authentication.
+  static constexpr std::string_view kAuthTypeBasic = "basic";
+
+  /// \brief Authentication type: OAuth2 authentication.
+  static constexpr std::string_view kAuthTypeOAuth2 = "oauth2";
+
+  /// \brief Authentication type: AWS SigV4 authentication.
+  static constexpr std::string_view kAuthTypeSigV4 = "sigv4";
+
+  /// \brief Property key for Basic auth username.
+  static constexpr std::string_view kBasicUsername = 
"rest.auth.basic.username";
+
+  /// \brief Property key for Basic auth password.
+  static constexpr std::string_view kBasicPassword = 
"rest.auth.basic.password";
+
+  /// \brief Property key for OAuth2 token (bearer token).
+  static constexpr std::string_view kOAuth2Token = "token";
+
+  /// \brief Property key for OAuth2 credential (client_id:client_secret).
+  static constexpr std::string_view kOAuth2Credential = "credential";
+
+  /// \brief Property key for OAuth2 scope.
+  static constexpr std::string_view kOAuth2Scope = "scope";
+
+  /// \brief Property key for OAuth2 server URI.
+  static constexpr std::string_view kOAuth2ServerUri = "oauth2-server-uri";
+
+  /// \brief Property key for enabling token refresh.
+  static constexpr std::string_view kOAuth2TokenRefreshEnabled = 
"token-refresh-enabled";
+
+  /// \brief Default OAuth2 scope for catalog operations.
+  static constexpr std::string_view kOAuth2DefaultScope = "catalog";
+
+  /// \brief Property key for SigV4 region.
+  static constexpr std::string_view kSigV4Region = "rest.auth.sigv4.region";
+
+  /// \brief Property key for SigV4 service name.
+  static constexpr std::string_view kSigV4Service = "rest.auth.sigv4.service";
+
+  /// \brief Property key for SigV4 delegate auth type.
+  static constexpr std::string_view kSigV4DelegateAuthType =
+      "rest.auth.sigv4.delegate-auth-type";
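Review bot: The doc comments on `kBasicPassword`, `kOAuth2Token` and `kOAuth2Credential` describe them as ordinary property keys and do not say that the values stored under them are secrets. These values travel in the same `properties` map that is handed to factories together with a name "used for logging", so the contract should be written down where the keys are defined, e.g. `/// \note The value is a secret; never log it or include it in error messages.` on each of the three. The struct's closing brace is outside this hunk.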

Review Comment:
   ```suggestion
     /// \brief Property key for specifying the authentication type.
     static constexpr std::string_view kAuthType = "rest.auth.type";
     /// \brief Authentication type: no authentication.
     static constexpr std::string_view kAuthTypeNone = "none";
     /// \brief Authentication type: HTTP Basic authentication.
     static constexpr std::string_view kAuthTypeBasic = "basic";
     /// \brief Authentication type: OAuth2 authentication.
     static constexpr std::string_view kAuthTypeOAuth2 = "oauth2";
     /// \brief Authentication type: AWS SigV4 authentication.
     static constexpr std::string_view kAuthTypeSigV4 = "sigv4";
   
     /// \brief Property key for Basic auth username.
     static constexpr std::string_view kBasicUsername = 
"rest.auth.basic.username";
     /// \brief Property key for Basic auth password.
     static constexpr std::string_view kBasicPassword = 
"rest.auth.basic.password";
   
     /// \brief Property key for OAuth2 token (bearer token).
     static constexpr std::string_view kOAuth2Token = "token";
     /// \brief Property key for OAuth2 credential (client_id:client_secret).
     static constexpr std::string_view kOAuth2Credential = "credential";
     /// \brief Property key for OAuth2 scope.
     static constexpr std::string_view kOAuth2Scope = "scope";
     /// \brief Property key for OAuth2 server URI.
     static constexpr std::string_view kOAuth2ServerUri = "oauth2-server-uri";
     /// \brief Property key for enabling token refresh.
     static constexpr std::string_view kOAuth2TokenRefreshEnabled = 
"token-refresh-enabled";
     /// \brief Default OAuth2 scope for catalog operations.
     static constexpr std::string_view kOAuth2DefaultScope = "catalog";
   
     /// \brief Property key for SigV4 region.
     static constexpr std::string_view kSigV4Region = "rest.auth.sigv4.region";
     /// \brief Property key for SigV4 service name.
     static constexpr std::string_view kSigV4Service = 
"rest.auth.sigv4.service";
     /// \brief Property key for SigV4 delegate auth type.
     static constexpr std::string_view kSigV4DelegateAuthType =
         "rest.auth.sigv4.delegate-auth-type";
   ```
   
   Let's put properties in the same catalog more compact?



##########
src/iceberg/catalog/rest/auth/auth_session.h:
##########
@@ -0,0 +1,105 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#pragma once
+
+#include <memory>
+#include <string>
+#include <unordered_map>
+
+#include "iceberg/catalog/rest/iceberg_rest_export.h"
+
+/// \file iceberg/catalog/rest/auth/auth_session.h
+/// \brief Authentication session interface for REST catalog.
+
+namespace iceberg::rest::auth {
+
+/// \brief An authentication session that can authenticate outgoing HTTP 
requests.
+///
+/// Authentication sessions are typically immutable, but may hold resources 
that need
+/// to be released when the session is no longer needed (e.g., token refresh 
threads).
+/// Implementations should override Close() to release any such resources.
+///
+/// This interface is modeled after Java Iceberg's AuthSession interface.
+class ICEBERG_REST_EXPORT AuthSession {
+ public:
+  virtual ~AuthSession() = default;
+
+  /// \brief Authenticate the given request headers.
+  ///
+  /// This method adds authentication information (e.g., Authorization header)
+  /// to the provided headers map. The implementation should be idempotent.
+  ///
+  /// \param headers The headers map to add authentication information to.

Review Comment:
   ```suggestion
     /// \param[in,out] headers The headers map to add authentication 
information to.
   ```



##########
src/iceberg/catalog/rest/auth/auth_session.h:
##########
@@ -0,0 +1,105 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#pragma once
+
+#include <memory>
+#include <string>
+#include <unordered_map>
+
+#include "iceberg/catalog/rest/iceberg_rest_export.h"
+
+/// \file iceberg/catalog/rest/auth/auth_session.h
+/// \brief Authentication session interface for REST catalog.
+
+namespace iceberg::rest::auth {
+
+/// \brief An authentication session that can authenticate outgoing HTTP 
requests.
+///
+/// Authentication sessions are typically immutable, but may hold resources 
that need
+/// to be released when the session is no longer needed (e.g., token refresh 
threads).
+/// Implementations should override Close() to release any such resources.
+///
+/// This interface is modeled after Java Iceberg's AuthSession interface.
+class ICEBERG_REST_EXPORT AuthSession {
+ public:
+  virtual ~AuthSession() = default;
+
+  /// \brief Authenticate the given request headers.
+  ///
+  /// This method adds authentication information (e.g., Authorization header)
+  /// to the provided headers map. The implementation should be idempotent.
+  ///
+  /// \param headers The headers map to add authentication information to.
+  virtual void Authenticate(std::unordered_map<std::string, std::string>& 
headers) = 0;
+
+  /// \brief Close the session and release any resources.
+  ///
+  /// This method is called when the session is no longer needed. For stateful
+  /// sessions (e.g., OAuth2 with token refresh), this should stop any 
background
+  /// threads and release resources.
+  ///
+  /// Note: Since sessions may be cached, this method may not be called 
immediately
+  /// after the session is no longer needed, but rather when the session is 
evicted
+  /// from the cache or the cache itself is closed.
+  virtual void Close() {}
+
+  /// \brief Get a shared pointer to an empty session that does nothing.
+  ///
+  /// The empty session is a singleton that simply returns the request 
unchanged.
+  /// It is useful as a default or placeholder session.
+  ///
+  /// \return A shared pointer to the empty session singleton.
+  static std::shared_ptr<AuthSession> Empty();
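Review bot: `Authenticate` returns `void`, so a session that cannot produce credentials (presumably possible once a token refresh has failed or a token has expired) has no way to tell the caller, and the request could be sent without the authentication header. Consider `virtual Status Authenticate(std::unordered_map<std::string, std::string>& headers) = 0;` so the caller can abort the request instead; this would need the header that declares `Status`, which this file does not include yet. The doc comment should also say whether `Authenticate` may be called concurrently, since the class comment mentions token refresh threads. The class body continues outside the hunk.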

Review Comment:
   Return a singleton? But if AuthManager returns std::unique_ptr, we can only return unique_ptr here.



##########
src/iceberg/catalog/rest/auth/auth_manager.h:
##########
@@ -0,0 +1,122 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#pragma once
+
+#include <memory>
+#include <string>
+#include <unordered_map>
+
+#include "iceberg/catalog/rest/auth/auth_session.h"

Review Comment:
   Remove this and use a forward declaration instead.



##########
src/iceberg/catalog/rest/auth/auth_manager.h:
##########
@@ -0,0 +1,122 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#pragma once
+
+#include <memory>
+#include <string>
+#include <unordered_map>
+
+#include "iceberg/catalog/rest/auth/auth_session.h"
+#include "iceberg/catalog/rest/iceberg_rest_export.h"
+#include "iceberg/result.h"
+#include "iceberg/table_identifier.h"
+
+/// \file iceberg/catalog/rest/auth/auth_manager.h
+/// \brief Authentication manager interface for REST catalog.
+
+namespace iceberg::rest {
+class HttpClient;
+}  // namespace iceberg::rest
+
+namespace iceberg::rest::auth {
+
+/// \brief Manager for authentication sessions.
+///
+/// This interface is used to create sessions for the catalog, tables/views,
+/// and any other context that requires authentication.
+///
+/// Managers are typically stateful and may require initialization and cleanup.
+/// The manager is created by the catalog and is closed when the catalog is 
closed.
+///
+/// This interface is modeled after Java Iceberg's AuthManager interface.
+class ICEBERG_REST_EXPORT AuthManager {
+ public:
+  virtual ~AuthManager() = default;
+
+  /// \brief Return a temporary session for contacting the configuration 
endpoint.
+  ///
+  /// This session is used only during catalog initialization to fetch server
+  /// configuration. The returned session will be closed after the 
configuration
+  /// endpoint is contacted and should not be cached.
+  ///
+  /// The provided HTTP client is a short-lived client; it should only be used
+  /// to fetch initial credentials if required, and must be discarded after 
that.
+  ///
+  /// By default, it returns the catalog session.
+  ///
+  /// \param init_client A short-lived HTTP client for initialization.
+  /// \param properties Configuration properties.
+  /// \return A session for initialization, or an error if session creation 
fails.
+  virtual Result<std::shared_ptr<AuthSession>> InitSession(
+      HttpClient* init_client,
+      const std::unordered_map<std::string, std::string>& properties);
+
+  /// \brief Return a long-lived session for catalog operations.
+  ///
+  /// This session's lifetime is tied to the owning catalog. It serves as the
+  /// parent session for all other sessions (contextual and table-specific).
+  /// It is closed when the owning catalog is closed.
+  ///
+  /// The provided HTTP client is a long-lived, shared client. Implementors may
+  /// store it and reuse it for subsequent requests to the authorization server
+  /// (e.g., for renewing or refreshing credentials). It is not necessary to
+  /// close it when Close() is called.
+  ///
+  /// It is not required to cache the returned session internally, as the 
catalog
+  /// will keep it alive for the lifetime of the catalog.
+  ///
+  /// \param shared_client A long-lived, shared HTTP client.
+  /// \param properties Configuration properties (merged with server config).
+  /// \return A session for catalog operations, or an error if session 
creation fails
+  ///         (e.g., missing required credentials, network failure during 
token fetch).
+  virtual Result<std::shared_ptr<AuthSession>> CatalogSession(
+      HttpClient* shared_client,
+      const std::unordered_map<std::string, std::string>& properties) = 0;
+
+  /// \brief Return a session for a specific table or view.
+  ///
+  /// If the table or view requires a specific AuthSession (e.g., vended 
credentials),
+  /// this method should return a new AuthSession instance. Otherwise, it 
should
+  /// return the parent session.
+  ///
+  /// By default, it returns the parent session.
+  ///
+  /// Implementors should cache table sessions internally, as the catalog will 
not
+  /// cache them. Also, the owning catalog never closes table sessions; 
implementations
+  /// should manage their lifecycle and close them when they are no longer 
needed.
+  ///
+  /// \param table The table identifier.
+  /// \param properties Properties returned by the table/view endpoint.
+  /// \param parent The parent session (typically the catalog session).
+  /// \return A session for the table, or an error if session creation fails.
+  virtual Result<std::shared_ptr<AuthSession>> TableSession(
+      const TableIdentifier& table,
+      const std::unordered_map<std::string, std::string>& properties,
+      std::shared_ptr<AuthSession> parent);
+
+  /// \brief Close the manager and release any resources.
+  ///
+  /// This method is called when the owning catalog is closed. Implementations
+  /// should release any resources held by the manager, such as cached sessions
+  /// or background threads.
+  virtual void Close() {}
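Review bot: `InitSession` and `CatalogSession` take a raw `HttpClient*`, and the `CatalogSession` comment invites implementors to store it, but nothing states who owns the client, how long it must stay alive, or whether it may be null. If an implementation keeps the pointer for background token refresh and the client is destroyed first, that is a use-after-free, so the lifetime contract belongs in the interface docs: `/// \note shared_client is not owned and must outlive the returned session and this manager.` on `CatalogSession`, and `/// \note init_client must not be retained after this call returns.` on `InitSession`. The class's closing brace is outside this hunk.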

Review Comment:
   ```suggestion
     virtual Status Close() { return {}; }
   ```
   
   Let's return Status just in case.



##########
src/iceberg/catalog/rest/auth/auth_session.h:
##########
@@ -0,0 +1,105 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#pragma once
+
+#include <memory>
+#include <string>
+#include <unordered_map>
+
+#include "iceberg/catalog/rest/iceberg_rest_export.h"
+
+/// \file iceberg/catalog/rest/auth/auth_session.h
+/// \brief Authentication session interface for REST catalog.
+
+namespace iceberg::rest::auth {
+
+/// \brief An authentication session that can authenticate outgoing HTTP 
requests.
+///
+/// Authentication sessions are typically immutable, but may hold resources 
that need
+/// to be released when the session is no longer needed (e.g., token refresh 
threads).
+/// Implementations should override Close() to release any such resources.
+///
+/// This interface is modeled after Java Iceberg's AuthSession interface.

Review Comment:
   ```suggestion
   ```
   
   Let's remove comments like this.



##########
src/iceberg/catalog/rest/auth/auth_managers.h:
##########
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#pragma once
+
+#include <functional>
+#include <memory>
+#include <string>
+#include <unordered_map>
+
+#include "iceberg/catalog/rest/auth/auth_manager.h"
+#include "iceberg/catalog/rest/iceberg_rest_export.h"
+#include "iceberg/result.h"
+
+/// \file iceberg/catalog/rest/auth/auth_managers.h
+/// \brief Factory for creating authentication managers.
+
+namespace iceberg::rest::auth {
+
+/// \brief Factory function type for creating AuthManager instances.
+///
+/// \param name The name of the manager (used for logging).
+/// \param properties Configuration properties.
+/// \return A unique pointer to the created AuthManager.
+using AuthManagerFactory = std::function<std::unique_ptr<AuthManager>(
+    const std::string& name,
+    const std::unordered_map<std::string, std::string>& properties)>;
+
+/// \brief Factory class for loading authentication managers.
+///
+/// This class provides a registry-based approach to create AuthManager 
instances
+/// based on the configured authentication type. It supports built-in types
+/// (none, basic, oauth2) and allows registration of custom types.
+///
+/// This class is modeled after Java Iceberg's AuthManagers class.

Review Comment:
   ```suggestion
   ```



##########
src/iceberg/catalog/rest/auth/auth_managers.h:
##########
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#pragma once
+
+#include <functional>
+#include <memory>
+#include <string>
+#include <unordered_map>
+
+#include "iceberg/catalog/rest/auth/auth_manager.h"
+#include "iceberg/catalog/rest/iceberg_rest_export.h"
+#include "iceberg/result.h"
+
+/// \file iceberg/catalog/rest/auth/auth_managers.h
+/// \brief Factory for creating authentication managers.
+
+namespace iceberg::rest::auth {
+
+/// \brief Factory function type for creating AuthManager instances.
+///
+/// \param name The name of the manager (used for logging).
+/// \param properties Configuration properties.
+/// \return A unique pointer to the created AuthManager.
+using AuthManagerFactory = std::function<std::unique_ptr<AuthManager>(
+    const std::string& name,

Review Comment:
   ```suggestion
       std::string_view name,
   ```



##########
src/iceberg/catalog/rest/auth/auth_managers.h:
##########
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#pragma once
+
+#include <functional>
+#include <memory>
+#include <string>
+#include <unordered_map>
+
+#include "iceberg/catalog/rest/auth/auth_manager.h"
+#include "iceberg/catalog/rest/iceberg_rest_export.h"
+#include "iceberg/result.h"
+
+/// \file iceberg/catalog/rest/auth/auth_managers.h
+/// \brief Factory for creating authentication managers.
+
+namespace iceberg::rest::auth {
+
+/// \brief Factory function type for creating AuthManager instances.
+///
+/// \param name The name of the manager (used for logging).
+/// \param properties Configuration properties.
+/// \return A unique pointer to the created AuthManager.
+using AuthManagerFactory = std::function<std::unique_ptr<AuthManager>(
+    const std::string& name,
+    const std::unordered_map<std::string, std::string>& properties)>;
+
+/// \brief Factory class for loading authentication managers.
+///
+/// This class provides a registry-based approach to create AuthManager 
instances
+/// based on the configured authentication type. It supports built-in types
+/// (none, basic, oauth2) and allows registration of custom types.
+///
+/// This class is modeled after Java Iceberg's AuthManagers class.
+class ICEBERG_REST_EXPORT AuthManagers {
+ public:
+  /// \brief Load an authentication manager based on configuration.
+  ///
+  /// This method reads the "rest.auth.type" property to determine which
+  /// AuthManager implementation to create. Supported types include:
+  /// - "none": NoopAuthManager (no authentication)
+  /// - "basic": BasicAuthManager (HTTP Basic authentication)
+  /// - "oauth2": OAuth2AuthManager (OAuth2 authentication)
+  /// - "sigv4": SigV4AuthManager (AWS Signature V4)
+  ///
+  /// If no auth type is specified, the method will infer the type based on
+  /// other properties (e.g., presence of "credential" or "token" implies 
oauth2).
+  /// If no auth-related properties are found, it defaults to "none".
+  ///
+  /// \param name A name for the manager (used for logging).
+  /// \param properties Configuration properties.
+  /// \return A unique pointer to the created AuthManager, or an error.
+  static Result<std::unique_ptr<AuthManager>> Load(
+      const std::string& name,
+      const std::unordered_map<std::string, std::string>& properties);
+
+  /// \brief Register a custom authentication manager factory.
+  ///
+  /// This allows users to extend the supported authentication types by
+  /// registering their own AuthManager implementations.
+  ///
+  /// \param auth_type The authentication type name (e.g., "custom").
+  /// \param factory The factory function to create the AuthManager.
+  static void Register(const std::string& auth_type, AuthManagerFactory 
factory);
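Review bot: `Register` returns `void` and its comment does not say what happens when `auth_type` is already registered, including the built-in names listed on `Load`. As declared, any code in the process could replace the factory behind `"oauth2"` or `"basic"` without the caller noticing, so the behaviour should be documented and duplicates preferably rejected, e.g. `static Status Register(const std::string& auth_type, AuthManagerFactory factory);` with `/// \return An error if auth_type is already registered or is a built-in type.` The registry is process-wide static state, so the comment should also say whether `Register` and `Load` may run concurrently. Separately, the `Load` comment should state that an unrecognised `rest.auth.type` value is an error rather than a fallback to `"none"`. The class body continues outside the hunk.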

Review Comment:
   ```suggestion
     static void Register(std::string_view auth_type, AuthManagerFactory 
factory);
   ```



##########
src/iceberg/catalog/rest/auth/auth_manager.h:
##########
@@ -0,0 +1,122 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#pragma once
+
+#include <memory>
+#include <string>
+#include <unordered_map>
+
+#include "iceberg/catalog/rest/auth/auth_session.h"
+#include "iceberg/catalog/rest/iceberg_rest_export.h"
+#include "iceberg/result.h"
+#include "iceberg/table_identifier.h"
+
+/// \file iceberg/catalog/rest/auth/auth_manager.h
+/// \brief Authentication manager interface for REST catalog.
+
+namespace iceberg::rest {
+class HttpClient;
+}  // namespace iceberg::rest
+
+namespace iceberg::rest::auth {
+
+/// \brief Manager for authentication sessions.
+///
+/// This interface is used to create sessions for the catalog, tables/views,
+/// and any other context that requires authentication.
+///
+/// Managers are typically stateful and may require initialization and cleanup.
+/// The manager is created by the catalog and is closed when the catalog is 
closed.
+///
+/// This interface is modeled after Java Iceberg's AuthManager interface.

Review Comment:
   ```suggestion
   ```



##########
src/iceberg/catalog/rest/auth/auth_manager.h:
##########
@@ -0,0 +1,122 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#pragma once
+
+#include <memory>
+#include <string>
+#include <unordered_map>
+
+#include "iceberg/catalog/rest/auth/auth_session.h"
+#include "iceberg/catalog/rest/iceberg_rest_export.h"
+#include "iceberg/result.h"
+#include "iceberg/table_identifier.h"
+
+/// \file iceberg/catalog/rest/auth/auth_manager.h
+/// \brief Authentication manager interface for REST catalog.
+
+namespace iceberg::rest {
+class HttpClient;
+}  // namespace iceberg::rest
+
+namespace iceberg::rest::auth {
+
+/// \brief Manager for authentication sessions.
+///
+/// This interface is used to create sessions for the catalog, tables/views,
+/// and any other context that requires authentication.
+///
+/// Managers are typically stateful and may require initialization and cleanup.
+/// The manager is created by the catalog and is closed when the catalog is 
closed.
+///
+/// This interface is modeled after Java Iceberg's AuthManager interface.
+class ICEBERG_REST_EXPORT AuthManager {
+ public:
+  virtual ~AuthManager() = default;
+
+  /// \brief Return a temporary session for contacting the configuration 
endpoint.
+  ///
+  /// This session is used only during catalog initialization to fetch server
+  /// configuration. The returned session will be closed after the 
configuration
+  /// endpoint is contacted and should not be cached.
+  ///
+  /// The provided HTTP client is a short-lived client; it should only be used
+  /// to fetch initial credentials if required, and must be discarded after 
that.
+  ///
+  /// By default, it returns the catalog session.
+  ///
+  /// \param init_client A short-lived HTTP client for initialization.
+  /// \param properties Configuration properties.
+  /// \return A session for initialization, or an error if session creation 
fails.
+  virtual Result<std::shared_ptr<AuthSession>> InitSession(
+      HttpClient* init_client,
+      const std::unordered_map<std::string, std::string>& properties);
+
+  /// \brief Return a long-lived session for catalog operations.
+  ///
+  /// This session's lifetime is tied to the owning catalog. It serves as the
+  /// parent session for all other sessions (contextual and table-specific).
+  /// It is closed when the owning catalog is closed.
+  ///
+  /// The provided HTTP client is a long-lived, shared client. Implementors may
+  /// store it and reuse it for subsequent requests to the authorization server
+  /// (e.g., for renewing or refreshing credentials). It is not necessary to
+  /// close it when Close() is called.
+  ///
+  /// It is not required to cache the returned session internally, as the 
catalog
+  /// will keep it alive for the lifetime of the catalog.
+  ///
+  /// \param shared_client A long-lived, shared HTTP client.
+  /// \param properties Configuration properties (merged with server config).
+  /// \return A session for catalog operations, or an error if session 
creation fails
+  ///         (e.g., missing required credentials, network failure during 
token fetch).
+  virtual Result<std::shared_ptr<AuthSession>> CatalogSession(
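Review bot: The `HttpClient*` parameters of `InitSession` and `CatalogSession` carry lifetime rules that the doc comments only hint at. The comment on `CatalogSession` invites implementors to store `shared_client`, but nothing says the client must outlive the manager and its sessions, and nothing forbids keeping `init_client`, which is described as short-lived. A manager that retains either pointer past its owner would dereference a dangling pointer on the path that fetches or refreshes credentials. I would state the contract in the parameter docs, e.g. `/// \param shared_client Non-owning; must outlive this manager and every session it returns.` and `/// \param init_client Non-owning; must not be retained after InitSession() returns.` The declaration of `CatalogSession` continues past the end of this hunk, and the same declarations recur in the other quoted hunks of auth_manager.h.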

Review Comment:
   ditto



##########
src/iceberg/catalog/rest/auth/auth_session.h:
##########
@@ -0,0 +1,105 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#pragma once
+
+#include <memory>
+#include <string>
+#include <unordered_map>
+
+#include "iceberg/catalog/rest/iceberg_rest_export.h"
+
+/// \file iceberg/catalog/rest/auth/auth_session.h
+/// \brief Authentication session interface for REST catalog.
+
+namespace iceberg::rest::auth {
+
+/// \brief An authentication session that can authenticate outgoing HTTP 
requests.
+///
+/// Authentication sessions are typically immutable, but may hold resources 
that need
+/// to be released when the session is no longer needed (e.g., token refresh 
threads).
+/// Implementations should override Close() to release any such resources.
+///
+/// This interface is modeled after Java Iceberg's AuthSession interface.
+class ICEBERG_REST_EXPORT AuthSession {
+ public:
+  virtual ~AuthSession() = default;
+
+  /// \brief Authenticate the given request headers.
+  ///
+  /// This method adds authentication information (e.g., Authorization header)
+  /// to the provided headers map. The implementation should be idempotent.
+  ///
+  /// \param headers The headers map to add authentication information to.
+  virtual void Authenticate(std::unordered_map<std::string, std::string>& 
headers) = 0;
+
+  /// \brief Close the session and release any resources.
+  ///
+  /// This method is called when the session is no longer needed. For stateful
+  /// sessions (e.g., OAuth2 with token refresh), this should stop any 
background
+  /// threads and release resources.
+  ///
+  /// Note: Since sessions may be cached, this method may not be called 
immediately
+  /// after the session is no longer needed, but rather when the session is 
evicted
+  /// from the cache or the cache itself is closed.
+  virtual void Close() {}
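Review bot: The contract between `Close()` and `Authenticate()` is left open in this hunk. The class comment mentions token refresh threads and the manager interface returns sessions as `std::shared_ptr`, yet neither method documents whether it may run concurrently with the other or what `Authenticate()` does once the session is closed. For a type that attaches credentials to outgoing requests this should be explicit, so that a closed or mid-refresh session cannot attach a stale or partially updated token. Suggested additions, to be adjusted to whatever the authors decide: `/// Safe to call concurrently with Close() and any background refresh.` on `Authenticate()` and `/// Idempotent; after Close() returns, Authenticate() must not attach credentials.` on `Close()`. The class body continues outside the hunk.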

Review Comment:
   Return status



##########
src/iceberg/catalog/rest/auth/auth_manager.h:
##########
@@ -0,0 +1,122 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#pragma once
+
+#include <memory>
+#include <string>
+#include <unordered_map>
+
+#include "iceberg/catalog/rest/auth/auth_session.h"
+#include "iceberg/catalog/rest/iceberg_rest_export.h"
+#include "iceberg/result.h"
+#include "iceberg/table_identifier.h"
+
+/// \file iceberg/catalog/rest/auth/auth_manager.h
+/// \brief Authentication manager interface for REST catalog.
+
+namespace iceberg::rest {
+class HttpClient;
+}  // namespace iceberg::rest
+
+namespace iceberg::rest::auth {
+
+/// \brief Manager for authentication sessions.
+///
+/// This interface is used to create sessions for the catalog, tables/views,
+/// and any other context that requires authentication.
+///
+/// Managers are typically stateful and may require initialization and cleanup.
+/// The manager is created by the catalog and is closed when the catalog is 
closed.
+///
+/// This interface is modeled after Java Iceberg's AuthManager interface.
+class ICEBERG_REST_EXPORT AuthManager {
+ public:
+  virtual ~AuthManager() = default;
+
+  /// \brief Return a temporary session for contacting the configuration 
endpoint.
+  ///
+  /// This session is used only during catalog initialization to fetch server
+  /// configuration. The returned session will be closed after the 
configuration
+  /// endpoint is contacted and should not be cached.
+  ///
+  /// The provided HTTP client is a short-lived client; it should only be used
+  /// to fetch initial credentials if required, and must be discarded after 
that.
+  ///
+  /// By default, it returns the catalog session.
+  ///
+  /// \param init_client A short-lived HTTP client for initialization.
+  /// \param properties Configuration properties.
+  /// \return A session for initialization, or an error if session creation 
fails.
+  virtual Result<std::shared_ptr<AuthSession>> InitSession(
+      HttpClient* init_client,
+      const std::unordered_map<std::string, std::string>& properties);
+
+  /// \brief Return a long-lived session for catalog operations.
+  ///
+  /// This session's lifetime is tied to the owning catalog. It serves as the
+  /// parent session for all other sessions (contextual and table-specific).
+  /// It is closed when the owning catalog is closed.
+  ///
+  /// The provided HTTP client is a long-lived, shared client. Implementors may
+  /// store it and reuse it for subsequent requests to the authorization server
+  /// (e.g., for renewing or refreshing credentials). It is not necessary to
+  /// close it when Close() is called.
+  ///
+  /// It is not required to cache the returned session internally, as the 
catalog
+  /// will keep it alive for the lifetime of the catalog.
+  ///
+  /// \param shared_client A long-lived, shared HTTP client.
+  /// \param properties Configuration properties (merged with server config).
+  /// \return A session for catalog operations, or an error if session 
creation fails
+  ///         (e.g., missing required credentials, network failure during 
token fetch).
+  virtual Result<std::shared_ptr<AuthSession>> CatalogSession(
+      HttpClient* shared_client,
+      const std::unordered_map<std::string, std::string>& properties) = 0;
+
+  /// \brief Return a session for a specific table or view.
+  ///
+  /// If the table or view requires a specific AuthSession (e.g., vended 
credentials),
+  /// this method should return a new AuthSession instance. Otherwise, it 
should
+  /// return the parent session.
+  ///
+  /// By default, it returns the parent session.
+  ///
+  /// Implementors should cache table sessions internally, as the catalog will 
not
+  /// cache them. Also, the owning catalog never closes table sessions; 
implementations
+  /// should manage their lifecycle and close them when they are no longer 
needed.
+  ///
+  /// \param table The table identifier.
+  /// \param properties Properties returned by the table/view endpoint.
+  /// \param parent The parent session (typically the catalog session).
+  /// \return A session for the table, or an error if session creation fails.
+  virtual Result<std::shared_ptr<AuthSession>> TableSession(
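Review bot: The advice in the `TableSession` comment that implementors cache table sessions internally does not say what the cache key or its bound should be. With vended credentials, a cache keyed on the table identifier alone could return a session created under one parent session to a caller holding a different one, and an unbounded cache keeps credentials alive for the life of the process. I would extend the comment with something like `/// Cache entries must be keyed on the table identifier and the parent session, and evicted no later than the credentials expire.` The declaration of `TableSession` continues outside the hunk, so the parameter list is known here only from the doc comment.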

Review Comment:
   Is it better to return `Result<std::unique_ptr<AuthSession>>` from all these 
functions? IMO, the created session is not supposed to be shared by different 
catalogs or tables. In most cases, they are short-lived. The main blocker might 
be here because by default parent session should be returned as is. Should we 
change the signature as:
   
   ```cpp
   virtual Result<std::unique_ptr<AuthSession>> TableSession(
         const TableIdentifier& table_identifier,
         const std::unordered_map<std::string, std::string>& properties,
         std::unique_ptr<AuthSession>&& parent);
   ```



##########
src/iceberg/catalog/rest/auth/auth_session.h:
##########
@@ -0,0 +1,105 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#pragma once
+
+#include <memory>
+#include <string>
+#include <unordered_map>
+
+#include "iceberg/catalog/rest/iceberg_rest_export.h"
+
+/// \file iceberg/catalog/rest/auth/auth_session.h
+/// \brief Authentication session interface for REST catalog.
+
+namespace iceberg::rest::auth {
+
+/// \brief An authentication session that can authenticate outgoing HTTP 
requests.
+///
+/// Authentication sessions are typically immutable, but may hold resources 
that need
+/// to be released when the session is no longer needed (e.g., token refresh 
threads).
+/// Implementations should override Close() to release any such resources.
+///
+/// This interface is modeled after Java Iceberg's AuthSession interface.
+class ICEBERG_REST_EXPORT AuthSession {
+ public:
+  virtual ~AuthSession() = default;
+
+  /// \brief Authenticate the given request headers.
+  ///
+  /// This method adds authentication information (e.g., Authorization header)
+  /// to the provided headers map. The implementation should be idempotent.
+  ///
+  /// \param headers The headers map to add authentication information to.
+  virtual void Authenticate(std::unordered_map<std::string, std::string>& 
headers) = 0;
+
+  /// \brief Close the session and release any resources.
+  ///
+  /// This method is called when the session is no longer needed. For stateful
+  /// sessions (e.g., OAuth2 with token refresh), this should stop any 
background
+  /// threads and release resources.
+  ///
+  /// Note: Since sessions may be cached, this method may not be called 
immediately
+  /// after the session is no longer needed, but rather when the session is 
evicted
+  /// from the cache or the cache itself is closed.
+  virtual void Close() {}
+
+  /// \brief Get a shared pointer to an empty session that does nothing.
+  ///
+  /// The empty session is a singleton that simply returns the request 
unchanged.
+  /// It is useful as a default or placeholder session.
+  ///
+  /// \return A shared pointer to the empty session singleton.
+  static std::shared_ptr<AuthSession> Empty();
+};
+
+/// \brief A default authentication session that adds static headers to 
requests.
+///
+/// This implementation authenticates requests by adding a fixed set of 
headers.
+/// It is suitable for authentication methods that use static credentials,
+/// such as Basic auth or static bearer tokens.
+class ICEBERG_REST_EXPORT DefaultAuthSession : public AuthSession {
+ public:
+  /// \brief Construct a DefaultAuthSession with the given headers.
+  ///
+  /// \param headers The headers to add to each request for authentication.
+  explicit DefaultAuthSession(std::unordered_map<std::string, std::string> 
headers);
+
+  ~DefaultAuthSession() override = default;
+
+  /// \brief Add the configured headers to the request.
+  ///
+  /// Headers are added only if they don't already exist in the request
+  /// (i.e., request headers take precedence).
+  ///
+  /// \param headers The headers map to add authentication information to.
+  void Authenticate(std::unordered_map<std::string, std::string>& headers) 
override;
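Review bot: `DefaultAuthSession::Authenticate` documents that request headers take precedence, but the headers travel in a `std::unordered_map<std::string, std::string>`, which compares keys byte-for-byte while HTTP header names are case-insensitive. Depending on the implementation, which is not in this hunk, a request that already carries `authorization` may not suppress the configured `Authorization`, so both would be sent; the precedence rule also means a caller-supplied value replaces the session's credential. The comment should say which comparison is used and that the override is intended, e.g. `/// Header names are matched case-insensitively; an existing entry is never overwritten.` Since the constructor keeps static credentials for the lifetime of the object, a line noting that the stored header values must not be logged would also help.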

Review Comment:
   Do you think it is worth adding a class HttpRequest? We don't have it yet.



##########
src/iceberg/catalog/rest/auth/auth_managers.h:
##########
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#pragma once
+
+#include <functional>
+#include <memory>
+#include <string>
+#include <unordered_map>
+
+#include "iceberg/catalog/rest/auth/auth_manager.h"
+#include "iceberg/catalog/rest/iceberg_rest_export.h"
+#include "iceberg/result.h"
+
+/// \file iceberg/catalog/rest/auth/auth_managers.h
+/// \brief Factory for creating authentication managers.
+
+namespace iceberg::rest::auth {
+
+/// \brief Factory function type for creating AuthManager instances.
+///
+/// \param name The name of the manager (used for logging).
+/// \param properties Configuration properties.
+/// \return A unique pointer to the created AuthManager.
+using AuthManagerFactory = std::function<std::unique_ptr<AuthManager>(
+    const std::string& name,
+    const std::unordered_map<std::string, std::string>& properties)>;
+
+/// \brief Factory class for loading authentication managers.
+///
+/// This class provides a registry-based approach to create AuthManager 
instances
+/// based on the configured authentication type. It supports built-in types
+/// (none, basic, oauth2) and allows registration of custom types.
+///
+/// This class is modeled after Java Iceberg's AuthManagers class.
+class ICEBERG_REST_EXPORT AuthManagers {
+ public:
+  /// \brief Load an authentication manager based on configuration.
+  ///
+  /// This method reads the "rest.auth.type" property to determine which
+  /// AuthManager implementation to create. Supported types include:
+  /// - "none": NoopAuthManager (no authentication)
+  /// - "basic": BasicAuthManager (HTTP Basic authentication)
+  /// - "oauth2": OAuth2AuthManager (OAuth2 authentication)
+  /// - "sigv4": SigV4AuthManager (AWS Signature V4)
+  ///
+  /// If no auth type is specified, the method will infer the type based on
+  /// other properties (e.g., presence of "credential" or "token" implies 
oauth2).
+  /// If no auth-related properties are found, it defaults to "none".
+  ///
+  /// \param name A name for the manager (used for logging).
+  /// \param properties Configuration properties.
+  /// \return A unique pointer to the created AuthManager, or an error.
+  static Result<std::unique_ptr<AuthManager>> Load(
+      const std::string& name,

Review Comment:
   ```suggestion
         std::string_view name,
   ```



##########
src/iceberg/catalog/rest/auth/auth_managers.cc:
##########
@@ -0,0 +1,91 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#include "iceberg/catalog/rest/auth/auth_managers.h"
+
+#include <algorithm>
+#include <cctype>
+
+#include "iceberg/catalog/rest/auth/auth_properties.h"
+
+namespace iceberg::rest::auth {
+
+namespace {
+
+/// \brief Convert a string to lowercase for case-insensitive comparison.
+std::string ToLower(std::string_view str) {
+  std::string result(str);
+  std::ranges::transform(result, result.begin(),
+                         [](unsigned char c) { return std::tolower(c); });
+  return result;
+}
+
+/// \brief Infer the authentication type from properties.
+///
+/// If no explicit auth type is set, this function tries to infer it from
+/// other properties. If "credential" or "token" is present, it implies
+/// OAuth2 authentication. Otherwise, defaults to no authentication.
+///
+/// This behavior is consistent with Java Iceberg's AuthManagers.
+std::string InferAuthType(
+    const std::unordered_map<std::string, std::string>& properties) {
+  // Check for explicit auth type first
+  auto it = properties.find(std::string(AuthProperties::kAuthType));
+  if (it != properties.end() && !it->second.empty()) {
+    return ToLower(it->second);
+  }
+
+  // Infer from OAuth2 properties (credential or token)
+  bool has_credential =
+      properties.contains(std::string(AuthProperties::kOAuth2Credential));
+  bool has_token = 
properties.contains(std::string(AuthProperties::kOAuth2Token));
+  if (has_credential || has_token) {
+    return std::string(AuthProperties::kAuthTypeOAuth2);
+  }
+
+  // Default to no authentication
+  return std::string(AuthProperties::kAuthTypeNone);
+}
+
+}  // namespace
+
+std::unordered_map<std::string, AuthManagerFactory>& 
AuthManagers::GetRegistry() {
+  static std::unordered_map<std::string, AuthManagerFactory> registry;
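Review bot: `InferAuthType` ends in `return std::string(AuthProperties::kAuthTypeNone);`, so a configuration whose credential or token key is misspelled resolves to an unauthenticated catalog with no signal to the operator. The two presence checks are also asymmetric: an empty auth type is treated as unset, while `properties.contains(...)` accepts an empty credential or token as evidence for OAuth2. That second behaviour is presumably the safer one, because an OAuth2 manager can reject the empty value where `none` would not. It deserves a comment so it is not later relaxed into another path to `none`, e.g. `// Presence alone selects OAuth2, even when the value is empty; do not relax this into a fallback to "none".` `GetRegistry` starts on the last lines of the hunk and its body continues outside it.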

Review Comment:
   ```suggestion
     static std::unordered_map<std::string, AuthManagerFactory, StringHash, 
StringEqual> registry;
   ```
   
   Let's support heterogeneous lookup



##########
src/iceberg/catalog/rest/auth/auth_managers.h:
##########
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#pragma once
+
+#include <functional>
+#include <memory>
+#include <string>
+#include <unordered_map>
+
+#include "iceberg/catalog/rest/auth/auth_manager.h"
+#include "iceberg/catalog/rest/iceberg_rest_export.h"
+#include "iceberg/result.h"
+
+/// \file iceberg/catalog/rest/auth/auth_managers.h
+/// \brief Factory for creating authentication managers.
+
+namespace iceberg::rest::auth {
+
+/// \brief Factory function type for creating AuthManager instances.
+///
+/// \param name The name of the manager (used for logging).
+/// \param properties Configuration properties.
+/// \return A unique pointer to the created AuthManager.
+using AuthManagerFactory = std::function<std::unique_ptr<AuthManager>(
+    const std::string& name,
+    const std::unordered_map<std::string, std::string>& properties)>;
+
+/// \brief Factory class for loading authentication managers.
+///
+/// This class provides a registry-based approach to create AuthManager 
instances
+/// based on the configured authentication type. It supports built-in types
+/// (none, basic, oauth2) and allows registration of custom types.
+///
+/// This class is modeled after Java Iceberg's AuthManagers class.
+class ICEBERG_REST_EXPORT AuthManagers {
+ public:
+  /// \brief Load an authentication manager based on configuration.
+  ///
+  /// This method reads the "rest.auth.type" property to determine which
+  /// AuthManager implementation to create. Supported types include:
+  /// - "none": NoopAuthManager (no authentication)
+  /// - "basic": BasicAuthManager (HTTP Basic authentication)
+  /// - "oauth2": OAuth2AuthManager (OAuth2 authentication)
+  /// - "sigv4": SigV4AuthManager (AWS Signature V4)
+  ///
+  /// If no auth type is specified, the method will infer the type based on
+  /// other properties (e.g., presence of "credential" or "token" implies 
oauth2).
+  /// If no auth-related properties are found, it defaults to "none".
+  ///
+  /// \param name A name for the manager (used for logging).

Review Comment:
   ```suggestion
     /// \param name A name for the manager.
   ```



##########
src/iceberg/catalog/rest/auth/auth_session.h:
##########
@@ -0,0 +1,105 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#pragma once
+
+#include <memory>
+#include <string>
+#include <unordered_map>
+
+#include "iceberg/catalog/rest/iceberg_rest_export.h"
+
+/// \file iceberg/catalog/rest/auth/auth_session.h
+/// \brief Authentication session interface for REST catalog.
+
+namespace iceberg::rest::auth {
+
+/// \brief An authentication session that can authenticate outgoing HTTP 
requests.
+///
+/// Authentication sessions are typically immutable, but may hold resources 
that need
+/// to be released when the session is no longer needed (e.g., token refresh 
threads).
+/// Implementations should override Close() to release any such resources.
+///
+/// This interface is modeled after Java Iceberg's AuthSession interface.
+class ICEBERG_REST_EXPORT AuthSession {
+ public:
+  virtual ~AuthSession() = default;
+
+  /// \brief Authenticate the given request headers.
+  ///
+  /// This method adds authentication information (e.g., Authorization header)
+  /// to the provided headers map. The implementation should be idempotent.
+  ///
+  /// \param headers The headers map to add authentication information to.
+  virtual void Authenticate(std::unordered_map<std::string, std::string>& 
headers) = 0;

Review Comment:
   ```suggestion
     virtual Status Authenticate(std::unordered_map<std::string, std::string>& 
headers) = 0;
   ```
   
   Let's return status just in case.



##########
src/iceberg/catalog/rest/auth/auth_manager.h:
##########
@@ -0,0 +1,122 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#pragma once
+
+#include <memory>
+#include <string>
+#include <unordered_map>
+
+#include "iceberg/catalog/rest/auth/auth_session.h"
+#include "iceberg/catalog/rest/iceberg_rest_export.h"
+#include "iceberg/table_identifier.h"
+
+/// \file iceberg/catalog/rest/auth/auth_manager.h
+/// \brief Authentication manager interface for REST catalog.
+
+namespace iceberg::rest {
+class HttpClient;
+}  // namespace iceberg::rest
+
+namespace iceberg::rest::auth {
+
+/// \brief Manager for authentication sessions.
+///
+/// This interface is used to create sessions for the catalog, tables/views,
+/// and any other context that requires authentication.
+///
+/// Managers are typically stateful and may require initialization and cleanup.
+/// The manager is created by the catalog and is closed when the catalog is 
closed.
+///
+/// This interface is modeled after Java Iceberg's AuthManager interface.
+class ICEBERG_REST_EXPORT AuthManager {
+ public:
+  virtual ~AuthManager() = default;
+
+  /// \brief Return a temporary session for contacting the configuration 
endpoint.
+  ///
+  /// This session is used only during catalog initialization to fetch server
+  /// configuration. The returned session will be closed after the 
configuration
+  /// endpoint is contacted and should not be cached.
+  ///
+  /// The provided HTTP client is a short-lived client; it should only be used
+  /// to fetch initial credentials if required, and must be discarded after 
that.
+  ///
+  /// This method cannot return null. By default, it returns the catalog 
session.
+  ///
+  /// \param init_client A short-lived HTTP client for initialization.
+  /// \param properties Configuration properties.
+  /// \return A session for initialization, or the catalog session by default.
+  virtual std::shared_ptr<AuthSession> InitSession(
+      HttpClient* init_client,

Review Comment:
   Perhaps it is better to use `HttpClient&` to save the null check?



##########
src/iceberg/catalog/rest/auth/auth_managers.h:
##########
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#pragma once
+
+#include <functional>
+#include <memory>
+#include <string>
+#include <unordered_map>
+
+#include "iceberg/catalog/rest/auth/auth_manager.h"
+#include "iceberg/catalog/rest/iceberg_rest_export.h"
+#include "iceberg/result.h"
+
+/// \file iceberg/catalog/rest/auth/auth_managers.h
+/// \brief Factory for creating authentication managers.
+
+namespace iceberg::rest::auth {
+
+/// \brief Factory function type for creating AuthManager instances.
+///
+/// \param name The name of the manager (used for logging).
+/// \param properties Configuration properties.
+/// \return A unique pointer to the created AuthManager.
+using AuthManagerFactory = std::function<std::unique_ptr<AuthManager>(
+    const std::string& name,
+    const std::unordered_map<std::string, std::string>& properties)>;
+
+/// \brief Factory class for loading authentication managers.
+///
+/// This class provides a registry-based approach to create AuthManager 
instances
+/// based on the configured authentication type. It supports built-in types
+/// (none, basic, oauth2) and allows registration of custom types.
+///
+/// This class is modeled after Java Iceberg's AuthManagers class.
+class ICEBERG_REST_EXPORT AuthManagers {
+ public:
+  /// \brief Load an authentication manager based on configuration.
+  ///
+  /// This method reads the "rest.auth.type" property to determine which
+  /// AuthManager implementation to create. Supported types include:
+  /// - "none": NoopAuthManager (no authentication)
+  /// - "basic": BasicAuthManager (HTTP Basic authentication)
+  /// - "oauth2": OAuth2AuthManager (OAuth2 authentication)
+  /// - "sigv4": SigV4AuthManager (AWS Signature V4)
+  ///
+  /// If no auth type is specified, the method will infer the type based on
+  /// other properties (e.g., presence of "credential" or "token" implies 
oauth2).
+  /// If no auth-related properties are found, it defaults to "none".
+  ///
+  /// \param name A name for the manager (used for logging).
+  /// \param properties Configuration properties.
+  /// \return A unique pointer to the created AuthManager, or an error.
+  static Result<std::unique_ptr<AuthManager>> Load(
+      const std::string& name,
+      const std::unordered_map<std::string, std::string>& properties);
+
+  /// \brief Register a custom authentication manager factory.
+  ///
+  /// This allows users to extend the supported authentication types by
+  /// registering their own AuthManager implementations.
+  ///
+  /// \param auth_type The authentication type name (e.g., "custom").
+  /// \param factory The factory function to create the AuthManager.
+  static void Register(const std::string& auth_type, AuthManagerFactory 
factory);
+
+ private:
+  /// \brief Get the global registry of auth manager factories.
+  static std::unordered_map<std::string, AuthManagerFactory>& GetRegistry();
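Review bot: The `Load` comment does not say what happens when "rest.auth.type" holds a value that is not registered, while it does say that a configuration without auth-related properties resolves to "none". For an authentication factory the unknown-type case needs an explicit contract, so I would add `/// An unrecognized "rest.auth.type" value is returned as an error; it never falls back to "none".` and have the implementation (not visible here) follow it. `Register` does not state whether registering an existing name, including a built-in one, replaces that entry, nor whether it may run concurrently with `Load`. Both presumably go through the process-wide map behind `GetRegistry()`, so that should be documented as well. The class comment lists the built-in types as (none, basic, oauth2) while `Load` also lists "sigv4"; the two lists should agree.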

Review Comment:
   We don't need this function in the header file, right?



##########
src/iceberg/catalog/rest/auth/auth_session.h:
##########
@@ -0,0 +1,105 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#pragma once
+
+#include <memory>
+#include <string>
+#include <unordered_map>
+
+#include "iceberg/catalog/rest/iceberg_rest_export.h"
+
+/// \file iceberg/catalog/rest/auth/auth_session.h
+/// \brief Authentication session interface for REST catalog.
+
+namespace iceberg::rest::auth {
+
+/// \brief An authentication session that can authenticate outgoing HTTP 
requests.
+///
+/// Authentication sessions are typically immutable, but may hold resources 
that need
+/// to be released when the session is no longer needed (e.g., token refresh 
threads).
+/// Implementations should override Close() to release any such resources.
+///
+/// This interface is modeled after Java Iceberg's AuthSession interface.
+class ICEBERG_REST_EXPORT AuthSession {
+ public:
+  virtual ~AuthSession() = default;
+
+  /// \brief Authenticate the given request headers.
+  ///
+  /// This method adds authentication information (e.g., Authorization header)
+  /// to the provided headers map. The implementation should be idempotent.
+  ///
+  /// \param headers The headers map to add authentication information to.
+  virtual void Authenticate(std::unordered_map<std::string, std::string>& 
headers) = 0;
+
+  /// \brief Close the session and release any resources.
+  ///
+  /// This method is called when the session is no longer needed. For stateful
+  /// sessions (e.g., OAuth2 with token refresh), this should stop any 
background
+  /// threads and release resources.
+  ///
+  /// Note: Since sessions may be cached, this method may not be called 
immediately
+  /// after the session is no longer needed, but rather when the session is 
evicted
+  /// from the cache or the cache itself is closed.
+  virtual void Close() {}
+
+  /// \brief Get a shared pointer to an empty session that does nothing.
+  ///
+  /// The empty session is a singleton that simply returns the request 
unchanged.
+  /// It is useful as a default or placeholder session.
+  ///
+  /// \return A shared pointer to the empty session singleton.
+  static std::shared_ptr<AuthSession> Empty();
+};
+
+/// \brief A default authentication session that adds static headers to 
requests.
+///
+/// This implementation authenticates requests by adding a fixed set of 
headers.
+/// It is suitable for authentication methods that use static credentials,
+/// such as Basic auth or static bearer tokens.
+class ICEBERG_REST_EXPORT DefaultAuthSession : public AuthSession {
+ public:
+  /// \brief Construct a DefaultAuthSession with the given headers.
+  ///
+  /// \param headers The headers to add to each request for authentication.
+  explicit DefaultAuthSession(std::unordered_map<std::string, std::string> 
headers);
+
+  ~DefaultAuthSession() override = default;
+
+  /// \brief Add the configured headers to the request.
+  ///
+  /// Headers are added only if they don't already exist in the request
+  /// (i.e., request headers take precedence).
+  ///
+  /// \param headers The headers map to add authentication information to.
+  void Authenticate(std::unordered_map<std::string, std::string>& headers) 
override;
+
+  /// \brief Create a DefaultAuthSession with the given headers.
+  ///
+  /// \param headers The headers to add to each request.
+  /// \return A shared pointer to the new session.
+  static std::shared_ptr<DefaultAuthSession> Of(
+      std::unordered_map<std::string, std::string> headers);
+
+ private:
+  std::unordered_map<std::string, std::string> headers_;
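Review bot: `DefaultAuthSession::Authenticate` is documented as adding a header only when the request does not already carry it, so a pre-existing `Authorization` entry wins over the configured credential. Both maps are `std::unordered_map<std::string, std::string>`, so the existence check is presumably case-sensitive while HTTP header names are not, and a request that already holds `authorization` could end up with two credential headers. The comment should state the precedence rule as deliberate and say how names are compared, e.g. `/// Header names are compared case-insensitively; an existing request header is never overwritten.`, with the implementation (not in this hunk) normalizing names to match. The same declaration is quoted again further down this thread.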

Review Comment:
   Why do we need this?



##########
src/iceberg/catalog/rest/auth/auth_managers.cc:
##########
@@ -0,0 +1,91 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#include "iceberg/catalog/rest/auth/auth_managers.h"
+
+#include <algorithm>
+#include <cctype>
+
+#include "iceberg/catalog/rest/auth/auth_properties.h"
+
+namespace iceberg::rest::auth {
+
+namespace {
+
+/// \brief Convert a string to lowercase for case-insensitive comparison.
+std::string ToLower(std::string_view str) {
+  std::string result(str);
+  std::ranges::transform(result, result.begin(),
+                         [](unsigned char c) { return std::tolower(c); });
+  return result;
+}
+
+/// \brief Infer the authentication type from properties.
+///
+/// If no explicit auth type is set, this function tries to infer it from
+/// other properties. If "credential" or "token" is present, it implies
+/// OAuth2 authentication. Otherwise, defaults to no authentication.
+///
+/// This behavior is consistent with Java Iceberg's AuthManagers.
+std::string InferAuthType(
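Review bot: `ToLower` uses `std::string` and `std::string_view`, but this file itself includes only `<algorithm>` and `<cctype>` and relies on transitive includes for both; add `#include <string>` and `#include <string_view>`. The lambda also returns the `int` produced by `std::tolower` and leaves the narrowing to the assignment; `return static_cast<char>(std::tolower(c));` makes it explicit. The signature of `InferAuthType` continues past the end of this quote.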

Review Comment:
   Should we add an enum class for the auth type?



##########
src/iceberg/catalog/rest/auth/auth_session.h:
##########
@@ -0,0 +1,105 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#pragma once
+
+#include <memory>
+#include <string>
+#include <unordered_map>
+
+#include "iceberg/catalog/rest/iceberg_rest_export.h"
+
+/// \file iceberg/catalog/rest/auth/auth_session.h
+/// \brief Authentication session interface for REST catalog.
+
+namespace iceberg::rest::auth {
+
+/// \brief An authentication session that can authenticate outgoing HTTP 
requests.
+///
+/// Authentication sessions are typically immutable, but may hold resources 
that need
+/// to be released when the session is no longer needed (e.g., token refresh 
threads).
+/// Implementations should override Close() to release any such resources.
+///
+/// This interface is modeled after Java Iceberg's AuthSession interface.
+class ICEBERG_REST_EXPORT AuthSession {
+ public:
+  virtual ~AuthSession() = default;
+
+  /// \brief Authenticate the given request headers.
+  ///
+  /// This method adds authentication information (e.g., Authorization header)
+  /// to the provided headers map. The implementation should be idempotent.
+  ///
+  /// \param headers The headers map to add authentication information to.
+  virtual void Authenticate(std::unordered_map<std::string, std::string>& 
headers) = 0;
+
+  /// \brief Close the session and release any resources.
+  ///
+  /// This method is called when the session is no longer needed. For stateful
+  /// sessions (e.g., OAuth2 with token refresh), this should stop any 
background
+  /// threads and release resources.
+  ///
+  /// Note: Since sessions may be cached, this method may not be called 
immediately
+  /// after the session is no longer needed, but rather when the session is 
evicted
+  /// from the cache or the cache itself is closed.
+  virtual void Close() {}
+
+  /// \brief Get a shared pointer to an empty session that does nothing.
+  ///
+  /// The empty session is a singleton that simply returns the request 
unchanged.
+  /// It is useful as a default or placeholder session.
+  ///
+  /// \return A shared pointer to the empty session singleton.
+  static std::shared_ptr<AuthSession> Empty();
+};
+
+/// \brief A default authentication session that adds static headers to 
requests.
+///
+/// This implementation authenticates requests by adding a fixed set of 
headers.
+/// It is suitable for authentication methods that use static credentials,
+/// such as Basic auth or static bearer tokens.
+class ICEBERG_REST_EXPORT DefaultAuthSession : public AuthSession {
+ public:
+  /// \brief Construct a DefaultAuthSession with the given headers.
+  ///
+  /// \param headers The headers to add to each request for authentication.
+  explicit DefaultAuthSession(std::unordered_map<std::string, std::string> 
headers);
+
+  ~DefaultAuthSession() override = default;
+
+  /// \brief Add the configured headers to the request.
+  ///
+  /// Headers are added only if they don't already exist in the request
+  /// (i.e., request headers take precedence).
+  ///
+  /// \param headers The headers map to add authentication information to.
+  void Authenticate(std::unordered_map<std::string, std::string>& headers) 
override;
+
+  /// \brief Create a DefaultAuthSession with the given headers.
+  ///
+  /// \param headers The headers to add to each request.
+  /// \return A shared pointer to the new session.
+  static std::shared_ptr<DefaultAuthSession> Of(
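Review bot: `AuthSession::Authenticate` returns `void`, so an implementation that cannot produce a credential (the class comment mentions sessions with token refresh) has no way to report it, and the request would presumably be sent without authentication. Returning the project's `Result` type, which `AuthManagers::Load` in this PR already uses, would let the caller abort the request, for instance `virtual Result<void> Authenticate(std::unordered_map<std::string, std::string>& headers) = 0;` if `Result` accepts `void`. `Close()` is not tied to the destructor, so its comment should also name who is responsible for calling it. The declaration of `Of` continues past the end of this quote.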

Review Comment:
   Let's be consistent and use `Make` as the function name.


