feat(rest): introduce AuthManager/AuthSession and migrate OAuth2#2838
Draft
plusplusjiajia wants to merge 1 commit into
Draft
feat(rest): introduce AuthManager/AuthSession and migrate OAuth2#2838plusplusjiajia wants to merge 1 commit into
plusplusjiajia wants to merge 1 commit into
Conversation
plusplusjiajia
force-pushed
the
feat/rest-auth-manager-core
branch
4 times, most recently
from
July 17, 2026 09:19
2f496d7 to
420dbd0
Compare
plusplusjiajia
force-pushed
the
feat/rest-auth-manager-core
branch
from
July 17, 2026 10:02
420dbd0 to
4730ec1
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Modeled on Java's
AuthManagerAPI (the init/catalog session lifecycle, the Noop/OAuth2 manager set, and the SigV4-wraps-a-delegate composition coming in the follow-up), adapted to Rust idioms.What it does
AuthManager/AuthSessiontraits in a newauth/module:init_session()serves theGET /v1/confighandshake,catalog_session(merged_props)serves everything after, so a manager can rebuild its session from server-merged properties.Noop/OAuth2managers, selected via a newrest.auth.typeproperty (oauth2is the default and behaves as no auth when neithertokennorcredentialis set), injectable throughRestCatalogBuilder::with_auth_manager.HttpClientintoOAuth2Manager, with the cached token surviving the config handshake;OAuth2Manageris publicly constructible (new()+with_*).auth_manager, and the test-only fake-request token shim is gone — tests observe the session's cached bearer (#[cfg(test)] bearer_token()) and assert the header the mock server receives.No new dependencies; no public API removed (additions only,
public-api.txtregenerated).Java reference:
org.apache.iceberg.rest.auth.Deviations from Java
tableSession/contextualSessionyet — in Java they aredefaultmethods falling back to the catalog/parent session, and the Rust REST catalog has no call sites for them (contextualSessionalso needs aSessionCatalogconcept that doesn't exist here yet). Adding defaulted trait methods later is non-breaking.close()— Rust relies onDrop, and this OAuth2 implementation has no background refresh executor to shut down.AuthSessiongainsinvalidate()/refresh()(not in Java) to back the existingRestCatalog::invalidate_token/regenerate_tokenAPIs.authenticatemutates the request in place instead of returning a new one.