Skip to content

feat(rest): introduce AuthManager/AuthSession and migrate OAuth2#2838

Draft
plusplusjiajia wants to merge 1 commit into
apache:mainfrom
plusplusjiajia:feat/rest-auth-manager-core
Draft

feat(rest): introduce AuthManager/AuthSession and migrate OAuth2#2838
plusplusjiajia wants to merge 1 commit into
apache:mainfrom
plusplusjiajia:feat/rest-auth-manager-core

Conversation

@plusplusjiajia

Copy link
Copy Markdown
Member

Modeled on Java's AuthManager API (the init/catalog session lifecycle, the Noop/OAuth2 manager set, and the SigV4-wraps-a-delegate composition coming in the follow-up), adapted to Rust idioms.

What it does

  • AuthManager/AuthSession traits in a new auth/ module: init_session() serves the GET /v1/config handshake, catalog_session(merged_props) serves everything after, so a manager can rebuild its session from server-merged properties.
  • Noop/OAuth2 managers, selected via a new rest.auth.type property (oauth2 is the default and behaves as no auth when neither token nor credential is set), injectable through RestCatalogBuilder::with_auth_manager.
  • OAuth2 token handling moves out of HttpClient into OAuth2Manager, with the cached token surviving the config handshake; OAuth2Manager is publicly constructible (new() + with_*).
  • Review items from feat(catalog-rest): introduce AuthManager/AuthSession, rework SigV4 as a wrapping auth manager #2815 folded in: the config field is auth_manager, and the test-only fake-request token shim is gone — tests observe the session's cached bearer (#[cfg(test)] bearer_token()) and assert the header the mock server receives.

No new dependencies; no public API removed (additions only, public-api.txt regenerated).

Java reference: org.apache.iceberg.rest.auth.

Deviations from Java

  • No tableSession/contextualSession yet — in Java they are default methods falling back to the catalog/parent session, and the Rust REST catalog has no call sites for them (contextualSession also needs a SessionCatalog concept that doesn't exist here yet). Adding defaulted trait methods later is non-breaking.
  • No close() — Rust relies on Drop, and this OAuth2 implementation has no background refresh executor to shut down.
  • AuthSession gains invalidate()/refresh() (not in Java) to back the existing RestCatalog::invalidate_token/regenerate_token APIs.
  • authenticate mutates the request in place instead of returning a new one.

@plusplusjiajia
plusplusjiajia force-pushed the feat/rest-auth-manager-core branch 4 times, most recently from 2f496d7 to 420dbd0 Compare July 17, 2026 09:19
@plusplusjiajia
plusplusjiajia force-pushed the feat/rest-auth-manager-core branch from 420dbd0 to 4730ec1 Compare July 17, 2026 10:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant