Add Support for Custom AuthManager implementation #2055
Conversation
sungwy
added
the
changelog
There was a problem hiding this comment.
A couple of comments but no real substantive feedback because this is great. Looking forward to being able to use different auth implementations.
One question: I assume future authmanager implementations added to pyiceberg will always get a dedicated type, and custom will be reserved for implementations that aren't in tree?
mkdocs/docs/configuration.md
Outdated
|
|
||
| | Property | Required | Description | | ||
| |------------------|----------|-------------------------------------------------------------------------------------------------| | ||
| | `auth.type` | Yes | The authentication type to use (`noop`, `basic`, `oauth2`, or `custom`). | |
There was a problem hiding this comment.
on review I was debating the necessity of a separate type config given an impl option, but I can see the appeal (we are free to change the implementation referred to by a given type).
There was a problem hiding this comment.
we have similar pattern to load "custom" implementation for catalog/file_io/location_provider :)
https://grep.app/search?f.repo=apache%2Ficeberg-python&f.repo.pattern=iceberg&q=def+_import_
| assert "__init__() missing 1 required positional argument: 'password'" in str(e.value) | ||
|
|
||
|
|
||
| def test_rest_catalog_with_custom_auth_type() -> None: |
There was a problem hiding this comment.
could imagine doing a version of this test that specifies the basic auth as the implementation and just verifies that the custom implementation is actually used/that properties specified for custom are actually passed to the implementation.
mkdocs/docs/configuration.md
Outdated
| @@ -374,6 +374,94 @@ Specific headers defined by the RESTCatalog spec include: | |||
| | ------------------------------------ | ------------------------------------- | -------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | |||
| | `header.X-Iceberg-Access-Delegation` | `{vended-credentials,remote-signing}` | `vended-credentials` | Signal to the server that the client supports delegated access via a comma-separated list of access mechanisms. The server may choose to supply access via any or none of the requested mechanisms | | |||
|
|
|||
| #### Authentication in RESTCatalog | |||
There was a problem hiding this comment.
This is great! A heads up, we recently merged a PR which added an "Authentication Options" section under the REST Catalog docs. Would be great to merge with what you have here.
pyiceberg/catalog/rest/auth.py
Outdated
| client_id: str, | ||
| client_secret: str, |
There was a problem hiding this comment.
should we let users provide these 2 separately? or parse them out from credential based on https://github.com/apache/iceberg-python/blob/main/mkdocs/docs/configuration.md#oauth2
There was a problem hiding this comment.
there are a couple of options in the oauth section
token
credential
scope
resource
audience
LegacyOAuth2AuthManager currently supports this, so i think we should support them in the new implementation too
WDYT?
There was a problem hiding this comment.
separated out to: #2244
|
It looks like there's some more discussions to be had to introduce the OAuth2AuthManager into the repository, and I think there's a lot of value in introducing the custom AuthManager parsing in this release. @kevinjqliu - let me separate that implementation out to a separate review @corleyma - I will take your suggestion to use the basic auth manager for testing for this PR :) |
There was a problem hiding this comment.
@sungwy For absolute completeness, you might consider adding a simple test for type: noop that asserts that the Authorization header is not present in the request. This would confirm the "off switch" works as intended.
But Overall this is awesome change to unblock custom implementation. Thank you so much.
There was a problem hiding this comment.
Pull Request Overview
This PR adds support for custom authentication managers in the REST catalog by introducing a new configuration pattern. The change allows users to specify different authentication types including basic auth and custom implementations through an auth configuration block.
- Added support for pluggable authentication via
authconfiguration property with support fornoop,basic, andcustomtypes - Implemented validation logic to ensure proper configuration of auth type and implementation
- Added comprehensive test coverage for all authentication scenarios
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
pyiceberg/catalog/rest/__init__.py |
Adds auth configuration parsing and validation logic in _create_session() method |
pyiceberg/catalog/rest/auth.py |
Adds docstrings to existing AuthManager implementations |
tests/catalog/test_rest.py |
Comprehensive test suite for new auth configuration patterns |
mkdocs/docs/configuration.md |
Documentation for the new pluggable authentication system |
pyiceberg/catalog/rest/__init__.py
Outdated
| if auth_type is CUSTOM and not auth_impl: | ||
| raise ValueError("auth.impl must be specified when using custom auth.type") | ||
|
|
||
| if auth_type is not CUSTOM and auth_impl: |
There was a problem hiding this comment.
The comparison auth_type is not CUSTOM uses identity comparison with a string literal. This should use inequality comparison (!=) instead since auth_type comes from dictionary input and may not be the same string object.
| if auth_type is not CUSTOM and auth_impl: | |
| if auth_type != CUSTOM and auth_impl: |
Copilot uses AI. Check for mistakes.
| }, | ||
| } | ||
| with pytest.raises(ValueError) as e: | ||
| # Missing namespace |
There was a problem hiding this comment.
The comment 'Missing namespace' is misleading. The test is actually checking for an unsupported auth type, not a missing namespace.
| # Missing namespace | |
| # Unsupported authentication type |
Copilot uses AI. Check for mistakes.
| }, | ||
| } | ||
| with pytest.raises(ValueError) as e: | ||
| # Missing namespace |
There was a problem hiding this comment.
The comment 'Missing namespace' is misleading. The test is actually checking for an invalid impl property usage, not a missing namespace.
| # Missing namespace | |
| # Invalid impl property usage in non-custom auth.type |
Copilot uses AI. Check for mistakes.
| }, | ||
| } | ||
| with pytest.raises(ValueError) as e: | ||
| # Missing namespace |
There was a problem hiding this comment.
The comment 'Missing namespace' is misleading. The test is actually checking for a missing impl property when using custom auth type, not a missing namespace.
| # Missing namespace | |
| # Missing 'impl' property in custom auth configuration |
Copilot uses AI. Check for mistakes.
|
first time trying to copilot, good bot! |
There was a problem hiding this comment.
LGTM! Could you address the comments from copilot?
@sungwy For absolute completeness, you might consider adding a simple test for type: noop that asserts that the Authorization header is not present in the request. This would confirm the "off switch" works as intended.
+1 to this. Could you also add a test for the fallback case where auth: is not specified?
Co-authored-by: Copilot <[email protected]>
<!--
Thanks for opening a pull request!
-->
<!-- In the case this PR will resolve an issue, please replace
${GITHUB_ISSUE_ID} below with the actual Github issue id. -->
<!-- Closes #${1960} -->
# Rationale for this change
Expose a way for users to use a custom AuthManager when they define
their REST Catalog.
- [x] Add property parsing for custom AuthManager
- [x] Add docs
The properties should follow the pattern in:
apache/iceberg#13209
# Are these changes tested?
Unit and integration tests will be added
# Are there any user-facing changes?
New properties will be exposed to support adding a custom AuthManager to
RestCatalog
---------
Co-authored-by: Copilot <[email protected]>
Rationale for this change
Expose a way for users to use a custom AuthManager when they define their REST Catalog.
The properties should follow the pattern in: apache/iceberg#13209
Are these changes tested?
Unit and integration tests will be added
Are there any user-facing changes?
New properties will be exposed to support adding a custom AuthManager to RestCatalog