Improvements

Author: Sreesh Maheshwar

lib/trino-filesystem-azure/src/main/java/io/trino/filesystem/azure/AzureFileSystemConstants.java

@@ -15,6 +15,14 @@
 
 public final class AzureFileSystemConstants
 {
+    /**
+     * Internal property enabling {@link AzureVendedAuth} on the filesystem when set to true.
+     */
+    public static final String EXTRA_USE_VENDED_TOKEN = "internal$use_vended_token";
+
+    /**
+     * Internal prefix for SAS token property keys, mapping storage accounts to their SAS tokens.
+     */
     public static final String EXTRA_SAS_TOKEN_PROPERTY_PREFIX = "internal$account_sas$";
 
     private AzureFileSystemConstants() {}

lib/trino-filesystem-azure/src/main/java/io/trino/filesystem/azure/AzureFileSystemFactory.java

@@ -146,6 +146,10 @@ public static HttpClient createAzureHttpClient(ConnectionProvider connectionProv
 
     private static AzureAuth withVendedAuth(ConnectorIdentity identity, AzureAuth defaultAuth)
     {
-        return identity.getExtraCredentials().isEmpty() ? defaultAuth : new AzureVendedAuth(identity.getExtraCredentials(), defaultAuth);
+        if (identity.getExtraCredentials().containsKey(AzureFileSystemConstants.EXTRA_USE_VENDED_TOKEN) &&
+                identity.getExtraCredentials().get(AzureFileSystemConstants.EXTRA_USE_VENDED_TOKEN).equalsIgnoreCase("true")) {
+            return new AzureVendedAuth(identity.getExtraCredentials(), defaultAuth);
+        }
+        return defaultAuth;
     }
 }

lib/trino-filesystem-azure/src/main/java/io/trino/filesystem/azure/AzureVendedAuth.java

@@ -17,40 +17,36 @@
 import com.azure.storage.file.datalake.DataLakeServiceClientBuilder;
 
 import java.util.Map;
+import java.util.Optional;
 
 public final class AzureVendedAuth
         implements AzureAuth
 {
-    private final Map<String, String> accountSasTokens;
+    private final Map<String, String> sasTokens;
     private final AzureAuth fallbackAuth;
 
-    public AzureVendedAuth(Map<String, String> accountSasTokens, AzureAuth fallbackAuth)
+    public AzureVendedAuth(Map<String, String> sasTokens, AzureAuth fallbackAuth)
     {
-        this.accountSasTokens = accountSasTokens;
+        this.sasTokens = sasTokens;
         this.fallbackAuth = fallbackAuth;
     }
 
     @Override
     public void setAuth(String storageAccount, BlobContainerClientBuilder builder)
     {
-        String sasToken = accountSasTokens.get(AzureFileSystemConstants.EXTRA_SAS_TOKEN_PROPERTY_PREFIX + storageAccount);
-        if (sasToken == null) {
-            fallbackAuth.setAuth(storageAccount, builder);
-        }
-        else {
-            builder.sasToken(sasToken);
-        }
+        getSasToken(storageAccount)
+                .ifPresentOrElse(builder::sasToken, () -> fallbackAuth.setAuth(storageAccount, builder));
     }
 
     @Override
     public void setAuth(String storageAccount, DataLakeServiceClientBuilder builder)
     {
-        String sasToken = accountSasTokens.get(AzureFileSystemConstants.EXTRA_SAS_TOKEN_PROPERTY_PREFIX + storageAccount);
-        if (sasToken == null) {
-            fallbackAuth.setAuth(storageAccount, builder);
-        }
-        else {
-            builder.sasToken(sasToken);
-        }
+        getSasToken(storageAccount)
+                .ifPresentOrElse(builder::sasToken, () -> fallbackAuth.setAuth(storageAccount, builder));
+    }
+
+    public Optional<String> getSasToken(String storageAccount)
+    {
+        return Optional.ofNullable(sasTokens.get(AzureFileSystemConstants.EXTRA_SAS_TOKEN_PROPERTY_PREFIX + storageAccount));
     }
 }

plugin/trino-iceberg/src/main/java/io/trino/plugin/iceberg/catalog/rest/IcebergRestCatalogFileSystemFactory.java

@@ -22,8 +22,10 @@
 import org.apache.iceberg.util.PropertyUtil;
 
 import java.util.Map;
+import java.util.Optional;
 
 import static io.trino.filesystem.azure.AzureFileSystemConstants.EXTRA_SAS_TOKEN_PROPERTY_PREFIX;
+import static io.trino.filesystem.azure.AzureFileSystemConstants.EXTRA_USE_VENDED_TOKEN;
 import static io.trino.filesystem.s3.S3FileSystemConstants.EXTRA_CREDENTIALS_ACCESS_KEY_PROPERTY;
 import static io.trino.filesystem.s3.S3FileSystemConstants.EXTRA_CREDENTIALS_SECRET_KEY_PROPERTY;
 import static io.trino.filesystem.s3.S3FileSystemConstants.EXTRA_CREDENTIALS_SESSION_TOKEN_PROPERTY;
@@ -52,53 +54,55 @@ public IcebergRestCatalogFileSystemFactory(TrinoFileSystemFactory fileSystemFact
     public TrinoFileSystem create(ConnectorIdentity identity, Map<String, String> fileIoProperties)
     {
         if (vendedCredentialsEnabled) {
-            ImmutableMap.Builder<String, String> overriddenCredentialsBuilder = ImmutableMap.builder();
-
-            if (fileIoProperties.containsKey(VENDED_S3_ACCESS_KEY) &&
-                    fileIoProperties.containsKey(VENDED_S3_SECRET_KEY) &&
-                    fileIoProperties.containsKey(VENDED_S3_SESSION_TOKEN)) {
-                // S3 vended credentials
-                overriddenCredentialsBuilder
-                        .put(EXTRA_CREDENTIALS_ACCESS_KEY_PROPERTY, fileIoProperties.get(VENDED_S3_ACCESS_KEY))
-                        .put(EXTRA_CREDENTIALS_SECRET_KEY_PROPERTY, fileIoProperties.get(VENDED_S3_SECRET_KEY))
-                        .put(EXTRA_CREDENTIALS_SESSION_TOKEN_PROPERTY, fileIoProperties.get(VENDED_S3_SESSION_TOKEN));
-            }
-            else {
-                // Azure vended credentials
-                overriddenCredentialsBuilder.putAll(getAzureCredentials(fileIoProperties));
-            }
-
-            Map<String, String> overriddenCredentials = overriddenCredentialsBuilder.buildOrThrow();
-            if (!overriddenCredentials.isEmpty()) {
-                // Do not include original credentials as they should not be used in vended mode
-                ConnectorIdentity identityWithExtraCredentials = ConnectorIdentity
-                        .forUser(identity.getUser())
-                        .withGroups(identity.getGroups())
-                        .withPrincipal(identity.getPrincipal())
-                        .withEnabledSystemRoles(identity.getEnabledSystemRoles())
-                        .withConnectorRole(identity.getConnectorRole())
-                        .withExtraCredentials(overriddenCredentials).build();
-
-                return fileSystemFactory.create(identityWithExtraCredentials);
-            }
+            return fileSystemFactory.create(
+                    getVendedS3Identity(identity, fileIoProperties)
+                            .or(() -> getVendedAzureIdentity(identity, fileIoProperties))
+                            .orElse(identity));
         }
 
         return fileSystemFactory.create(identity);
     }
 
-    private static Map<String, String> getAzureCredentials(Map<String, String> fileIoProperties)
+    private static Optional<ConnectorIdentity> getVendedS3Identity(ConnectorIdentity identity, Map<String, String> fileIoProperties)
     {
-        ImmutableMap.Builder<String, String> azureCredentialBuilder = ImmutableMap.builder();
+        if (fileIoProperties.containsKey(VENDED_S3_ACCESS_KEY) &&
+                fileIoProperties.containsKey(VENDED_S3_SECRET_KEY) &&
+                fileIoProperties.containsKey(VENDED_S3_SESSION_TOKEN)) {
+            return Optional.of(getVendedIdentity(identity, ImmutableMap.<String, String>builder()
+                    .put(EXTRA_CREDENTIALS_ACCESS_KEY_PROPERTY, fileIoProperties.get(VENDED_S3_ACCESS_KEY))
+                    .put(EXTRA_CREDENTIALS_SECRET_KEY_PROPERTY, fileIoProperties.get(VENDED_S3_SECRET_KEY))
+                    .put(EXTRA_CREDENTIALS_SESSION_TOKEN_PROPERTY, fileIoProperties.get(VENDED_S3_SESSION_TOKEN))
+                    .buildOrThrow()));
+        }
+        return Optional.empty();
+    }
 
+    private static Optional<ConnectorIdentity> getVendedAzureIdentity(ConnectorIdentity identity, Map<String, String> fileIoProperties)
+    {
+        ImmutableMap.Builder<String, String> azureCredentialBuilder = ImmutableMap.builder();
         PropertyUtil.propertiesWithPrefix(fileIoProperties, VENDED_ADLS_SAS_TOKEN_PREFIX)
                 .forEach((host, token) -> {
                     String storageAccount = host.contains(".") ? host.substring(0, host.indexOf('.')) : host;
 
                     if (!storageAccount.isEmpty() && !token.isEmpty()) {
                         azureCredentialBuilder.put(EXTRA_SAS_TOKEN_PROPERTY_PREFIX + storageAccount, token);
+                        azureCredentialBuilder.put(EXTRA_USE_VENDED_TOKEN, "true");
                     }
                 });
 
-        return azureCredentialBuilder.build();
+        Map<String, String> azureCredentials = azureCredentialBuilder.buildKeepingLast();
+        return azureCredentials.isEmpty() ? Optional.empty() : Optional.of(getVendedIdentity(identity, azureCredentials));
+    }
+
+    private static ConnectorIdentity getVendedIdentity(ConnectorIdentity identity, Map<String, String> extraCredentials)
+    {
+        // Do not include original credentials as they should not be used in vended mode
+        return ConnectorIdentity.forUser(identity.getUser())
+                .withGroups(identity.getGroups())
+                .withPrincipal(identity.getPrincipal())
+                .withEnabledSystemRoles(identity.getEnabledSystemRoles())
+                .withConnectorRole(identity.getConnectorRole())
+                .withExtraCredentials(extraCredentials)
+                .build();
     }
 }