Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Access delegation #1033

Merged
merged 19 commits into from
Nov 6, 2024
Merged

Access delegation #1033

merged 19 commits into from
Nov 6, 2024

Conversation

guitcastro
Copy link
Contributor

@guitcastro guitcastro commented Aug 9, 2024

This PR fix the hardcoded X-Iceberg-Access-Delegation header, the second point of #1028.

It's based on the #1029 , and must be merged after.

Closes #1028

guilhermecastro and others added 6 commits August 8, 2024 21:40
Co-authored-by: Fokko Driesprong <fokko@apache.org>
Co-authored-by: Fokko Driesprong <fokko@apache.org>
Co-authored-by: Fokko Driesprong <fokko@apache.org>
@Fokko
Copy link
Contributor

Fokko commented Aug 12, 2024

@guitcastro Can you rebase this one, this looks good to me 👍

@guitcastro
Copy link
Contributor Author

@Fokko done :)

@guitcastro
Copy link
Contributor Author

@Fokko Can you please take a look in this?

Copy link
Contributor

@Fokko Fokko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, I missed this one

mkdocs/docs/configuration.md Outdated Show resolved Hide resolved
pyiceberg/catalog/rest.py Outdated Show resolved Hide resolved
@guitcastro
Copy link
Contributor Author

Sorry, I missed this one

No problem at all. I have renamed the property to use dash instead of _.

Copy link
Collaborator

@sungwy sungwy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @guitcastro thank you for raising the issue and working on this PR. I've left some comments regarding the approach - please let me know what you think!

mkdocs/docs/configuration.md Outdated Show resolved Hide resolved
@@ -532,7 +534,7 @@ def _config_headers(self, session: Session) -> None:
session.headers["Content-type"] = "application/json"
session.headers["X-Client-Version"] = ICEBERG_REST_SPEC_VERSION
session.headers["User-Agent"] = f"PyIceberg/{__version__}"
session.headers["X-Iceberg-Access-Delegation"] = "vended-credentials"
session.headers["X-Iceberg-Access-Delegation"] = self.properties.get(ACCESS_DELEGATION, ACCESS_DELEGATION_DEFAULT)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like we already have a way of setting custom headers in _extract_headers_from_properties. If I understand it correctly, if we set a property like: header.X-Iceberg-Access-Delegation = remote-signing then this should set the header "X-Iceberg-Access-Delegation" as remote-signing.

I think we could achieve this by setting the default header values, and then setting the property based values after the default values are set:

        session.headers["Content-type"] = "application/json"
        session.headers["X-Client-Version"] = ICEBERG_REST_SPEC_VERSION
        session.headers["User-Agent"] = f"PyIceberg/{__version__}"
        session.headers["X-Iceberg-Access-Delegation"] = "vended-credentials"
        header_properties = self._extract_headers_from_properties()
        session.headers.update(header_properties)

What do you think of this approach over introducing a different property?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMHO having an explicit and documented property is better than setting custom header. But I can change if you think it's better.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sungwy I tried your code, but some tests failed with:

    assert (
            catalog._session.headers.get("Content-type") == "application/json"
    ), "Expected 'Content-Type' default header not to be overwritten"

I guess the idea is not allow default header override. Thus I guess having a dedicate property still the best option. What are you thoughts on this?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @guitcastro - I appreciate you giving it a go. That error message is interesting because its specific to the Content-Type property, Did you intend to overwrite the Content-Type as well?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@guitcastro I was able to make @sungwy's suggestion work in guitcastro#1, without breaking existing tests.

guitcastro and others added 3 commits August 20, 2024 12:54
Co-authored-by: Sung Yun <107272191+sungwy@users.noreply.github.com>
Copy link
Contributor

@Fokko Fokko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Fokko Fokko merged commit ef5c6ef into apache:main Nov 6, 2024
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support for Nessie Rest s3 signer
5 participants