StarRocks / starrocks

StarRocks, a Linux Foundation project, is a next-generation sub-second MPP OLAP database for full analytics scenarios, including multi-dimensional analytics, real-time analytics, and ad-hoc queries.
https://starrocks.io
Apache License 2.0

Iceberg REST configurable OAuth Endpoint #50112

Open c-thiel opened 1 month ago

c-thiel commented 1 month ago

Enhancement

Recent changes in Iceberg REST deprecated the oauth2 endpoint as part of the REST spec. Instead, the OAuth2 endpoint of the IdP should be used.

Extract from the updated spec:

The oauth/tokens endpoint is DEPRECATED for REMOVAL. It is not recommended to implement this endpoint, unless you are fully aware of the potential security implications. All clients are encouraged to explicitly set the configuration property oauth2-server-uri to the correct OAuth endpoint.

It would be great to make the oauth2 server uri configurable by adding an iceberg.catalog.oauth2.server-uri configuration for the Iceberg REST Catalog.

While on it, it might make sense to also rename the credential configuration property from iceberg.catalog.credential to iceberg.catalog.oauth2.credential, as oauth2 might not be the only auth mechanism in the future. Trino, Presto and Spark all use a nested oauth2 prefix, which might be a good orientation. They are also more precise in naming the properties iceberg.rest.xxx.xxx, as Iceberg also supports other catalogs than REST.
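As an added illustration of why the property matters (example code, not StarRocks or Iceberg code): the only thing `oauth2-server-uri` changes is where the client posts its client secret. Without it the client is assumed to fall back to the catalog server's own `v1/oauth/tokens` path, the endpoint the spec quote above deprecates; the property names, the fallback path and the default scope are assumptions taken from the Iceberg REST client settings quoted in the issue.

```python
from urllib.parse import urlparse

# Assumed default: with no explicit OAuth2 server, the REST client posts the
# credential to the catalog server's own tokens endpoint (the one the spec deprecates).
DEPRECATED_TOKENS_PATH = "v1/oauth/tokens"


def resolve_token_endpoint(props: dict) -> tuple[str, list[str]]:
    """Return (token_endpoint, warnings) for a REST catalog property map.

    Property names follow the Iceberg REST client settings quoted in the issue:
    'uri' (catalog base URL), 'credential' ('client_id:client_secret') and the
    optional 'oauth2-server-uri'.
    """
    warnings: list[str] = []
    catalog = props["uri"].rstrip("/")
    explicit = props.get("oauth2-server-uri")
    endpoint = explicit or f"{catalog}/{DEPRECATED_TOKENS_PATH}"
    if not explicit:
        warnings.append("oauth2-server-uri unset: client secret goes to the catalog "
                        "server's deprecated oauth/tokens endpoint, not the IdP")
    if urlparse(endpoint).scheme != "https":
        warnings.append(f"token endpoint {endpoint} is not https")
    return endpoint, warnings


def build_token_request(props: dict) -> dict:
    """Form body of the client_credentials grant sent to the resolved endpoint."""
    client_id, sep, client_secret = props["credential"].partition(":")
    if not sep or not client_id or not client_secret:
        raise ValueError("credential must be 'client_id:client_secret'")
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": props.get("scope", "catalog"),  # assumed default scope
    }


if __name__ == "__main__":
    # Constructed sample configurations, not real deployments.
    legacy = {"uri": "https://catalog.example.com/", "credential": "sr-client:s3cr3t"}
    fixed = dict(legacy, **{"oauth2-server-uri": "https://idp.example.com/oauth2/token"})
    for name, cfg in (("legacy", legacy), ("fixed", fixed)):
        endpoint, warns = resolve_token_endpoint(cfg)
        print(name, "->", endpoint, warns or "ok")
```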

Smith-Cruise commented 1 month ago

You are right, we should use oauth2 prefix in the future.

Did Trino implement the oauth2.server-uri parameter? I haven't seen this parameter in their docs.

c-thiel commented 1 month ago

@Smith-Cruise no, trino is also missing the parameter currently but an issue is also open: https://github.com/trinodb/trino/issues/23086

c-thiel commented 1 month ago

This issue could probably be implemented together with https://github.com/StarRocks/starrocks/issues/50518