morningman commented on code in PR #52831: URL: https://github.com/apache/doris/pull/52831#discussion_r2212287739
########## fe/fe-core/src/main/java/org/apache/doris/datasource/iceberg/IcebergVendedCredentialsProvider.java: ########## @@ -0,0 +1,132 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package org.apache.doris.datasource.iceberg; + +import org.apache.doris.datasource.property.metastore.IcebergRestProperties; + +import org.apache.iceberg.Table; +import org.apache.iceberg.aws.s3.S3FileIOProperties; + +import java.util.HashMap; +import java.util.Map; + +/** + * Provider for dynamic credentials in Iceberg catalogs. + * This class abstracts the logic for extracting and converting dynamic credentials + * (like vended credentials from REST catalogs) to backend properties format. + * <p> + * Design principles: + * 1. Abstract interface for future FileIO support + * 2. Clear separation between credential extraction and backend property conversion + * 3. Minimal coupling with specific Iceberg implementations + */ +public class IcebergVendedCredentialsProvider { + + // AWS credential property keys for backend + private static final String BACKEND_AWS_ACCESS_KEY = "AWS_ACCESS_KEY"; + private static final String BACKEND_AWS_SECRET_KEY = "AWS_SECRET_KEY"; + private static final String BACKEND_AWS_TOKEN = "AWS_TOKEN"; + + /** + * Interface for future FileIO-based credential extraction. + * This interface is designed to be compatible with Iceberg FileIO + * when we implement FileIO support in the future. + */ + public interface CredentialExtractor { + /** + * Extract credentials from a generic properties map. + * + * @param properties properties map from any source (FileIO, Table IO, etc.) + * @return extracted credentials as backend properties + */ + Map<String, String> extractCredentials(Map<String, String> properties); + } + + /** + * Default credential extractor for S3 credentials. + */ + public static class S3CredentialExtractor implements CredentialExtractor { + @Override + public Map<String, String> extractCredentials(Map<String, String> properties) { + Map<String, String> credentials = new HashMap<>(); + + if (properties == null || properties.isEmpty()) { + return credentials; + } + + // Extract AWS credentials from Iceberg S3 FileIO format + if (properties.containsKey(S3FileIOProperties.ACCESS_KEY_ID)) { + credentials.put(BACKEND_AWS_ACCESS_KEY, properties.get(S3FileIOProperties.ACCESS_KEY_ID)); + } + if (properties.containsKey(S3FileIOProperties.SECRET_ACCESS_KEY)) { + credentials.put(BACKEND_AWS_SECRET_KEY, properties.get(S3FileIOProperties.SECRET_ACCESS_KEY)); + } + if (properties.containsKey(S3FileIOProperties.SESSION_TOKEN)) { + credentials.put(BACKEND_AWS_TOKEN, properties.get(S3FileIOProperties.SESSION_TOKEN)); + } + + return credentials; + } + } + + private static final S3CredentialExtractor s3Extractor = new S3CredentialExtractor(); + + /** + * Check if vended credentials are enabled for the catalog. + * + * @param catalog the Iceberg external catalog + * @return true if vended credentials are enabled + */ + public static boolean isVendedCredentialsEnabled(IcebergExternalCatalog catalog) { + if (catalog == null || !IcebergExternalCatalog.ICEBERG_REST.equals(catalog.getIcebergCatalogType())) { + return false; + } + + IcebergRestProperties restProps = (IcebergRestProperties) catalog.getCatalogProperty() + .getMetastoreProperties(); + return restProps != null && restProps.isIcebergRestVendedCredentialsEnabled(); + } + + /** + * Extract vended credentials from Iceberg Table and convert to backend properties. + * + * @param table the Iceberg table + * @return Map of backend properties with credentials + */ + public static Map<String, String> extractVendedCredentialsFromTable(Table table) { + if (table == null || table.io() == null) { + return new HashMap<>(); + } + + Map<String, String> ioProperties = table.io().properties(); + return s3Extractor.extractCredentials(ioProperties); + } + + /** + * Future method for FileIO-based credential extraction. + * This method signature is designed to be compatible with future FileIO implementations. + * + * @param fileIoProperties properties from FileIO (reserved for future use) + * @param extractor custom credential extractor + * @return extracted credentials + */ + public static Map<String, String> extractCredentialsFromFileIO(Map<String, String> fileIoProperties, Review Comment: Add @VisibleForTesting anotation. And looks like this method name is wrong? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
