github-actions[bot] commented on code in PR #63068:
URL: https://github.com/apache/doris/pull/63068#discussion_r3216243572
##########
fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/AuthenticatorManager.java:
##########
@@ -225,6 +228,7 @@ private void applyAuthenticateResponse(ConnectContext
context, String remoteIp,
context.setIsTempUser(response.isTemp());
context.setAuthenticatedPrincipal(response.getPrincipal());
context.setAuthenticatedRoles(response.getAuthenticatedRoles());
+
context.setSessionContext(SessionContext.of(response.getDelegatedCredential()));
}
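Review bot: the added `context.setSessionContext(SessionContext.of(response.getDelegatedCredential()))` runs unconditionally, so for logins where the authenticator returns no delegated credential the outcome depends on how `of()` treats a null argument. Suggest making that case explicit, for example falling back to `SessionContext.empty()` when the credential is absent, and noting on `applyAuthenticateResponse` that the context now holds a credential that must stay out of logs and audit output.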
Review Comment:
This only stores the delegated credential in the local `ConnectContext`.
When a user connects to a follower/observer and the statement is forwarded,
`FEOpExecutor.buildStmtForwardParams()` does not put this `SessionContext` or
delegated credential into `TMasterOpRequest`, and
`ConnectProcessor.proxyExecute()` on the master starts with
`SessionContext.empty()`. As a result, the same Iceberg REST user-session
query/DDL works when connected to the master but fails or uses non-user
credentials when forwarded. Please extend the FE forwarding thrift request to
carry the credential type/token/expiration and restore it in `proxyExecute()`
before planning/execution.
##########
fe/fe-core/src/main/java/org/apache/doris/datasource/iceberg/IcebergMetadataOps.java:
##########
@@ -1140,26 +1157,35 @@ public boolean viewExists(String remoteDbName, String
remoteViewName) {
@Override
public Object loadView(String dbName, String tblName) {
- if (!isViewCatalogEnabled()) {
+ return loadView(SessionContext.empty(), dbName, tblName);
+ }
+
+ public Object loadView(SessionContext ctx, String dbName, String tblName) {
+ Optional<ViewCatalog> viewCatalog = viewCatalog(ctx);
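Review bot: the new public `loadView(SessionContext ctx, String dbName, String tblName)` overload has no Javadoc and does not check `ctx` for null before calling `viewCatalog(ctx)`, while the existing two-argument method now silently delegates with `SessionContext.empty()`. Suggest documenting which credential each overload uses, adding `Objects.requireNonNull(ctx)`, and confirming that the empty `Optional` branch behaves as the removed `if (!isViewCatalogEnabled())` guard did, since that branch is not visible in this hunk.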
Review Comment:
The new session-aware `loadView` overload is not used by the view
schema/load path: `IcebergUtils.getIcebergView()` still goes through
`IcebergExternalMetaCache.getIcebergView()`, whose loader calls
`ops.loadView(db, tblName)` and therefore passes `SessionContext.empty()`. For
an Iceberg REST catalog with `iceberg.rest.session=user`, querying a view or
loading its schema still uses the non-session catalog path even though table
loading now uses the delegated credential. Please route view loads through the
current `SessionContext` as well, and avoid sharing a per-user authenticated
view object through the existing global cache unless the cache key includes the
relevant session identity.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
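The cache-key concern in the second review comment, as an added example that is not part of the original message and is not Doris code: a cache keyed only by database and view hands one user's authenticated object to the next caller, while a key that includes a session identity does not. All class, method and sample names below are hypothetical.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration; every name here is hypothetical and none is a Doris class.
public class SessionScopedViewCacheDemo {
    // Stand-in for a view object the REST catalog returned for one caller's credential.
    record LoadedView(String name, String loadedAs) {}

    // Key shared by all users: the first caller's authenticated object is served to everyone.
    record GlobalKey(String db, String view) {}

    // Key that includes a session identity. Use a principal or an opaque session id,
    // not the raw token, so the secret does not end up in cache keys or logs.
    record SessionKey(String sessionId, String db, String view) {}

    static final Map<GlobalKey, LoadedView> globalCache = new ConcurrentHashMap<>();
    static final Map<SessionKey, LoadedView> sessionCache = new ConcurrentHashMap<>();

    // Simulated remote load: the result depends on whose credential made the call.
    static LoadedView remoteLoad(String sessionId, String db, String view) {
        return new LoadedView(db + "." + view, sessionId);
    }

    static LoadedView loadShared(String sessionId, String db, String view) {
        return globalCache.computeIfAbsent(new GlobalKey(db, view),
                k -> remoteLoad(sessionId, db, view));
    }

    static LoadedView loadPerSession(String sessionId, String db, String view) {
        return sessionCache.computeIfAbsent(new SessionKey(sessionId, db, view),
                k -> remoteLoad(sessionId, db, view));
    }

    public static void main(String[] args) {
        // Constructed sample sessions "alice" and "bob" request the same view.
        loadShared("alice", "sales", "v_orders");
        LoadedView shared = loadShared("bob", "sales", "v_orders");
        System.out.println("shared key, bob receives view loaded as: " + shared.loadedAs());

        loadPerSession("alice", "sales", "v_orders");
        LoadedView own = loadPerSession("bob", "sales", "v_orders");
        System.out.println("session key, bob receives view loaded as: " + own.loadedAs());
    }
}
```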