CalvinKirs commented on code in PR #63068:
URL: https://github.com/apache/doris/pull/63068#discussion_r3279816607
##########
fe/fe-core/src/main/java/org/apache/doris/qe/ConnectProcessor.java:
##########
@@ -558,6 +574,9 @@ protected void handleQueryException(Throwable throwable,
String origStmt,
@SuppressWarnings("rawtypes")
protected void handleFieldList(String tableName) throws
ConnectionException {
// Already get command code.
+ if (rejectExpiredDelegatedCredential(tableName)) {
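Review bot: The expiry check is the first statement in handleFieldList and is keyed only on tableName, so it runs for every field-list request on the connection before anything has established that the table belongs to a catalog that uses a delegated credential. Consider gating it on the resolved catalog, or moving it to the code path that actually presents the credential, so that requests for tables in other catalogs are not rejected. The hunk header reports three added lines but only the if line is visible here, so confirm that the branch reports an error to the client before it returns.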
Review Comment:
My original intention for this check was REST catalog access. Even if the
Doris SQL connection is still alive, Iceberg REST access is request-oriented,
so a later metadata request may use a delegated token that has already
expired.
But after checking Snowflake/MySQL-like behavior again, expiration usually
affects new connection/re-authentication rather than proactively killing an
established SQL connection. So I agree that putting this check in
ConnectProcessor/MysqlConnectProcessor is probably too broad, because it can
reject SQL that does not access Iceberg REST at all.
Would it be better to move this check to the Iceberg REST user-session
layer instead? Then Doris only fails fast when Iceberg REST actually consumes
an expired delegated credential, while unrelated SQL on the same connection
is not affected. If expiration is unavailable, the REST service would still
validate the token.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]