(polaris) branch main updated: Azure: Fix azure expires at prefix for the credentials refresh (#2633)

singhpk234 Fri, 19 Sep 2025 17:43:18 -0700

This is an automated email from the ASF dual-hosted git repository.

singhpk234 pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/polaris.git



The following commit(s) were added to refs/heads/main by this push:
     new 7f5fb060a Azure: Fix azure expires at prefix for the credentials 
refresh (#2633)
7f5fb060a is described below

commit 7f5fb060aa505cabcd44e372b5c172653e648e83
Author: Prashant Singh <[email protected]>
AuthorDate: Fri Sep 19 16:52:58 2025 -0700

    Azure: Fix azure expires at prefix for the credentials refresh (#2633)
---
 CHANGELOG.md                                                 |  2 ++
 .../apache/polaris/core/storage/StorageAccessProperty.java   |  9 ++++++++-
 .../storage/azure/AzureCredentialsStorageIntegration.java    |  7 +++++--
 .../azure/AzureCredentialsStorageIntegrationTest.java        | 12 +++++++++---
 4 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f3b55466d..d98b2df9b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -48,6 +48,8 @@ request adding CHANGELOG notes for breaking (!) changes and 
possibly other secti
 
 ### Fixes
 
+* Fixed incorrect Azure expires at field for the credentials refresh response, 
leading to client failure via #2633
+
 ### Commits
 
 ## [1.1.0-incubating]
diff --git 
a/polaris-core/src/main/java/org/apache/polaris/core/storage/StorageAccessProperty.java
 
b/polaris-core/src/main/java/org/apache/polaris/core/storage/StorageAccessProperty.java
index faa29c31e..7dc102dc5 100644
--- 
a/polaris-core/src/main/java/org/apache/polaris/core/storage/StorageAccessProperty.java
+++ 
b/polaris-core/src/main/java/org/apache/polaris/core/storage/StorageAccessProperty.java
@@ -19,6 +19,7 @@
 package org.apache.polaris.core.storage;
 
 import org.apache.iceberg.aws.AwsClientProperties;
+import org.apache.iceberg.azure.AzureProperties;
 import org.apache.iceberg.gcp.GCPProperties;
 
 /**
@@ -69,7 +70,7 @@ public enum StorageAccessProperty {
   AZURE_SAS_TOKEN(String.class, "adls.sas-token.", "an azure shared access 
signature token"),
   AZURE_REFRESH_CREDENTIALS_ENDPOINT(
       String.class,
-      "adls.refresh-credentials-endpoint",
+      AzureProperties.ADLS_REFRESH_CREDENTIALS_ENDPOINT,
       "the endpoint to load vended credentials for a table from the catalog",
       false,
       false),
@@ -78,6 +79,12 @@ public enum StorageAccessProperty {
       "expiration-time",
       "the expiration time for the access token, in milliseconds",
       true,
+      true),
+  AZURE_SAS_TOKEN_EXPIRES_AT_MS_PREFIX(
+      Long.class,
+      AzureProperties.ADLS_SAS_TOKEN_EXPIRES_AT_MS_PREFIX,
+      "The expiration time for the access token, in milliseconds",
+      true,
       true);
 
   private final Class valueType;
diff --git 
a/polaris-core/src/main/java/org/apache/polaris/core/storage/azure/AzureCredentialsStorageIntegration.java
 
b/polaris-core/src/main/java/org/apache/polaris/core/storage/azure/AzureCredentialsStorageIntegration.java
index 5b466b0c3..a043a7daa 100644
--- 
a/polaris-core/src/main/java/org/apache/polaris/core/storage/azure/AzureCredentialsStorageIntegration.java
+++ 
b/polaris-core/src/main/java/org/apache/polaris/core/storage/azure/AzureCredentialsStorageIntegration.java
@@ -182,7 +182,7 @@ public class AzureCredentialsStorageIntegration
       Instant expiresAt,
       Optional<String> refreshCredentialsEndpoint) {
     AccessConfig.Builder accessConfig = AccessConfig.builder();
-    handleAzureCredential(accessConfig, sasToken, storageDnsName);
+    handleAzureCredential(accessConfig, sasToken, storageDnsName, expiresAt);
     accessConfig.put(
         StorageAccessProperty.EXPIRATION_TIME, 
String.valueOf(expiresAt.toEpochMilli()));
     refreshCredentialsEndpoint.ifPresent(
@@ -193,8 +193,11 @@ public class AzureCredentialsStorageIntegration
   }
 
   private static void handleAzureCredential(
-      AccessConfig.Builder config, String sasToken, String host) {
+      AccessConfig.Builder config, String sasToken, String host, Instant 
expiresAt) {
     
config.putCredential(StorageAccessProperty.AZURE_SAS_TOKEN.getPropertyName() + 
host, sasToken);
+    config.putCredential(
+        
StorageAccessProperty.AZURE_SAS_TOKEN_EXPIRES_AT_MS_PREFIX.getPropertyName() + 
host,
+        String.valueOf(expiresAt.toEpochMilli()));
 
     // Iceberg 1.7.x may expect the credential key to _not_ be suffixed with 
endpoint
     if (host.endsWith(AzureLocation.ADLS_ENDPOINT)) {
diff --git 
a/polaris-core/src/test/java/org/apache/polaris/core/storage/azure/AzureCredentialsStorageIntegrationTest.java
 
b/polaris-core/src/test/java/org/apache/polaris/core/storage/azure/AzureCredentialsStorageIntegrationTest.java
index d613e5154..794ae25fe 100644
--- 
a/polaris-core/src/test/java/org/apache/polaris/core/storage/azure/AzureCredentialsStorageIntegrationTest.java
+++ 
b/polaris-core/src/test/java/org/apache/polaris/core/storage/azure/AzureCredentialsStorageIntegrationTest.java
@@ -36,8 +36,10 @@ public class AzureCredentialsStorageIntegrationTest {
 
     AccessConfig noSuffixResult =
         toAccessConfig("sasToken", "some_account", expiresAt, 
Optional.empty());
-    Assertions.assertThat(noSuffixResult.credentials()).hasSize(2);
+    Assertions.assertThat(noSuffixResult.credentials()).hasSize(3);
     
Assertions.assertThat(noSuffixResult.credentials()).containsKey("adls.sas-token.some_account");
+    Assertions.assertThat(noSuffixResult.credentials())
+        .containsKey("adls.sas-token-expires-at-ms.some_account");
     Assertions.assertThat(noSuffixResult.credentials())
         .doesNotContainKey(
             
StorageAccessProperty.AZURE_REFRESH_CREDENTIALS_ENDPOINT.getPropertyName());
@@ -48,9 +50,11 @@ public class AzureCredentialsStorageIntegrationTest {
             "some_account." + AzureLocation.ADLS_ENDPOINT,
             expiresAt,
             Optional.of("endpoint/credentials"));
-    Assertions.assertThat(adlsSuffixResult.credentials()).hasSize(3);
+    Assertions.assertThat(adlsSuffixResult.credentials()).hasSize(4);
     Assertions.assertThat(adlsSuffixResult.credentials())
         .containsKey("adls.sas-token.some_account");
+    Assertions.assertThat(noSuffixResult.credentials())
+        .containsKey("adls.sas-token-expires-at-ms.some_account");
     Assertions.assertThat(adlsSuffixResult.credentials())
         .containsKey("adls.sas-token.some_account." + 
AzureLocation.ADLS_ENDPOINT);
 
@@ -62,10 +66,12 @@ public class AzureCredentialsStorageIntegrationTest {
     AccessConfig blobSuffixResult =
         toAccessConfig(
             "sasToken", "some_account." + AzureLocation.BLOB_ENDPOINT, 
expiresAt, Optional.empty());
-    Assertions.assertThat(blobSuffixResult.credentials()).hasSize(3);
+    Assertions.assertThat(blobSuffixResult.credentials()).hasSize(4);
     Assertions.assertThat(blobSuffixResult.credentials())
         .containsKey("adls.sas-token.some_account");
     Assertions.assertThat(blobSuffixResult.credentials())
         .containsKey("adls.sas-token.some_account." + 
AzureLocation.BLOB_ENDPOINT);
+    Assertions.assertThat(blobSuffixResult.credentials())
+        
.containsKey("adls.sas-token-expires-at-ms.some_account.blob.core.windows.net");
   }
 }

(polaris) branch main updated: Azure: Fix azure expires at prefix for the credentials refresh (#2633)

Reply via email to