roeap commented on code in PR #5259:
URL: https://github.com/apache/arrow-rs/pull/5259#discussion_r1441811973


##########
object_store/src/azure/client.rs:
##########
@@ -324,6 +333,45 @@ impl AzureClient {
         Ok(())
     }
 
+    /// Make a Get User Delegation Key request
+    /// 
<https://docs.microsoft.com/en-us/rest/api/storageservices/get-user-delegation-key>
+    pub async fn get_user_delegation_key(
+        &self,
+        start: &DateTime<Utc>,
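Review bot: `start: &DateTime<Utc>` in the `get_user_delegation_key` signature borrows a `Copy` type; taking `DateTime<Utc>` by value is more idiomatic and spares callers the borrow. The doc comment only names the REST operation, so a sentence on what `start` bounds would help. The method is also declared `pub`; if it is meant to stay internal, `pub(crate)` states that directly.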

Review Comment:
   this is private now ...



##########
object_store/src/azure/credential.rs:
##########
@@ -137,33 +141,86 @@ pub mod authority_hosts {
     pub const AZURE_PUBLIC_CLOUD: &str = "https://login.microsoftonline.com";;
 }
 
-pub(crate) trait CredentialExt {
-    /// Apply authorization to requests against azure storage accounts
-    /// 
<https://docs.microsoft.com/en-us/rest/api/storageservices/authorize-requests-to-azure-storage>
-    fn with_azure_authorization(self, credential: &AzureCredential, account: 
&str) -> Self;
+pub(crate) struct AzureSigner {
+    signing_key: AzureAccessKey,
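Review bot: `AzureSigner` is added without a doc comment, and `signing_key: AzureAccessKey` is held by value, so every signer carries its own copy of the key material. Please document what the struct signs and that it is expected to be short-lived, and if it gets a `Debug` impl, make sure the `signing_key` field is not printed.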

Review Comment:
   tried to find a way to borrow this, but found no nice solution, as the key is owned by the invoking function that creates the signer.
   
   Since signing URLs would usually not be so high volume, I thought this might be OK.



##########
object_store/src/signer.rs:
##########
@@ -30,5 +30,21 @@ pub trait Signer: Send + Sync + fmt::Debug + 'static {
     /// the URL should be valid, return a signed [`Url`] created with the 
object store
     /// implementation's credentials such that the URL can be handed to 
something that doesn't have
     /// access to the object store's credentials, to allow limited access to 
the object store.
-    async fn signed_url(&self, method: Method, path: &Path, expires_in: 
Duration) -> Result<Url>;
+    async fn signed_url(&self, method: &Method, path: &Path, expires_in: 
Duration) -> Result<Url>;
+
+    /// Generate signed urls for multiple paths.
+    ///
+    /// See [`Signer::signed_url`] for more details.
+    async fn signed_urls(
+        &self,
+        method: &Method,
+        paths: &[Path],
+        expires_in: Duration,
+    ) -> Result<Vec<Url>> {
+        let mut urls = Vec::with_capacity(paths.len());
+        for path in paths {
+            urls.push(self.signed_url(method, path, expires_in).await?);
+        }
+        Ok(urls)
+    }
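Review bot: The doc comment on `signed_urls` does not state its contract: the default body signs sequentially, returns URLs in the same order as `paths`, and the `?` inside the loop fails the whole batch on the first error, discarding URLs already signed. Please document that so overriding implementations keep the same ordering and error behaviour. Separately, changing `signed_url` to take `method: &Method` breaks existing callers and implementors; the default body could keep the by-value signature and call `self.signed_url(method.clone(), path, expires_in)` instead.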

Review Comment:
   To effectively hide the delegation key shenanigans, I thought it may be best to just expose an additional method for signing multiple URLs with a default implementation.
   
   This also introduced a breaking change as we now would take a ref of the `Method`



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
