kevinjqliu commented on code in PR #781:
URL:
https://github.com/apache/arrow-rs-object-store/pull/781#discussion_r3475709458
##########
src/azure/client.rs:
##########
@@ -662,16 +663,47 @@ async fn parse_blob_batch_delete_body(
Ok(results)
}
+/// How long a freshly fetched user delegation key is requested to remain
valid.
+///
+/// The SAS tokens we sign with it stay short-lived; this only bounds how often
+/// we call `GetUserDelegationKey`. Azure caps the key lifetime at 7 days.
+const DELEGATION_KEY_VALIDITY: Duration = Duration::from_secs(12 * 60 * 60);
+
+/// Minimum remaining validity for a cached key to be reused.
+///
+/// The cache only hands back a key with at least this much life left, so it is
+/// also the longest SAS lifetime the cache can safely serve (a SAS must not
+/// outlive the key it is signed with). Longer-lived SAS fetch a dedicated key.
+const DELEGATION_KEY_MIN_TTL: Duration = Duration::from_secs(2 * 60 * 60);
+
+/// Parse the validity Azure actually granted a user delegation key, falling
back
+/// to the window we requested if the response can't be parsed.
+fn delegation_key_expiry(key: &UserDelegationKey, requested: DateTime<Utc>) ->
DateTime<Utc> {
+ DateTime::parse_from_rfc3339(&key.signed_expiry)
+ .map(|t| t.with_timezone(&Utc))
+ .unwrap_or(requested)
+}
+
#[derive(Debug)]
pub(crate) struct AzureClient {
config: AzureConfig,
client: HttpClient,
+ /// Caches the user delegation key used to sign SAS URLs.
+ ///
+ /// Fetching a key is a network round-trip (`GetUserDelegationKey`) that
Azure
+ /// throttles under load, so we fetch a long-lived key once and reuse it to
+ /// mint many short-lived SAS tokens.
+ delegation_key_cache: TokenCache<UserDelegationKey>,
Review Comment:
we should redact these, similar to aws/credentials.rs
https://github.com/apache/arrow-rs-object-store/blob/93f6f88f4d2d58e89c93f917db05ebf3b24825b7/src/aws/credential.rs#L83-L91
maybe some of this logic should live in azure/credentials.rs
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]