mbutrovich commented on code in PR #4309: URL: https://github.com/apache/datafusion-comet/pull/4309#discussion_r3291353298
########## native/core/src/cloud/s3/credential_bridge.rs: ########## @@ -0,0 +1,356 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +//! JNI bridge to the JVM `CometS3CredentialDispatcher` SPI, exposed as +//! `object_store::CredentialProvider` (raw Parquet path) and `reqsign_core::ProvideCredential` +//! (Iceberg via `opendal`). See `docs/source/contributor-guide/s3-credential-provider-design.md`. + +use crate::execution::operators::ExecutionError; +use crate::jvm_bridge::{jni_new_global_ref, jni_static_call, JVMClasses}; +use async_trait::async_trait; +use iceberg_storage_opendal::AwsCredential as IcebergAwsCredential; +use jni::objects::{Global, JFieldID, JObject, JString, JValue}; +use jni::signature::{Primitive, ReturnType}; +use jni::strings::JNIString; +use jni::sys::jint; +use log::warn; +use object_store::aws::AwsCredential; +use object_store::CredentialProvider; +use once_cell::sync::OnceCell; +use reqsign_core::time::Timestamp; +use reqsign_core::{ + Context, Error as ReqsignError, ErrorKind as ReqsignErrorKind, + ProvideCredential as IcebergProvideCredential, +}; +use std::collections::HashMap; +use std::fmt; +use std::sync::Arc; +use std::time::Duration; + +/// Cap on opendal's credential cache when the provider does not report an expiry. Prevents the +/// executor from holding a stale credential for the entire job lifetime. +const DEFAULT_EXPIRY_WHEN_UNKNOWN: Duration = Duration::from_secs(300); + +/// Once-per-process latch for the "missing expiry" warning. Bridges are per-scan, so a per-bridge +/// latch would re-log on every scan. +static WARNED_MISSING_EXPIRY: OnceCell<()> = OnceCell::new(); + +/// Access intent forwarded to the Java SPI. Ordinal must match the JVM `CometS3AccessMode` enum. +#[derive(Debug, Clone, Copy)] +pub enum AccessMode { + Read = 0, + #[allow(dead_code)] + Write = 1, +} + +/// Per-scan credential provider that delegates to the JVM SPI via JNI. `handle` is the JVM-side +/// identity for the `(provider_class, dispatch_key, catalog_properties)` triple returned by +/// `ensureInitialized`. `bucket_jstr` / `path_jstr` are interned once at construction to avoid Review Comment: The JVM SPI takes `(bucket, path)`, but the upstream traits don't carry a per-request path: `object_store::CredentialProvider::get_credential(&self)` is arg-less (object_store 0.13.2, `client/mod.rs:907`) and `reqsign_core::ProvideCredential::provide_credential(&self, ctx: &Context)` takes only the signing `Context` (reqsign-core 3.0.0, `api.rs:51`). So today the effective identity is per-bucket on the Parquet path and per-table-location on the Iceberg path, even though the Java side nominally exposes path. Added a doc note on `CometS3CredentialBridge` so this isn't a surprise. True per-path would mean wrapping each object_store operation, which isn't a hook either trait offers. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
