singhpk234 commented on code in PR #4695: URL: https://github.com/apache/iceberg/pull/4695#discussion_r865596398
########## aws/src/main/java/org/apache/iceberg/aws/lakeformation/LakeFormationTemporaryCredentials.java: ########## @@ -0,0 +1,42 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.iceberg.aws.lakeformation; + +import java.time.Instant; +import software.amazon.awssdk.auth.credentials.AwsCredentials; + +public class LakeFormationTemporaryCredentials { + + private final AwsCredentials credentials; + private final Instant sessionCredentialsExpiration; + + public LakeFormationTemporaryCredentials(AwsCredentials credentials, Instant expiration) { + this.credentials = credentials; + this.sessionCredentialsExpiration = expiration; + } + + public AwsCredentials getCredentials() { + return credentials; + } + + public Instant getSessionCredentialsExpiration() { + return sessionCredentialsExpiration; + } Review Comment: [minor] can remove `get` from the getter. ########## aws/src/main/java/org/apache/iceberg/aws/lakeformation/LakeFormationAwsClientFactory.java: ########## @@ -135,24 +141,57 @@ private LakeFormationClient lakeFormation() { static class LakeFormationCredentialsProvider implements AwsCredentialsProvider { private LakeFormationClient client; private String tableArn; + private final long expiryLeadTimeForRefreshInMins; + + private LakeFormationTemporaryCredentials cachedCredentials; + private final Cache<String, LakeFormationTemporaryCredentials> cache; LakeFormationCredentialsProvider(LakeFormationClient lakeFormationClient, String tableArn) { this.client = lakeFormationClient; this.tableArn = tableArn; + this.expiryLeadTimeForRefreshInMins = 1; + this.cache = Caffeine.newBuilder() + .initialCapacity(1) + .recordStats() + .build(); } @Override public AwsCredentials resolveCredentials() { - GetTemporaryGlueTableCredentialsRequest getTemporaryGlueTableCredentialsRequest = - GetTemporaryGlueTableCredentialsRequest.builder() - .tableArn(tableArn) - // Now only two permission types (COLUMN_PERMISSION and CELL_FILTER_PERMISSION) are supported - // and Iceberg only supports COLUMN_PERMISSION at this time - .supportedPermissionTypes(PermissionType.COLUMN_PERMISSION) - .build(); - GetTemporaryGlueTableCredentialsResponse response = - client.getTemporaryGlueTableCredentials(getTemporaryGlueTableCredentialsRequest); - return AwsSessionCredentials.create(response.accessKeyId(), response.secretAccessKey(), response.sessionToken()); + LakeFormationTemporaryCredentials credentials = cache.getIfPresent(tableArn); + if (credentials != null && shouldRefresh(credentials)) { + cache.invalidate(tableArn); + } Review Comment: [question] should we use expireAfter(Expiry) for variable TTL based on record instead, while creating the Caffeine obj itself - can ref https://github.com/ben-manes/caffeine/wiki/Eviction#time-based ########## aws/src/main/java/org/apache/iceberg/aws/lakeformation/LakeFormationAwsClientFactory.java: ########## @@ -135,24 +141,57 @@ private LakeFormationClient lakeFormation() { static class LakeFormationCredentialsProvider implements AwsCredentialsProvider { private LakeFormationClient client; private String tableArn; + private final long expiryLeadTimeForRefreshInMins; + + private LakeFormationTemporaryCredentials cachedCredentials; + private final Cache<String, LakeFormationTemporaryCredentials> cache; LakeFormationCredentialsProvider(LakeFormationClient lakeFormationClient, String tableArn) { this.client = lakeFormationClient; this.tableArn = tableArn; + this.expiryLeadTimeForRefreshInMins = 1; + this.cache = Caffeine.newBuilder() + .initialCapacity(1) + .recordStats() + .build(); } @Override public AwsCredentials resolveCredentials() { - GetTemporaryGlueTableCredentialsRequest getTemporaryGlueTableCredentialsRequest = - GetTemporaryGlueTableCredentialsRequest.builder() - .tableArn(tableArn) - // Now only two permission types (COLUMN_PERMISSION and CELL_FILTER_PERMISSION) are supported - // and Iceberg only supports COLUMN_PERMISSION at this time - .supportedPermissionTypes(PermissionType.COLUMN_PERMISSION) - .build(); - GetTemporaryGlueTableCredentialsResponse response = - client.getTemporaryGlueTableCredentials(getTemporaryGlueTableCredentialsRequest); - return AwsSessionCredentials.create(response.accessKeyId(), response.secretAccessKey(), response.sessionToken()); + LakeFormationTemporaryCredentials credentials = cache.getIfPresent(tableArn); + if (credentials != null && shouldRefresh(credentials)) { + cache.invalidate(tableArn); + } + + credentials = cache.get(tableArn, key -> { + GetTemporaryGlueTableCredentialsRequest getTemporaryGlueTableCredentialsRequest = + GetTemporaryGlueTableCredentialsRequest.builder() + .tableArn(key) + // Now only two permission types (COLUMN_PERMISSION and CELL_FILTER_PERMISSION) are supported + // and Iceberg only supports COLUMN_PERMISSION at this time + .supportedPermissionTypes(PermissionType.COLUMN_PERMISSION) + .build(); + GetTemporaryGlueTableCredentialsResponse response = + client.getTemporaryGlueTableCredentials(getTemporaryGlueTableCredentialsRequest); + + AwsSessionCredentials awsSessionCredentials = AwsSessionCredentials.create(response.accessKeyId(), + response.secretAccessKey(), response.sessionToken()); + + cachedCredentials = new LakeFormationTemporaryCredentials(awsSessionCredentials, response.expiration()); + return cachedCredentials; + }); + + return credentials.getCredentials(); + } + + private boolean shouldRefresh(LakeFormationTemporaryCredentials credentials) { + Instant refreshRequiredSince = credentials.getSessionCredentialsExpiration() + .minus(Duration.ofMillis(TimeUnit.MINUTES.toMillis(expiryLeadTimeForRefreshInMins))); + if (refreshRequiredSince.isBefore(Clock.systemUTC().instant())) { + return true; + } + + return false; Review Comment: can return `refreshRequiredSince.isBefore(Clock.systemUTC().instant())` instead -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
