add refresh credentials property to loadTableResult

[jasonf20]

Rebased version of #1164

[dimas-b]

Please address CI failures :)

[dimas-b]

LGTM overall 👍 Thanks for working on this @jasonf20 !

Do we have existing integration tests for the credential refresh endpoint? If not, could you add a test in RestCatalogMinIOSpecialIT (probably). I suppose we could use the test REST Client to validate refresh credential responses. I know this is specific to the S3 storage integration, but it will hit the common call path and we can validate Azure AccessConfig in unit tests. WDYT?

[dimas-b]

Just to confirm: relative URIs are correct in this case, right?

[jasonf20]

Yes, from what I understand the recent version of the client automatically appends the base URI if a relative path is returned from the server.

[dimas-b]

I do not think this property is a credential property (logically)

[jasonf20]

From my understanding of the client code:

1. The AwsClientFactory is initialized ahead of time with generic properties retrieved from the "configuration" endpoint. This doesn't include specific endpoints for credential refresh per table and/or access keys.
2. Later on when loading the fileIO per table, the base properties + additional table properties provided from the List<Credential> are added here.

For the property to be available in Credential.config() down the line this needs to be set to true.

[dimas-b]

Thanks for the code pointer! In this case, it does make sense to mark these properties as "credentials", but please add a code comment for future readers to be aware of what Iceberg java clients expect.

[jasonf20]

I had another look at this. I think I was wrong since it also passes in tableConf which if set initializes a new fileIO with those properties, so this can be false. I'll update those.

[dimas-b]

Thanks for your diligence! 🙂

[jasonf20]

@dimas-b I've added the integration test and unit test for azure as you suggested and made other fixes based on your comments.

[dimas-b]

This PR LGTM in its current state 👍 ... with some minor comments 🙂

However, I believe it is worth sending a dev email about the new feature before merging (as commented below).

[dimas-b]

This logic is ok from my POV, but I wonder if other community members prefer a feature flag to switch the new behaviour on/off.

Please send an email about this to the dev ML.

[dimas-b]

Actually, I'll send the dev email myself :)

[dimas-b]

https://lists.apache.org/thread/dvrx5lg36ovo7387pt6dm06wgmswstvc

[singhpk234]

Mostly LGTM as well 👍 ! we are very close :) !

[singhpk234]

ideally we are not refreshing the credentials, we are getting brand new one how about we say something like
https://github.com/apache/iceberg/blob/main/open-api/rest-catalog-open-api.yaml#L119

[dimas-b]

@jasonf20 : Could you add an entry about this change to CHANGELOG.md, section New Features?

[dimas-b]

LGTM 👍 Thanks again for you contribution, @jasonf20 !

Since this PR was already mentioned on the dev ML on Aug 21 and no concerned were raised, I think it is good to merge. I'll wait until Aug 26 before merging, in case any last minute comments come up.

[singhpk234]

LGTM overall (have some small cosmetic suggestion for documentation), Thank you @jasonf20 ! much needed feature for long running jobs !

will wait for @dimas-b review and approval before merge

[singhpk234]

can we return anything except relative path ? my understanding is base uri is always catalog uri https://github.com/apache/iceberg/blob/main/aws/src/main/java/org/apache/iceberg/aws/s3/VendedCredentialsProvider.java#L92 is this statement in intentionally open ended since spec is not explicit ?

[jasonf20]

At one point the client required full paths, now it works with partial paths. I'm not sure if the spec identifies one as the correct method over the other so I left it like this. If one is definitely the "correct" way I can update the comment.

[dimas-b]

@jasonf20 : do you know the Iceberg version / PR where relative paths started working?

[jasonf20]

It was linked in the previous PR. #1164 (comment)

Seems like it's since 1.8.0

[singhpk234]

Oh no this made a lot of things super tricky, i checked iceberg python for refresh keyword but i didn't any prs for that so i am assuming that it doesn't support, taking only the iceberg java sdk reference
if we always send relative url it only works for >= 1.8
fails for < 1.8
I know there is a header that the java sdk sends which has SDK version X-Client-Version header we may want to salvage this now on when to return the absolute vs relative, https://github.com/apache/iceberg/blob/main/core/src/main/java/org/apache/iceberg/rest/HTTPClient.java#L77

seems like the only broken release would be 1.7

Its a bit surprising to me, but i think for now we can park this by just documenting this gotcha, WDYT @dimas-b ?

[dimas-b]

Getting full URI is a bit trickier - as discussed in #1164.

From my POV, let's merge this "as is" and open a GH issue that it does not work properly for Iceberg < 1.8. When someone has time, let's improve.

Getting this feature enabled for Iceberg clients >= 1.8 is valuable, I think.

[dimas-b]

Since old client version behave differently, I think we ought to have a feature flag now... just in case someone runs into client incompatibility issues and wants to disable credential refresh properties completely (i.e. revert to old Polaris behaviour). WDYT?

[singhpk234]

That would be ideal IMHO (specially now), but i think the jobs without us sending the credentials endpoint would still have failed because my understanding is we would have not made the /credentials call unless the creds in loadTable expires https://github.com/apache/iceberg/blob/main/aws/src/main/java/org/apache/iceberg/aws/s3/VendedCredentialsProvider.java#L63, its just we might see an HTTP error rather than the creds expired exception.
But agree, we might want to have a feature flag to fallback to the old behaviour if we unexpectedly fail.

[jasonf20]

I don't think a feature flag is needed.

1. The client is already broken, if they reach the need to refresh credentials it already fails today.
2. A feature flag will not solve the problem. Enabling it will fix the issue for some and create a different issue for others, so you'll never be able to enable it anymore than you can without the flag.
3. Clients can simply upgrade to 1.8.0 to get a working version. Their current version doesn't work anyway so they can upgrade at their own time when this becomes important to them.
4. If you would like we can remove the refresh_credentials_enabled property and let the client set that one in his catalog settings. That way he can control if this gets used or not. This would be better than a flag and is controlled client side. not server side.

[jasonf20]

I've added a commit that does 4.

[singhpk234]

Looks like we already have @dimas-b ;) review, we were parallely reviewing, we good to go from my end !

[dimas-b]

Oops, CI failure 😅

[jasonf20]

Oops, CI failure 😅

fixed

[dimas-b]

@jasonf20 : I'm a bit lost now... Why do we need to remove the "enabled" flag in 2a123d1?

In my earlier comments I mean that we need to add a new flag to FeatureConfiguration and use it to control whether to add the credential refresh endpoint and the related "enabled" flag to AccessConfig... WDYT?

[dimas-b]

After re-reading @jasonf20 comment, I think removing of the "enabled" properties from AccessConfig is a sound approach.

[singhpk234]

Lets call out the client version limitation here and the suggestion to the caller to set the client side override to enable this.

[dimas-b]

good points!

[dimas-b]

since the release is imminent, if the round trip cycle is slow, I suppose we can still merge this PR and later adjust the changelog between @singhpk234 and myself :) Let's give it a few more hours.

[jasonf20]

I updated the changelog. Seems a little verbose now for a changelog but It's probably fine.

p.s. I believe you should be able to push changes to my branch yourself since I have the "Allow edits and access to secrets by maintainers" checkbox enabled. But I never tried using that myself.

[singhpk234]

the properties are unfortunately different for the all the cloud providers, not sure if we wanna call this out, just saying enabled never the less refresh-credentials-enabled should be endpoint

how about we say that clients must enable refresh-credentials flag for their respective cloud provider ?

[jasonf20]

Yea that's less verbose. I changed it to that.

[dimas-b]

lgtm 👍

[singhpk234]

LGTM, thanks @jasonf20 for all the effort !
Appreciate your contribution :), much needed capability !

[jasonf20]

Thanks for your reviews @dimas-b @singhpk234 !

[flyrain]

We will need to document this. Unfortunately, the best place to doc this is a page for storage setting and credential vending, which doesn't exist yet. Here is the issue filed long time ago, #1325. Not a blocker for this PR though.