Skip to content

Core: Pass REST auth manager to S3 signer #2846

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kevinjqliu merged 6 commits into from
Jan 17, 2026
Merged

Core: Pass REST auth manager to S3 signer #2846

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
203bbb4
Fix REST signer to use catalog auth manager
010Soham Dec 19, 2025
d7d57ea
Merge branch 'main' into fix-2544-rest-signer-token
010Soham Dec 21, 2025
a99dcad
Apply ruff format after merge
010Soham Dec 21, 2025
72be520
Merge branch 'main' into fix-2544-rest-signer-token
Fokko Jan 5, 2026
570ba7c
address review feedback:prefer auth manager,move constant
010Soham Jan 6, 2026
92bbc7a
Merge branch 'main' into fix-2544-rest-signer-token
kevinjqliu Jan 17, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions pyiceberg/catalog/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,7 @@
_ENV_CONFIG = Config()

TOKEN = "token"
AUTH_MANAGER = "auth.manager"
Comment thread
010Soham marked this conversation as resolved.
Outdated
TYPE = "type"
PY_CATALOG_IMPL = "py-catalog-impl"
ICEBERG = "iceberg"
Expand Down
25 changes: 14 additions & 11 deletions pyiceberg/catalog/rest/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,14 +26,7 @@
from tenacity import RetryCallState, retry, retry_if_exception_type, stop_after_attempt

from pyiceberg import __version__
from pyiceberg.catalog import (
BOTOCORE_SESSION,
TOKEN,
URI,
WAREHOUSE_LOCATION,
Catalog,
PropertiesUpdateSummary,
)
from pyiceberg.catalog import AUTH_MANAGER, BOTOCORE_SESSION, TOKEN, URI, WAREHOUSE_LOCATION, Catalog, PropertiesUpdateSummary
from pyiceberg.catalog.rest.auth import AuthManager, AuthManagerAdapter, AuthManagerFactory, LegacyOAuth2AuthManager
from pyiceberg.catalog.rest.response import _handle_non_200_response
from pyiceberg.exceptions import (
Expand All @@ -49,7 +42,7 @@
TableAlreadyExistsError,
UnauthorizedError,
)
from pyiceberg.io import AWS_ACCESS_KEY_ID, AWS_REGION, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
from pyiceberg.io import AWS_ACCESS_KEY_ID, AWS_REGION, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, FileIO, load_file_io
from pyiceberg.partitioning import UNPARTITIONED_PARTITION_SPEC, PartitionSpec, assign_fresh_partition_spec_ids
from pyiceberg.schema import Schema, assign_fresh_schema_ids
from pyiceberg.table import (
Expand Down Expand Up @@ -218,6 +211,7 @@ class ListViewsResponse(IcebergBaseModel):
class RestCatalog(Catalog):
uri: str
_session: Session
_auth_manager: AuthManager | None

def __init__(self, name: str, **properties: str):
"""Rest Catalog.
Expand All @@ -229,6 +223,7 @@ def __init__(self, name: str, **properties: str):
properties: Properties that are passed along to the configuration.
"""
super().__init__(name, **properties)
self._auth_manager: AuthManager | None = None
self.uri = properties[URI]
self._fetch_config()
self._session = self._create_session()
Expand Down Expand Up @@ -263,16 +258,24 @@ def _create_session(self) -> Session:
if auth_type != CUSTOM and auth_impl:
raise ValueError("auth.impl can only be specified when using custom auth.type")

session.auth = AuthManagerAdapter(AuthManagerFactory.create(auth_impl or auth_type, auth_type_config))
self._auth_manager = AuthManagerFactory.create(auth_impl or auth_type, auth_type_config)
session.auth = AuthManagerAdapter(self._auth_manager)
else:
session.auth = AuthManagerAdapter(self._create_legacy_oauth2_auth_manager(session))
self._auth_manager = self._create_legacy_oauth2_auth_manager(session)
session.auth = AuthManagerAdapter(self._auth_manager)
Comment on lines +382 to +383
Copy link
Copy Markdown
Contributor

@kevinjqliu kevinjqliu Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: take session.auth = AuthManagerAdapter(self._auth_manager) part out of the if/else branch since its the same logic


# Configure SigV4 Request Signing
if property_as_bool(self.properties, SIGV4, False):
self._init_sigv4(session)

return session

def _load_file_io(self, properties: Properties = EMPTY_DICT, location: str | None = None) -> FileIO:
merged_properties = {**self.properties, **properties}
if self._auth_manager:
merged_properties[AUTH_MANAGER] = self._auth_manager
return load_file_io(merged_properties, location)

Comment thread
010Soham marked this conversation as resolved.
def is_rest_scan_planning_enabled(self) -> bool:
"""Check if rest server-side scan planning is enabled.

Expand Down
16 changes: 13 additions & 3 deletions pyiceberg/io/fsspec.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@
from fsspec.implementations.local import LocalFileSystem
from requests import HTTPError

from pyiceberg.catalog import TOKEN, URI
from pyiceberg.catalog import AUTH_MANAGER, TOKEN, URI
from pyiceberg.exceptions import SignError
from pyiceberg.io import (
ADLS_ACCOUNT_HOST,
Expand Down Expand Up @@ -121,9 +121,19 @@ def __call__(self, request: "AWSRequest", **_: Any) -> None:
signer_url = self.properties.get(S3_SIGNER_URI, self.properties[URI]).rstrip("/") # type: ignore
signer_endpoint = self.properties.get(S3_SIGNER_ENDPOINT, S3_SIGNER_ENDPOINT_DEFAULT)

signer_headers = {}
signer_headers: dict[str, str] = {}

auth_header: str | None = None
if token := self.properties.get(TOKEN):
signer_headers = {"Authorization": f"Bearer {token}"}
Comment thread
010Soham marked this conversation as resolved.
auth_header = f"Bearer {token}"
Comment on lines 125 to +131
Copy link
Copy Markdown
Contributor

@kevinjqliu kevinjqliu Dec 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: maybe we can get rid of accessing TOKEN through properties here and just standardize on using the auth manager.

Copy link
Copy Markdown
Collaborator

@sungwy sungwy Dec 24, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This may be out of scope for this bug-fix PR, but it looks like we’re tightly coupling AuthManager and authentication tokens which are RestCatalog concepts into FileIO, which should be Catalog type agnostic.

It might be worth revisiting this design in more detail in the future to ensure we don’t introduce fallback logic that’s driven by configuration properties rather than clearer separation of concerns

Copy link
Copy Markdown
Contributor

@kevinjqliu kevinjqliu Dec 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yea great point. i think it would be better to split out the "rest signer" from fileio. there's a good example already in the REST catalog,

iceberg-python/pyiceberg/catalog/rest/__init__.py

Lines 409 to 459 in a99dcad

def _init_sigv4(self, session: Session) -> None:
from urllib import parse
import boto3
from botocore.auth import SigV4Auth
from botocore.awsrequest import AWSRequest
from requests import PreparedRequest
from requests.adapters import HTTPAdapter
class SigV4Adapter(HTTPAdapter):
def __init__(self, **properties: str):
super().__init__()
self._properties = properties
self._boto_session = boto3.Session(
region_name=get_first_property_value(self._properties, AWS_REGION),
botocore_session=self._properties.get(BOTOCORE_SESSION),
aws_access_key_id=get_first_property_value(self._properties, AWS_ACCESS_KEY_ID),
aws_secret_access_key=get_first_property_value(self._properties, AWS_SECRET_ACCESS_KEY),
aws_session_token=get_first_property_value(self._properties, AWS_SESSION_TOKEN),
)
def add_headers(self, request: PreparedRequest, **kwargs: Any) -> None: # pylint: disable=W0613
credentials = self._boto_session.get_credentials().get_frozen_credentials()
region = self._properties.get(SIGV4_REGION, self._boto_session.region_name)
service = self._properties.get(SIGV4_SERVICE, "execute-api")
url = str(request.url).split("?")[0]
query = str(parse.urlsplit(request.url).query)
params = dict(parse.parse_qsl(query))
# remove the connection header as it will be updated after signing
del request.headers["connection"]
aws_request = AWSRequest(
method=request.method, url=url, params=params, data=request.body, headers=dict(request.headers)
)
SigV4Auth(credentials, service, region).add_auth(aws_request)
original_header = request.headers
signed_headers = aws_request.headers
relocated_headers = {}
# relocate headers if there is a conflict with signed headers
for header, value in original_header.items():
if header in signed_headers and signed_headers[header] != value:
relocated_headers[f"Original-{header}"] = value
request.headers.update(relocated_headers)
request.headers.update(signed_headers)
session.mount(self.uri, SigV4Adapter(**self.properties))

it might also be easier to just pass in the request Session from the REST catalog to the Signer. So we dont need to recreate the auth header directly

but again, we can refactor this after the bug fix :)

Copy link
Copy Markdown
Collaborator

@sungwy sungwy Dec 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agreed - just leaving a comment so we don't forget 🙂

Copy link
Copy Markdown
Contributor

@kevinjqliu kevinjqliu Dec 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in case we forget, #2862

Copy link
Copy Markdown
Contributor Author

@010Soham 010Soham Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that sounds good, lets address the cleaner design in #2862

elif auth_manager := self.properties.get(AUTH_MANAGER):
header = getattr(auth_manager, "auth_header", None)
if callable(header):
auth_header = header()
Comment thread
010Soham marked this conversation as resolved.
Outdated

if auth_header:
signer_headers["Authorization"] = auth_header

signer_headers.update(get_header_properties(self.properties))

signer_body = {
Expand Down
51 changes: 51 additions & 0 deletions tests/io/test_fsspec.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@
from fsspec.spec import AbstractFileSystem
from requests_mock import Mocker

from pyiceberg.catalog import AUTH_MANAGER
from pyiceberg.exceptions import SignError
from pyiceberg.io import fsspec
from pyiceberg.io.fsspec import FsspecFileIO, S3V4RestSigner
Expand Down Expand Up @@ -948,3 +949,53 @@ def test_s3v4_rest_signer_forbidden(requests_mock: Mocker) -> None:
"""Failed to sign request 401: {'method': 'HEAD', 'region': 'us-west-2', 'uri': 'https://bucket/metadata/snap-8048355899640248710-1-a5c8ea2d-aa1f-48e8-89f4-1fa69db8c742.avro', 'headers': {'User-Agent': ['Botocore/1.27.59 Python/3.10.7 Darwin/21.5.0']}}"""
in str(exc_info.value)
)


def test_s3v4_rest_signer_uses_auth_manager(requests_mock: Mocker) -> None:
new_uri = "https://bucket/metadata/snap-signed.avro"
requests_mock.post(
f"{TEST_URI}/v1/aws/s3/sign",
json={
"uri": new_uri,
"headers": {
"Authorization": ["AWS4-HMAC-SHA256 Credential=ASIA.../s3/aws4_request, SignedHeaders=host, Signature=abc"],
"Host": ["bucket.s3.us-west-2.amazonaws.com"],
},
"extensions": {},
},
status_code=200,
)

request = AWSRequest(
method="HEAD",
url="https://bucket/metadata/snap-foo.avro",
headers={"User-Agent": "Botocore/1.27.59 Python/3.10.7 Darwin/21.5.0"},
data=b"",
params={},
auth_path="/metadata/snap-foo.avro",
)
request.context = {
"client_region": "us-west-2",
"has_streaming_input": False,
"auth_type": None,
"signing": {"bucket": "bucket"},
"retries": {"attempt": 1, "invocation-id": "75d143fb-0219-439b-872c-18213d1c8d54"},
}

class DummyAuthManager:
def __init__(self) -> None:
self.calls = 0

def auth_header(self) -> str:
self.calls += 1
return "Bearer via-manager"

auth_manager = DummyAuthManager()

signer = S3V4RestSigner(properties={AUTH_MANAGER: auth_manager, "uri": TEST_URI})
signer(request)

assert auth_manager.calls == 1
assert requests_mock.last_request is not None
assert requests_mock.last_request.headers["Authorization"] == "Bearer via-manager"
assert request.url == new_uri