feat(rest): support AWS SIGv4 #1241
Conversation
Signed-off-by: xxchan <xxchan22f@gmail.com>
Signed-off-by: xxchan <xxchan22f@gmail.com>
xxchan
force-pushed
the
xxchan/cheerful-mite
branch
from
8a99af2 to
e698d79
Compare
| const EMPTY_STRING_SHA256: &str = | ||
| "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"; | ||
| request.headers_mut().insert( | ||
| "x-amz-content-sha256", | ||
| HeaderValue::from_str(EMPTY_STRING_SHA256).unwrap(), | ||
| ); |
There was a problem hiding this comment.
Why do we have to hardcode this here?
There was a problem hiding this comment.
I'm also quite confused.
There was a problem hiding this comment.
By default, reqsign will fill x-amz-content-sha256=UNSIGNED-PAYLOAD. If signing request body is needed, caller should fill a x-amz-content-sha256 themselves.
UNSIGNED-PAYLOAD works for s3, but it seems not working for s3tables. Therefore, I tried to include SHA256("")= e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, and it works..
I also not sure if this is the most correct way, whether we should support this natively in reqsign.
There was a problem hiding this comment.
I think this behavor should be hidden under reqsign. cc @Xuanwo WDYT?
| @@ -220,6 +225,39 @@ impl HttpClient { | |||
| /// Executes the given `Request` and returns a `Response`. | |||
| pub async fn execute(&self, mut request: Request) -> Result<Response> { | |||
| request.headers_mut().extend(self.extra_headers.clone()); | |||
|
|
|||
| if let Some((loader, signer)) = &self.signer { | |||
| match loader.load().await { | |||
There was a problem hiding this comment.
Do we want to load credentials with every request?
let config = AwsConfig::default().from_profile().from_env();
println!("access_key_id {:?}", config.access_key_id);
let loader = AwsDefaultLoader::new(self.client().unwrap_or_default(), config);
There was a problem hiding this comment.
We also need to change request method.
| @@ -93,6 +93,7 @@ port_scanner = "0.1.5" | |||
| pretty_assertions = "1.4" | |||
| rand = "0.8.5" | |||
| regex = "1.10.5" | |||
| reqsign = { version = "0.16.3" } | |||
There was a problem hiding this comment.
Is there a reason for not using https://crates.io/crates/aws-sigv4 ?
There was a problem hiding this comment.
reqsign is lightweight, with minimal dependency footprints. And it's already depended by us (transitively via opendal ). So it's good not to introduce new heavy dependencies.
@Xuanwo could you share your opinions on this?
There was a problem hiding this comment.
I'm fine with reqsign as its api will be easier to get adapted to different vendors, and also aws-sigv4 itself says it's not designed for used directly, see
Low-level SigV4 request signing implementations.
This crate is part of the AWS SDK for Rust and the smithy-rs code generator. In most cases, it should not be used directly.
| if warehouse_path.starts_with("arn:aws:") { | ||
| let file_io = FileIOBuilder::new("s3").with_props(&props).build()?; | ||
| return Ok(file_io); | ||
| } |
There was a problem hiding this comment.
Is there a better way to know the rest catalog service e.g. using rest.signing-name?
crates/catalog/rest/src/catalog.rs
Outdated
| let config = AwsConfig::default().from_profile().from_env(); | ||
| println!("access_key_id {:?}", config.access_key_id); | ||
| let loader = AwsDefaultLoader::new(self.client().unwrap_or_default(), config); |
There was a problem hiding this comment.
Can we support customizing this like passing or reusing the aws profile / credentials configuration or better introduce a new set of rest specific configurations.
There was a problem hiding this comment.
Thanks @xxchan for this pr, generally the direction is right, but there are some things to fix. Also one of my concerns is that there is no tests at all, how should we test this feature?
| @@ -93,6 +93,7 @@ port_scanner = "0.1.5" | |||
| pretty_assertions = "1.4" | |||
| rand = "0.8.5" | |||
| regex = "1.10.5" | |||
| reqsign = { version = "0.16.3" } | |||
There was a problem hiding this comment.
I'm fine with reqsign as its api will be easier to get adapted to different vendors, and also aws-sigv4 itself says it's not designed for used directly, see
Low-level SigV4 request signing implementations.
This crate is part of the AWS SDK for Rust and the smithy-rs code generator. In most cases, it should not be used directly.
| @@ -84,6 +85,29 @@ impl RestCatalogConfig { | |||
| } | |||
| } | |||
|
|
|||
| pub(crate) fn get_signer(&self) -> Result<Option<(AwsDefaultLoader, AwsV4Signer)>> { | |||
There was a problem hiding this comment.
I don't think we should credential store loader, why not store credential?
There was a problem hiding this comment.
All the keys should use constants rather magic strings.
| @@ -84,6 +85,29 @@ impl RestCatalogConfig { | |||
| } | |||
| } | |||
|
|
|||
| pub(crate) fn get_signer(&self) -> Result<Option<(AwsDefaultLoader, AwsV4Signer)>> { | |||
| if let Some("true") = self.props.get("rest.sigv4-enabled").map(|s| s.as_str()) { | |||
There was a problem hiding this comment.
Why not use bool::from_str here?
| let Some(signing_region) = self.props.get("rest.signing-region") else { | ||
| return Err(Error::new( | ||
| ErrorKind::Unexpected, | ||
| "rest.signing-region is not set when rest.sigv4-enabled is true", |
There was a problem hiding this comment.
This string should be formatted using constants
| let Some(signing_name) = self.props.get("rest.signing-name") else { | ||
| return Err(Error::new( | ||
| ErrorKind::Unexpected, | ||
| "rest.signing-name is not set when rest.sigv4-enabled is true", |
| }; | ||
|
|
||
| let config = AwsConfig::default().from_profile().from_env(); | ||
| let loader = AwsDefaultLoader::new(self.client().unwrap_or_default(), config); |
There was a problem hiding this comment.
Not only from profile, we should also allow user to config using properties, for example aws_access_id
| @@ -306,6 +330,13 @@ impl RestCatalog { | |||
| None => None, | |||
| }; | |||
|
|
|||
| if let Some(warehouse_path) = warehouse_path { | |||
There was a problem hiding this comment.
Look at below codes, we should also consider metadata_location. Also please add some comments to explain this change.
| const EMPTY_STRING_SHA256: &str = | ||
| "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"; | ||
| request.headers_mut().insert( | ||
| "x-amz-content-sha256", | ||
| HeaderValue::from_str(EMPTY_STRING_SHA256).unwrap(), | ||
| ); |
There was a problem hiding this comment.
I'm also quite confused.
| @@ -220,6 +225,39 @@ impl HttpClient { | |||
| /// Executes the given `Request` and returns a `Response`. | |||
| pub async fn execute(&self, mut request: Request) -> Result<Response> { | |||
| request.headers_mut().extend(self.extra_headers.clone()); | |||
|
|
|||
| if let Some((loader, signer)) = &self.signer { | |||
| match loader.load().await { | |||
There was a problem hiding this comment.
We also need to change request method.
Hi @liurenjie1024 , thanks for the review. This PR is more like a quick demo to see if it can work (seem to work via manual testing with the CLI), and if the general idea (of using |
|
Here is another approach I implemented a while back that might be interesting to reference: #917 |
|
@phillipleblanc Sorry for not noticing your PR! Will check it But it seems at least we are on the same page about not to depend on the aws crates for signing (#917 (comment)) |
|
Yes, if we can implement this without depending on the aws sigv4 crate - that would be ideal. |
Signed-off-by: xxchan xxchan22f@gmail.com
Which issue does this PR close?
close #1236
There's one missing piece:
reqsigngot canonical request like:/iceberg/v1/arn%3Aaws%3As3tables%3Aap-southeast-1.../iceberg/v1/arn%253Aaws%253As3tables%253Aap-southeast-1%..., where reqsign wrongly decoded%3.During my local testing, I tried to remove this
percent_decode_strinreqsignhttps://github.com/Xuanwo/reqsign/blob/26a1e224b5498a59ad53d9508be1e85df322f043/src/aws/v4.rs#L223 , then it runs successfully (I tested with the iceberg-rust CLI from #1220). But I'm not sure about the decode reason here and what's the best way to change it. cc @XuanwoWhat changes are included in this PR?
Are these changes tested?