Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for out of band access tokens in the GCS Client #11181

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Add support for out of band access tokens in the GCS Client #11181

wants to merge 4 commits into from

Conversation

ArnavBalyan
Copy link

  • Currently the GCS client supports only keyfiles for credential based authentication. (However this is not always safe and many usecases leverage access tokens for storage access).
  • This change adds support for access token based authentication when interacting with GCS.
  • Access tokens can be fetched using an out of band fetch mechanism such as token-broker service or a custom token provider.
  • This change adds the contract and ability to use access tokens, the user must bundle their custom token provider which can interact with internal systems and provide an access token on demand.

@facebook-github-bot
Copy link
Contributor

Hi @ArnavBalyan!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at [email protected]. Thanks!

@netlify Netlify
Copy link

netlify bot commented Oct 7, 2024
edited
Loading

Deploy Preview for meta-velox canceled.

Name Link
🔨 Latest commit ca77f06
🔍 Latest deploy log https://app.netlify.com/sites/meta-velox/deploys/67037c26042efc000851ec12

@ArnavBalyan ArnavBalyan changed the title [Velox] Add support for out of band access tokens in the GCS Client Add support for out of band access tokens in the GCS Client Oct 7, 2024
@facebook-github-bot
Copy link
Contributor

Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Meta Open Source project. Thanks!

@facebook-github-bot facebook-github-bot added the CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. label Oct 7, 2024
@kgpai kgpai requested a review from majetideepak October 11, 2024 06:16
@majetideepak
Copy link
Collaborator

@ArnavBalyan I added another change to GCS config here #11235.
Let me know your thoughts.
I will look at this PR now.

majetideepak
majetideepak reviewed Oct 11, 2024
View reviewed changes
Copy link
Collaborator

@majetideepak majetideepak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ArnavBalyan The PR looks incomplete. The CMakeLists.txt changes are missing. Can you complete this and ensure the build is passing?
Are you able to test this locally?

velox/connectors/hive/storage_adapters/gcs/GCSFileSystem.cpp
@@ -28,6 +28,8 @@
#include <stdexcept>

#include <google/cloud/storage/client.h>
#include "TokenProvider.h"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

paths must be relative to root.
Example: velox/connector/velox/connectors/hive/storage_adapters/gcs/TokenProvider.h
Please fix this at other places as well.

velox/connectors/hive/storage_adapters/gcs/GCSFileSystem.cpp
@@ -175,6 +180,7 @@ class GCSReadFile final : public ReadFile {
}

std::shared_ptr<gcs::Client> client_;
std::function<void(std::shared_ptr<gcs::Client>&, const std::optional<std::string>&, const std::optional<std::vector<std::string>>&)> refreshTokenFn_;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a comment here about the expected inputs are for the refereshTokenFn_

velox/connectors/hive/storage_adapters/gcs/GCSFileSystem.cpp
@@ -244,6 +252,7 @@ class GCSWriteFile final : public WriteFile {

gcs::ObjectWriteStream stream_;
std::shared_ptr<gcs::Client> client_;
std::function<void(std::shared_ptr<gcs::Client>&, const std::optional<std::string>&, const std::optional<std::vector<std::string>>&)> refreshTokenFn_;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add a comment here as well.

velox/connectors/hive/storage_adapters/gcs/GCSFileSystem.cpp
@@ -267,8 +276,12 @@ class GCSFileSystem::Impl {
// Use the input Config parameters and initialize the GCSClient.
void initializeClient() {
auto options = gc::Options{};

std::string accessTokenEnabled =
hiveConfig_->config()->get<std::string>("gcs.access_token_enabled", "false");
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You need to add new configs in HiveConfig.cpp/HiveConfig.h

velox/connectors/hive/storage_adapters/gcs/GCSFileSystem.cpp
if (accessTokenEnabled == "true") {
std::string providerClassName =
hiveConfig_->config()->get<std::string>("gcs.access_token_provider", "");
throw std::runtime_error("AccessTokenProvider not configured. Please implement an out of band access token provider.");
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we add some checks here?
I would LOG an error here and let the GCS library handle the invalid config

velox/connectors/hive/storage_adapters/gcs/GCSFileSystem.cpp
client_ = std::make_shared<gcs::Client>(options);
}

std::shared_ptr<gcs::Client> getClient() const {
return client_;
}

std::shared_ptr<OutOfBandOAuth2Credentials> credentials_;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should go to the private: section below.

velox/connectors/hive/storage_adapters/gcs/OutOfBandOAuth2Credentials.h
Comment on lines +17 to +18
#ifndef OUT_OF_BAND_OAUTH2_CREDENTIALS_H
#define OUT_OF_BAND_OAUTH2_CREDENTIALS_H
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Who needs this? gcs library?

@ArnavBalyan
Copy link
Author

Hi @majetideepak, thanks for the review, I have to update the CMakeLists. I'll address the comments and let you know

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@majetideepak majetideepak majetideepak left review comments

Assignees
No one assigned
Labels
CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ArnavBalyan @facebook-github-bot @majetideepak