mirrors/seaweedfs
1
0
Fork 0
mirror of https://github.com/seaweedfs/seaweedfs.git synced 2026-05-20 16:51:31 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
4.20
seaweedfs/test/s3tables
History
Chris Lu 2b8c16160f feat(iceberg): add OAuth2 token endpoint for DuckDB compatibility (#9017) 
* feat(iceberg): add OAuth2 token endpoint for DuckDB compatibility (#9015)

DuckDB's Iceberg connector uses OAuth2 client_credentials flow,
hitting POST /v1/oauth/tokens which was not implemented, returning 404.

Add the OAuth2 token endpoint that accepts S3 access key / secret key
as client_id / client_secret, validates them against IAM, and returns
a signed JWT bearer token. The Auth middleware now accepts Bearer tokens
in addition to S3 signature auth.

* fix(test): use weed shell for table bucket creation with IAM enabled

The S3 Tables REST API requires SigV4 auth when IAM is configured.
Use weed shell (which bypasses S3 auth) to create table buckets,
matching the pattern used by the Trino integration tests.

* address review feedback: access key in JWT, full identity in Bearer auth

- Include AccessKey in JWT claims so token verification uses the exact
  credential that signed the token (no ambiguity with multi-key identities)
- Return full Identity object from Bearer auth so downstream IAM/policy
  code sees an authenticated request, not anonymous
- Replace GetSecretKeyForIdentity with GetCredentialByAccessKey for
  unambiguous credential lookup
- DuckDB test now tries the full SQL script first (CREATE SECRET +
  catalog access), falling back to simple CREATE SECRET if needed
- Tighten bearer auth test assertion to only accept 200/500

Addresses review comments from coderabbitai and gemini-code-assist.

* security: use PostFormValue, bind signing key to access key, fix port conflict

- Use r.PostFormValue instead of r.FormValue to prevent credentials from
  leaking via query string into logs and caches
- Reject client_secret in URL query parameters explicitly
- Include access key in HMAC signing key derivation to prevent
  cross-credential token forgery when secrets happen to match
- Allocate dedicated webdav port in OAuth test env to avoid port
  collision with the shared TestMain cluster
2026-04-10 11:18:11 -07:00
..
catalog
feat(iceberg): add OAuth2 token endpoint for DuckDB compatibility (#9017)
2026-04-10 11:18:11 -07:00
catalog_risingwave
test: consolidate port allocation into shared test/testutil package (#8982)
2026-04-08 11:30:02 -07:00
catalog_spark
test: consolidate port allocation into shared test/testutil package (#8982)
2026-04-08 11:30:02 -07:00
catalog_trino
test: consolidate port allocation into shared test/testutil package (#8982)
2026-04-08 11:30:02 -07:00
lakekeeper
test: consolidate port allocation into shared test/testutil package (#8982)
2026-04-08 11:30:02 -07:00
maintenance
test: consolidate port allocation into shared test/testutil package (#8982)
2026-04-08 11:30:02 -07:00
polaris
test: consolidate port allocation into shared test/testutil package (#8982)
2026-04-08 11:30:02 -07:00
sts_integration
test: consolidate port allocation into shared test/testutil package (#8982)
2026-04-08 11:30:02 -07:00
table-buckets
test: consolidate port allocation into shared test/testutil package (#8982)
2026-04-08 11:30:02 -07:00
Makefile
Remove unsupported iceberg rest signing-region from tests and docs (#8289)
2026-02-10 12:23:31 -08:00
README.txt
Add Iceberg admin UI (#8246)
2026-02-08 20:06:32 -08:00

README.txt 

Populate data run:

  - make -C test/s3tables help
  - make -C test/s3tables populate-trino
  - make -C test/s3tables populate-spark

  Run:

  - make -C test/s3tables populate
  - If your account id differs, override: make -C test/s3tables populate
    TABLE_ACCOUNT_ID=000000000000
Reference in New Issue View Git Blame Copy Permalink