Skip to content

feat(namespace): pluggable auth providers for REST Namespace with AWS SigV4#7099

Open
shiwk wants to merge 5 commits into
lance-format:mainfrom
shiwk:feat/rest-auth-sigv4
Open

feat(namespace): pluggable auth providers for REST Namespace with AWS SigV4#7099
shiwk wants to merge 5 commits into
lance-format:mainfrom
shiwk:feat/rest-auth-sigv4

Conversation

@shiwk

@shiwk shiwk commented Jun 4, 2026
edited
Loading

Copy link
Copy Markdown

Summary

Implements pluggable authentication for REST Namespace, with AWS SigV4 as the first provider. Closes #6583.

  • Introduces RestAuthProvider trait with per-request authenticate() and connect-time initialize() for fail-fast credential validation
  • Adds SigV4AuthProvider using the aws-sigv4 crate, with credentials resolved via explicit properties or the standard AWS chain (env vars, profile, IMDS)
  • Supports explicit static credentials via rest.auth.sigv4.access-key-id, rest.auth.sigv4.secret-access-key, and rest.auth.sigv4.session-token properties, taking precedence over the AWS default chain
  • Wires through Python (PyO3) and Java (JNI) bindings — properties like rest.auth.type=sigv4 pass transparently to Rust
  • Includes x-amz-content-sha256 header for S3-compatible service support
  • rest.auth.* and header.Authorization are mutually exclusive; misconfiguration is caught at build time

Configuration

rest.auth.type = sigv4
rest.auth.sigv4.region = us-east-1
rest.auth.sigv4.service = execute-api          # default
rest.auth.sigv4.access-key-id = AKIA...        # optional, overrides env
rest.auth.sigv4.secret-access-key = wJal...    # optional, overrides env
rest.auth.sigv4.session-token = FwoGZX...      # optional

Test plan

  • Rust unit tests (14): AWS official test vectors, session token signing, explicit credentials via properties, injected provider precedence over static credentials, partial credentials rejection, host:port handling, auth conflict detection
  • Signature correctness cross-verified against botocore (Python) for both GET and POST requests
  • Python e2e tests (7): connect + operate, missing region error, botocore signature cross-verification, explicit credentials, session token, precedence over env, partial credentials rejection
  • Java e2e tests (7): connect + operate, missing region error, header format verification, explicit credentials, session token, credentials regardless of env, partial credentials rejection
  • cargo clippy and cargo test across feature matrix including --all-features

claude[bot]
claude Bot reviewed Jun 4, 2026
View reviewed changes

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude Code Review

This pull request is from a fork — automated review is disabled. A repository maintainer can comment @claude review to run a one-time review.

@github-actions github-actions Bot added A-python Python bindings A-java Java bindings + JNI A-deps Dependency updates A-namespace Namespace impls enhancement New feature or request labels Jun 4, 2026
@shiwk shiwk force-pushed the feat/rest-auth-sigv4 branch from 2f11cea to b0817e5 Compare June 8, 2026 01:58
@shiwk shiwk force-pushed the feat/rest-auth-sigv4 branch 2 times, most recently from bcd4fdb to d59a620 Compare June 8, 2026 06:57
@shiwk shiwk force-pushed the feat/rest-auth-sigv4 branch from d59a620 to b5f7f1f Compare June 8, 2026 07:18
@shiwk

shiwk commented Jun 8, 2026

Copy link
Copy Markdown
Author

@jackye1995 Could you help review this when you have time? Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@claude claude[bot] claude[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

A-deps Dependency updates A-java Java bindings + JNI A-namespace Namespace impls A-python Python bindings enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support pluggable authentication providers for REST Namespace (e.g. AWS SigV4)

1 participant

@shiwk