Make regression tests use default authentication #804
Conversation
adutra
force-pushed
the
regtests-default-auth
branch
from
0ae2b98 to
266e9b3
Compare
adutra
changed the title
adutra
requested review from
ashvina,
dennishuo,
dimas-b,
eric-maynard,
jackye1995,
jbonofre,
vvcephei,
collado-mike,
snazy,
RussellSpitzer,
takidau,
flyrain and
ebyhr
as code owners
|
@MonkeyCanCode @flyrain @HonahX with this PR we should get regression tests running with production-like profile. This should supersede #866 and fix #865. Let me know what you think. |
adutra
force-pushed
the
regtests-default-auth
branch
from
266e9b3 to
f83ec9a
Compare
regtests/run_spark_sql.sh
Outdated
| @@ -55,7 +55,7 @@ if [ -z "${SPARK_HOME}"]; then | |||
| export SPARK_HOME=$(realpath ~/${SPARK_DISTRIBUTION}) | |||
| fi | |||
|
|
|||
| SPARK_BEARER_TOKEN="${REGTEST_ROOT_BEARER_TOKEN:-principal:root;realm:default-realm}" | |||
| SPARK_BEARER_TOKEN="${REGTEST_ROOT_BEARER_TOKEN:-principal:root;realm:POLARIS}" | |||
There was a problem hiding this comment.
Since the authenticator is default now, do we still need this token default value, principal:root;realm:POLARIS. Seems we will need to run the added script in run.sh to get a token using root credential first before running run_spark_sql.sh.
Additionally, is run_spark_sql.sh expected to work without first running run.sh? If so, may be we should consider adding code to get a token within this script to make it work out-of-box.
There was a problem hiding this comment.
do we still need this token default value
Indeed I thought about removing the default values everywhere, but I wasn't sure whether all these scripts are always executed from the run.sh entrypoint. Do you think we should remove the default values?
may be we should consider adding code to get a token within this script to make it work out-of-box.
Good catch! The script is definitely meant to be executed individually. I will add support for default auth in that script as well.
There was a problem hiding this comment.
I will add support for default auth in that script as well.
Done, let me know what you think!
There was a problem hiding this comment.
Done, let me know what you think!
Thanks for adding that! Look great!
but I wasn't sure whether all these scripts are always executed from the run.sh entrypoint. Do you think we should remove the default values?
My understanding is that the default values will always fail since default authenticator reject principal:root:realm:* token anyway. We will need to either execute run.sh to store a real token in env or adding the default auth like run_spark_sql.sh to make scripts able to be executed without run.sh.
Keeping default values there will have no affect on tests but I feel it will cause additional work if we want to change realm name for regression test in the future. WDYT?
There was a problem hiding this comment.
I think I agree. Should I remove the default values in this PR or as a follow-up?
There was a problem hiding this comment.
I am ok with either way. As you pointed out in #865 (comment), we will need some follow-up PRs to clean-up/fix things so I think that could also be a good place to remove these values
There was a problem hiding this comment.
Okay, I took note to open a follow-up PR for that 👍
| polaris.realm-context.realms: default-realm,realm1 | ||
| quarkus.log.file.enable: false | ||
| POLARIS_BOOTSTRAP_CREDENTIALS: POLARIS,root,secret | ||
| quarkus.log.file.enable: "false" |
There was a problem hiding this comment.
This can also help simplify the docker-compose.yml in getting-started examples: e.g. #868
I am happy to update that PR if this one goes in first : )
| @@ -24,7 +24,7 @@ if [ -z "$AWS_CROSS_REGION_TEST_ENABLED" ] || [ "$AWS_CROSS_REGION_TEST_ENABLED" | |||
| exit 0 | |||
| fi | |||
|
|
|||
| SPARK_BEARER_TOKEN="${REGTEST_ROOT_BEARER_TOKEN:-principal:root;realm:realm1}" | |||
| SPARK_BEARER_TOKEN="${REGTEST_ROOT_BEARER_TOKEN:-principal:root;realm:POLARIS}" | |||
There was a problem hiding this comment.
Do we need to keep -principal:root;realm:POLARIS as token will be fetched by run.sh? Given the direction that we want to to is to use the default authenticator always for reggresstion test, I think we should remove them to avoid confusion, as principal:root;realm:POLARIS doesn't work for default athenticator.
There was a problem hiding this comment.
With @HonahX we decided to postpone that, but I think you are right: leaving this default value will create confusion. So I went ahead and removed them.
README.md
Outdated
| @@ -62,11 +62,8 @@ Apache Polaris is built using Gradle with Java 21+ and Docker 27+. | |||
| - `./gradlew assemble` - To skip tests. | |||
| - `./gradlew test` - To run unit tests and integration tests. | |||
| - `./gradlew polarisServerRun` - To run the Polaris server locally, with profile `prod`; the server | |||
There was a problem hiding this comment.
I'm not familiar with Quarkus conventions, but "with profile prod" seems a bit odd to me, it is no way close to a prod deployment. Is "with the default profile" more accurate? Or we don't even have to mention it in that case.
There was a problem hiding this comment.
You are right. Rephrased.
|
I think we should also remove this line, polaris/getting-started/trino/README.md Line 56 in 7d854f2 |
Also align realm names and fix docs.
adutra
force-pushed
the
regtests-default-auth
branch
from
a8a1c40 to
f71b14f
Compare
|
Rebased (to get the tox removal commit) and addressed feedback. I am now able to run the regression tests both locally and with docker-compose. I am also able to run |
... and align realm names to use
POLARISconsistently.Using default authenticators with real JWT tokens, the regression tests are better aligned with a production-like setup.