[Native] The "Extra Credentials" API is not available to Prestissimo/Velox connectors

[ashkrisk]

As per the Presto Client REST API, clients can add a header called X-Presto-Extra-Credential to their requests. These extra credentials are not used by core Presto, but are made available to the connectors through the ConnectorSession object.

session.getIdentity().getExtraCredentials()

In Prestissimo, the closest equivalent to the ConnectorSession is the ConnectorQueryCtx class, which does not have any interface to read the extra credentials provided by the client.

As such there is no way for Prestissimo connectors to read the extra credentials supplied by the client.

Expected Behavior or Use Case

Connectors written for Prestissimo should have access to the extra credentials provided by the client.

Presto Component, Service, or Connector

Prestissimo connector infrastructure.

Context

Normally, access credentials are specified as catalog properties. This does not always work well in multi-user contexts, where many different users with varying levels of access credentials are all interacting with the same presto cluster. The "Extra Credentials" interface is a way for integrations to provide different levels of access to different users, but these are currently unavailable to Prestissimo connectors. We ran into this issue while developing an Arrow Flight connector for Prestissimo.

[ashkrisk]

FYI @tdcmeehan

[aditi-pandit]

@majetideepak

[majetideepak]

@ashkrisk Velox does not have some of the Presto Java abstractions such as Session, Identity. An easy workaround is to combine the extraCredentials and other session properties along with the ConnectorQueryCtx.sessionProperties map.
I added this implementation below. Will that work for you?
#22859

[ashkrisk]

@majetideepak yes, we can work with this, thanks 👍
Should the credentials added to the session be prefixed like ec.<name> or extraCreds.<name> before adding them to the list of session properties to avoid conflicts?

[tdcmeehan]

Wondering if this use case, providing per-session authentication credentials, is common enough that it should have its own abstraction in Velox?

[majetideepak]

Wondering if this use case, providing per-session authentication credentials, is common enough that it should have its own abstraction in Velox?

Yes, we should add an identity/credentials abstraction in Velox. The complexity is to make this engine agnostic.
Is it going to simply be another map?

[majetideepak]

Should the credentials added to the session be prefixed

We can add a prefix. I assume the extraCredentials keys are fixed per connector.

[tdcmeehan]

Wondering if this use case, providing per-session authentication credentials, is common enough that it should have its own abstraction in Velox?

Yes, we should add an identity/credentials abstraction in Velox. The complexity is to make this engine agnostic. Is it going to simply be another map?

That's how it is in Presto. Connectors will either expect a specific key in that map, or it may be configurable as a property.

[majetideepak]

I added a simple Identity API in Velox. Let me know your feedback.
facebookincubator/velox#9982

[majetideepak]

@ashkrisk can you update the RFC to explain how and where the Extra Credentials will be used?

[ashkrisk]

@majetideepak added a couple of lines to explain where the extraCredentials will be used.

https://github.com/prestodb/rfcs/blob/1c8a264658eda3c47e2ba4bda2ecb32fb391992f/RFC-0003-arrow-flight-connector.md?plain=1#L110-L112