Skip to content

[rest] Add pluggable signer architecture for REST API authentication #7100

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
JingsongLi merged 4 commits into from
Jan 29, 2026
Merged

[rest] Add pluggable signer architecture for REST API authentication #7100

JingsongLi merged 4 commits into from
Jan 29, 2026

Conversation

@sundapeng
Copy link
Member

@sundapeng sundapeng commented Jan 22, 2026
edited
Loading

Purpose

This PR refactors the REST API authentication mechanism to support multiple signing algorithms through a pluggable architecture.

Key changes:

  • Introduced DLFRequestSigner interface to abstract signing behavior
  • Implemented two signing algorithms:
    • DLFDefaultSigner: Original DLF signing algorithm (DLF4-HMAC-SHA256)
    • DLFOpenApiSigner: New OpenAPI signing algorithm for AlibabaCloud OpenAPI endpoints(dlfnext)
  • Added automatic signer selection based on URI patterns in DLFAuthProviderFactory
  • Refactored some helper methods for better code organization

Benefits:

  • Better extensibility for future signing algorithms
  • Automatic algorithm selection transparent to users
  • Backward compatible with existing implementations

Tests

  • Added DLFRequestSignerTest with comprehensive test coverage
  • Updated existing tests in MockRESTCatalogTest and AuthProviderTest

API and Format

No API or storage format changes.

Documentation

  • Added documentation about two signer: DLFDefaultSigner and DLFOpenApiSigner
  • Added documentation for automatic signer selection logic based on endpoint URI patterns

@sundapeng sundapeng changed the title add new signer for dlf [WIP]add new signer for dlf Jan 22, 2026
@sundapeng sundapeng force-pushed the dlf-pop-signer branch 8 times, most recently from fa19e4b to d5b4b50 Compare January 28, 2026 16:30
@sundapeng sundapeng changed the title [WIP]add new signer for dlf [rest] Add pluggable signer architecture for rest API authentication Jan 28, 2026
@sundapeng sundapeng changed the title [rest] Add pluggable signer architecture for rest API authentication [rest] Add pluggable signer architecture for REST API authentication Jan 28, 2026
JingsongLi
JingsongLi reviewed Jan 29, 2026
View reviewed changes
docs/content/concepts/rest/dlf.md Outdated
Paimon supports multiple signing algorithms for DLF authentication. You can configure the signing algorithm explicitly,
or let Paimon automatically select it based on the endpoint host.

### Automatic Selection (Recommended)
Copy link
Contributor

@JingsongLi JingsongLi Jan 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

DLF Default Signing (Recommended)

Copy link
Member Author

@sundapeng sundapeng Jan 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

DLF Default Signing (Recommended)

Hi @JingsongLi , Here's a background: Each endpoint URI can only use the specific signer, so introduce the auto-selection:

  • For domain names containing "dlfnext", the OpenAPI signing is selected by default.
  • For other domain names, the default signing is selected by default.

For dlfnext endpoint, default signer is not work. "DLF Default Signing is Recommended" may be misleading.

Copy link
Contributor

@JingsongLi JingsongLi Jan 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If automatic derivation works well, is it necessary for us to expose this configuration?

Copy link
Member Author

@sundapeng sundapeng Jan 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All known scenarios don't require configuring it, but it's hard to guarantee the OpenAPI infrastructure won't change in the future.

Copy link
Contributor

@JingsongLi JingsongLi Jan 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is OK to introduce it, it is not necessary to document it.

Copy link
Member Author

@sundapeng sundapeng Jan 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Document updated.

@JingsongLi
Copy link
Contributor

JingsongLi commented Jan 29, 2026

+1

@JingsongLi JingsongLi merged commit 5925d39 into apache:master Jan 29, 2026
14 of 15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JingsongLi JingsongLi JingsongLi left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sundapeng @JingsongLi