Skip to content

Datalake catalog auth token profile events#2010

Open
ianton-ru wants to merge 4 commits into
antalya-26.3from
datalake-catalog-auth-token-profile-events
Open

Datalake catalog auth token profile events#2010
ianton-ru wants to merge 4 commits into
antalya-26.3from
datalake-catalog-auth-token-profile-events

Conversation

@ianton-ru

Copy link
Copy Markdown

Changelog category (leave one):

  • Improvement

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Datalake catalog auth token profile events

Documentation entry for user-facing changes

New profile events for requests to catalog token.

CI/CD Options

Exclude tests:

  • Fast test
  • Integration Tests
  • Stateless tests
  • Stateful tests
  • Performance tests
  • Aarch64 tests
  • All with ASAN
  • All with TSAN
  • All with MSAN
  • All with UBSAN
  • All with Coverage
  • All Regression
  • Disable CI Cache

Regression jobs to run:

  • Fast suites (mostly <1h)
  • Aggregate Functions (2h)
  • Alter (1.5h)
  • Benchmark (30m)
  • ClickHouse Keeper (1h)
  • Iceberg (2h)
  • LDAP (1h)
  • OAuth (5m)
  • Parquet (1.5h)
  • RBAC (1.5h)
  • SSL Server (1h)
  • S3 (2h)
  • S3 Export (2h)
  • Swarms (30m)
  • Tiered Storage (2h)

ianton-ru and others added 3 commits July 6, 2026 15:18
Track how often REST-family catalogs reuse cached OAuth/GCP tokens versus
fetching new ones or retrying after HTTP 401/403, and add an integration
test for the new metrics.

Co-authored-by: Cursor <cursoragent@cursor.com>
Use a mock OAuth server in the lakekeeper compose stack and valid
client credentials so token refresh and cache-hit profile events are
observed on SHOW TABLES queries.

Co-authored-by: Cursor <cursoragent@cursor.com>
Treat expired OAuth tokens as refresh candidates instead of cache hits,
and count BigLake GCP token refresh once per logical fetch when ADC
fallback to metadata is used.

Co-authored-by: Cursor <cursoragent@cursor.com>
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Workflow [PR], commit [c2a7bab]

@ianton-ru

Copy link
Copy Markdown
Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c2a7bab07f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

}
else
{
ProfileEvents::increment(ProfileEvents::DataLakeRestCatalogAuthTokenCacheHits);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P3 Badge Count token cache hits only after successful reuse

When a cached token is rejected with HTTP 401/403, the retry paths in createReadBuffer and sendRequest immediately fetch a new token, but this increment has already recorded DataLakeRestCatalogAuthTokenCacheHits. In that stale/revoked-token scenario the same query reports both a cache hit and a refresh even though the event is documented as reusing a cached token without fetching a new one; move this accounting to a point where the catalog request has succeeded, or suppress it when the unauthorized retry runs.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant