feat(auth): implement SigV4 authentication for REST catalog by plusplusjiajia · Pull Request #616 · apache/iceberg-cpp

plusplusjiajia · 2026-04-11T08:47:05Z

Implement AWS SigV4 authentication for the REST catalog client, following Java's RESTSigV4AuthManager and RESTSigV4AuthSession.

Extend AuthSession::Authenticate() with HTTPRequestContext (method, url, body) for SigV4 request signing
Add SigV4AuthSession: delegate-first auth → relocate conflicting Authorization header → sign with AWS SDK
Add SigV4AuthManager: wraps delegate AuthManager (default OAuth2), resolves credentials from properties or default chain
Body hash matches Java's SignerChecksumParams output: empty body → hex EMPTY_BODY_SHA256; non-empty body → Base64(SHA256(body))

wgtmac

Thanks for adding this! I have just completed the architectural review and didn't fully review the sigv4 manager yet. I have some preliminary questions here:

Should we also be compatible to the legacy rest.sigv4-enabled=true config (and others) when creating a auth manager?
How is this tested e2e? Any chance to have an integration test?

plusplusjiajia · 2026-05-12T09:56:42Z

Thanks for adding this! I have just completed the architectural review and didn't fully review the sigv4 manager yet. I have some preliminary questions here:

Should we also be compatible to the legacy rest.sigv4-enabled=true config (and others) when creating a auth manager?

How is this tested e2e? Any chance to have an integration test?

@wgtmac Thanks for taking a look!
Legacy rest.sigv4-enabled: Java does carry a deprecation alias here. I'd rather not pull that over into a fresh client — iceberg-cpp has no historical users to preserve, and inheriting a property name Java is already trying to retire feels like the wrong direction. Happy to revisit if there's a concrete cross-runtime config-sharing case.
E2E: Java's TestRESTSigV4AuthSession is also header-only — it checks the headers the signer produces but never sends a real HTTP request. The first 12 of our 21 cases are direct ports, so we're at parity with Java's actual coverage.

…eson

…or S3+SigV4)

…s, Base64 wording, CI toolchain

…g session test

wgtmac · 2026-06-13T03:45:34Z

Thanks for the update! I'll go through it again and perhaps polish some design on my end. Have you ever tested it against a real AWS environment? How can we ensure it works and won't break in the future?

Simplify AWS SDK wiring, remove premature session-cache plumbing, tighten credential validation, and strengthen SigV4 tests.

wgtmac

Thanks for working on this PR, @plusplusjiajia!

I have pushed a commit for cleanup. I think this PR still has some design issues, especially around REST catalog session and table-level auth. I have to admit that current REST catalog design has some obvious drawbacks which make it hard to support contextual sessions. So let’s keep this PR focused for now. I may follow up with a separate PR to address the design issues around REST catalog.

plusplusjiajia · 2026-06-14T08:48:26Z

Thanks @wgtmac for the thorough review and the polish pass, and everyone else for the feedback along the way — much appreciated!

plusplusjiajia force-pushed the sigv4 branch 9 times, most recently from d1c0732 to 4326282 Compare April 11, 2026 11:01

evindj reviewed Apr 14, 2026

View reviewed changes