Implementation:Apache Paimon DLFAuthProviderFactory
| Knowledge Sources | |
|---|---|
| Domains | Authentication, Alibaba Cloud, Factory Pattern |
| Last Updated | 2026-02-08 00:00 GMT |
Overview
DLFAuthProviderFactory creates DLFAuthProvider instances from configuration options, supporting multiple authentication modes and automatic algorithm selection.
Description
DLFAuthProviderFactory implements the AuthProviderFactory interface to provide a configuration-driven way of creating DLFAuthProvider instances for Alibaba Cloud Data Lake Formation authentication. The factory handles the complexity of parsing configuration options and determining the appropriate authentication mode.
The factory supports three primary authentication modes based on the configuration options provided: token loader mode (using dlf.token-loader or dlf.token-path), access key mode (using dlf.access-key-id and dlf.access-key-secret), and ECS metadata mode (automatically using ECS instance role credentials). Each mode has its own configuration requirements and validation logic.
An intelligent feature of this factory is the automatic determination of the DLF region and signing algorithm when not explicitly configured. The parseRegionFromUri() method extracts the region from the endpoint URI using regex pattern matching, supporting various Alibaba Cloud region naming conventions including pre-production environments. The parseSigningAlgoFromUri() method automatically selects the appropriate signing algorithm based on the endpoint hostname, choosing 'openapi' for DlfNext endpoints and 'default' for standard DLF endpoints.
The factory validates configuration completeness, throwing descriptive IllegalArgumentException when required parameters are missing. This fail-fast approach helps developers quickly identify configuration issues during application initialization.
Usage
Use DLFAuthProviderFactory when configuring REST catalog connections to Alibaba Cloud DLF. The factory is automatically discovered through Paimon's plugin mechanism when token.provider is set to "dlf", and it handles all the complexity of creating properly configured DLFAuthProvider instances.
Code Reference
Source Location
- Repository: Apache_Paimon
- File: paimon-api/src/main/java/org/apache/paimon/rest/auth/DLFAuthProviderFactory.java
Signature
public class DLFAuthProviderFactory implements AuthProviderFactory {
@Override
public String identifier() {
return AuthProviderEnum.DLF.identifier();
}
@Override
public AuthProvider create(Options options);
protected static String parseRegionFromUri(String uri);
protected static String parseSigningAlgoFromUri(String uri);
}
Import
import org.apache.paimon.rest.auth.DLFAuthProviderFactory;
I/O Contract
Inputs
| Name | Type | Required | Description |
|---|---|---|---|
| options | Options | Yes | Configuration options containing DLF authentication parameters |
| uri | String | Yes | DLF endpoint URI (from RESTCatalogOptions.URI) |
| dlf.region | String | No | DLF region (auto-detected from URI if not set) |
| dlf.signing-algorithm | String | No | Signing algorithm (auto-detected from URI if not set) |
| dlf.token-loader | String | No | Token loader identifier for token-based auth |
| dlf.token-path | String | No | File path for file-based token auth |
| dlf.access-key-id | String | No | Access key ID for key-based auth |
| dlf.access-key-secret | String | No | Access key secret for key-based auth |
| dlf.security-token | String | No | Optional security token for temporary credentials |
Outputs
| Name | Type | Description |
|---|---|---|
| create() | AuthProvider | Returns configured DLFAuthProvider instance |
| parseRegionFromUri() | String | Returns extracted region from URI |
| parseSigningAlgoFromUri() | String | Returns appropriate signing algorithm identifier |
Usage Examples
import org.apache.paimon.rest.auth.AuthProvider;
import org.apache.paimon.rest.auth.DLFAuthProviderFactory;
import org.apache.paimon.rest.RESTCatalogOptions;
import org.apache.paimon.options.Options;
// Example 1: Access key authentication with auto-detected region
Options options = new Options();
options.set(RESTCatalogOptions.URI, "https://dlf.cn-hangzhou.aliyuncs.com");
options.set(RESTCatalogOptions.TOKEN_PROVIDER, "dlf");
options.set(RESTCatalogOptions.DLF_ACCESS_KEY_ID, "LTAI***");
options.set(RESTCatalogOptions.DLF_ACCESS_KEY_SECRET, "secret***");
// Region "cn-hangzhou" is automatically extracted from URI
DLFAuthProviderFactory factory = new DLFAuthProviderFactory();
AuthProvider provider = factory.create(options);
// Example 2: Explicit region and signing algorithm
Options explicitOptions = new Options();
explicitOptions.set(RESTCatalogOptions.URI, "https://custom.endpoint.com");
explicitOptions.set(RESTCatalogOptions.TOKEN_PROVIDER, "dlf");
explicitOptions.set(RESTCatalogOptions.DLF_REGION, "cn-beijing");
explicitOptions.set(RESTCatalogOptions.DLF_SIGNING_ALGORITHM, "openapi");
explicitOptions.set(RESTCatalogOptions.DLF_ACCESS_KEY_ID, "LTAI***");
explicitOptions.set(RESTCatalogOptions.DLF_ACCESS_KEY_SECRET, "secret***");
AuthProvider explicitProvider = factory.create(explicitOptions);
// Example 3: Token loader authentication
Options loaderOptions = new Options();
loaderOptions.set(RESTCatalogOptions.URI, "https://dlf.cn-shanghai.aliyuncs.com");
loaderOptions.set(RESTCatalogOptions.TOKEN_PROVIDER, "dlf");
loaderOptions.set(RESTCatalogOptions.DLF_TOKEN_LOADER, "ecs");
loaderOptions.set(RESTCatalogOptions.DLF_TOKEN_ECS_ROLE_NAME, "my-ecs-role");
AuthProvider loaderProvider = factory.create(loaderOptions);
// Example 4: File-based token authentication
Options fileOptions = new Options();
fileOptions.set(RESTCatalogOptions.URI, "https://dlf.cn-hangzhou.aliyuncs.com");
fileOptions.set(RESTCatalogOptions.TOKEN_PROVIDER, "dlf");
fileOptions.set(RESTCatalogOptions.DLF_TOKEN_PATH, "/path/to/token.json");
AuthProvider fileProvider = factory.create(fileOptions);
// Example 5: Temporary credentials with security token
Options tempOptions = new Options();
tempOptions.set(RESTCatalogOptions.URI, "https://dlf.cn-hangzhou.aliyuncs.com");
tempOptions.set(RESTCatalogOptions.TOKEN_PROVIDER, "dlf");
tempOptions.set(RESTCatalogOptions.DLF_ACCESS_KEY_ID, "STS.***");
tempOptions.set(RESTCatalogOptions.DLF_ACCESS_KEY_SECRET, "temp_secret***");
tempOptions.set(RESTCatalogOptions.DLF_SECURITY_TOKEN, "security_token***");
AuthProvider tempProvider = factory.create(tempOptions);
// Example 6: Auto-detect OpenAPI signing from DlfNext endpoint
Options openapiOptions = new Options();
openapiOptions.set(RESTCatalogOptions.URI,
"https://dlfnext.cn-hangzhou.aliyuncs.com");
openapiOptions.set(RESTCatalogOptions.TOKEN_PROVIDER, "dlf");
openapiOptions.set(RESTCatalogOptions.DLF_ACCESS_KEY_ID, "LTAI***");
openapiOptions.set(RESTCatalogOptions.DLF_ACCESS_KEY_SECRET, "secret***");
// Signing algorithm automatically set to "openapi" due to "dlfnext" in URI
AuthProvider openapiProvider = factory.create(openapiOptions);
// Example 7: Region parsing examples
String region1 = DLFAuthProviderFactory.parseRegionFromUri(
"https://dlf.cn-hangzhou.aliyuncs.com");
// Returns: "cn-hangzhou"
String region2 = DLFAuthProviderFactory.parseRegionFromUri(
"https://dlf.pre-cn-beijing.aliyuncs.com");
// Returns: "cn-beijing"
String region3 = DLFAuthProviderFactory.parseRegionFromUri(
"https://dlf.us-west-1.aliyuncs.com");
// Returns: "us-west-1"
// Example 8: Signing algorithm detection
String algo1 = DLFAuthProviderFactory.parseSigningAlgoFromUri(
"https://dlf.cn-hangzhou.aliyuncs.com");
// Returns: "default"
String algo2 = DLFAuthProviderFactory.parseSigningAlgoFromUri(
"https://dlfnext.cn-hangzhou.aliyuncs.com");
// Returns: "openapi"
// Example 9: Error handling
try {
Options invalidOptions = new Options();
invalidOptions.set(RESTCatalogOptions.URI, "https://dlf.cn-hangzhou.aliyuncs.com");
invalidOptions.set(RESTCatalogOptions.TOKEN_PROVIDER, "dlf");
// Missing authentication credentials
factory.create(invalidOptions);
} catch (IllegalArgumentException e) {
System.err.println("Configuration error: " + e.getMessage());
// Output: "DLF token path or AK must be set for DLF Auth."
}
// Example 10: Pre-production environment
Options preOptions = new Options();
preOptions.set(RESTCatalogOptions.URI,
"https://dlf.pre-cn-hangzhou.aliyuncs.com");
preOptions.set(RESTCatalogOptions.TOKEN_PROVIDER, "dlf");
preOptions.set(RESTCatalogOptions.DLF_ACCESS_KEY_ID, "LTAI***");
preOptions.set(RESTCatalogOptions.DLF_ACCESS_KEY_SECRET, "secret***");
// Region correctly extracted as "cn-hangzhou" (pre- prefix removed)
AuthProvider preProvider = factory.create(preOptions);