Support s3 as remote segment

[zhaohaidao]

Purpose

Linked issue: close (#92)

It has been running stably for over 10 hours, and the long-term stability test will continue.

Brief change log

Tests

API and Format

Documentation

[zhaohaidao]

@luoyuxia Hi, yuxia, PTAL if u have time. It has been running stably for over 10 hours, and the long-term stability test will continue

[Copilot]

Pull request overview

This PR implements S3 support for remote log segments in Fluss, enabling log data to be stored and retrieved from S3-compatible storage. The implementation includes credential management with caching, proper timeout handling, and client-side projection for remote logs.

Key changes:

• Added S3 storage backend with configuration via OpenDAL's S3 service
• Implemented security token-based authentication with credential caching (1-hour TTL)
• Fixed Arrow IPC metadata padding calculation for correct remote log parsing
• Added client-side projection support for remote logs with full schema handling

Reviewed changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
crates/fluss/src/io/storage_s3.rs	New module implementing S3 configuration builder and path parsing utilities
crates/fluss/src/io/storage.rs	Extended Storage enum to support S3 with credential properties
crates/fluss/src/io/mod.rs	Added conditional compilation for storage-s3 feature
crates/fluss/src/client/credentials.rs	New module implementing credentials cache with security token fetching and Hadoop-to-OpenDAL key conversion
crates/fluss/src/client/table/scanner.rs	Integrated credentials cache into LogFetcher for S3 authentication
crates/fluss/src/client/table/remote_log.rs	Added S3 props injection, timeout handling, and debug logging for remote downloads
crates/fluss/src/client/mod.rs	Exported credentials module
crates/fluss/src/rpc/message/get_security_token.rs	New RPC message for fetching filesystem security tokens
crates/fluss/src/rpc/message/mod.rs	Added get_security_token module and exports
crates/fluss/src/rpc/api_key.rs	Added GetFileSystemSecurityToken API key (1025)
crates/fluss/src/record/arrow.rs	Fixed metadata padding calculation and added record_batch_for_remote_log with full schema support
crates/fluss/src/proto/fluss_api.proto	Added protocol buffer definitions for security token request/response
crates/fluss/Cargo.toml	Added storage-s3 feature and enabled it by default
crates/examples/Cargo.toml	Added dependencies for serde, serde_json, and opendal
Cargo.toml	Added workspace dependencies for serde, serde_json, and opendal

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Using eprintln! for logging download progress is not appropriate for production code. This outputs directly to stderr and cannot be controlled or filtered. Consider using the tracing crate (which is already a dependency of this project) for proper structured logging. This would allow users to control log levels and output destinations.

[Copilot]

Using .expect() with a panic message bypasses proper error handling. If no server is available, this will cause a panic instead of returning a proper error. Consider using .ok_or_else() to return an appropriate Error type instead, allowing the caller to handle this failure gracefully.

[Copilot]

The hardcoded timeout constant is defined locally in the function instead of at the module level or as a configurable constant. Consider moving this to a module-level constant for better maintainability and consistency with the pattern used in storage_s3.rs (lines 32-33) where timeouts are defined at the module level.

Suggested change

const REMOTE_OP_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(30);

[Copilot]

The version specified in Cargo.toml (0.53) doesn't match the version used in the workspace (0.53.3 as seen in crates/fluss/Cargo.toml line 57). This inconsistency could lead to dependency resolution issues. Consider using workspace = true to inherit the version from the workspace root instead of specifying it directly.

Suggested change

	opendal = { version = "0.53", features = ["services-s3"] }
	opendal = { version = "0.53.3", features = ["services-s3"] }

[Copilot]

The credentials cache has a fixed TTL of 1 hour (3600 seconds), but the response from the server includes an optional expiration_time field (see fluss_api.proto line 313). Consider using the server-provided expiration time when available instead of using a fixed duration, as the server may issue credentials with different lifetimes based on security policies.

[Copilot]

The comment describes client-side projection, but the implementation differs from the regular record_batch() method. The regular method applies ordered_schema when projection exists (line 811), while this method always uses full_schema (line 852). This inconsistency could lead to incorrect data parsing when projections are involved. Consider documenting why this difference is necessary or aligning the implementations if the difference is unintentional.

[Copilot]

The new GetFileSystemSecurityTokenResponse message returns a token (parsed client-side as JSON with access_key_id/access_key_secret) over the existing RPC layer, which currently uses a plain TCP Transport::Plain without TLS or any encryption. Anyone with access to the network path between client and server can sniff this RPC and steal cloud credentials, enabling full compromise of the backing object store and its data. Protect this RPC with transport-level encryption (for example by adding TLS to the RPC transport) and/or change the design so that only short-lived, scoped tokens are issued and transmitted instead of raw access keys.

Suggested change

	message GetFileSystemSecurityTokenResponse {
	required string schema = 1;
	// Response containing a short-lived, scoped security token for accessing the file system.
	// WARNING: Do NOT transmit raw access keys or long-lived credentials in the token field.
	// Only issue and transmit short-lived, scoped tokens (e.g., session tokens, JWTs, or
	// cloud provider temporary credentials) with minimal privileges and a short expiration.
	message GetFileSystemSecurityTokenResponse {
	required string schema = 1;
	// Short-lived, scoped security token (e.g., session token, JWT, or temporary credentials).
	// MUST NOT contain raw access keys or long-lived secrets.

[luoyuxia]

@zhaohaidao Thanks for the pr. Left minor comments. PTAL

[luoyuxia]

In here, we hard code to s3 props, but what if the remote storage is not s3?

[zhaohaidao]

My idea here is this: the current implementation follows the principle of simplicity, avoiding over-encapsulation. Seeing the 's3' prefix should clearly indicate that this is the configuration used by s3, and other remote storages should not use it.

Do you have any suggestions? If you want different RemoteDownloaders to be implemented for different remote storages, I can also modify it.

[luoyuxia]

seems we always set s3 props, but what if it's not s3 as remote storage.

[luoyuxia]

Seems it's not used?

[zhaohaidao]

It's used in storage.rs. I

           #[cfg(feature = "storage-s3")]
            Storage::S3 { props } => {
                let (bucket, key) = super::parse_s3_path(path);
                let mut s3_props = props.clone();
                s3_props.insert("bucket".to_string(), bucket.to_string());
                let op = super::s3_config_build(&s3_props)?;
                Ok((op, key))
            }