Fix prefix match for ADLS_SAS_TOKEN (#2461)

tom-s-powell · iamthomaspowell · web-flow · commit 6e018c85af73 · 2025-09-16T12:25:00.000-07:00
The current logic when constructing an ADLS file system incorrectly matches [`adls.sas-token-expires-at-ms.`](https://github.com/apache/iceberg/blob/d1771207c9040f1c8b6886665b56d1a972fe402a/azure/src/main/java/org/apache/iceberg/azure/AzureProperties.java#L45) prefixed keys. If this is provided and encountered prior to [`adls.sas-token.`](https://github.com/apache/iceberg/blob/d1771207c9040f1c8b6886665b56d1a972fe402a/azure/src/main/java/org/apache/iceberg/azure/AzureProperties.java#L44) prefixed keys, it will incorrectly determine the `ADLS_ACCOUNT_NAME` and `ADLS_SAS_TOKEN`. For example with the following properties: ``` { 'adls.sas-token-expires-at-ms.testaccount.dfs.core.windows.net': '1757597218121', 'adls.sas-token.testaccount.dfs.core.windows.net': '<redacted>' } ``` **Before** ``` { 'adls.sas-token-expires-at-ms.testaccount.dfs.core.windows.net': '1757597218121', 'adls.sas-token.testaccount.dfs.core.windows.net': '<redacted>', 'adls.account-name': 'adls', 'adls.sas-token': '1757597218121' } ``` **After** ``` { 'adls.sas-token-expires-at-ms.testaccount.dfs.core.windows.net': '1757597218121', 'adls.sas-token.testaccount.dfs.core.windows.net': '<redacted>', 'adls.account-name': 'testaccount', 'adls.sas-token': '<redacted>' } ``` --------- Co-authored-by: Thomas Powell <tpowell@palantir.com>
diff --git a/pyiceberg/io/fsspec.py b/pyiceberg/io/fsspec.py
@@ -207,7 +207,7 @@ def _adls(properties: Properties) -> AbstractFileSystem:
     from azure.core.credentials_async import AsyncTokenCredential
 
     for key, sas_token in {
-        key.replace(f"{ADLS_SAS_TOKEN}.", ""): value for key, value in properties.items() if key.startswith(ADLS_SAS_TOKEN)
+        key.replace(f"{ADLS_SAS_TOKEN}.", ""): value for key, value in properties.items() if key.startswith(f"{ADLS_SAS_TOKEN}.")
     }.items():
         if ADLS_ACCOUNT_NAME not in properties:
             properties[ADLS_ACCOUNT_NAME] = key.split(".")[0]
diff --git a/tests/io/test_fsspec.py b/tests/io/test_fsspec.py
@@ -508,6 +508,34 @@ def test_fsspec_pickle_round_trip_aldfs(adls_fsspec_fileio: FsspecFileIO) -> Non
     _test_fsspec_pickle_round_trip(adls_fsspec_fileio, "abfss://tests/foo.txt")
 
 
+@pytest.mark.adls
+def test_adls_account_name_sas_token_extraction() -> None:
+    session_properties: Properties = {
+        "adls.tenant-id": "test-tenant-id",
+        "adls.account-host": "testaccount.dfs.core.windows.net",
+        "adls.sas-token.testaccount.dfs.core.windows.net": "test-sas-token",
+        "adls.sas-token-expires-at-ms.testaccount.dfs.core.windows.net": "1757597218121",
+    }
+
+    with mock.patch("adlfs.AzureBlobFileSystem") as mock_adlfs:
+        adls_fileio = FsspecFileIO(properties=session_properties)
+        filename = str(uuid.uuid4())
+
+        adls_fileio.new_input(location=f"abfss://tests/{filename}")
+
+        mock_adlfs.assert_called_with(
+            connection_string=None,
+            credential=None,
+            account_name="testaccount",
+            account_key=None,
+            sas_token="test-sas-token",
+            tenant_id="test-tenant-id",
+            client_id=None,
+            client_secret=None,
+            account_host="testaccount.dfs.core.windows.net",
+        )
+
+
 @pytest.mark.gcs
 def test_fsspec_new_input_file_gcs(fsspec_fileio_gcs: FsspecFileIO) -> None:
     """Test creating a new input file from a fsspec file-io"""
