[Data] Fix credential drop and IMDS herd in download expression

[xyuzh]

Summary

Fixes two independent bugs in the download expression pipeline that compound under concurrent S3 workloads on EC2.

Bug 1 — Silent credential drop (obstore path)

When a user passes an fsspec S3FileSystem with Okta/STS/profile-based auth (wrapped as PyFileSystem(FSSpecHandler(s3fs_fs))), _extract_credentials_from_filesystem read only static attrs (key/secret/token, storage_options). Those attrs are None for session-backed s3fs — credentials live on fs.session.get_credentials() and may rotate. The function returned {}, obstore's from_url got no keys, and obstore silently fell back to its own credential chain (IMDS on EC2). Users never saw a warning.

Bug 2 — IMDS thundering herd (threaded fallback)

download_bytes_threaded spawned 16 worker threads via make_async_gen. Each worker independently called _resolve_paths_and_filesystem(uri, cached_fs=None) on its first URI, constructing a fresh pyarrow.fs.S3FileSystem → triggering an IMDS credential fetch. With N concurrent Download tasks on a node that was ~16×N near-simultaneous IMDS HTTP calls — enough to trip the per-instance rate limit and produce intermittent NoCredentialsError.

Changes

• _extract_credentials_from_filesystem now returns Optional[Dict]. None signals "route to threaded" so the user's filesystem stays authoritative. New _frozen_s3fs_credentials helper snapshots via session.get_credentials().get_frozen_credentials() for both sync (botocore) and async (aiobotocore) sessions. Unrecognized non-None filesystems also return None per the new contract.
• _plan_obstore_routing(fs) -> (use_obstore, fs_kwargs) centralizes dispatch with a one-shot WARNING per filesystem when credentials can't be extracted.
• plan_download_op pre-decides obstore-vs-threaded at plan time and routes AsyncPartitionActor accordingly — no silent downgrade.
• download_bytes_threaded resolves the filesystem exactly once per (block, column) before make_async_gen and shares it across all 16 workers via closure default-arg binding. Probe loop requires both paths and fs to be usable before breaking, avoiding leak-through when _resolve_paths_and_filesystem silently drops a bad URI.
• download_bytes_async extracts credentials once in sync context and threads kwargs through to _download_uris_with_obstore. Fixes a correctness issue where aiobotocore's async get_credentials couldn't run from inside an existing event loop.
• AsyncPartitionActor fails closed with a clear RuntimeError if it's ever constructed with an unextractable filesystem (dispatch-bug guard).

Test plan

• pre-commit run passes on all changed files (ruff, pydoclint, black, docstyle, semgrep, import order, mock-method / logger checks).
• Added unit tests in test_obstore_download.py:
  • TestSessionBackedFsspecCredentials — boto3 sync session, aiobotocore async session, _session fallback for older s3fs, unresolvable session returns None, no-access-key returns None, anon=True skips session, static attrs win over session.
  • TestPlanObstoreRouting — None filesystem → obstore, non-S3 fsspec → threaded, unextractable fsspec-S3 → threaded with warning, warning dedup (same FS twice = one warning), extractable fsspec-S3 → obstore, AsyncPartitionActor raises on unextractable creds.
  • TestThreadedDownloadPreResolve — exactly one probe across 16 workers, supplied-FS skips probe, bad-first-URI still finds FS, all-bad URIs don't crash, empty block doesn't spawn workers, regression test for ([], fs) probe-break bug.
• End-to-end against moto/minio with Okta-style fsspec S3FileSystem over ~100 URIs (no NoCredentialsError, moto sees signed requests).
• Run with RAY_DATA_USE_OBSTORE=0 over concurrent tasks, verifying S3FileSystem.__init__ is invoked exactly once per block rather than per worker.

[gemini-code-assist]

Code Review

This pull request enhances the obstore download path by adding support for session-backed s3fs credentials (Okta/STS) and introducing a routing logic that falls back to threaded PyArrow downloads when credentials cannot be statically extracted. It also mitigates the "IMDS thundering herd" problem in the threaded path by pre-resolving the filesystem once per block. Reviewers noted that obstore support could be extended to GCS and Azure fsspec protocols and raised concerns about a potential regression in handling mixed-scheme blocks due to the new "sticky" filesystem behavior in threaded downloads.

[gemini-code-assist]

The comment states that obstore cannot use non-S3 fsspec protocols, but obstore (via the underlying object_store Rust crate) does support GCS and Azure. While the current credential extraction logic is focused on S3, it might be worth clarifying the comment or considering future support for GCS/Azure fsspec protocols to avoid unnecessary fallbacks to the threaded path when obstore could potentially be used.

[gemini-code-assist]

The implementation of download_bytes_threaded now uses a single pre-resolved filesystem (resolved_fs) for all URIs in a block to mitigate the IMDS thundering herd. This introduces a 'sticky' filesystem behavior per block. If a block contains mixed-scheme URIs (e.g., S3 and GCS), URIs that are incompatible with the first resolved filesystem will fail to download, as _resolve_paths_and_filesystem will return the incompatible input filesystem when one is provided (per its documented behavior). While mixed-scheme blocks are rare in Ray Data, this is a regression in flexibility compared to the previous per-worker resolution. Consider if a per-scheme cache within the worker would be a more robust alternative to support mixed-scheme blocks while still avoiding the thundering herd.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Reviewed by Cursor Bugbot for commit 53bfece. Configure here.}

[cursor]

Unrecognized native filesystems unnecessarily forced to threaded path

Low Severity

_extract_credentials_from_filesystem now returns None for all unrecognized non-None filesystems (e.g. LocalFileSystem), whereas it previously returned {}. This causes _plan_obstore_routing to route these to the threaded path and emit a misleading warning about "S3 credentials" — even though obstore natively supports file:// URIs and no credentials are needed. Users explicitly passing pafs.LocalFileSystem() would see an unnecessary performance downgrade and a confusing warning.

Additional Locations (1)

• python/ray/data/_internal/planner/_obstore_download.py#L385-L394

 

^{Reviewed by Cursor Bugbot for commit 53bfece. Configure here.}

[xyuzh]

Splitting into two independent PRs for easier review:

• [Data] Fix silent credential drop for fsspec-S3 in download expression #62897 — [Data] Fix silent credential drop for fsspec-S3 in download expression (obstore path)
• [Data] Pre-resolve filesystem in threaded download to avoid IMDS herd #62898 — [Data] Pre-resolve filesystem in threaded download to avoid IMDS herd (PyArrow path)

The two bugs are independent; either PR can land first. Closing this combined PR in favor of the split.