XJDKC commented on code in PR #1506:
URL: https://github.com/apache/polaris/pull/1506#discussion_r2072205634
##########
spec/polaris-management-service.yml:
##########
@@ -938,6 +940,34 @@ components:
format: password
description: Bearer token (input-only)
+ SigV4AuthenticationParameters:
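Review bot: only the name of the added `SigV4AuthenticationParameters` schema is visible on the `+` line, so its properties cannot be checked from this hunk. The context lines just above it mark the bearer token with `format: password` and describe it as input-only. If the new schema carries any credential-like property, give it the same `format: password` marker and input-only wording so it is treated consistently with the bearer token, and give the schema itself a `description`.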
Review Comment:
Hey Prashant and Dmitri,
Even though AWS STS doesn't have regional endpoints in every region, I
believe the AWS SDK will fall back to the global endpoint if a regional one
isn't available. From what I understand in the AWS docs, you can opt out of
using regional endpoints (though it’s not recommended), and if you don't opt
out, the SDK will choose the appropriate endpoint: i.e. using the regional one
when available, and falling back to the global endpoint otherwise.
I also took a look into MinIO:
https://min.io/docs/minio/linux/developers/security-token-service.html
Since MinIO provides an S3-compatible API, if we want to support its STS
service, Polaris will first need to support the s3compat API for the storage.
In addition, since we need to send requests to STS to get subscoped storage
credentials, we'd need to define a unified approach that works across both the
storage config and the connection config.
Given all of that, I'd recommend marking this out of scope for the initial
spec changes. It's not a one-way door; we can always introduce the optional STS
endpoint later once we've had time to fully think through the design.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.