dimas-b commented on code in PR #1506:
URL: https://github.com/apache/polaris/pull/1506#discussion_r2076029876
##########
spec/polaris-management-service.yml:
##########
@@ -938,6 +940,40 @@ components:
format: password
description: Bearer token (input-only)
+ SigV4AuthenticationParameters:
+ type: object
+ description: AWS Signature Version 4 authentication
+ allOf:
+ - $ref: '#/components/schemas/AuthenticationParameters'
+ properties:
+ roleArn:
+ type: string
+ description: The aws IAM role arn assumed by polaris userArn when
signing requests
+ example:
"arn:aws:iam::123456789001:role/role-that-has-remote-catalog-access"
+ roleSessionName:
+ type: string
+ description: The role session name to be used by the SigV4 protocol
for signing requests
+ example: "polaris-remote-catalog-access"
+ externalId:
+ type: string
+ description: An optional external id used to establish a trust
relationship with AWS in the trust policy
+ example: "external-id-1234"
+ signingRegion:
+ type: string
+ description: Region to be used by the SigV4 protocol for signing
requests
+ example: "us-west-2"
+ signingName:
+ type: string
+ description: The service name to be used by the SigV4 protocol for
signing requests, the default signing name is "execute-api" is if not provided
+ example: "glue"
+ userArn:
+ type: string
+ description: The aws user arn used to assume the aws role, this
represents the polaris service itself
+ example: "arn:aws:iam::123456789001:user/polaris-service-user"
Review Comment:
Thanks for the explanation, @dennishuo !
It looks like this is not so much about using a two-stage Assume Role
approach in Polaris, but more about the source and target audience of
`userArn`. Right now it is clear that the user is not the source but a consumer
of this value.
I believe it would clearer if this was represented in another config object,
for example `ConnectionConfigInfo.accessDeclarations` to contain `userArn`.
Whether or not Polaris does a two-stage AssumeRole is not directly relevant
to the `AuthenticationParameters`. These parameters define what Polaris needs
to do in order to gain access to user's resources. `userArn` is a declaration
Polaris makes about the identity it will use for accessing the external
resources. Whether Polaris is authorized to use `userArn` is beyond the scope
of this config. It is declared to the user if Polaris in order for the user to
make appropriate grants.
WDYT?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
