dimas-b commented on code in PR #1506:
URL: https://github.com/apache/polaris/pull/1506#discussion_r2085870570
##########
spec/polaris-management-service.yml:
##########
@@ -938,6 +940,38 @@ components:
format: password
description: Bearer token (input-only)
+ SigV4AuthenticationParameters:
+ type: object
+ description: AWS Signature Version 4 authentication
+ allOf:
+ - $ref: '#/components/schemas/AuthenticationParameters'
+ properties:
+ roleArn:
+ type: string
+ description: The aws IAM role arn assumed by polaris userArn when
signing requests
+ example:
"arn:aws:iam::123456789001:role/role-that-has-remote-catalog-access"
+ roleSessionName:
+ type: string
+ description: The role session name to be used by the SigV4 protocol
for signing requests
+ example: "polaris-remote-catalog-access"
+ externalId:
+ type: string
+ description: An optional external id used to establish a trust
relationship with AWS in the trust policy
+ example: "external-id-1234"
+ signingRegion:
+ type: string
+ description: Region to be used by the SigV4 protocol for signing
requests
+ example: "us-west-2"
+ signingName:
+ type: string
+ description: The service name to be used by the SigV4 protocol for
signing requests, the default signing name is "execute-api" is if not provided
+ example: "glue"
+ serviceIdentity:
+ $ref: '#/components/schemas/ServiceIdentityInfo'
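Review bot: the `signingName` description ends in a garbled clause ("the default signing name is "execute-api" is if not provided"); reword it to "defaults to "execute-api" if not provided". In the same hunk, nothing is marked `required`, yet `roleArn` and `signingRegion` have no usable default, so a `required:` list naming them would let clients fail at validation rather than at first signing; and the `roleArn` description should capitalize "AWS IAM role ARN" and "Polaris" for consistency with the rest of the spec.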
Review Comment:
As @XJDKC mentioned in the main comment thread, it may be worth taking this
to a higher level...
Do we envision one `ServiceIdentityInfo` for the whole Realm, or perhaps one
`ServiceIdentityInfo` for each Catalog?
From my POV the latter case is possible, but I wonder what other people think
about its practical usefulness.
I suppose the former case is more relevant, so it does make sense to expose
`ServiceIdentityInfo` as a top-level entity... Perhaps we can have a separate
Management API endpoint for it (e.g. "/configuration")?
##########
spec/polaris-management-service.yml:
##########
@@ -1023,6 +1057,49 @@ components:
allOf:
- $ref: '#/components/schemas/StorageConfigInfo'
+ ServiceIdentityInfo:
+ type: object
+ description: Identity metadata for the Polaris service used to access
external resources.
+ readOnly: true
+ properties:
+ identityType:
+ type: string
+ enum:
+ - AWS_IAM_USER
+ - AWS_IAM_ROLE
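Review bot: `readOnly: true` on the `ServiceIdentityInfo` schema itself has no effect in OpenAPI 3.0, where the keyword is only meaningful on property definitions; move it onto the individual properties (or onto the `serviceIdentity` property where this schema is referenced) so generated clients and validators actually treat the identity metadata as server-populated. The `identityType` enum values also lack a description of what each implies for the caller.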
Review Comment:
nit: it is fine as is, but I wonder if it's really worth having different
sub-types for role and user :thinking: One can always make that distinction by
parsing the ARN (if required).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.