dimas-b commented on code in PR #1532: URL: https://github.com/apache/polaris/pull/1532#discussion_r2098292448
########## service/common/src/main/java/org/apache/polaris/service/catalog/validation/IcebergPropertiesValidation.java: ########## @@ -0,0 +1,95 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.polaris.service.catalog.validation; + +import static org.apache.polaris.core.config.FeatureConfiguration.ALLOW_INSECURE_STORAGE_TYPES_ACCEPTING_SECURITY_RISKS; +import static org.apache.polaris.core.config.FeatureConfiguration.ALLOW_SPECIFYING_FILE_IO_IMPL; +import static org.apache.polaris.core.config.FeatureConfiguration.SUPPORTED_CATALOG_STORAGE_TYPES; + +import jakarta.annotation.Nonnull; +import jakarta.annotation.Nullable; +import java.util.Map; +import org.apache.iceberg.CatalogProperties; +import org.apache.iceberg.exceptions.ValidationException; +import org.apache.polaris.core.context.CallContext; +import org.apache.polaris.core.storage.PolarisStorageConfigurationInfo; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class IcebergPropertiesValidation { + private static final Logger LOGGER = LoggerFactory.getLogger(IcebergPropertiesValidation.class); + + public static void validateIcebergProperties( + @Nonnull CallContext callContext, @Nonnull Map<String, String> properties) { + validateIcebergProperties(callContext, properties, null); + } + + public static String validateIcebergProperties( + @Nonnull CallContext callContext, + @Nonnull Map<String, String> properties, + @Nullable PolarisStorageConfigurationInfo storageConfigurationInfo) { + var ctx = callContext.getPolarisCallContext(); + var configStore = ctx.getConfigurationStore(); + + var ioImpl = properties.get(CatalogProperties.FILE_IO_IMPL); + if (ioImpl != null) { + if (!configStore.getConfiguration(ctx, ALLOW_SPECIFYING_FILE_IO_IMPL)) { + throw new ValidationException( + "Cannot set property '%s' to '%s' for this catalog.", + CatalogProperties.FILE_IO_IMPL, ioImpl); + } + LOGGER.debug( + "Allowing overriding ioImplClassName to {} for storageConfiguration {}", + ioImpl, + storageConfigurationInfo); + } else if (storageConfigurationInfo != null) { + ioImpl = storageConfigurationInfo.getFileIoImplClassName(); + LOGGER.debug( + "Resolved ioImplClassName {} from storageConfiguration {}", + ioImpl, + storageConfigurationInfo); + } + + if (ioImpl != null) { + var storageType = StorageTypeFileIO.fromFileIoImplementation(ioImpl); + if (storageType.validateAllowedStorageType() + && !configStore + .getConfiguration(ctx, SUPPORTED_CATALOG_STORAGE_TYPES) + .contains(storageType.name())) { + throw new ValidationException( + "File IO implementation '%s', as storage type '%s' is not supported", + ioImpl, storageType); + } + + if (!storageType.safe() + && !configStore.getConfiguration( + ctx, ALLOW_INSECURE_STORAGE_TYPES_ACCEPTING_SECURITY_RISKS)) { + throw new ValidationException( + "File IO implementation '%s' (storage type '%s') is considered insecure and must not be used", + ioImpl, storageType); + } + } + + return ioImpl; + } + + public static boolean safeStorageType(String name) { + return StorageTypeFileIO.valueOf(name).safe(); Review Comment: ping ########## quarkus/service/src/main/java/org/apache/polaris/service/quarkus/config/ProductionReadinessChecks.java: ########## @@ -57,26 +64,53 @@ public class ProductionReadinessChecks { */ private static final String WARNING_SIGN_UTF_8 = "\u0000\u26A0\uFE0F"; + private static final String SEVERE_SIGN_UTF_8 = "\u0000\uD83D\uDED1"; + /** A simple warning sign displayed when the character set is not UTF-8. */ private static final String WARNING_SIGN_PLAIN = "!!!"; + private static final String SEVERE_SIGN_PLAIN = "***STOP***"; + public void warnOnFailedChecks( - @Observes Startup event, Instance<ProductionReadinessCheck> checks) { + @Observes Startup event, + Instance<ProductionReadinessCheck> checks, + QuarkusReadinessConfiguration config) { List<Error> errors = checks.stream().flatMap(check -> check.getErrors().stream()).toList(); if (!errors.isEmpty()) { - String warning = - Charset.defaultCharset().equals(StandardCharsets.UTF_8) - ? WARNING_SIGN_UTF_8 - : WARNING_SIGN_PLAIN; - LOGGER.warn("{} Production readiness checks failed! Check the warnings below.", warning); + var utf8 = Charset.defaultCharset().equals(StandardCharsets.UTF_8); + var warning = utf8 ? WARNING_SIGN_UTF_8 : WARNING_SIGN_PLAIN; + var severe = utf8 ? SEVERE_SIGN_UTF_8 : SEVERE_SIGN_PLAIN; + var hasSevere = errors.stream().anyMatch(Error::severe); + LOGGER + .makeLoggingEventBuilder(hasSevere ? Level.ERROR : Level.WARN) + .log( + "{} Production readiness checks failed! Check the warnings below.", + hasSevere ? severe : warning); errors.forEach( error -> - LOGGER.warn( - "- {} Offending configuration option: '{}'.", - error.message(), - error.offendingProperty())); - LOGGER.warn( - "Refer to https://polaris.apache.org/in-dev/unreleased/configuring-polaris-for-production for more information."); + LOGGER + .makeLoggingEventBuilder(error.severe() ? Level.ERROR : Level.WARN) + .log( + "- {} {} Offending configuration option: '{}'.", + error.severe() ? severe : warning, + error.message(), + error.offendingProperty())); + LOGGER + .makeLoggingEventBuilder(hasSevere ? Level.ERROR : Level.WARN) + .log( + "Refer to https://polaris.apache.org/in-dev/unreleased/configuring-polaris-for-production for more information."); + + if (hasSevere) { + if (!config.ignoreSevereIssues()) { + throw new IllegalStateException( + "Severe production readiness issues detected, startup aborted!"); + } + LOGGER.error( + "{} severe production readiness issues detected, but user explicitly requested startup by setting " Review Comment: This feels like a WARN to me, specifically because it was acknowledged via config. ########## service/common/src/main/java/org/apache/polaris/service/catalog/validation/IcebergPropertiesValidation.java: ########## @@ -0,0 +1,93 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.polaris.service.catalog.validation; + +import static org.apache.polaris.core.config.FeatureConfiguration.ALLOW_INSECURE_STORAGE_TYPES; +import static org.apache.polaris.core.config.FeatureConfiguration.ALLOW_SPECIFYING_FILE_IO_IMPL; +import static org.apache.polaris.core.config.FeatureConfiguration.SUPPORTED_CATALOG_STORAGE_TYPES; + +import jakarta.annotation.Nonnull; +import jakarta.annotation.Nullable; +import java.util.Map; +import org.apache.iceberg.CatalogProperties; +import org.apache.iceberg.exceptions.ValidationException; +import org.apache.polaris.core.context.CallContext; +import org.apache.polaris.core.storage.PolarisStorageConfigurationInfo; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class IcebergPropertiesValidation { + private static final Logger LOGGER = LoggerFactory.getLogger(IcebergPropertiesValidation.class); + + public static void validateIcebergProperties( + @Nonnull CallContext callContext, @Nonnull Map<String, String> properties) { + validateIcebergPropertiesForFileIo(callContext, properties, null); + } + + public static String validateIcebergPropertiesForFileIo( Review Comment: This method name still looks misleading to me. It returns a usable FileIO class name is addition to validating it. Validation is implied in the class name.... How about `determineFileIOClassName(...)`? ########## quarkus/service/src/main/java/org/apache/polaris/service/quarkus/config/ProductionReadinessChecks.java: ########## @@ -176,4 +210,71 @@ public ProductionReadinessCheck checkPolarisEventListener( private static String authRealmSegment(String realm) { return realm.equals(QuarkusAuthenticationConfiguration.DEFAULT_REALM_KEY) ? "" : realm + "."; } + + @Produces + public ProductionReadinessCheck checkInsecureStorageSettings( + FeaturesConfiguration featureConfiguration) { + var insecure = FeatureConfiguration.ALLOW_INSECURE_STORAGE_TYPES; + + var errors = new ArrayList<Error>(); + if (Boolean.parseBoolean(featureConfiguration.defaults().get(insecure.key))) { + errors.add( + Error.ofSevere( + "Must not enable a configuration that exposes known and severe security risks: " + + insecure.description, + format("polaris.features.defaults.\"%s\"", insecure.key))); + } + + featureConfiguration + .realmOverrides() + .forEach( + (realmId, overrides) -> { + if (Boolean.parseBoolean(overrides.overrides().get(insecure.key))) { + errors.add( + Error.ofSevere( + "Must not enable a configuration that exposes known and severe security risks: " + + insecure.description, + format( + "polaris.features.realm-overrides.\"%s\".overrides.\"%s\"", + realmId, insecure.key))); + } + }); + + var storageTypes = FeatureConfiguration.SUPPORTED_CATALOG_STORAGE_TYPES; + var mapper = new ObjectMapper(); + var defaults = featureConfiguration.parseDefaults(mapper); + var realmOverrides = featureConfiguration.parseRealmOverrides(mapper); + @SuppressWarnings("unchecked") + var supported = (List<String>) defaults.getOrDefault(storageTypes.key, List.of()); + supported.stream() + .filter(n -> !IcebergPropertiesValidation.safeStorageType(n)) + .forEach( + t -> + errors.add( + Error.ofSevere( + format( + "The storage type '%s' is considered insecure and to expose the service to severe security ricks!", + t), + format("polaris.features.defaults.\"%s\"", storageTypes.key)))); + realmOverrides.forEach( + (realmId, overrides) -> { + @SuppressWarnings("unchecked") + var s = (List<String>) overrides.getOrDefault(storageTypes.key, List.of()); + s.stream() + .filter(n -> !IcebergPropertiesValidation.safeStorageType(n)) + .forEach( + t -> + errors.add( + Error.ofSevere( + format( + "The storage type '%s' is considered insecure and to expose the service to severe security ricks!", Review Comment: ping re: spelling here -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
