singhpk234 commented on code in PR #2280: URL: https://github.com/apache/polaris/pull/2280#discussion_r2276774113
########## api/iceberg-aws-sign-service/src/main/java/org/apache/polaris/service/aws/sign/model/PolarisS3SignRequest.java: ########## @@ -0,0 +1,45 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.polaris.service.aws.sign.model; + +import com.fasterxml.jackson.databind.annotation.JsonDeserialize; +import com.fasterxml.jackson.databind.annotation.JsonSerialize; +import jakarta.annotation.Nullable; +import org.apache.iceberg.aws.s3.signer.S3SignRequest; +import org.apache.polaris.immutables.PolarisImmutable; +import org.immutables.value.Value; + +/** + * Request for S3 signing requests. Review Comment: ```suggestion * Request for S3 signing. ``` ########## polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsCredentialsStorageIntegration.java: ########## @@ -143,6 +143,37 @@ public AccessConfig getSubscopedCreds( return accessConfig.build(); } + public AccessConfig getRemoteSigningAccessConfig(URI signerUri, String signerEndpoint) { + + AwsStorageConfigurationInfo storageConfig = config(); + String region = storageConfig.getRegion(); + + if (storageConfig.getAwsPartition().equals("aws-us-gov") && region == null) { + throw new IllegalArgumentException( + String.format( + "AWS region must be set when using partition %s", storageConfig.getAwsPartition())); + } + + AccessConfig.Builder accessConfig = AccessConfig.builder(); + if (region != null) { + accessConfig.put(StorageAccessProperty.CLIENT_REGION, region); + } + + URI endpointUri = storageConfig.getEndpointUri(); + if (endpointUri != null) { + accessConfig.put(StorageAccessProperty.AWS_ENDPOINT, endpointUri.toString()); + } + if (Boolean.TRUE.equals(storageConfig.getPathStyleAccess())) { + accessConfig.put(StorageAccessProperty.AWS_PATH_STYLE_ACCESS, Boolean.TRUE.toString()); + } Review Comment: can we put these in a helper, to be used here and the method above ? ########## runtime/service/src/main/java/org/apache/polaris/service/storage/aws/signer/S3RemoteSigningCatalogHandler.java: ########## @@ -0,0 +1,119 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.polaris.service.storage.aws.signer; + +import jakarta.ws.rs.core.SecurityContext; +import org.apache.iceberg.catalog.TableIdentifier; +import org.apache.iceberg.exceptions.ForbiddenException; +import org.apache.iceberg.exceptions.NoSuchTableException; +import org.apache.polaris.core.auth.PolarisAuthorizableOperation; +import org.apache.polaris.core.auth.PolarisAuthorizer; +import org.apache.polaris.core.config.FeatureConfiguration; +import org.apache.polaris.core.config.RealmConfig; +import org.apache.polaris.core.context.CallContext; +import org.apache.polaris.core.entity.CatalogEntity; +import org.apache.polaris.core.entity.PolarisEntitySubType; +import org.apache.polaris.core.persistence.resolver.ResolutionManifestFactory; +import org.apache.polaris.service.aws.sign.model.PolarisS3SignRequest; +import org.apache.polaris.service.aws.sign.model.PolarisS3SignResponse; +import org.apache.polaris.service.catalog.common.CatalogHandler; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class S3RemoteSigningCatalogHandler extends CatalogHandler implements AutoCloseable { + + private static final Logger LOGGER = LoggerFactory.getLogger(S3RemoteSigningCatalogHandler.class); + + private final S3RequestSigner s3RequestSigner; + + private CatalogEntity catalogEntity; + + public S3RemoteSigningCatalogHandler( + CallContext callContext, + ResolutionManifestFactory resolutionManifestFactory, + SecurityContext securityContext, + String catalogName, + PolarisAuthorizer authorizer, + S3RequestSigner s3RequestSigner) { + super(callContext, resolutionManifestFactory, securityContext, catalogName, authorizer); + this.s3RequestSigner = s3RequestSigner; + } + + @Override + protected void initializeCatalog() { + catalogEntity = + CatalogEntity.of(resolutionManifest.getResolvedReferenceCatalogEntity().getRawLeafEntity()); + if (catalogEntity.isExternal()) { + throw new ForbiddenException("Cannot use S3 remote signing with federated catalogs."); + } + // no need to materialize the catalog here, as we only need the catalog entity + } + + public PolarisS3SignResponse signS3Request( + PolarisS3SignRequest s3SignRequest, TableIdentifier tableIdentifier) { + + LOGGER.debug("Requesting s3 signing for {}: {}", tableIdentifier, s3SignRequest); + + // TODO authorize based on the request's method? Review Comment: shouldn't we ? SIGN_S3_REQUEST shouldn't be a blanket approval for deletes ? ########## runtime/service/src/main/java/org/apache/polaris/service/storage/aws/signer/S3RemoteSigningCatalogHandler.java: ########## @@ -0,0 +1,119 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.polaris.service.storage.aws.signer; + +import jakarta.ws.rs.core.SecurityContext; +import org.apache.iceberg.catalog.TableIdentifier; +import org.apache.iceberg.exceptions.ForbiddenException; +import org.apache.iceberg.exceptions.NoSuchTableException; +import org.apache.polaris.core.auth.PolarisAuthorizableOperation; +import org.apache.polaris.core.auth.PolarisAuthorizer; +import org.apache.polaris.core.config.FeatureConfiguration; +import org.apache.polaris.core.config.RealmConfig; +import org.apache.polaris.core.context.CallContext; +import org.apache.polaris.core.entity.CatalogEntity; +import org.apache.polaris.core.entity.PolarisEntitySubType; +import org.apache.polaris.core.persistence.resolver.ResolutionManifestFactory; +import org.apache.polaris.service.aws.sign.model.PolarisS3SignRequest; +import org.apache.polaris.service.aws.sign.model.PolarisS3SignResponse; +import org.apache.polaris.service.catalog.common.CatalogHandler; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class S3RemoteSigningCatalogHandler extends CatalogHandler implements AutoCloseable { + + private static final Logger LOGGER = LoggerFactory.getLogger(S3RemoteSigningCatalogHandler.class); + + private final S3RequestSigner s3RequestSigner; + + private CatalogEntity catalogEntity; + + public S3RemoteSigningCatalogHandler( + CallContext callContext, + ResolutionManifestFactory resolutionManifestFactory, + SecurityContext securityContext, + String catalogName, + PolarisAuthorizer authorizer, + S3RequestSigner s3RequestSigner) { + super(callContext, resolutionManifestFactory, securityContext, catalogName, authorizer); + this.s3RequestSigner = s3RequestSigner; + } + + @Override + protected void initializeCatalog() { + catalogEntity = + CatalogEntity.of(resolutionManifest.getResolvedReferenceCatalogEntity().getRawLeafEntity()); + if (catalogEntity.isExternal()) { + throw new ForbiddenException("Cannot use S3 remote signing with federated catalogs."); + } + // no need to materialize the catalog here, as we only need the catalog entity + } + + public PolarisS3SignResponse signS3Request( Review Comment: can i have a sign priviledge without table read priviledge ? a client may directly contact the sign endpoint ########## runtime/service/src/main/java/org/apache/polaris/service/storage/aws/signer/S3RequestSignerImpl.java: ########## @@ -0,0 +1,84 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.polaris.service.storage.aws.signer; + +import jakarta.enterprise.context.ApplicationScoped; +import jakarta.inject.Inject; +import java.net.URI; +import org.apache.iceberg.aws.s3.signer.S3SignRequest; +import org.apache.polaris.service.aws.sign.model.ImmutablePolarisS3SignResponse; +import org.apache.polaris.service.aws.sign.model.PolarisS3SignResponse; +import org.apache.polaris.service.storage.StorageConfiguration; +import software.amazon.awssdk.auth.credentials.AwsCredentials; +import software.amazon.awssdk.http.ContentStreamProvider; +import software.amazon.awssdk.http.SdkHttpFullRequest; +import software.amazon.awssdk.http.SdkHttpMethod; +import software.amazon.awssdk.http.SdkHttpRequest; +import software.amazon.awssdk.http.auth.aws.signer.AwsV4HttpSigner; +import software.amazon.awssdk.http.auth.spi.signer.SignRequest; +import software.amazon.awssdk.http.auth.spi.signer.SignedRequest; +import software.amazon.awssdk.services.s3.S3Client; + +@ApplicationScoped +class S3RequestSignerImpl implements S3RequestSigner { + + private final AwsV4HttpSigner signer = AwsV4HttpSigner.create(); + + @Inject StorageConfiguration storageConfiguration; + + @Override + public PolarisS3SignResponse signRequest(S3SignRequest signingRequest) { + + URI uri = signingRequest.uri(); + SdkHttpMethod method = SdkHttpMethod.valueOf(signingRequest.method()); + + SdkHttpFullRequest.Builder requestToSign = + SdkHttpFullRequest.builder() + .uri(uri) + .protocol(uri.getScheme()) + .method(method) + .headers(signingRequest.headers()); + + AwsCredentials credentials = storageConfiguration.awsSystemCredentials().resolveCredentials(); Review Comment: How are the credentials refreshed ? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
