obelix74 opened a new pull request, #3823: URL: https://github.com/apache/polaris/pull/3823
Replaces the all-or-nothing `INCLUDE_SESSION_TAGS_IN_SUBSCOPED_CREDENTIAL` and `INCLUDE_TRACE_ID_IN_SESSION_TAGS` boolean flags with a single list-based config `SESSION_TAGS_IN_SUBSCOPED_CREDENTIAL` that lets operators choose exactly which fields to include as session tags in AWS STS AssumeRole requests. This gives operators control over how much of the 2048-character STS packed policy budget their session tags consume, helping avoid the policy size limit errors described in #3243.

Supported fields: realm, catalog, namespace, table, principal, roles, trace_id

- Add `realm` field to CredentialVendingContext (populated from RealmContext)
- Replace boolean feature flags with `SESSION_TAGS_IN_SUBSCOPED_CREDENTIAL` list config
- Update `AwsSessionTagsBuilder.buildSessionTags()` to accept a `Set<String>` of enabled fields
- Update `AwsCredentialsStorageIntegration` and `StorageCredentialCache` to use the new config
- Update `StorageAccessConfigProvider` to inject `RealmContext` and populate realm in context
- Add tests for realm tag inclusion/exclusion
- Update existing tests to use the new per-field configuration style

## Checklist
- [x] Don't disclose security issues! (contact [email protected])
- [x] Clearly explained why the changes are needed, or linked related issues: Fixes #
- [x] Added/updated tests with good coverage, or manually tested (and explained how)
- [x] Added comments for complex logic
- [x] Updated `CHANGELOG.md` (if needed)
- [ ] Updated documentation in `site/content/in-dev/unreleased` (if needed)
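Per-field session tag selection as the description outlines it, shown as an added example that is not code from the pull request or from Polaris. The `selectTags` and `rawSize` helpers, the `polaris:` tag key prefix and the sample context values are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class SessionTagSelectionExample {
  // Field names as listed in the PR description, in that order.
  static final List<String> SUPPORTED =
      List.of("realm", "catalog", "namespace", "table", "principal", "roles", "trace_id");
  // STS limits a session tag value to 256 characters.
  static final int MAX_TAG_VALUE = 256;

  // Hypothetical helper: keeps only the enabled fields that have a value in the context.
  static Map<String, String> selectTags(Set<String> enabled, Map<String, String> context) {
    for (String field : enabled) {
      if (!SUPPORTED.contains(field)) {
        // Fail on a misspelled field instead of silently dropping a tag that audit relies on.
        throw new IllegalArgumentException("Unsupported session tag field: " + field);
      }
    }
    Map<String, String> tags = new LinkedHashMap<>();
    for (String field : SUPPORTED) {
      String value = context.get(field);
      if (!enabled.contains(field) || value == null || value.isEmpty()) {
        continue; // disabled or unknown for this request: send no tag at all
      }
      if (value.length() > MAX_TAG_VALUE) value = value.substring(0, MAX_TAG_VALUE);
      tags.put("polaris:" + field, value); // "polaris:" key prefix is an assumption
    }
    return tags;
  }

  // Raw characters the tags contribute; the packed size itself is computed by STS.
  static int rawSize(Map<String, String> tags) {
    return tags.entrySet().stream().mapToInt(e -> e.getKey().length() + e.getValue().length()).sum();
  }

  public static void main(String[] args) {
    // Constructed sample context values.
    Map<String, String> ctx = Map.of(
        "realm", "prod", "catalog", "sales", "namespace", "emea.orders.daily",
        "table", "line_items", "principal", "etl-service", "roles", "writer,reader",
        "trace_id", "4bf92f3577b34da6a3ce929d0e0e4736");
    Map<String, String> all = selectTags(Set.copyOf(SUPPORTED), ctx);
    Map<String, String> minimal = selectTags(Set.of("realm", "principal"), ctx);
    System.out.println(all.size() + " tags, " + rawSize(all) + " chars: " + all);
    System.out.println(minimal.size() + " tags, " + rawSize(minimal) + " chars: " + minimal);
  }
}
```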
