Rename UserSecretReference to SecretReference and fix some small issues

Author: XJDKC

polaris-core/src/main/java/org/apache/polaris/core/connection/AuthenticationParametersDpo.java

@@ -29,7 +29,7 @@
 import org.apache.polaris.core.admin.model.OAuthClientCredentialsParameters;
 import org.apache.polaris.core.admin.model.SigV4AuthenticationParameters;
 import org.apache.polaris.core.connection.iceberg.IcebergCatalogPropertiesProvider;
-import org.apache.polaris.core.secrets.UserSecretReference;
+import org.apache.polaris.core.secrets.SecretReference;
 
 /**
  * The internal persistence-object counterpart to AuthenticationParameters defined in the API model.
@@ -71,7 +71,7 @@ public AuthenticationType getAuthenticationType() {
 
   public static AuthenticationParametersDpo fromAuthenticationParametersModelWithSecrets(
       AuthenticationParameters authenticationParameters,
-      Map<String, UserSecretReference> secretReferences) {
+      Map<String, SecretReference> secretReferences) {
     final AuthenticationParametersDpo config;
     switch (authenticationParameters.getAuthenticationType()) {
       case OAUTH:

polaris-core/src/main/java/org/apache/polaris/core/connection/BearerAuthenticationParametersDpo.java

@@ -25,7 +25,7 @@
 import org.apache.iceberg.rest.auth.OAuth2Properties;
 import org.apache.polaris.core.admin.model.AuthenticationParameters;
 import org.apache.polaris.core.admin.model.BearerAuthenticationParameters;
-import org.apache.polaris.core.secrets.UserSecretReference;
+import org.apache.polaris.core.secrets.SecretReference;
 import org.apache.polaris.core.secrets.UserSecretsManager;
 
 /**
@@ -35,16 +35,16 @@
 public class BearerAuthenticationParametersDpo extends AuthenticationParametersDpo {
 
   @JsonProperty(value = "bearerTokenReference")
-  private final UserSecretReference bearerTokenReference;
+  private final SecretReference bearerTokenReference;
 
   public BearerAuthenticationParametersDpo(
       @JsonProperty(value = "bearerTokenReference", required = true) @Nonnull
-          UserSecretReference bearerTokenReference) {
+          SecretReference bearerTokenReference) {
     super(AuthenticationType.BEARER.getCode());
     this.bearerTokenReference = bearerTokenReference;
   }
 
-  public @Nonnull UserSecretReference getBearerTokenReference() {
+  public @Nonnull SecretReference getBearerTokenReference() {
     return bearerTokenReference;
   }
 

polaris-core/src/main/java/org/apache/polaris/core/connection/ConnectionConfigInfoDpo.java

@@ -27,6 +27,7 @@
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import jakarta.annotation.Nonnull;
+import jakarta.annotation.Nullable;
 import java.net.MalformedURLException;
 import java.net.URI;
 import java.net.URL;
@@ -38,7 +39,7 @@
 import org.apache.polaris.core.connection.iceberg.IcebergCatalogPropertiesProvider;
 import org.apache.polaris.core.connection.iceberg.IcebergRestConnectionConfigInfoDpo;
 import org.apache.polaris.core.identity.dpo.ServiceIdentityInfoDpo;
-import org.apache.polaris.core.secrets.UserSecretReference;
+import org.apache.polaris.core.secrets.SecretReference;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -74,7 +75,7 @@ public ConnectionConfigInfoDpo(
       @JsonProperty(value = "uri", required = true) @Nonnull String uri,
       @JsonProperty(value = "authenticationParameters", required = true) @Nonnull
           AuthenticationParametersDpo authenticationParameters,
-      @JsonProperty(value = "serviceIdentity", required = false) @Nonnull
+      @JsonProperty(value = "serviceIdentity", required = false) @Nullable
           ServiceIdentityInfoDpo serviceIdentity) {
     this(connectionTypeCode, uri, authenticationParameters, serviceIdentity, true);
   }
@@ -83,7 +84,7 @@ protected ConnectionConfigInfoDpo(
       int connectionTypeCode,
       @Nonnull String uri,
       @Nonnull AuthenticationParametersDpo authenticationParameters,
-      @Nonnull ServiceIdentityInfoDpo serviceIdentity,
+      @Nullable ServiceIdentityInfoDpo serviceIdentity,
       boolean validateUri) {
     this.connectionTypeCode = connectionTypeCode;
     this.uri = uri;
@@ -111,7 +112,7 @@ public AuthenticationParametersDpo getAuthenticationParameters() {
     return authenticationParameters;
   }
 
-  public @Nonnull ServiceIdentityInfoDpo getServiceIdentity() {
+  public @Nullable ServiceIdentityInfoDpo getServiceIdentity() {
     return serviceIdentity;
   }
 
@@ -156,7 +157,7 @@ protected void validateUri(String uri) {
    */
   public static ConnectionConfigInfoDpo fromConnectionConfigInfoModelWithSecrets(
       ConnectionConfigInfo connectionConfigurationModel,
-      Map<String, UserSecretReference> secretReferences) {
+      Map<String, SecretReference> secretReferences) {
     ConnectionConfigInfoDpo config = null;
     final AuthenticationParametersDpo authenticationParameters;
     switch (connectionConfigurationModel.getConnectionType()) {

polaris-core/src/main/java/org/apache/polaris/core/connection/OAuthClientCredentialsParametersDpo.java

@@ -35,7 +35,7 @@
 import org.apache.iceberg.rest.auth.OAuth2Util;
 import org.apache.polaris.core.admin.model.AuthenticationParameters;
 import org.apache.polaris.core.admin.model.OAuthClientCredentialsParameters;
-import org.apache.polaris.core.secrets.UserSecretReference;
+import org.apache.polaris.core.secrets.SecretReference;
 import org.apache.polaris.core.secrets.UserSecretsManager;
 
 /**
@@ -53,7 +53,7 @@ public class OAuthClientCredentialsParametersDpo extends AuthenticationParameter
   private final String clientId;
 
   @JsonProperty(value = "clientSecretReference")
-  private final UserSecretReference clientSecretReference;
+  private final SecretReference clientSecretReference;
 
   @JsonProperty(value = "scopes")
   private final List<String> scopes;
@@ -62,7 +62,7 @@ public OAuthClientCredentialsParametersDpo(
       @JsonProperty(value = "tokenUri", required = false) @Nullable String tokenUri,
       @JsonProperty(value = "clientId", required = true) @Nonnull String clientId,
       @JsonProperty(value = "clientSecretReference", required = true) @Nonnull
-          UserSecretReference clientSecretReference,
+          SecretReference clientSecretReference,
       @JsonProperty(value = "scopes", required = false) @Nullable List<String> scopes) {
     super(AuthenticationType.OAUTH.getCode());
 
@@ -82,7 +82,7 @@ public OAuthClientCredentialsParametersDpo(
     return clientId;
   }
 
-  public @Nonnull UserSecretReference getClientSecretReference() {
+  public @Nonnull SecretReference getClientSecretReference() {
     return clientSecretReference;
   }
 

polaris-core/src/main/java/org/apache/polaris/core/entity/CatalogEntity.java

@@ -43,7 +43,7 @@
 import org.apache.polaris.core.config.BehaviorChangeConfiguration;
 import org.apache.polaris.core.connection.ConnectionConfigInfoDpo;
 import org.apache.polaris.core.context.CallContext;
-import org.apache.polaris.core.secrets.UserSecretReference;
+import org.apache.polaris.core.secrets.SecretReference;
 import org.apache.polaris.core.storage.FileStorageConfigurationInfo;
 import org.apache.polaris.core.storage.PolarisStorageConfigurationInfo;
 import org.apache.polaris.core.storage.aws.AwsStorageConfigurationInfo;
@@ -327,7 +327,7 @@ private void validateMaxAllowedLocations(
 
     public Builder setConnectionConfigInfoDpoWithSecrets(
         ConnectionConfigInfo connectionConfigurationModel,
-        Map<String, UserSecretReference> secretReferences) {
+        Map<String, SecretReference> secretReferences) {
       if (connectionConfigurationModel != null) {
         ConnectionConfigInfoDpo config =
             ConnectionConfigInfoDpo.fromConnectionConfigInfoModelWithSecrets(

polaris-core/src/main/java/org/apache/polaris/core/identity/dpo/AwsIamServiceIdentityInfoDpo.java

@@ -26,15 +26,18 @@
 import org.apache.polaris.core.admin.model.AwsIamServiceIdentityInfo;
 import org.apache.polaris.core.admin.model.ServiceIdentityInfo;
 import org.apache.polaris.core.identity.ServiceIdentityType;
-import org.apache.polaris.core.secrets.ServiceSecretReference;
+import org.apache.polaris.core.secrets.SecretReference;
 
 /**
  * Persistence-layer representation of an AWS IAM service identity used by Polaris.
  *
  * <p>This class models an AWS IAM identity (either a user or role) and extends {@link
- * ServiceIdentityInfoDpo}. It is typically used internally to store both the identity metadata
- * (such as the IAM ARN) and a reference to the actual credential (e.g., via {@link
- * ServiceSecretReference}).
+ * ServiceIdentityInfoDpo}. It is typically used internally to store a reference to the actual
+ * credential (e.g., via {@link SecretReference}).
+ *
+ * <p>During the runtime, it will be resolved to an actual ResolvedAwsIamServiceIdentityInfo object
+ * which contains the actual service identity info (e.g., the IAM user arn) and the corresponding
+ * credential.
  *
  * <p>Instances of this class are convertible to the public API model {@link
  * AwsIamServiceIdentityInfo}.
@@ -44,7 +47,7 @@ public class AwsIamServiceIdentityInfoDpo extends ServiceIdentityInfoDpo {
   @JsonCreator
   public AwsIamServiceIdentityInfoDpo(
       @JsonProperty(value = "identityInfoReference", required = false) @Nullable
-          ServiceSecretReference identityInfoReference) {
+          SecretReference identityInfoReference) {
     super(ServiceIdentityType.AWS_IAM.getCode(), identityInfoReference);
   }
 

polaris-core/src/main/java/org/apache/polaris/core/identity/dpo/ServiceIdentityInfoDpo.java

@@ -27,11 +27,14 @@
 import jakarta.annotation.Nullable;
 import org.apache.polaris.core.admin.model.ServiceIdentityInfo;
 import org.apache.polaris.core.identity.ServiceIdentityType;
-import org.apache.polaris.core.secrets.ServiceSecretReference;
+import org.apache.polaris.core.secrets.SecretReference;
 
 /**
  * The internal persistence-object counterpart to ServiceIdentityInfo defined in the API model.
  * Important: JsonSubTypes must be kept in sync with {@link ServiceIdentityType}.
+ *
+ * <p>During the runtime, it will be resolved to an actual ResolvedServiceIdentityInfo object which
+ * contains the actual service identity info and the corresponding credential.
  */
 @JsonTypeInfo(
     use = JsonTypeInfo.Id.NAME,
@@ -44,12 +47,12 @@ public abstract class ServiceIdentityInfoDpo {
   private final int identityTypeCode;
 
   @JsonProperty(value = "identityInfoReference")
-  private final ServiceSecretReference identityInfoReference;
+  private final SecretReference identityInfoReference;
 
   public ServiceIdentityInfoDpo(
       @JsonProperty(value = "identityTypeCode", required = true) int identityTypeCode,
       @JsonProperty(value = "identityInfoReference", required = false) @Nullable
-          ServiceSecretReference identityInfoReference) {
+          SecretReference identityInfoReference) {
     this.identityTypeCode = identityTypeCode;
     this.identityInfoReference = identityInfoReference;
   }
@@ -64,7 +67,7 @@ public ServiceIdentityType getIdentityType() {
   }
 
   @JsonProperty
-  public ServiceSecretReference getIdentityInfoReference() {
+  public SecretReference getIdentityInfoReference() {
     return identityInfoReference;
   }
 

polaris-core/src/main/java/org/apache/polaris/core/secrets/UserSecretReference.java renamed to polaris-core/src/main/java/org/apache/polaris/core/secrets/SecretReference.java

@@ -51,7 +51,7 @@
  * the stored "secret material" as well as the referencePayload and any associated keys used for
  * encryption.
  */
-public class UserSecretReference {
+public class SecretReference {
   @JsonProperty(value = "urn")
   private final String urn;
 
@@ -74,7 +74,7 @@ public class UserSecretReference {
       Pattern.compile("^" + TYPE_SPECIFIC_IDENTIFIER_REGEX + "$");
 
   /**
-   * Precompiled regex pattern for validating and parsing UserSecretReference URNs. Expected format:
+   * Precompiled regex pattern for validating and parsing SecretReference URNs. Expected format:
    * urn:polaris-secret:<secret-manager-type>:<identifier1>(:<identifier2>:...).
    *
    * <p>Groups:
@@ -98,15 +98,15 @@ public class UserSecretReference {
   /**
    * @param urn A string which should be self-sufficient to retrieve whatever secret material that
    *     is stored in the remote secret store and also to identify an implementation of the
-   *     UserSecretsManager which is capable of interpreting this concrete UserSecretReference.
-   *     Should be of the form:
+   *     UserSecretsManager which is capable of interpreting this concrete SecretReference. Should
+   *     be of the form:
    *     'urn:polaris-secret:&lt;secret-manager-type&gt;:&lt;type-specific-identifier&gt;
    * @param referencePayload Optionally, any additional information that is necessary to fully
    *     reconstitute the original secret based on what is retrieved by the {@code urn}; this
    *     payload may include hashes/checksums, encryption key ids, OTP encryption keys, additional
    *     protocol/version specifiers, etc., which are implementation-specific.
    */
-  public UserSecretReference(
+  public SecretReference(
       @JsonProperty(value = "urn", required = true) @Nonnull String urn,
       @JsonProperty(value = "referencePayload") @Nullable Map<String, String> referencePayload) {
     Preconditions.checkArgument(
@@ -117,8 +117,7 @@ public UserSecretReference(
   }
 
   /**
-   * Validates whether the given URN string matches the expected format for UserSecretReference
-   * URNs.
+   * Validates whether the given URN string matches the expected format for SecretReference URNs.
    *
    * @param urn The URN string to validate.
    * @return true if the URN is valid, false otherwise.
@@ -164,13 +163,13 @@ public static String buildUrnString(
   }
 
   /**
-   * Since UserSecretReference objects are specific to UserSecretManager implementations, the
+   * Since SecretReference objects are specific to UserSecretManager implementations, the
    * "secret-manager-type" portion of the URN should be used to validate that a URN is valid for a
    * given implementation and to dispatch to the correct implementation at runtime if multiple
    * concurrent implementations are possible in a given runtime environment.
    */
   @JsonIgnore
-  public String getUserSecretManagerType() {
+  public String getSecretManagerType() {
     Matcher matcher = URN_PATTERN.matcher(urn);
     Preconditions.checkState(matcher.matches(), "Invalid secret URN: " + urn);
     return matcher.group(1);
@@ -203,10 +202,10 @@ public int hashCode() {
 
   @Override
   public boolean equals(Object obj) {
-    if (obj == null || !(obj instanceof UserSecretReference)) {
+    if (obj == null || !(obj instanceof SecretReference)) {
       return false;
     }
-    UserSecretReference that = (UserSecretReference) obj;
+    SecretReference that = (SecretReference) obj;
     return Objects.equals(this.getUrn(), that.getUrn())
         && Objects.equals(this.getReferencePayload(), that.getReferencePayload());
   }

polaris-core/src/main/java/org/apache/polaris/core/secrets/ServiceSecretReference.java

@@ -48,8 +48,7 @@ public class UnsafeInMemorySecretsManager implements UserSecretsManager {
   /** {@inheritDoc} */
   @Override
   @Nonnull
-  public UserSecretReference writeSecret(
-      @Nonnull String secret, @Nonnull PolarisEntityCore forEntity) {
+  public SecretReference writeSecret(@Nonnull String secret, @Nonnull PolarisEntityCore forEntity) {
     // For illustrative purposes and to exercise the control flow of requiring both the stored
     // secret as well as the secretReferencePayload to recover the original secret, we'll use
     // basic XOR encryption and store the randomly generated key in the reference payload.
@@ -97,15 +96,15 @@ public UserSecretReference writeSecret(
     // key is ever shared and/or the key isn't a one-time-pad of the same length as the source
     // secret.
     referencePayload.put(ENCRYPTION_KEY, encryptedSecretKeyBase64);
-    UserSecretReference secretReference = new UserSecretReference(secretUrn, referencePayload);
+    SecretReference secretReference = new SecretReference(secretUrn, referencePayload);
     return secretReference;
   }
 
   /** {@inheritDoc} */
   @Override
   @Nonnull
-  public String readSecret(@Nonnull UserSecretReference secretReference) {
-    String secretManagerType = secretReference.getUserSecretManagerType();
+  public String readSecret(@Nonnull SecretReference secretReference) {
+    String secretManagerType = secretReference.getSecretManagerType();
     Preconditions.checkState(
         secretManagerType.equals(SECRET_MANAGER_TYPE),
         "Invalid secret manager type, expected: "
@@ -148,7 +147,7 @@ public String readSecret(@Nonnull UserSecretReference secretReference) {
 
   /** {@inheritDoc} */
   @Override
-  public void deleteSecret(@Nonnull UserSecretReference secretReference) {
+  public void deleteSecret(@Nonnull SecretReference secretReference) {
     rawSecretStore.remove(secretReference.getUrn());
   }
 }