SigV4 Auth Support for Catalog Federation - Part 2: Connection Config Persistence

polaris-core/src/main/java/org/apache/polaris/core/connection/AuthenticationParametersDpo.java

@@ -18,15 +18,18 @@
  */
 package org.apache.polaris.core.connection;
 
+import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonSubTypes;
 import com.fasterxml.jackson.annotation.JsonTypeInfo;
+import jakarta.annotation.Nonnull;
 import java.util.Map;
 import org.apache.polaris.core.admin.model.AuthenticationParameters;
 import org.apache.polaris.core.admin.model.BearerAuthenticationParameters;
 import org.apache.polaris.core.admin.model.OAuthClientCredentialsParameters;
+import org.apache.polaris.core.admin.model.SigV4AuthenticationParameters;
 import org.apache.polaris.core.connection.iceberg.IcebergCatalogPropertiesProvider;
-import org.apache.polaris.core.secrets.UserSecretReference;
+import org.apache.polaris.core.secrets.SecretReference;
 
 /**
  * The internal persistence-object counterpart to AuthenticationParameters defined in the API model.
@@ -40,6 +43,7 @@
   @JsonSubTypes.Type(value = OAuthClientCredentialsParametersDpo.class, name = "1"),
   @JsonSubTypes.Type(value = BearerAuthenticationParametersDpo.class, name = "2"),
   @JsonSubTypes.Type(value = ImplicitAuthenticationParametersDpo.class, name = "3"),
+  @JsonSubTypes.Type(value = SigV4AuthenticationParametersDpo.class, name = "4"),
 })
 public abstract class AuthenticationParametersDpo implements IcebergCatalogPropertiesProvider {
 
@@ -58,11 +62,16 @@ public int getAuthenticationTypeCode() {
     return authenticationTypeCode;
   }
 
-  public abstract AuthenticationParameters asAuthenticationParametersModel();
+  @JsonIgnore
+  public AuthenticationType getAuthenticationType() {
+    return AuthenticationType.fromCode(authenticationTypeCode);
+  }
+
+  public abstract @Nonnull AuthenticationParameters asAuthenticationParametersModel();
 
   public static AuthenticationParametersDpo fromAuthenticationParametersModelWithSecrets(
       AuthenticationParameters authenticationParameters,
-      Map<String, UserSecretReference> secretReferences) {
+      Map<String, SecretReference> secretReferences) {
     final AuthenticationParametersDpo config;
     switch (authenticationParameters.getAuthenticationType()) {
       case OAUTH:
@@ -85,6 +94,18 @@ public static AuthenticationParametersDpo fromAuthenticationParametersModelWithS
       case IMPLICIT:
         config = new ImplicitAuthenticationParametersDpo();
         break;
+      case SIGV4:
+        // SigV4 authentication is not secret-based
+        SigV4AuthenticationParameters sigV4AuthenticationParametersModel =
+            (SigV4AuthenticationParameters) authenticationParameters;
+        config =
+            new SigV4AuthenticationParametersDpo(
+                sigV4AuthenticationParametersModel.getRoleArn(),
+                sigV4AuthenticationParametersModel.getRoleSessionName(),
+                sigV4AuthenticationParametersModel.getExternalId(),
+                sigV4AuthenticationParametersModel.getSigningRegion(),
+                sigV4AuthenticationParametersModel.getSigningName());
+        break;
       default:
         throw new IllegalStateException(
             "Unsupported authentication type: " + authenticationParameters.getAuthenticationType());

polaris-core/src/main/java/org/apache/polaris/core/connection/AuthenticationType.java

@@ -34,6 +34,7 @@ public enum AuthenticationType {
   OAUTH(1),
   BEARER(2),
   IMPLICIT(3),
+  SIGV4(4),
   ;
 
   private static final AuthenticationType[] REVERSE_MAPPING_ARRAY;
@@ -66,7 +67,7 @@ public enum AuthenticationType {
    * NULL_TYPE if not found
    *
    * @param authTypeCode code associated to the authentication type
-   * @return ConnectionType corresponding to that code or null if mapping not found
+   * @return AuthenticationType corresponding to that code or null if mapping not found
    */
   public static @Nonnull AuthenticationType fromCode(int authTypeCode) {
     // ensure it is within bounds

polaris-core/src/main/java/org/apache/polaris/core/connection/BearerAuthenticationParametersDpo.java

@@ -25,7 +25,7 @@
 import org.apache.iceberg.rest.auth.OAuth2Properties;
 import org.apache.polaris.core.admin.model.AuthenticationParameters;
 import org.apache.polaris.core.admin.model.BearerAuthenticationParameters;
-import org.apache.polaris.core.secrets.UserSecretReference;
+import org.apache.polaris.core.secrets.SecretReference;
 import org.apache.polaris.core.secrets.UserSecretsManager;
 
 /**
@@ -35,16 +35,16 @@
 public class BearerAuthenticationParametersDpo extends AuthenticationParametersDpo {
 
   @JsonProperty(value = "bearerTokenReference")
-  private final UserSecretReference bearerTokenReference;
+  private final SecretReference bearerTokenReference;
 
   public BearerAuthenticationParametersDpo(
       @JsonProperty(value = "bearerTokenReference", required = true) @Nonnull
-          UserSecretReference bearerTokenReference) {
+          SecretReference bearerTokenReference) {
     super(AuthenticationType.BEARER.getCode());
     this.bearerTokenReference = bearerTokenReference;
   }
 
-  public @Nonnull UserSecretReference getBearerTokenReference() {
+  public @Nonnull SecretReference getBearerTokenReference() {
     return bearerTokenReference;
   }
 
@@ -56,7 +56,7 @@ public BearerAuthenticationParametersDpo(
   }
 
   @Override
-  public AuthenticationParameters asAuthenticationParametersModel() {
+  public @Nonnull AuthenticationParameters asAuthenticationParametersModel() {
     return BearerAuthenticationParameters.builder()
         .setAuthenticationType(AuthenticationParameters.AuthenticationTypeEnum.BEARER)
         .build();

polaris-core/src/main/java/org/apache/polaris/core/connection/ConnectionConfigInfoDpo.java

@@ -18,6 +18,7 @@
  */
 package org.apache.polaris.core.connection;
 
+import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonSubTypes;
@@ -26,6 +27,7 @@
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import jakarta.annotation.Nonnull;
+import jakarta.annotation.Nullable;
 import java.net.MalformedURLException;
 import java.net.URI;
 import java.net.URL;
@@ -36,7 +38,8 @@
 import org.apache.polaris.core.connection.hadoop.HadoopConnectionConfigInfoDpo;
 import org.apache.polaris.core.connection.iceberg.IcebergCatalogPropertiesProvider;
 import org.apache.polaris.core.connection.iceberg.IcebergRestConnectionConfigInfoDpo;
-import org.apache.polaris.core.secrets.UserSecretReference;
+import org.apache.polaris.core.identity.dpo.ServiceIdentityInfoDpo;
+import org.apache.polaris.core.secrets.SecretReference;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -64,22 +67,29 @@ public abstract class ConnectionConfigInfoDpo implements IcebergCatalogPropertie
   // The authentication parameters for the connection
   private final AuthenticationParametersDpo authenticationParameters;
 
+  // The Polaris service identity info of the connection
+  private final ServiceIdentityInfoDpo serviceIdentity;
+
   public ConnectionConfigInfoDpo(
       @JsonProperty(value = "connectionTypeCode", required = true) int connectionTypeCode,
       @JsonProperty(value = "uri", required = true) @Nonnull String uri,
       @JsonProperty(value = "authenticationParameters", required = true) @Nonnull
-          AuthenticationParametersDpo authenticationParameters) {
-    this(connectionTypeCode, uri, authenticationParameters, true);
+          AuthenticationParametersDpo authenticationParameters,
+      @JsonProperty(value = "serviceIdentity", required = false) @Nullable
+          ServiceIdentityInfoDpo serviceIdentity) {
+    this(connectionTypeCode, uri, authenticationParameters, serviceIdentity, true);
   }
 
   protected ConnectionConfigInfoDpo(
       int connectionTypeCode,
       @Nonnull String uri,
       @Nonnull AuthenticationParametersDpo authenticationParameters,
+      @Nullable ServiceIdentityInfoDpo serviceIdentity,
       boolean validateUri) {
     this.connectionTypeCode = connectionTypeCode;
     this.uri = uri;
     this.authenticationParameters = authenticationParameters;
+    this.serviceIdentity = serviceIdentity;
     if (validateUri) {
       validateUri(uri);
     }
@@ -89,6 +99,11 @@ public int getConnectionTypeCode() {
     return connectionTypeCode;
   }
 
+  @JsonIgnore
+  public ConnectionType getConnectionType() {
+    return ConnectionType.fromCode(connectionTypeCode);
+  }
+
   public String getUri() {
     return uri;
   }
@@ -97,6 +112,10 @@ public AuthenticationParametersDpo getAuthenticationParameters() {
     return authenticationParameters;
   }
 
+  public @Nullable ServiceIdentityInfoDpo getServiceIdentity() {
+    return serviceIdentity;
+  }
+
   private static final ObjectMapper DEFAULT_MAPPER;
 
   static {
@@ -138,7 +157,7 @@ protected void validateUri(String uri) {
    */
   public static ConnectionConfigInfoDpo fromConnectionConfigInfoModelWithSecrets(
       ConnectionConfigInfo connectionConfigurationModel,
-      Map<String, UserSecretReference> secretReferences) {
+      Map<String, SecretReference> secretReferences) {
     ConnectionConfigInfoDpo config = null;
     final AuthenticationParametersDpo authenticationParameters;
     switch (connectionConfigurationModel.getConnectionType()) {
@@ -152,6 +171,7 @@ public static ConnectionConfigInfoDpo fromConnectionConfigInfoModelWithSecrets(
             new IcebergRestConnectionConfigInfoDpo(
                 icebergRestConfigModel.getUri(),
                 authenticationParameters,
+                null /*Service Identity Info*/,
                 icebergRestConfigModel.getRemoteCatalogName());
         break;
       case HADOOP:
@@ -164,6 +184,7 @@ public static ConnectionConfigInfoDpo fromConnectionConfigInfoModelWithSecrets(
             new HadoopConnectionConfigInfoDpo(
                 hadoopConfigModel.getUri(),
                 authenticationParameters,
+                null /*Service Identity Info*/,
                 hadoopConfigModel.getWarehouse());
         break;
       default:
@@ -173,6 +194,15 @@ public static ConnectionConfigInfoDpo fromConnectionConfigInfoModelWithSecrets(
     return config;
   }
 
+  /**
+   * Creates a new copy of the ConnectionConfigInfoDpo with the given service identity info.
+   *
+   * @param serviceIdentityInfo The service identity info to set.
+   * @return A new copy of the ConnectionConfigInfoDpo with the given service identity info.
+   */
+  public abstract ConnectionConfigInfoDpo withServiceIdentity(
+      @Nonnull ServiceIdentityInfoDpo serviceIdentityInfo);
+
   /**
    * Produces the correponding API-model ConnectionConfigInfo for this persistence object; many
    * fields are one-to-one direct mappings, but some fields, such as secretReferences, might only be

polaris-core/src/main/java/org/apache/polaris/core/connection/OAuthClientCredentialsParametersDpo.java

@@ -35,7 +35,7 @@
 import org.apache.iceberg.rest.auth.OAuth2Util;
 import org.apache.polaris.core.admin.model.AuthenticationParameters;
 import org.apache.polaris.core.admin.model.OAuthClientCredentialsParameters;
-import org.apache.polaris.core.secrets.UserSecretReference;
+import org.apache.polaris.core.secrets.SecretReference;
 import org.apache.polaris.core.secrets.UserSecretsManager;
 
 /**
@@ -53,7 +53,7 @@ public class OAuthClientCredentialsParametersDpo extends AuthenticationParameter
   private final String clientId;
 
   @JsonProperty(value = "clientSecretReference")
-  private final UserSecretReference clientSecretReference;
+  private final SecretReference clientSecretReference;
 
   @JsonProperty(value = "scopes")
   private final List<String> scopes;
@@ -62,7 +62,7 @@ public OAuthClientCredentialsParametersDpo(
       @JsonProperty(value = "tokenUri", required = false) @Nullable String tokenUri,
       @JsonProperty(value = "clientId", required = true) @Nonnull String clientId,
       @JsonProperty(value = "clientSecretReference", required = true) @Nonnull
-          UserSecretReference clientSecretReference,
+          SecretReference clientSecretReference,
       @JsonProperty(value = "scopes", required = false) @Nullable List<String> scopes) {
     super(AuthenticationType.OAUTH.getCode());
 
@@ -82,11 +82,11 @@ public OAuthClientCredentialsParametersDpo(
     return clientId;
   }
 
-  public @Nonnull UserSecretReference getClientSecretReference() {
+  public @Nonnull SecretReference getClientSecretReference() {
     return clientSecretReference;
   }
 
-  public @Nonnull List<String> getScopes() {
+  public @Nullable List<String> getScopes() {
     return scopes;
   }
 
@@ -115,7 +115,7 @@ public OAuthClientCredentialsParametersDpo(
   }
 
   @Override
-  public AuthenticationParameters asAuthenticationParametersModel() {
+  public @Nonnull AuthenticationParameters asAuthenticationParametersModel() {
     return OAuthClientCredentialsParameters.builder()
         .setAuthenticationType(AuthenticationParameters.AuthenticationTypeEnum.OAUTH)
         .setTokenUri(getTokenUri())