SigV4 Auth Support for Catalog Federation - Part 3: Service Identity Info Injection #2523
Merged: dennishuo merged 17 commits into apache:main from XJDKC:rxing-catalog-federation-sigv4-part-3 on Oct 4, 2025
17 commits
cd82949 Service Identity Injection (XJDKC)
8fcf998 Resolved some comments (XJDKC)
0b5e902 Merge remote-tracking branch 'apache/main' into rxing-catalog-federat… (XJDKC)
1f2ac2b Return injected service identity info in response (XJDKC)
46f9690 Use AwsCredentialsProvider to retrieve the credentials (XJDKC)
0e7be85 Move some logic to ServiceIdentityConfiguration (XJDKC)
613a2fa Merge remote-tracking branch 'apache/main' into rxing-catalog-federat… (XJDKC)
e386298 Resolved more comments (XJDKC)
0cfc5eb Merge remote-tracking branch 'apache/main' into rxing-catalog-federat… (XJDKC)
fe883ce Merge remote-tracking branch 'apache/main' into rxing-catalog-federat… (XJDKC)
870d682 Rename ServiceIdentityRegistry to ServiceIdentityProvider (XJDKC)
8d46702 Rename ResolvedServiceIdentity to ServiceIdentityCredential (XJDKC)
cf4b751 Simplify the logic and add more tests (XJDKC)
7def8e8 Merge remote-tracking branch 'apache/main' into rxing-catalog-federat… (XJDKC)
dfa36aa Use SecretReference and fix some small issues (XJDKC)
dede7a5 Resolved more comments (XJDKC)
f14b5d3 Disable Catalog Federation (XJDKC)
...ain/java/org/apache/polaris/core/identity/credential/AwsIamServiceIdentityCredential.java (100 changes: 100 additions & 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,100 @@ | ||
| /* | ||
| * Licensed to the Apache Software Foundation (ASF) under one | ||
| * or more contributor license agreements. See the NOTICE file | ||
| * distributed with this work for additional information | ||
| * regarding copyright ownership. The ASF licenses this file | ||
| * to you under the Apache License, Version 2.0 (the | ||
| * "License"); you may not use this file except in compliance | ||
| * with the License. You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, | ||
| * software distributed under the License is distributed on an | ||
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
| * KIND, either express or implied. See the License for the | ||
| * specific language governing permissions and limitations | ||
| * under the License. | ||
| */ | ||
| package org.apache.polaris.core.identity.credential; | ||
|
|
||
| import jakarta.annotation.Nonnull; | ||
| import jakarta.annotation.Nullable; | ||
| import org.apache.polaris.core.admin.model.AwsIamServiceIdentityInfo; | ||
| import org.apache.polaris.core.admin.model.ServiceIdentityInfo; | ||
| import org.apache.polaris.core.identity.ServiceIdentityType; | ||
| import org.apache.polaris.core.identity.dpo.AwsIamServiceIdentityInfoDpo; | ||
| import org.apache.polaris.core.identity.dpo.ServiceIdentityInfoDpo; | ||
| import org.apache.polaris.core.secrets.SecretReference; | ||
| import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider; | ||
| import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider; | ||
|
|
||
| /** | ||
| * Represents an AWS IAM service identity credential used by Polaris to authenticate to AWS | ||
| * services. | ||
| * | ||
| * <p>This credential encapsulates: | ||
| * | ||
| * <ul> | ||
| * <li>The IAM ARN (role or user) representing the Polaris service identity | ||
| * <li>An {@link AwsCredentialsProvider} that supplies AWS credentials (access key, secret key, | ||
| * and optional session token) | ||
| * </ul> | ||
| * | ||
| * <p>Polaris uses this identity to assume customer-provided IAM roles when accessing remote | ||
| * catalogs with SigV4 authentication. The {@link AwsCredentialsProvider} can be configured to use | ||
| * either: | ||
| * | ||
| * <ul> | ||
| * <li>Static credentials (for testing or single-tenant deployments) | ||
| * <li>DefaultCredentialsProvider (which chains through various AWS credential sources) | ||
| * <li>Custom credential providers (for vendor-specific secret management) | ||
| * </ul> | ||
| */ | ||
| public class AwsIamServiceIdentityCredential extends ServiceIdentityCredential { | ||
|
|
||
| /** IAM role or user ARN representing the Polaris service identity. */ | ||
| private final String iamArn; | ||
|
|
||
| /** AWS credentials provider for accessing AWS services. */ | ||
| private final AwsCredentialsProvider awsCredentialsProvider; | ||
|
|
||
| public AwsIamServiceIdentityCredential(@Nullable String iamArn) { | ||
| this(null, iamArn, DefaultCredentialsProvider.builder().build()); | ||
| } | ||
|
|
||
| public AwsIamServiceIdentityCredential( | ||
| @Nullable String iamArn, @Nonnull AwsCredentialsProvider awsCredentialsProvider) { | ||
| this(null, iamArn, awsCredentialsProvider); | ||
| } | ||
|
|
||
| public AwsIamServiceIdentityCredential( | ||
| @Nullable SecretReference secretReference, | ||
| @Nullable String iamArn, | ||
| @Nonnull AwsCredentialsProvider awsCredentialsProvider) { | ||
| super(ServiceIdentityType.AWS_IAM, secretReference); | ||
| this.iamArn = iamArn; | ||
| this.awsCredentialsProvider = awsCredentialsProvider; | ||
| } | ||
|
|
||
| public @Nullable String getIamArn() { | ||
| return iamArn; | ||
| } | ||
|
|
||
| public @Nonnull AwsCredentialsProvider getAwsCredentialsProvider() { | ||
| return awsCredentialsProvider; | ||
| } | ||
|
|
||
| @Override | ||
| public @Nonnull ServiceIdentityInfoDpo asServiceIdentityInfoDpo() { | ||
| return new AwsIamServiceIdentityInfoDpo(getIdentityInfoReference()); | ||
| } | ||
|
|
||
| @Override | ||
| public @Nonnull ServiceIdentityInfo asServiceIdentityInfoModel() { | ||
| return AwsIamServiceIdentityInfo.builder() | ||
| .setIdentityType(ServiceIdentityInfo.IdentityTypeEnum.AWS_IAM) | ||
| .setIamArn(getIamArn()) | ||
| .build(); | ||
| } | ||
| } |
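Review bot: the two convenience constructors pass `null` as the `SecretReference`, yet `asServiceIdentityInfoDpo()` calls `new AwsIamServiceIdentityInfoDpo(getIdentityInfoReference())` unconditionally, so a credential built with `new AwsIamServiceIdentityCredential(iamArn)` and converted before `setIdentityInfoReference` has been called carries a null reference into the persisted DPO. Consider guarding the conversion with `Objects.requireNonNull(getIdentityInfoReference(), "identityInfoReference must be set before persisting")`, or documenting on the constructors that the reference must be assigned before conversion. The single-arg constructor also silently falls back to `DefaultCredentialsProvider.builder().build()`; a Javadoc line stating that this resolves the host's default AWS credential chain would make it clear to operators which identity the service ends up using.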
.../src/main/java/org/apache/polaris/core/identity/credential/ServiceIdentityCredential.java (91 changes: 91 additions & 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,91 @@ | ||
| /* | ||
| * Licensed to the Apache Software Foundation (ASF) under one | ||
| * or more contributor license agreements. See the NOTICE file | ||
| * distributed with this work for additional information | ||
| * regarding copyright ownership. The ASF licenses this file | ||
| * to you under the Apache License, Version 2.0 (the | ||
| * "License"); you may not use this file except in compliance | ||
| * with the License. You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, | ||
| * software distributed under the License is distributed on an | ||
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
| * KIND, either express or implied. See the License for the | ||
| * specific language governing permissions and limitations | ||
| * under the License. | ||
| */ | ||
| package org.apache.polaris.core.identity.credential; | ||
|
|
||
| import jakarta.annotation.Nonnull; | ||
| import jakarta.annotation.Nullable; | ||
| import org.apache.polaris.core.admin.model.ServiceIdentityInfo; | ||
| import org.apache.polaris.core.identity.ServiceIdentityType; | ||
| import org.apache.polaris.core.identity.dpo.ServiceIdentityInfoDpo; | ||
| import org.apache.polaris.core.secrets.SecretReference; | ||
| import software.amazon.awssdk.annotations.NotNull; | ||
|
|
||
| /** | ||
| * Represents a service identity credential used by Polaris to authenticate to external systems. | ||
| * | ||
| * <p>This class encapsulates both the service identity metadata (e.g., AWS IAM ARN) and the | ||
| * associated credentials (e.g., AWS access keys) needed to authenticate as the Polaris service when | ||
| * accessing external catalog services. | ||
| * | ||
| * <p>The credential contains: | ||
| * | ||
| * <ul> | ||
| * <li>Identity type (e.g., AWS_IAM) | ||
| * <li>A {@link SecretReference} that serves as a unique identifier for this service identity | ||
| * instance (used for lookups and persistence) | ||
| * <li>The actual authentication credentials (implementation-specific, e.g., | ||
| * AwsCredentialsProvider) | ||
| * </ul> | ||
| */ | ||
| public abstract class ServiceIdentityCredential { | ||
| private final ServiceIdentityType identityType; | ||
| private SecretReference identityInfoReference; | ||
|
||
|
|
||
| public ServiceIdentityCredential(@Nonnull ServiceIdentityType identityType) { | ||
| this(identityType, null); | ||
| } | ||
|
|
||
| public ServiceIdentityCredential( | ||
| @Nonnull ServiceIdentityType identityType, @Nullable SecretReference identityInfoReference) { | ||
| this.identityType = identityType; | ||
| this.identityInfoReference = identityInfoReference; | ||
| } | ||
|
|
||
| public @NotNull ServiceIdentityType getIdentityType() { | ||
| return identityType; | ||
| } | ||
|
|
||
| public @Nonnull SecretReference getIdentityInfoReference() { | ||
| return identityInfoReference; | ||
| } | ||
|
|
||
| public void setIdentityInfoReference(@NotNull SecretReference identityInfoReference) { | ||
| this.identityInfoReference = identityInfoReference; | ||
| } | ||
|
|
||
| /** | ||
| * Converts this service identity credential into its corresponding persisted form (DPO). | ||
| * | ||
| * <p>The DPO contains only a reference to the credential, not the credential itself, as the | ||
| * actual secrets are managed externally. | ||
| * | ||
| * @return The persistence object representation | ||
| */ | ||
| public abstract @Nonnull ServiceIdentityInfoDpo asServiceIdentityInfoDpo(); | ||
|
|
||
| /** | ||
| * Converts this service identity credential into its API model representation. | ||
| * | ||
| * <p>The model contains identity information (e.g., IAM ARN) but excludes sensitive credentials | ||
| * such as access keys or session tokens. | ||
| * | ||
| * @return The API model representation for client responses | ||
| */ | ||
| public abstract @Nonnull ServiceIdentityInfo asServiceIdentityInfoModel(); | ||
| } | ||
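Review bot: `getIdentityInfoReference()` is annotated `@Nonnull` but returns a field the two-arg constructor accepts as `@Nullable` and that is only populated later through `setIdentityInfoReference`, so the annotation promises more than the class guarantees; either mark the getter `@Nullable` or have the base constructor reject a null reference. Relatedly, the hunk mixes `jakarta.annotation.Nonnull` with `software.amazon.awssdk.annotations.NotNull` (`getIdentityType` and `setIdentityInfoReference` use the AWS SDK annotation), which static analysers treat as unrelated contracts; standardising on the `jakarta` annotations already imported in the same file keeps the nullability checks consistent.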