FANNG1 commented on code in PR #5701: URL: https://github.com/apache/gravitino/pull/5701#discussion_r1865514938
########## bundles/aliyun-bundle/src/main/java/org/apache/gravitino/oss/credential/OSSTokenProvider.java: ########## 
@@ -0,0 +1,267 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.gravitino.oss.credential;
+
+import com.aliyun.credentials.Client;
+import com.aliyun.credentials.models.Config;
+import com.aliyun.credentials.models.CredentialModel;
+import com.aliyun.credentials.utils.AuthConstant;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import java.io.IOException;
+import java.net.URI;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Set;
+import java.util.stream.Stream;
+import javax.annotation.Nullable;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.gravitino.credential.Credential;
+import org.apache.gravitino.credential.CredentialContext;
+import org.apache.gravitino.credential.CredentialProvider;
+import org.apache.gravitino.credential.OSSTokenCredential;
+import org.apache.gravitino.credential.PathBasedCredentialContext;
+import org.apache.gravitino.credential.config.OSSCredentialConfig;
+import org.apache.gravitino.oss.credential.policy.Condition;
+import org.apache.gravitino.oss.credential.policy.Effect;
+import org.apache.gravitino.oss.credential.policy.Policy;
+import org.apache.gravitino.oss.credential.policy.Statement;
+import org.apache.gravitino.oss.credential.policy.StringLike;
+
+/** Generates OSS token to access OSS data. */
+public class OSSTokenProvider implements CredentialProvider {
+ private final ObjectMapper objectMapper = new ObjectMapper();
+ private String accessKeyId;
+ private String secretAccessKey;
+ private String roleArn;
+ private String externalID;
+ private int tokenExpireSecs;
+ private String region;
+
+ /**
+ * Initializes the credential provider with catalog properties.
+ *
+ * @param properties catalog properties that can be used to configure the provider. The specific
+ * properties required vary by implementation.
+ */
+ @Override
+ public void initialize(Map<String, String> properties) {
+ OSSCredentialConfig credentialConfig = new OSSCredentialConfig(properties);
+ this.roleArn = credentialConfig.ossRoleArn();
+ this.externalID = credentialConfig.externalID();
+ this.tokenExpireSecs = credentialConfig.tokenExpireInSecs();
+ this.accessKeyId = credentialConfig.accessKeyID();
+ this.secretAccessKey = credentialConfig.secretAccessKey();
+ this.region = credentialConfig.region();
+ }
+
+ /**
+ * Returns the type of credential, it should be identical in Gravitino.
+ *
+ * @return A string identifying the type of credentials.
+ */
+ @Override
+ public String credentialType() {
+ return OSSTokenCredential.OSS_TOKEN_CREDENTIAL_TYPE;
+ }
+
+ /**
+ * Obtains a credential based on the provided context information.
+ *
+ * @param context A context object providing necessary information for retrieving credentials.
+ * @return A Credential object containing the authentication information needed to access a system
+ * or resource. Null will be returned if no credential is available.
+ */
+ @Nullable
+ @Override
+ public Credential getCredential(CredentialContext context) {
+ if (!(context instanceof PathBasedCredentialContext)) {
+ return null;
+ }
+ PathBasedCredentialContext pathBasedCredentialContext = (PathBasedCredentialContext) context;
+ CredentialModel credentialModel =
+ createOSSCredentialModel(
+ roleArn,
+ pathBasedCredentialContext.getReadPaths(),
+ pathBasedCredentialContext.getWritePaths(),
+ pathBasedCredentialContext.getUserName());
+ return new OSSTokenCredential(
+ credentialModel.accessKeyId,
+ credentialModel.accessKeySecret,
+ credentialModel.securityToken,
+ credentialModel.expiration);
+ }
+
+ private CredentialModel createOSSCredentialModel(
Review Comment: Is there any reason to use `RAMRoleARN` to get credentials not `assumeRole` from STS directly?
-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: commits-unsubscr...@gravitino.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
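Review bot: `getCredential` forwards `getReadPaths()`, `getWritePaths()` and `getUserName()` straight into `createOSSCredentialModel`, with no check visible here that at least one path was supplied. The helper's body lies beyond the quoted hunk, so these lines cannot confirm whether an empty path set yields a deny-everything policy or a token carrying the role's full permissions. A guard in `getCredential` would make the least-privilege behaviour explicit, for example `if (pathBasedCredentialContext.getReadPaths().isEmpty() && pathBasedCredentialContext.getWritePaths().isEmpty()) { return null; }`, assuming both getters return non-null collections. If the helper already rejects that case, a one-line comment at the call site saying so would save the next reader the same question.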