This is an automated email from the ASF dual-hosted git repository.

emaynard pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/polaris.git


The following commit(s) were added to refs/heads/main by this push:
     new 10ee64d07 add AWS_SESSION_TOKEN_EXPIRES_AT_MS (#1160)
10ee64d07 is described below

commit 10ee64d073bfe57aaa9b94116708a93cc3ef3f4f
Author: Juichang Lu <[email protected]>
AuthorDate: Tue Mar 11 17:01:03 2025 -0400

    add AWS_SESSION_TOKEN_EXPIRES_AT_MS (#1160)
    
    * add AWS_SESSION_TOKEN_EXPIRES_AT_MS
    
    * spotless
    
    * add expiration time to aws integration tests
    
    ---------
    
    Co-authored-by: David Lu <[email protected]>
---
 .../core/storage/PolarisCredentialProperty.java    |  4 +++
 .../aws/AwsCredentialsStorageIntegration.java      | 10 +++++---
 .../storage/cache/StorageCredentialCacheEntry.java |  4 +++
 .../storage/cache/StorageCredentialCacheTest.java  |  1 +
 .../aws/AwsCredentialsStorageIntegrationTest.java  | 29 ++++++++++++++++++----
 5 files changed, 40 insertions(+), 8 deletions(-)

diff --git 
a/polaris-core/src/main/java/org/apache/polaris/core/storage/PolarisCredentialProperty.java
 
b/polaris-core/src/main/java/org/apache/polaris/core/storage/PolarisCredentialProperty.java
index c79aaf595..2f21a84fd 100644
--- 
a/polaris-core/src/main/java/org/apache/polaris/core/storage/PolarisCredentialProperty.java
+++ 
b/polaris-core/src/main/java/org/apache/polaris/core/storage/PolarisCredentialProperty.java
@@ -23,6 +23,10 @@ public enum PolarisCredentialProperty {
   AWS_KEY_ID(String.class, "s3.access-key-id", "the aws access key id"),
   AWS_SECRET_KEY(String.class, "s3.secret-access-key", "the aws access key 
secret"),
   AWS_TOKEN(String.class, "s3.session-token", "the aws scoped access token"),
+  AWS_SESSION_TOKEN_EXPIRES_AT_MS(
+      String.class,
+      "s3.session-token-expires-at-ms",
+      "the time the aws session token expires, in milliseconds"),
   CLIENT_REGION(
       String.class, "client.region", "region to configure client for making 
requests to AWS"),
 
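Review bot: The description string for `AWS_SESSION_TOKEN_EXPIRES_AT_MS` says "in milliseconds" without naming the reference point, which reads like a duration. The value written in AwsCredentialsStorageIntegration comes from `toEpochMilli()`, so the text should say so: `"the time the aws session token expires, in milliseconds since the Unix epoch"`. Clients that read `s3.session-token-expires-at-ms` to decide when to refresh credentials depend on that interpretation. The enum body continues outside the hunk.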
diff --git 
a/polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsCredentialsStorageIntegration.java
 
b/polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsCredentialsStorageIntegration.java
index f522b77b5..591a67f15 100644
--- 
a/polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsCredentialsStorageIntegration.java
+++ 
b/polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsCredentialsStorageIntegration.java
@@ -83,9 +83,13 @@ public class AwsCredentialsStorageIntegration
     credentialMap.put(PolarisCredentialProperty.AWS_TOKEN, 
response.credentials().sessionToken());
     Optional.ofNullable(response.credentials().expiration())
         .ifPresent(
-            i ->
-                credentialMap.put(
-                    PolarisCredentialProperty.EXPIRATION_TIME, 
String.valueOf(i.toEpochMilli())));
+            i -> {
+              credentialMap.put(
+                  PolarisCredentialProperty.EXPIRATION_TIME, 
String.valueOf(i.toEpochMilli()));
+              credentialMap.put(
+                  PolarisCredentialProperty.AWS_SESSION_TOKEN_EXPIRES_AT_MS,
+                  String.valueOf(i.toEpochMilli()));
+            });
 
     if (storageConfig.getRegion() != null) {
       credentialMap.put(PolarisCredentialProperty.CLIENT_REGION, 
storageConfig.getRegion());
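Review bot: The new lambda body calls `String.valueOf(i.toEpochMilli())` twice to store the same value under `EXPIRATION_TIME` and `AWS_SESSION_TOKEN_EXPIRES_AT_MS`, and nothing explains why both keys are written. Compute it once, `String expiresAtMs = String.valueOf(i.toEpochMilli());`, and add a comment naming the reader of each key, for example `// EXPIRATION_TIME kept for existing readers; AWS_SESSION_TOKEN_EXPIRES_AT_MS is the s3.session-token-expires-at-ms property` if that is the intent. When `response.credentials().expiration()` is null neither key is set, so a consumer of the map has no expiry for these STS credentials; that case deserves a comment or a log line. The enclosing method starts and ends outside the hunk.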
diff --git 
a/polaris-core/src/main/java/org/apache/polaris/core/storage/cache/StorageCredentialCacheEntry.java
 
b/polaris-core/src/main/java/org/apache/polaris/core/storage/cache/StorageCredentialCacheEntry.java
index 6417cde0f..71068e936 100644
--- 
a/polaris-core/src/main/java/org/apache/polaris/core/storage/cache/StorageCredentialCacheEntry.java
+++ 
b/polaris-core/src/main/java/org/apache/polaris/core/storage/cache/StorageCredentialCacheEntry.java
@@ -42,6 +42,10 @@ public class StorageCredentialCacheEntry {
     if 
(credsMap.containsKey(PolarisCredentialProperty.GCS_ACCESS_TOKEN_EXPIRES_AT)) {
       return 
Long.parseLong(credsMap.get(PolarisCredentialProperty.GCS_ACCESS_TOKEN_EXPIRES_AT));
     }
+    if 
(credsMap.containsKey(PolarisCredentialProperty.AWS_SESSION_TOKEN_EXPIRES_AT_MS))
 {
+      return Long.parseLong(
+          
credsMap.get(PolarisCredentialProperty.AWS_SESSION_TOKEN_EXPIRES_AT_MS));
+    }
     if (credsMap.containsKey(PolarisCredentialProperty.EXPIRATION_TIME)) {
       return 
Long.parseLong(credsMap.get(PolarisCredentialProperty.EXPIRATION_TIME));
     }
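Review bot: The added branch consults `AWS_SESSION_TOKEN_EXPIRES_AT_MS` before `EXPIRATION_TIME`, yet this commit writes both keys with the same value, so the branch changes the result only if the two ever diverge. A comment should say which key is authoritative, for example `// AWS: epoch millis of the STS session token expiry; takes precedence over the generic EXPIRATION_TIME`. As in the neighbouring branches, `Long.parseLong` is applied directly to the map value, so a null or non-numeric entry would surface as a NumberFormatException from the cache's expiry lookup; presumably acceptable because the map is produced server-side, but worth stating. The method starts and ends outside the hunk.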
diff --git 
a/polaris-core/src/test/java/org/apache/polaris/core/storage/cache/StorageCredentialCacheTest.java
 
b/polaris-core/src/test/java/org/apache/polaris/core/storage/cache/StorageCredentialCacheTest.java
index 367204875..74182eac1 100644
--- 
a/polaris-core/src/test/java/org/apache/polaris/core/storage/cache/StorageCredentialCacheTest.java
+++ 
b/polaris-core/src/test/java/org/apache/polaris/core/storage/cache/StorageCredentialCacheTest.java
@@ -397,6 +397,7 @@ public class StorageCredentialCacheTest {
                   ImmutableMap.<PolarisCredentialProperty, String>builder()
                       .put(PolarisCredentialProperty.AWS_KEY_ID, "key_id_" + 
finalI)
                       .put(PolarisCredentialProperty.AWS_SECRET_KEY, 
"key_secret_" + finalI)
+                      
.put(PolarisCredentialProperty.AWS_SESSION_TOKEN_EXPIRES_AT_MS, expireTime)
                       .put(PolarisCredentialProperty.EXPIRATION_TIME, 
expireTime)
                       .buildOrThrow())));
       if (res.size() == number) return res;
diff --git 
a/polaris-core/src/test/java/org/apache/polaris/service/storage/aws/AwsCredentialsStorageIntegrationTest.java
 
b/polaris-core/src/test/java/org/apache/polaris/service/storage/aws/AwsCredentialsStorageIntegrationTest.java
index 5ef145d65..9a6886753 100644
--- 
a/polaris-core/src/test/java/org/apache/polaris/service/storage/aws/AwsCredentialsStorageIntegrationTest.java
+++ 
b/polaris-core/src/test/java/org/apache/polaris/service/storage/aws/AwsCredentialsStorageIntegrationTest.java
@@ -21,6 +21,7 @@ package org.apache.polaris.service.storage.aws;
 import static org.assertj.core.api.Assertions.assertThat;
 
 import jakarta.annotation.Nonnull;
+import java.time.Instant;
 import java.util.EnumMap;
 import java.util.List;
 import java.util.Set;
@@ -49,6 +50,8 @@ import software.amazon.awssdk.services.sts.model.Credentials;
 
 class AwsCredentialsStorageIntegrationTest {
 
+  public static final Instant EXPIRE_TIME = Instant.now().plusMillis(3600_000);
+
   public static final AssumeRoleResponse ASSUME_ROLE_RESPONSE =
       AssumeRoleResponse.builder()
           .credentials(
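Review bot: `EXPIRE_TIME` is initialised from `Instant.now()`, so the fixture value differs on every run and a failing assertion cannot be reproduced with the same input. The assertions compare `toEpochMilli()` on both sides, so they pass today, but a fixed instant such as `Instant.parse("2100-01-01T00:00:00Z")` (constructed sample) would make the expected string stable. The constant is also `public` in a package-private test class; `private static final` would be enough if no other test reads it.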
@@ -56,6 +59,7 @@ class AwsCredentialsStorageIntegrationTest {
                   .accessKeyId("accessKey")
                   .secretAccessKey("secretKey")
                   .sessionToken("sess")
+                  .expiration(EXPIRE_TIME)
                   .build())
           .build();
   public static final String AWS_PARTITION = "aws";
@@ -93,7 +97,10 @@ class AwsCredentialsStorageIntegrationTest {
         .isNotEmpty()
         .containsEntry(PolarisCredentialProperty.AWS_TOKEN, "sess")
         .containsEntry(PolarisCredentialProperty.AWS_KEY_ID, "accessKey")
-        .containsEntry(PolarisCredentialProperty.AWS_SECRET_KEY, "secretKey");
+        .containsEntry(PolarisCredentialProperty.AWS_SECRET_KEY, "secretKey")
+        .containsEntry(
+            PolarisCredentialProperty.AWS_SESSION_TOKEN_EXPIRES_AT_MS,
+            String.valueOf(EXPIRE_TIME.toEpochMilli()));
   }
 
   @ParameterizedTest
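Review bot: The assertion added here checks only `AWS_SESSION_TOKEN_EXPIRES_AT_MS`, while the production change writes `EXPIRATION_TIME` in the same lambda, so nothing in these tests would catch the two keys diverging or the older key being dropped. Adding `.containsEntry(PolarisCredentialProperty.EXPIRATION_TIME, String.valueOf(EXPIRE_TIME.toEpochMilli()))` would pin both. The same three-line assertion is repeated in the hunks at new lines 262, 363, 458 and 523; a small private helper that asserts the expected credential entries would keep them in step. Each test method extends outside its hunk.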
@@ -255,7 +262,10 @@ class AwsCredentialsStorageIntegrationTest {
             .isNotEmpty()
             .containsEntry(PolarisCredentialProperty.AWS_TOKEN, "sess")
             .containsEntry(PolarisCredentialProperty.AWS_KEY_ID, "accessKey")
-            .containsEntry(PolarisCredentialProperty.AWS_SECRET_KEY, 
"secretKey");
+            .containsEntry(PolarisCredentialProperty.AWS_SECRET_KEY, 
"secretKey")
+            .containsEntry(
+                PolarisCredentialProperty.AWS_SESSION_TOKEN_EXPIRES_AT_MS,
+                String.valueOf(EXPIRE_TIME.toEpochMilli()));
         break;
       default:
         throw new IllegalArgumentException("Unknown aws partition: " + 
awsPartition);
@@ -353,7 +363,10 @@ class AwsCredentialsStorageIntegrationTest {
         .isNotEmpty()
         .containsEntry(PolarisCredentialProperty.AWS_TOKEN, "sess")
         .containsEntry(PolarisCredentialProperty.AWS_KEY_ID, "accessKey")
-        .containsEntry(PolarisCredentialProperty.AWS_SECRET_KEY, "secretKey");
+        .containsEntry(PolarisCredentialProperty.AWS_SECRET_KEY, "secretKey")
+        .containsEntry(
+            PolarisCredentialProperty.AWS_SESSION_TOKEN_EXPIRES_AT_MS,
+            String.valueOf(EXPIRE_TIME.toEpochMilli()));
   }
 
   @Test
@@ -445,7 +458,10 @@ class AwsCredentialsStorageIntegrationTest {
         .isNotEmpty()
         .containsEntry(PolarisCredentialProperty.AWS_TOKEN, "sess")
         .containsEntry(PolarisCredentialProperty.AWS_KEY_ID, "accessKey")
-        .containsEntry(PolarisCredentialProperty.AWS_SECRET_KEY, "secretKey");
+        .containsEntry(PolarisCredentialProperty.AWS_SECRET_KEY, "secretKey")
+        .containsEntry(
+            PolarisCredentialProperty.AWS_SESSION_TOKEN_EXPIRES_AT_MS,
+            String.valueOf(EXPIRE_TIME.toEpochMilli()));
   }
 
   @Test
@@ -507,7 +523,10 @@ class AwsCredentialsStorageIntegrationTest {
         .isNotEmpty()
         .containsEntry(PolarisCredentialProperty.AWS_TOKEN, "sess")
         .containsEntry(PolarisCredentialProperty.AWS_KEY_ID, "accessKey")
-        .containsEntry(PolarisCredentialProperty.AWS_SECRET_KEY, "secretKey");
+        .containsEntry(PolarisCredentialProperty.AWS_SECRET_KEY, "secretKey")
+        .containsEntry(
+            PolarisCredentialProperty.AWS_SESSION_TOKEN_EXPIRES_AT_MS,
+            String.valueOf(EXPIRE_TIME.toEpochMilli()));
   }
 
   @ParameterizedTest
