XJDKC opened a new pull request, #1900:
URL: https://github.com/apache/polaris/pull/1900

## Milestones

This is Part 2 of the [[Splitting] Initial SigV4 Auth Support for Catalog Federation](https://github.com/apache/polaris/pull/1805). Upcoming parts will build on this system:
* #1899
* SigV4 Auth Support for Catalog Federation - Part 2: Connection Config Persistence
* SigV4 Auth Support for Catalog Federation - Part 3: Service Identity Info Injection
* SigV4 Auth Support for Catalog Federation - Part 4: Connection Credential Manager

## Introduction

This PR introduces DPOs (data persistence objects) that allow Polaris to persist SigV4 authentication parameters and service identity references associated with remote catalog connections.

The core idea is to persist a reference to Polaris's own service credentials (e.g. AWS IAM user) rather than the credentials themselves. This enables secure, pluggable credential resolution from external secret stores (e.g. a vault or secret manager) and supports the ability to assume user-specified roles at runtime via SigV4.

## Design Overview

Each `ConnectionConfigInfoDpo` (used for remote catalog federation) now contains a `ServiceIdentityInfoDpo`, which in turn holds a `ServiceSecretReference`. This design allows:
* Polaris to store only references to its service identity (e.g. AWS IAM user)
* The actual credentials to be stored securely in a vault or secret manager
* Runtime resolution of credentials based on these references
* Role assumption using `SigV4AuthenticationParametersDpo` (supplied by the user)

This separation of identity metadata and authentication parameters provides a secure and flexible foundation for credential management.

## Key Components
* `SigV4AuthenticationParametersDpo`: Holds user-supplied role assumption parameters like:
    * `roleArn`
    * `roleSessionName`: optional
    * `externalId`: optional
* `ServiceIdentityInfoDpo`: Stores metadata about the Polaris-side service identity, including a secret reference.
* `AwsIamServiceIdentityInfoDpo`: Specialized version of `ServiceIdentityInfoDpo` for AWS IAM. It includes:
    * `iamArn`: Polaris's AWS user or role
    * `ServiceSecretReference`: (points to credentials in a vault)
* `ServiceSecretReference`: Points to a credential (e.g., in a vault). This is a logical URN or identifier — Polaris never persists raw secrets.

## Flowchart
![Catalog Federation - Creds Management](https://github.com/user-attachments/assets/e6d34d3a-723d-44f3-b6ca-5d372a6dbdb2)
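The reference-only design from the Design Overview and Key Components, as an added example that is not Polaris code: the DPOs are modelled as plain dataclasses, the persisted form carries only the `ServiceSecretReference`, and the runtime path resolves Polaris's own credentials through that reference before assembling the STS AssumeRole inputs from the user-supplied parameters. Class names, the URN scheme, the `resolve` callback and the in-memory vault are assumptions.

```python
# Added example, not Polaris code: a minimal model of the reference-only
# persistence this PR describes. Class and field names are assumptions.
import json
import re
from collections import namedtuple
from dataclasses import asdict, dataclass
from typing import Optional
ROLE_ARN = re.compile(r"^arn:aws(?:-[a-z]+)?:iam::\d{12}:role/[\w+=,.@/-]+$")
AwsCredentials = namedtuple("AwsCredentials", "access_key_id secret_access_key")
@dataclass(frozen=True)
class ServiceSecretReference:
    urn: str  # logical pointer into a vault; never the credential itself
@dataclass(frozen=True)
class AwsIamServiceIdentityInfo:
    iam_arn: str  # Polaris's own IAM user or role
    secret_reference: ServiceSecretReference
@dataclass(frozen=True)
class SigV4AuthenticationParameters:  # user-supplied role-assumption inputs
    role_arn: str
    role_session_name: Optional[str] = None
    external_id: Optional[str] = None
@dataclass(frozen=True)
class ConnectionConfigInfo:
    service_identity: AwsIamServiceIdentityInfo
    sigv4: SigV4AuthenticationParameters

def persist(config: ConnectionConfigInfo) -> str:
    # What reaches the metastore: identity metadata plus the reference, no secret.
    return json.dumps(asdict(config), sort_keys=True)

def validate_sigv4_params(p: SigV4AuthenticationParameters) -> list:
    # Reject malformed user input before it is persisted or sent to STS.
    return [] if ROLE_ARN.match(p.role_arn) else ["role_arn is not an IAM role ARN"]

def build_assume_role_request(config: ConnectionConfigInfo, resolve) -> dict:
    # Runtime path: resolve Polaris's own credentials through the reference, then
    # assemble the AssumeRole inputs; ExternalId is the confused-deputy guard.
    problems = validate_sigv4_params(config.sigv4)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "signing_credentials": resolve(config.service_identity.secret_reference),
        "RoleArn": config.sigv4.role_arn,
        "RoleSessionName": config.sigv4.role_session_name or "polaris-federation",
        "ExternalId": config.sigv4.external_id,
    }

# Constructed in-memory vault standing in for a secret manager (fake values).
VAULT = {"urn:polaris:secret:aws-iam/prod": AwsCredentials("AKIAEXAMPLE", "EXAMPLESECRET")}
def vault_resolver(ref: ServiceSecretReference) -> AwsCredentials:
    return VAULT[ref.urn]
```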
   


-- 
This is an automated message from the Apache Git Service.