XJDKC commented on code in PR #2523: URL: https://github.com/apache/polaris/pull/2523#discussion_r2372923920
########## runtime/service/src/main/java/org/apache/polaris/service/identity/AwsIamServiceIdentityConfiguration.java: ########## @@ -0,0 +1,74 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.polaris.service.identity; + +import java.util.Optional; +import org.apache.polaris.core.identity.resolved.ResolvedAwsIamServiceIdentity; + +/** + * Configuration for an AWS IAM service identity used by Polaris to access AWS services. + * + * <p>This includes the IAM ARN and optionally, static credentials (access key, secret key, and + * session token). If credentials are provided, they will be used to construct a {@link + * ResolvedAwsIamServiceIdentity}; otherwise, the AWS default credential provider chain is used. + */ +public interface AwsIamServiceIdentityConfiguration extends ResolvableServiceIdentityConfiguration { + + /** The IAM role or user ARN representing the service identity. */ + String iamArn(); + + /** + * Optional AWS access key ID associated with the IAM identity. If not provided, the AWS default + * credential chain will be used. + */ + Optional<String> accessKeyId(); Review Comment: I will open a PR to consolidate `UserSecretReference` and `ServiceSecretReference` based on the feedback from part 2. **`UserSecretsManager` and `ServiceIdentityRegistry` Comparison** `ServiceIdentityRegistry` is analogous to `ServiceSecretsManager`, but it does **not** need to implement `deleteSecret`. And the logic of `readSecret` and `writeSecret` are also slight different. **Note that `ServiceIdentityInfoDpo` is a combination of `ServiceIdentityType` + `ServiceSecretReference`.** This means `discoverServiceIdentity(ServiceIdentityType serviceIdentityType);` is very similar to `UserSecretsManager::writeSecret`, but instead of writing a secret and getting a reference to it, `ServiceIdentityRegistry` will claim a service identity from a pool and return a reference. Similar to `readSecret`, for `ServiceIdentityRegistry`, we pass in a `ServiceIdentityInfoDpo` (containing the identity type and reference). `ServiceIdentityRegistry` then returns a `ResolvedServiceIdentity`. If we compare these two classes: | `UserSecretsManager` | `ServiceIdentityRegistry` | | -------------------------------------------------------------- | ----------------------------------------------------------------------------------------- | | `SecretReference writeSecret(String secret, PolarisEntityCore forEntity);` | `Optional<ServiceIdentityInfoDpo> discoverServiceIdentity(ServiceIdentityType serviceIdentityType);` | | `String readSecret(SecretReference secretReference);` | `Optional<ResolvedServiceIdentity> resolveServiceIdentity(ServiceIdentityInfoDpo serviceIdentityInfo);` | | `void deleteSecret(SecretReference secretReference);` | *N/A* | `ResolvableServiceIdentityConfiguration` is only a static way to configure the pool (via application.properties), it's a class used by quarkus framework to deserialize the config, I'm not sure if I can push the methods into protected methods. For a real Polaris vendor, the vendor must implement a dynamic `ServiceIdentityRegistry`. I can make `resolve` taking a `ServiceSecretReference` as an argument. But `ResolvableServiceIdentityConfiguration` tends to be a class for holding the pure config without caring about generating the reference to it. ```java @Override default Optional<ResolvedAwsIamServiceIdentity> resolve(@Nonnull String realmIdentifier) { if (iamArn() == null) { return Optional.empty(); } else { return Optional.of( new ResolvedAwsIamServiceIdentity( DefaultServiceIdentityRegistry.buildIdentityInfoReference( realmIdentifier, ServiceIdentityType.AWS_IAM), iamArn(), awsCredentialsProvider())); } } ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
