Re: [PR] Enforce that S3 credentials are vended when requested [polaris]

Wed, 01 Oct 2025 13:58:47 -0700 


HonahX commented on code in PR #2711:
URL: https://github.com/apache/polaris/pull/2711#discussion_r2395885700


##########
polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsCredentialsStorageIntegration.java:
##########
@@ -70,19 +71,25 @@ public AwsCredentialsStorageIntegration(
 
   /** {@inheritDoc} */
   @Override
-  public AccessConfig getSubscopedCreds(
+  public AccessConfig getAccessConfig(
       @Nonnull RealmConfig realmConfig,
       boolean allowListOperation,
       @Nonnull Set<String> allowedReadLocations,
       @Nonnull Set<String> allowedWriteLocations,
-      Optional<String> refreshCredentialsEndpoint) {
+      Optional<String> refreshCredentialsEndpoint,
+      boolean credentialsRequired) {
     int storageCredentialDurationSeconds =
         realmConfig.getConfig(STORAGE_CREDENTIAL_DURATION_SECONDS);
     AwsStorageConfigurationInfo storageConfig = config();
     String region = storageConfig.getRegion();
     AccessConfig.Builder accessConfig = AccessConfig.builder();
 
-    if (shouldUseSts(storageConfig)) {
+    boolean shouldUseSts = shouldUseSts(storageConfig);
+    Preconditions.checkArgument(

Review Comment:
   I think this error will be wrapped in to an error SubScopedResult and 
finally be thrown as `UnprocessableEntityException` in the 
`StorageCredentialCache` line 155. Just check if this is intended



##########
polaris-core/src/main/java/org/apache/polaris/core/storage/cache/StorageCredentialCacheKey.java:
##########
@@ -69,6 +73,7 @@ static StorageCredentialCacheKey of(
         allowedListAction,
         allowedReadLocations,
         allowedWriteLocations,
-        refreshCredentialsEndpoint);
+        refreshCredentialsEndpoint,
+        credentialsRequired);

Review Comment:
   [non-blocker] I think this implies some extra cache miss for azure and gcp 
where `credentialsRequired` does not make any difference. 
   
   Do we have some general use-case of the `credentialsRequired` on gcp and 
azure, such that we could unify the credential existence check at 
`storageCredentialCache`, such that the persistence/credentialVendor just do 
its best effort to generate an access config, and let the cache api to decide 
whether the result is valid?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to