XJDKC opened a new pull request, #2759:
URL: https://github.com/apache/polaris/pull/2759

   
   ## Milestones
   
   This is Part 3 of the [[Splitting] Initial SigV4 Auth Support for Catalog Federation](https://github.com/apache/polaris/pull/1805). Upcoming parts will build on this system:
   * ~~#1899~~
   * #2190
   * #2523
   * SigV4 Auth Support for Catalog Federation - Part 4: Connection Credential 
Manager
   
   ## Introduction
   This PR introduces a flexible connection credential management system for 
Polaris. Building on Part 3's service identity management, this system combines 
Polaris service identities with user-provided authentication parameters to 
generate credentials for remote catalog access.
   The core of this PR is the new `ConnectionCredentialVendor` interface, which:
   * Generates connection credentials by combining service identity with user 
auth parameters
   * Supports different authentication types (SIGV4, OAuth) through CDI
   * Provides on-demand credential generation
   * Enables easy extension for new authentication types
   
   ## Key Components
   1. **ConnectionCredentialVendor**
   The central interface that defines how connection credentials are generated. 
It combines Polaris service identities with user-provided authentication 
parameters to produce the final credentials needed for remote catalog access. 
This interface serves as the foundation for all authentication type-specific 
implementations.
   
   2. **DefaultPolarisCredentialManager**
   The primary implementation that orchestrates credential generation. It uses 
CDI to automatically select the appropriate vendor based on authentication 
type, delegates the credential generation process, and provides consistent 
error handling. This class integrates with the ServiceIdentityProvider from 
Part 3 to resolve Polaris service identities.
   
   3. **SigV4ConnectionCredentialVendor**
   A reference implementation for AWS SigV4 authentication. It handles the 
complex process of resolving AWS IAM credentials from service identities, 
performing AWS STS AssumeRole operations, and generating temporary credentials 
for catalog access. This implementation demonstrates best practices for vendor 
development.
   
   4. **@SupportsAuthType**
   A CDI qualifier annotation that marks vendor implementations with their 
supported authentication types. This enables automatic vendor selection at 
runtime while maintaining type safety. The qualifier is essential for the 
CDI-based pluggable architecture.
   
   ## Future Improvements
   * Add credential caching support
   * Migrate storage creds to this new framework
   
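As an added illustration (not code from this PR or from Polaris), here is one way the `@SupportsAuthType` qualifier and CDI-based vendor selection described above can fit together, with the manager failing closed when no vendor, or more than one, claims an auth type. The `AuthType` enum, the `Map`-based parameter types and the method signatures are assumptions made for the example.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Map;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.inject.Any;
import jakarta.enterprise.inject.Instance;
import jakarta.enterprise.util.AnnotationLiteral;
import jakarta.inject.Inject;
import jakarta.inject.Qualifier;

/** Hypothetical auth-type enum; the PR names SIGV4 and OAuth as the supported types. */
enum AuthType { SIGV4, OAUTH }

/** CDI qualifier marking a vendor with the auth type it serves (shape assumed). */
@Qualifier @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.TYPE, ElementType.FIELD})
@interface SupportsAuthType { AuthType value(); }

/** Assumed signature: combine the Polaris service identity with user auth parameters. */
interface ConnectionCredentialVendor {
  Map<String, String> getConnectionCredentials(Map<String, String> serviceIdentity,
                                               Map<String, String> userAuthParams);
}

/** Annotation literal so the manager can select a vendor by auth type at runtime. */
final class SupportsAuthTypeLiteral extends AnnotationLiteral<SupportsAuthType>
    implements SupportsAuthType {
  private final AuthType type;
  SupportsAuthTypeLiteral(AuthType type) { this.type = type; }
  @Override public AuthType value() { return type; }
}

@ApplicationScoped
class DefaultPolarisCredentialManager {
  @Inject @Any Instance<ConnectionCredentialVendor> vendors;

  /** Fail closed: exactly one vendor must claim the requested auth type. */
  ConnectionCredentialVendor vendorFor(AuthType type) {
    Instance<ConnectionCredentialVendor> match = vendors.select(new SupportsAuthTypeLiteral(type));
    if (match.isUnsatisfied()) throw new IllegalStateException("no vendor for " + type);
    if (match.isAmbiguous()) throw new IllegalStateException("multiple vendors for " + type);
    return match.get();
  }

  /** Delegate generation to the selected vendor; callers never see the service identity's secrets. */
  Map<String, String> credentialsFor(AuthType type, Map<String, String> serviceIdentity,
                                     Map<String, String> userAuthParams) {
    return vendorFor(type).getConnectionCredentials(serviceIdentity, userAuthParams);
  }
}
```

A `SigV4ConnectionCredentialVendor` annotated `@SupportsAuthType(AuthType.SIGV4)` would be picked up by `vendorFor(AuthType.SIGV4)` without any registry code in the manager.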


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
