
Commit 6b957ec

authored
[Catalog Federation] Add Connection Credential Vendors for Other Auth Types (#2782)
Add Connection Credential Vendors for Other Auth Types This change is a prerequisite for enabling connection credential caching. By making PolarisCredentialManager the central entry point for obtaining connection credentials, we can introduce caching cleanly and manage all credential flows in a consistent way.
1 parent 1513d32 commit 6b957ec


36 files changed

+731
-142
lines changed


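--- a/extensions/federation/hadoop/src/main/java/org/apache/polaris/extensions/federation/hadoop/HadoopFederatedCatalogFactory.java
+++ b/extensions/federation/hadoop/src/main/java/org/apache/polaris/extensions/federation/hadoop/HadoopFederatedCatalogFactory.java
@@ -31,7 +31,6 @@
 import org.apache.polaris.core.connection.ConnectionType;
 import org.apache.polaris.core.connection.hadoop.HadoopConnectionConfigInfoDpo;
 import org.apache.polaris.core.credentials.PolarisCredentialManager;
-import org.apache.polaris.core.secrets.UserSecretsManager;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -44,7 +43,6 @@ public class HadoopFederatedCatalogFactory implements ExternalCatalogFactory {
   @Override
   public Catalog createCatalog(
       ConnectionConfigInfoDpo connectionConfigInfoDpo,
-      UserSecretsManager userSecretsManager,
       PolarisCredentialManager polarisCredentialManager) {
     // Currently, Polaris supports Hadoop federation only via IMPLICIT authentication.
     // Hence, prior to initializing the configuration, ensure that the catalog uses
@@ -59,15 +57,13 @@ public Catalog createCatalog(
     String warehouse = ((HadoopConnectionConfigInfoDpo) connectionConfigInfoDpo).getWarehouse();
     HadoopCatalog hadoopCatalog = new HadoopCatalog(conf, warehouse);
     hadoopCatalog.initialize(
-        warehouse,
-        connectionConfigInfoDpo.asIcebergCatalogProperties(
-            userSecretsManager, polarisCredentialManager));
+        warehouse, connectionConfigInfoDpo.asIcebergCatalogProperties(polarisCredentialManager));
     return hadoopCatalog;
   }
 
   @Override
   public GenericTableCatalog createGenericCatalog(
-      ConnectionConfigInfoDpo connectionConfig, UserSecretsManager userSecretsManager) {
+      ConnectionConfigInfoDpo connectionConfig, PolarisCredentialManager polarisCredentialManager) {
     // TODO implement
     throw new UnsupportedOperationException(
         "Generic table federation to this catalog is not supported.");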

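--- a/extensions/federation/hive/src/main/java/org/apache/polaris/extensions/federation/hive/HiveFederatedCatalogFactory.java
+++ b/extensions/federation/hive/src/main/java/org/apache/polaris/extensions/federation/hive/HiveFederatedCatalogFactory.java
@@ -30,7 +30,6 @@
 import org.apache.polaris.core.connection.ConnectionType;
 import org.apache.polaris.core.connection.hive.HiveConnectionConfigInfoDpo;
 import org.apache.polaris.core.credentials.PolarisCredentialManager;
-import org.apache.polaris.core.secrets.UserSecretsManager;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -43,7 +42,6 @@ public class HiveFederatedCatalogFactory implements ExternalCatalogFactory {
   @Override
   public Catalog createCatalog(
       ConnectionConfigInfoDpo connectionConfigInfoDpo,
-      UserSecretsManager userSecretsManager,
       PolarisCredentialManager polarisCredentialManager) {
     // Currently, Polaris supports Hive federation only via IMPLICIT authentication.
     // Hence, prior to initializing the configuration, ensure that the catalog uses
@@ -72,15 +70,13 @@ public Catalog createCatalog(
     // Kerberos instances are not suitable because Kerberos ties a single identity to the server.
     HiveCatalog hiveCatalog = new HiveCatalog();
     hiveCatalog.initialize(
-        warehouse,
-        connectionConfigInfoDpo.asIcebergCatalogProperties(
-            userSecretsManager, polarisCredentialManager));
+        warehouse, connectionConfigInfoDpo.asIcebergCatalogProperties(polarisCredentialManager));
     return hiveCatalog;
   }
 
   @Override
   public GenericTableCatalog createGenericCatalog(
-      ConnectionConfigInfoDpo connectionConfig, UserSecretsManager userSecretsManager) {
+      ConnectionConfigInfoDpo connectionConfig, PolarisCredentialManager polarisCredentialManager) {
     // TODO implement
     throw new UnsupportedOperationException(
         "Generic table federation to this catalog is not supported.");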

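--- a/polaris-core/src/main/java/org/apache/polaris/core/catalog/ExternalCatalogFactory.java
+++ b/polaris-core/src/main/java/org/apache/polaris/core/catalog/ExternalCatalogFactory.java
@@ -21,7 +21,6 @@
 import org.apache.iceberg.catalog.Catalog;
 import org.apache.polaris.core.connection.ConnectionConfigInfoDpo;
 import org.apache.polaris.core.credentials.PolarisCredentialManager;
-import org.apache.polaris.core.secrets.UserSecretsManager;
 
 /**
  * Factory interface for creating external catalog handles based on connection configuration.
@@ -35,25 +34,23 @@ public interface ExternalCatalogFactory {
    * Creates a catalog handle for the given connection configuration.
    *
    * @param connectionConfig the connection configuration
-   * @param userSecretsManager the user secrets manager for handling user-provided credentials
-   * @param polarisCredentialManager the credential manager for generating temporary credentials
+   * @param polarisCredentialManager the credential manager for generating connection credentials
    *     that Polaris uses to access external systems
    * @return the initialized catalog
    * @throws IllegalStateException if the connection configuration is invalid
    */
   Catalog createCatalog(
-      ConnectionConfigInfoDpo connectionConfig,
-      UserSecretsManager userSecretsManager,
-      PolarisCredentialManager polarisCredentialManager);
+      ConnectionConfigInfoDpo connectionConfig, PolarisCredentialManager polarisCredentialManager);
 
   /**
    * Creates a generic table catalog for the given connection configuration.
    *
    * @param connectionConfig the connection configuration
-   * @param userSecretsManager the user secrets manager for handling credentials
+   * @param polarisCredentialManager the credential manager for generating connection credentials
+   *     that Polaris uses to access external systems
    * @return the initialized catalog
    * @throws IllegalStateException if the connection configuration is invalid
    */
   GenericTableCatalog createGenericCatalog(
-      ConnectionConfigInfoDpo connectionConfig, UserSecretsManager userSecretsManager);
+      ConnectionConfigInfoDpo connectionConfig, PolarisCredentialManager polarisCredentialManager);
 }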

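--- a/polaris-core/src/main/java/org/apache/polaris/core/connection/BearerAuthenticationParametersDpo.java
+++ b/polaris-core/src/main/java/org/apache/polaris/core/connection/BearerAuthenticationParametersDpo.java
@@ -21,13 +21,9 @@
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.google.common.base.MoreObjects;
 import jakarta.annotation.Nonnull;
-import java.util.Map;
-import org.apache.iceberg.rest.auth.OAuth2Properties;
 import org.apache.polaris.core.admin.model.AuthenticationParameters;
 import org.apache.polaris.core.admin.model.BearerAuthenticationParameters;
-import org.apache.polaris.core.credentials.PolarisCredentialManager;
 import org.apache.polaris.core.secrets.SecretReference;
-import org.apache.polaris.core.secrets.UserSecretsManager;
 
 /**
  * The internal persistence-object counterpart to BearerAuthenticationParameters defined in the API
@@ -49,13 +45,6 @@ public BearerAuthenticationParametersDpo(
     return bearerTokenReference;
   }
 
-  @Override
-  public @Nonnull Map<String, String> asIcebergCatalogProperties(
-      UserSecretsManager secretsManager, PolarisCredentialManager credentialManager) {
-    String bearerToken = secretsManager.readSecret(getBearerTokenReference());
-    return Map.of(OAuth2Properties.TOKEN, bearerToken);
-  }
-
   @Override
   public @Nonnull AuthenticationParameters asAuthenticationParametersModel() {
     return BearerAuthenticationParameters.builder()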

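--- a/polaris-core/src/main/java/org/apache/polaris/core/connection/ImplicitAuthenticationParametersDpo.java
+++ b/polaris-core/src/main/java/org/apache/polaris/core/connection/ImplicitAuthenticationParametersDpo.java
@@ -24,7 +24,6 @@
 import org.apache.polaris.core.admin.model.AuthenticationParameters;
 import org.apache.polaris.core.admin.model.ImplicitAuthenticationParameters;
 import org.apache.polaris.core.credentials.PolarisCredentialManager;
-import org.apache.polaris.core.secrets.UserSecretsManager;
 
 /**
  * The internal persistence-object counterpart to ImplicitAuthenticationParameters defined in the
@@ -38,7 +37,9 @@ public ImplicitAuthenticationParametersDpo() {
 
   @Override
   public @Nonnull Map<String, String> asIcebergCatalogProperties(
-      UserSecretsManager secretsManager, PolarisCredentialManager credentialManager) {
+      PolarisCredentialManager credentialManager) {
+    // Return only metadata properties - credentials are handled by ConnectionCredentialVendor
+    // Implicit auth has no metadata properties
     return Map.of();
   }
 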
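--- a/polaris-core/src/main/java/org/apache/polaris/core/connection/OAuthClientCredentialsParametersDpo.java
+++ b/polaris-core/src/main/java/org/apache/polaris/core/connection/OAuthClientCredentialsParametersDpo.java
@@ -37,7 +37,6 @@
 import org.apache.polaris.core.admin.model.OAuthClientCredentialsParameters;
 import org.apache.polaris.core.credentials.PolarisCredentialManager;
 import org.apache.polaris.core.secrets.SecretReference;
-import org.apache.polaris.core.secrets.UserSecretsManager;
 
 /**
  * The internal persistence-object counterpart to OAuthClientCredentialsParameters defined in the
@@ -97,20 +96,14 @@ public OAuthClientCredentialsParametersDpo(
         Objects.requireNonNullElse(scopes, List.of(OAuth2Properties.CATALOG_SCOPE)));
   }
 
-  @JsonIgnore
-  private @Nonnull String getCredentialAsConcatenatedString(UserSecretsManager secretsManager) {
-    String clientSecret = secretsManager.readSecret(getClientSecretReference());
-    return COLON_JOINER.join(clientId, clientSecret);
-  }
-
   @Override
   public @Nonnull Map<String, String> asIcebergCatalogProperties(
-      UserSecretsManager secretsManager, PolarisCredentialManager credentialManager) {
+      PolarisCredentialManager credentialManager) {
+    // Return only metadata properties - credentials are handled by ConnectionCredentialVendor
     HashMap<String, String> properties = new HashMap<>();
     if (getTokenUri() != null) {
       properties.put(OAuth2Properties.OAUTH2_SERVER_URI, getTokenUri());
     }
-    properties.put(OAuth2Properties.CREDENTIAL, getCredentialAsConcatenatedString(secretsManager));
     properties.put(OAuth2Properties.SCOPE, getScopesAsString());
     return properties;
   }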
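Review bot: The comment added above `HashMap<String, String> properties` says credentials are "handled by ConnectionCredentialVendor" but no longer records which property moved, even though the removed lines show this class used to emit `OAuth2Properties.CREDENTIAL` as `clientId:clientSecret` via `COLON_JOINER`; nothing in the new code states that the vendor must now produce exactly that key and format, and if it does not the catalog is initialized with only a server URI and scope and the failure surfaces at the remote. I would make the comment concrete: `// Metadata only: OAuth2Properties.CREDENTIAL (clientId:clientSecret) is now supplied by the OAuth ConnectionCredentialVendor via PolarisCredentialManager`. With `getCredentialAsConcatenatedString` deleted, `COLON_JOINER` and the `@JsonIgnore` import may be left unused unless they are referenced in the part of the class outside this hunk, which is worth checking. The class continues beyond the last line of the hunk.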

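--- a/polaris-core/src/main/java/org/apache/polaris/core/connection/SigV4AuthenticationParametersDpo.java
+++ b/polaris-core/src/main/java/org/apache/polaris/core/connection/SigV4AuthenticationParametersDpo.java
@@ -29,7 +29,6 @@
 import org.apache.polaris.core.admin.model.AuthenticationParameters;
 import org.apache.polaris.core.admin.model.SigV4AuthenticationParameters;
 import org.apache.polaris.core.credentials.PolarisCredentialManager;
-import org.apache.polaris.core.secrets.UserSecretsManager;
 
 /**
  * The internal persistence-object counterpart to SigV4AuthenticationParameters defined in the API
@@ -95,14 +94,14 @@ public SigV4AuthenticationParametersDpo(
   @Nonnull
   @Override
   public Map<String, String> asIcebergCatalogProperties(
-      UserSecretsManager secretsManager, PolarisCredentialManager credentialManager) {
+      PolarisCredentialManager credentialManager) {
+    // Return only metadata properties - credentials are handled by ConnectionCredentialVendor
     ImmutableMap.Builder<String, String> builder = ImmutableMap.builder();
     builder.put(AuthProperties.AUTH_TYPE, AuthProperties.AUTH_TYPE_SIGV4);
     builder.put(AwsProperties.REST_SIGNER_REGION, getSigningRegion());
     if (getSigningName() != null) {
       builder.put(AwsProperties.REST_SIGNING_NAME, getSigningName());
     }
-    // Connection credentials are handled by ConnectionConfigInfoDpo
     return builder.build();
   }
 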

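--- a/polaris-core/src/main/java/org/apache/polaris/core/connection/hadoop/HadoopConnectionConfigInfoDpo.java
+++ b/polaris-core/src/main/java/org/apache/polaris/core/connection/hadoop/HadoopConnectionConfigInfoDpo.java
@@ -35,7 +35,6 @@
 import org.apache.polaris.core.credentials.connection.ConnectionCredentials;
 import org.apache.polaris.core.identity.dpo.ServiceIdentityInfoDpo;
 import org.apache.polaris.core.identity.provider.ServiceIdentityProvider;
-import org.apache.polaris.core.secrets.UserSecretsManager;
 
 /**
  * The internal persistence-object counterpart to {@link
@@ -73,16 +72,14 @@ public String toString() {
 
   @Override
   public @Nonnull Map<String, String> asIcebergCatalogProperties(
-      UserSecretsManager secretsManager, PolarisCredentialManager credentialManager) {
+      PolarisCredentialManager credentialManager) {
     HashMap<String, String> properties = new HashMap<>();
     properties.put(CatalogProperties.URI, getUri());
     if (getWarehouse() != null) {
       properties.put(CatalogProperties.WAREHOUSE_LOCATION, getWarehouse());
     }
-    // Add authentication-specific properties
-    properties.putAll(
-        getAuthenticationParameters()
-            .asIcebergCatalogProperties(secretsManager, credentialManager));
+    // Add authentication-specific metadata (non-credential properties)
+    properties.putAll(getAuthenticationParameters().asIcebergCatalogProperties(credentialManager));
     // Add connection credentials from Polaris credential manager
     ConnectionCredentials connectionCredentials = credentialManager.getConnectionCredentials(this);
     properties.putAll(connectionCredentials.credentials());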
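Review bot: The rewritten line `properties.putAll(getAuthenticationParameters().asIcebergCatalogProperties(credentialManager));` dereferences `getAuthenticationParameters()` with no null guard, whereas the Hive counterpart rewritten in this same commit wraps the equivalent call in `if (getAuthenticationParameters() != null)`; if a Hadoop connection can be persisted without authentication parameters, catalog creation fails with a bare NullPointerException rather than a configuration error. I cannot see this class's constructor, so the field may already be enforced non-null there; if it is, document that next to the call with `// authenticationParameters is required for Hadoop connections (enforced at construction)`, otherwise mirror the Hive guard. The method continues past the last line of the hunk.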

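--- a/polaris-core/src/main/java/org/apache/polaris/core/connection/hive/HiveConnectionConfigInfoDpo.java
+++ b/polaris-core/src/main/java/org/apache/polaris/core/connection/hive/HiveConnectionConfigInfoDpo.java
@@ -35,7 +35,6 @@
 import org.apache.polaris.core.credentials.connection.ConnectionCredentials;
 import org.apache.polaris.core.identity.dpo.ServiceIdentityInfoDpo;
 import org.apache.polaris.core.identity.provider.ServiceIdentityProvider;
-import org.apache.polaris.core.secrets.UserSecretsManager;
 
 /**
  * The internal persistence-object counterpart to {@link
@@ -72,17 +71,16 @@ public String toString() {
 
   @Override
   public @Nonnull Map<String, String> asIcebergCatalogProperties(
-      UserSecretsManager secretsManager, PolarisCredentialManager polarisCredentialManager) {
+      PolarisCredentialManager polarisCredentialManager) {
     HashMap<String, String> properties = new HashMap<>();
     properties.put(CatalogProperties.URI, getUri());
     if (getWarehouse() != null) {
       properties.put(CatalogProperties.WAREHOUSE_LOCATION, getWarehouse());
     }
     if (getAuthenticationParameters() != null) {
-      // Add authentication-specific properties
+      // Add authentication-specific metadata (non-credential properties)
       properties.putAll(
-          getAuthenticationParameters()
-              .asIcebergCatalogProperties(secretsManager, polarisCredentialManager));
+          getAuthenticationParameters().asIcebergCatalogProperties(polarisCredentialManager));
       // Add connection credentials from Polaris credential manager
       ConnectionCredentials connectionCredentials =
           polarisCredentialManager.getConnectionCredentials(this);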

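--- a/polaris-core/src/main/java/org/apache/polaris/core/connection/iceberg/IcebergCatalogPropertiesProvider.java
+++ b/polaris-core/src/main/java/org/apache/polaris/core/connection/iceberg/IcebergCatalogPropertiesProvider.java
@@ -21,7 +21,6 @@
 import jakarta.annotation.Nonnull;
 import java.util.Map;
 import org.apache.polaris.core.credentials.PolarisCredentialManager;
-import org.apache.polaris.core.secrets.UserSecretsManager;
 
 /**
  * Configuration wrappers which ultimately translate their contents into Iceberg properties and
@@ -31,6 +30,8 @@
  */
 public interface IcebergCatalogPropertiesProvider {
   @Nonnull
-  Map<String, String> asIcebergCatalogProperties(
-      UserSecretsManager secretsManager, PolarisCredentialManager credentialManager);
+  default Map<String, String> asIcebergCatalogProperties(
+      PolarisCredentialManager credentialManager) {
+    return Map.of();
+  }
 }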
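Review bot: Turning `asIcebergCatalogProperties` into a `default` method returning `Map.of()` removes the compile-time obligation the old abstract declaration imposed, so a future parameters or connection DPO that forgets the override silently contributes no properties and the omission only shows up when the remote rejects the connection. The default fits the implicit case, but the interface Javadoc (which starts above the first hunk and is only partly visible here) should state the contract the other files in this commit now rely on, e.g. `Returns non-secret metadata properties only. Secret material must never be placed in this map; connection credentials are obtained separately from {@link PolarisCredentialManager}.` A one-line comment on the default itself, `// Default: no auth metadata; override in DPOs that carry non-secret settings`, would make the fallback explicit to the next implementer.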
