Add support for S3 request signing

[adutra]

Fixes #32.

Design doc:

https://docs.google.com/document/d/1ygdia7u4bUHUt6n8XhZo48aKoIyyrCvKqan3XP25iB8/edit?usp=sharing

[singhpk234]

Thank you so much for this @adutra !

when ready please let us know (would be really helpful if you can share some description to walk us through your thought process), happy to help with reviews :) !

[snazy]

This looks like good 1st step.

As all signing requests will have to access the backend for every little data file chunk being accessed by clients, this implementation will cause quite a slow experience for users. Until we don't have a faster implementation (signed access-rules), I think we should label this feature as "experimental".

[snazy]

nope.
See ListObjects + ListObjectsV2 REST spec.

Be careful: Not all GET /{bucket/ requests are list-objects requests!
The "v1" list-objects has no required parameter, so you cannot just check for the presence of a req param. It could also be a get-bucket-cors or get-bucket-encryption or ...-policy or ...-website or ......
Nice, no?

Maybe it's okay to assume that every client uses the v2 api, which has a unique, required request param.

[adutra]

Ready for review. The test failures are unrelated to this change.

\cc @singhpk234 @snazy @dimas-b @metadaddy

[adutra]

FYI The name of the logical response type is a bit weird because it is inlined, instead of being a $ref in the OpanAPI spec.

[adutra]

FYI I refactored this class a bit, notably to facilitate subclassing, but there is no functional change in this class.

[RussellSpitzer]

Minor request here, but you could pull this and the new IntegerationTest Helpers out into a separate PR and reduce the size of this PR by a bit. I think that would also be a very fast review

[adutra]

Yup good idea!

#2384

[adutra]

Not directly referenced in this module.

[RussellSpitzer]

This is another change I would try to pull out to another PR, it's not related to this changeset correct?

[adutra]

Correct:

#2385

[adutra]

Refactored to become a method of CatalogEntity.

[adutra]

@RussellSpitzer FYI:

#2386
#2387

[RussellSpitzer]

Thanks! It definitely helps to keep this sort of refactor out of the larger functional change

[adutra]

Renamed to awsSystemCredentials because these are not "just" credentials for STS, they are server credentials.

[adutra]

In theory the response should include Cache-Control headers. This is left for a later improvement.

[snazy]

... but that would require clients to respect those 🤷

[adutra]

This is now ready again for review!

\cc @snazy @singhpk234 @flyrain @dimas-b

This PR is equivalent to Milestone 1 in the original design doc. Let's try to work incrementally and get this in, we are already working on getting a new PR for Milestone 2 and especially the authz checks that are not yet implemented. Thanks!

[singhpk234]

Hey Alex,
Thank a ton for all the work !
Is this understanding of M1 and M2 correct ? (take design doc above)

M1 - Simple, slow implementation with basic RBAC
- Not production ready – marked experimental
- Does not implement access checks based on S3 location
- Does not support HTTP proxies
- Corresponds to the current PR: https://github.com/apache/polaris/pull/2280 

M2 - Fast implementation with efficient RBAC
- Production-ready
- Implements [Access checks based on the S3 location](https://docs.google.com/document/d/1ygdia7u4bUHUt6n8XhZo48aKoIyyrCvKqan3XP25iB8/edit?tab=t.0#bookmark=id.hs05149qp3eo) 
- Supports HTTP proxies
- Implements "Nessie style" signed parameters

If yes, I am bit confused, if we know M2 is the one we eventually wanna make and M2 is a bit orthogonal to M1 why are making / investing on M1, a couple questions that would be really helpful to get your take :

1. How long it will take for us to get M2 post M1 ? (you mentioned M2 is already in works ?)
2. why are we making M1 if M1 is not production recommended and based on my understanding it will never be.
3. when both M2 and M1 are there when will a user use M1 over M2 ?
4. The route for M1 is /s3-sign/v1/{prefix}/namespaces/{namespace}/tables/{table} and for M2 its gonna be
   /s3-sign/v1/{prefix}/namespaces/{namespace}/tables/{table}/{signContext} or /s3-sign/v1/{prefix}/namespaces/{namespace}/tables/{table}?signContext={signedContext} checking this commit (please correct me If i am missing something) projectnessie/nessie@2c6b931 it will be earlier ? are we gonna introduce a new endpoint for M2 ?

[adutra]

If yes, I am bit confused, if we know M2 is the one we eventually wanna make and M2 is a bit orthogonal to M1 why are making / investing on M1, a couple questions that would be really helpful to get your take :

It's not orthogonal, M2 builds on top of M1.

1. How long it will take for us to get M2 post M1 ? (you mentioned M2 is already in works ?)

It depends if we want all the features in M2 or not. I would actually personally break M2 into smaller pieces. The most important piece is "Access checks based on the S3 location", which can be done in a few man-days. The "Nessie style" signed parameters would require a bit more than that, imo.

2. why are we making M1 if M1 is not production recommended and based on my understanding it will never be.

For the same reason we released the Events feature in incomplete state, with "beta" status: to get users feedback, and to work incrementally.

3. when both M2 and M1 are there when will a user use M1 over M2 ?

These are not "flavors" of remote signing. It's just one same feature, in two levels of maturity M1: experimental, M2: production-ready.

are we gonna introduce a new endpoint for M2 ?

Yes, if we adopt Nessie's strategy for fast remote signing as proposed in the doc (it's optional). Note: this isn't a breaking change, as it's not user facing.

Happy to discuss this topic more in depth in a Slack channel or during the next sync!

[dimas-b]

The proposed phased approach (M1/M2) SGTM 👍

[dimas-b]

Lots of comments 🙂 but the PR overall looks good 👍 Thanks for implementing this, @adutra !

[dimas-b]

I'm not sure it's worth advertising in ConfigResponse because it's not a standard endpoint, for which clients might want to check the endpoints list. Clients learn about it via loadTable responses, I guess 🤔

[adutra]

OK let's remove.

[dimas-b]

I'm not sure about the api/ constant... It related to our @Path annotations in the generated REST API classes, so it's usage is a bit obscure here. Could we make it a constant in the s3-sign-service module?

[adutra]

I agree, but I'm not sure a constant in s3-sign-service is the best solution. The api/ path segment doesn't seem to be a first-class citizen in our APIs, rather a bi-product. It's only declared as a server variable in the OpenAPI generator config, for example:

polaris/api/iceberg-service/build.gradle.kts

Line 86 in 1f4e748

serverVariables.put("basePath", "api/catalog")

polaris/api/polaris-catalog-service/build.gradle.kts

Line 116 in b6e247d

serverVariables.put("basePath", "api/catalog")

The management APi is actually a bit different, there is not basePath variable in polaris-management-service.yml, so the base path is hard-coded:

polaris/spec/polaris-management-service.yml

Line 26 in 04c8ee6

- url: "{scheme}://{host}/api/management/v1"

But the common characteristic is that api/is the first path segment of all Polaris APIs, but that is not enforced by any constraint.

I would say the right place for this segment would be in PolarisResourcePaths, but you will notice again that none of the paths include the api/ segment. Same for Iceberg's ResourcePaths. So it's really implicit 😅

All of this to say, let's declare a constant in PolarisResourcePaths and call it a day, wdyt?

[dimas-b]

+1 to PolarisResourcePaths

[dimas-b]

Is this a core concern? I suppose it is only relevant to the REST layer 🤔

[adutra]

Well the same could be said for all the methods in this class 😄
The package is org.apache.polaris.core.rest btw - so I guess REST is a core concern 🤷‍♂️

I think PolarisResourcePaths and PolarisEndpoints should not live in core ideally. But that's the way it is today.

[dimas-b]

oops, I did not actually look at the whole class, only at the diff 😅

Let's keep it for now and maybe refactor later.... In general, I'd like to untangle core from REST 😅

[dimas-b]

Does this have a reference Iceberg version number where the property becomes respected?

[adutra]

Iceberg 1.2.0. That's more than 2 years old, I'm not sure we need to mention it here. Wdyt?

[dimas-b]

That's fine... I was worries it might have been more recent ;)

[singhpk234]

Hey Alex,
Thanks for the response, TBH I am still unclear why do we wanna introduce an endpoint for M1 only to introduce a new one in M2 ? How can an public endpoint not be a user facing change ?
Apologies but I am not able to follow, As you suggested, definitely sync will be really helpful to discuss, meanwhile i request you to please bump this in the thread https://lists.apache.org/thread/xpf60ko823c7mlg5bhnddq3btvdsq5s1 too for more eyes, in case I am missing something.

[singhpk234]

[doubt] is there an assertion when even TABLE_REMOTE_SIGN is granted these two privieldges would be there ?

nit :

Suggested change

	2. Grant the `TABLE_REMOTE_SIGN` privilege to a catalog role. The role must also be granted the `TABLE_READ_DATA`
	and `TABLE_WRITE_DATA` privileges.
	2. Grant the `TABLE_REMOTE_SIGN` privilege to a catalog role. The catalog role must also be granted the `TABLE_READ_DATA`
	and `TABLE_WRITE_DATA` privileges.

[adutra]

is there an assertion when even TABLE_REMOTE_SIGN is granted these two privieldges would be there ?

Currently no.

[singhpk234]

Are we then failing during Runtime ? is this done mostly like at the time of granting there was both READ & WRITE but then admin revoked one of them so this grant needs to be revoked too ?

[adutra]

This is done by Polaris RBAC enforcement. The two PoalrisAuthorizableOperation instances used in remote signing are declared as follows:

  SIGN_S3_READ_REQUEST(EnumSet.of(TABLE_REMOTE_SIGN, TABLE_READ_DATA)),
  SIGN_S3_WRITE_REQUEST(EnumSet.of(TABLE_REMOTE_SIGN, TABLE_WRITE_DATA)),

Thus as you can see to authorize these operations, the role must have been granted 2 privileges: TABLE_REMOTE_SIGN and either TABLE_READ_DATA (for reads) or TABLE_WRITE_DATA (for writes).

[singhpk234]

It seems like either READ or WRITE works but the CHANGELOG gives an impression both is required ? should we update the wording ?

[adutra]

OK I updated the changelog!

[singhpk234]

I understand we discussed this before for federated catalog we should disable remote signing but during that time we didn;t support cred vending for them either, i wonder if its a good time to reconsider that remote signing would be possible too (ofc in a new PR)

[adutra]

Totally agree, I think we could discuss this possibility later on.

[singhpk234]

should we file a ticket so we can tackle this later as a community, WDYT ?

[adutra]

#3091

[singhpk234]

for each SIGN request a loadTable call is super expensive, if someone enables this in prod by accident for a table million of files the service might become unresponsive ?
[suggestion / optional to address] wondering for now if we should add a prod readiness check to keep this disabled for prod ?

[adutra]

for each SIGN request a loadTable call is super expensive

Indeed, that's where M2 will help because it will save us this loadTable call.

I will add a FIXME for now.

[suggestion / optional to address] wondering for now if we should add a prod readiness check to keep this disabled for prod ?

Good idea, will do 👍

[adutra]

Update on this topic: I was able to remove the loadTable call, replaced with a direct check of the PolarisEntity properties. That's going to be faster imho.

[singhpk234]

do we store the 3 properties in the entity properties asking because
i only see the StorageUtil#getLocationsUsedByTable passing TableMetada#properties and also not seeing it actually persisted in StorageUtil, am i missing something ?

[adutra]

Sorry, which 3 properties? I'm not sure I understand your question 😅

[singhpk234]

iceberg properties location, write.data.path, write.metadata.path, which is used for credential vending, I am not sure we persist them Entity, as the function StorageUtil#getLocationsUsedByTable has always worked in TableMetadata and not on Entity properties

[adutra]

Ah now I get it! Good question! I think there is a problem indeed.

For the base location, we're good, it is stored in the properties map:

polaris/polaris-core/src/main/java/org/apache/polaris/core/entity/table/IcebergTableLikeEntity.java

Line 119 in 07edd30

return getPropertiesAsMap().get(PolarisEntityConstants.ENTITY_BASE_LOCATION);

But afaict write.data.path and write.metadata.path are not stored in the entity 😞

I see a few options:

1. We could store write.data.path and write.metadata.path in the entity, but that will be a problem for catalogs created before the change.
2. We could go back to baseCatalog.loadTable(tableIdentifier) but that would be very slow.
3. We could just add a FIXME here + create a GitHub issue and wait for a better solution with M2.

Wdyt?

I would go with 3) since we know that this code path will be improved, but I'm fine with 2) as well.

[singhpk234]

[for my understanding] can you please elaborate this case more ?

[adutra]

By just looking at the request URI, it's not easy to know if the request is a write or a delete, or if it is a read or a list.

For example: the ListObjects operation is conceptually a LIST operation, and GetObject is conceptually a READ. But both requests use the GET method, so it's not easy to disambiguate.

Another example: the DeleteObject operation uses the DELETE method, but the DeleteObjects operation uses... the POST method 🤷‍♂️

I will add some comments to clarify.

[adutra]

Heads up: since this PR creates constant merge conflicts, I squashed the older commits to facilitate conflict resolution.

[binarycat0]

Hello everyone 👋 I would like to propose my help in implementing M2 (from proposed milestones).
As I see M2 can be split into 3 independent features: locations-check, nessir-style-signed-params, support-proxies.
I already have a solution for check-locations and ready to create a follow-up PR after this will be merged.

Could we agree on a timeline to merge?