-
Notifications
You must be signed in to change notification settings - Fork 379
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[#4992] support credential vending framework #4995
Conversation
55c1ad6
to
bdf04fa
Compare
import java.util.Map; | ||
|
||
/** Interface representing a credential with type, expiration time, and additional information. */ | ||
public interface Credential { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the purpose of put it to common package?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It maybe used in the client side.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you please give me an example about how to use it in client side?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Take Spark read Iceberg table for example,
// Fetch credential from Gravitino
Credential credentail = gravitinoClient.fetchCredential(NameIdentifier identifer, String credentialType)
// Transform credential properties to engine specific properties
Map credentailProperties = CredentialUtils.toIcebergProperties(credential)
// using credential properties to construct FileIO
FileIO file = new FileIO(credentailProperties)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If so, I would suggest you move to API module, not in common module.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, this seems reasonable
ServiceLoader<CredentialProvider> serviceLoader = | ||
ServiceLoader.load(CredentialProvider.class, classLoader); | ||
List<Class<? extends CredentialProvider>> providers = | ||
Streams.stream(serviceLoader.iterator()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the consideration of using service loader?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Different catalogs may use different credential providers so that users could place the s3 provider in catalogA, place gcs provider in catalogB, so we using service loader to load corresponding jar in catalog classpaths.
* | ||
* <p>A credential provider is responsible for managing and retrieving credentials. | ||
*/ | ||
public interface CredentialProvider { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you can change to like public interface Credential extends Closeable
to avoid defining void stop()
here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
* | ||
* @return a map of credential information. | ||
*/ | ||
Map<String, String> getCredentialInfo(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would suggest change the style of getXXX
to xxx
, like credentialType()
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need to define an interface for Token
like Hadoop?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would suggest that you can refer to Hadoop's Credentials
, Token
and TokenIdentifer
to see how to define our credential system.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Credential
is like Token
in hadoop, the difference is Token
in hadoop focus on the security of the identifer, while we focus on how to represent diverse tokens like S3-token, AKSK, delegation token with different properties.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The concrete Credential has the clear definition , take S3TokenCredential for example
public class S3TokenCredential implements Credential {
private String accessKeyId;
private String secretAccessKey;
private String sessionToken;
private long expireMs;
public S3TokenCredential(
String accessKeyId, String secretAccessKey, String sessionToken, long expireMs) {
this.accessKeyId = accessKeyId;
this.secretAccessKey = secretAccessKey;
this.sessionToken = sessionToken;
this.expireMs = expireMs;
}
@Override
public String getCredentialType() {
return CredentialConstants.S3_TOKEN_CREDENTIAL_TYPE;
}
@Override
public long getExpireTime() {
return expireMs;
}
@Override
public Map<String, String> getCredentialInfo() {
return (new ImmutableMap.Builder<String, String>())
.put(S3Properties.GRAVITINO_S3_ACCESS_KEY_ID, accessKeyId)
.put(S3Properties.GRAVITINO_S3_SECRET_ACCESS_KEY, secretAccessKey)
.put(S3Properties.GRAVITINO_S3_TOKEN, sessionToken)
.build();
}
}
common/build.gradle.kts
Outdated
@@ -28,6 +28,7 @@ plugins { | |||
|
|||
dependencies { | |||
implementation(project(":api")) | |||
implementation(project(":catalogs:catalog-common")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The dependency here looks strange if you only want to define two properties in catalog-common, it is easy to introduce the cyclic dependency.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
catalog-common is mainly used to define some properties used by catalog, client, connectors, I think it's ok to add the dependence here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, it's weird to make common module rely on catalog-common module, which have different purposes and easy to introduce cyclic dependency, please change it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok
public interface Credential { | ||
|
||
/** | ||
* Returns the type of the credential. It should same with the credential type of the credential |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"It should be the same with..."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"It should be the same as..."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated
* | ||
* @return the expiration time as a long. | ||
*/ | ||
long expireTimeMs(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"expireTimeInMs"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
import java.util.Map; | ||
|
||
/** Interface representing a credential with type, expiration time, and additional information. */ | ||
public interface Credential { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you please give me an example about how to use it in client side?
package org.apache.gravitino.credential; | ||
|
||
/** Contains context information to get credential from credential provider. */ | ||
public interface Context { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please rename to CredentialContext
, CatalogCredentialContext
, something like this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
* LocationContext is generated when user requesting resources associated with storage location like | ||
* table, fileset, etc. | ||
*/ | ||
public class LocationContext implements Context { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we can rename this class name to PathBasedCredentialContext
, and change from "locations" to "paths".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
return userName; | ||
} | ||
|
||
public Set<String> getWriteLocations() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"writePaths"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
@jerryshao comments are addressed, please help to review again |
/** Credential type in the credential. */ | ||
public static final String CREDENTIAL_TYPE = "credential-type"; | ||
/** Credential expire time at ms since the epoch. */ | ||
public static final String EXPIRE_TIME_AT_MS = "expire-time-at-ms"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you can also define these two property keys in Credential
, you don't have to create a new class to maintain them.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also please change to "expire-time-in-ms".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated
What changes were proposed in this pull request?
support credential vending framework
Why are the changes needed?
Fix: #4992
Does this PR introduce any user-facing change?
no
How was this patch tested?