[#4992] support credential vending framework #4995

Merged
merged 10 commits into from
Oct 15, 2024

@FANNG1 FANNG1 commented Sep 23, 2024

What changes were proposed in this pull request?

Support the credential vending framework.

Why are the changes needed?

Fix: #4992

Does this PR introduce any user-facing change?

no

How was this patch tested?

  1. Added unit tests.
  2. Opened a draft PR, "[#4994][#4369] feat(core): support S3 credential vending" (#4966), which runs successfully and passes the S3 token with the Gravitino IcebergRESTServer.

@FANNG1 FANNG1 force-pushed the credential-framework branch from 55c1ad6 to bdf04fa Compare September 23, 2024 10:26
import java.util.Map;

/** Interface representing a credential with type, expiration time, and additional information. */
public interface Credential {
Contributor

What is the purpose of putting it in the common package?

Contributor Author

It may be used on the client side.

Contributor

Can you please give me an example of how to use it on the client side?

Contributor Author

Take Spark reading an Iceberg table as an example:

// Fetch the credential from Gravitino
Credential credential = gravitinoClient.fetchCredential(identifier, credentialType);

// Transform the credential properties into engine-specific properties
Map<String, String> credentialProperties = CredentialUtils.toIcebergProperties(credential);

// Use the credential properties to construct the FileIO
FileIO fileIO = new FileIO(credentialProperties);
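
The "transform credential properties" step above could look roughly like the sketch below. It is only an illustration: `CredentialPropertyMapper` is a hypothetical helper, and the source-side key values are assumed stand-ins for the constants in Gravitino's `S3Properties`. The target keys are the ones Iceberg's S3FileIO reads.

```java
import java.util.HashMap;
import java.util.Map;

/** Hypothetical helper that renames Gravitino-style credential keys to Iceberg S3FileIO keys. */
final class CredentialPropertyMapper {
  // Assumed key values; the real constants live in Gravitino's S3Properties.
  static final String GRAVITINO_S3_ACCESS_KEY_ID = "s3-access-key-id";
  static final String GRAVITINO_S3_SECRET_ACCESS_KEY = "s3-secret-access-key";
  static final String GRAVITINO_S3_TOKEN = "s3-token";

  // Iceberg S3FileIO property names on the right-hand side.
  private static final Map<String, String> KEY_MAPPING =
      Map.of(
          GRAVITINO_S3_ACCESS_KEY_ID, "s3.access-key-id",
          GRAVITINO_S3_SECRET_ACCESS_KEY, "s3.secret-access-key",
          GRAVITINO_S3_TOKEN, "s3.session-token");

  private CredentialPropertyMapper() {}

  /** Renames known keys and drops everything the engine would not understand. */
  static Map<String, String> toIcebergProperties(Map<String, String> credentialInfo) {
    Map<String, String> result = new HashMap<>();
    credentialInfo.forEach(
        (key, value) -> {
          String icebergKey = KEY_MAPPING.get(key);
          if (icebergKey != null) {
            result.put(icebergKey, value);
          }
        });
    return result;
  }
}
```

Keeping the mapping in one table means a new engine only needs a second table, not a second credential class.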

Contributor

If so, I would suggest you move it to the API module, not the common module.

Contributor Author

yes, this seems reasonable

ServiceLoader<CredentialProvider> serviceLoader =
ServiceLoader.load(CredentialProvider.class, classLoader);
List<Class<? extends CredentialProvider>> providers =
Streams.stream(serviceLoader.iterator())
Contributor

What is the consideration behind using the service loader?

Contributor Author

Different catalogs may use different credential providers. For example, users could place the S3 provider in catalogA and the GCS provider in catalogB, so we use the service loader to load the corresponding jar from each catalog's classpath.
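
A minimal sketch of the per-catalog lookup described above, assuming a simplified `CredentialProvider` with only a `credentialType()` method. `CredentialProviderLookup` and its method names are hypothetical and not the code in this PR.

```java
import java.util.Optional;
import java.util.ServiceLoader;

/** Simplified stand-in for the provider interface discussed in this PR. */
interface CredentialProvider {
  String credentialType();
}

/** Hypothetical lookup helper; not the factory class from the PR. */
final class CredentialProviderLookup {
  private CredentialProviderLookup() {}

  /**
   * Discovers providers registered under META-INF/services that are visible to the given
   * catalog class loader, then picks the one matching the requested type.
   */
  static Optional<CredentialProvider> load(ClassLoader catalogClassLoader, String credentialType) {
    return find(ServiceLoader.load(CredentialProvider.class, catalogClassLoader), credentialType);
  }

  /** ServiceLoader is an Iterable, so the selection logic can be tested with a plain list. */
  static Optional<CredentialProvider> find(
      Iterable<CredentialProvider> candidates, String credentialType) {
    for (CredentialProvider provider : candidates) {
      if (provider.credentialType().equals(credentialType)) {
        return Optional.of(provider);
      }
    }
    return Optional.empty();
  }
}
```

Because each catalog has its own class loader, a provider jar placed in catalogA is never visible when the lookup runs against catalogB's loader.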

*
* <p>A credential provider is responsible for managing and retrieving credentials.
*/
public interface CredentialProvider {
Contributor

I think you can change it to something like public interface CredentialProvider extends Closeable to avoid defining void stop() here.

Contributor Author

ok

Contributor Author

done
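
To illustrate the Closeable suggestion in this thread, here is a sketch with a trimmed-down provider interface. `DummyCredentialProvider` and `ProviderLifecycleDemo` are hypothetical names used only for this example, and the method set is an assumption, not the merged API.

```java
import java.io.Closeable;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.util.Map;

/** Simplified provider: extending Closeable replaces a hand-written stop() method. */
interface CredentialProvider extends Closeable {
  void initialize(Map<String, String> properties);

  String credentialType();
}

/** Hypothetical provider that only records whether it has been closed. */
final class DummyCredentialProvider implements CredentialProvider {
  private boolean closed;

  @Override
  public void initialize(Map<String, String> properties) {
    closed = false;
  }

  @Override
  public String credentialType() {
    return "dummy";
  }

  @Override
  public void close() throws IOException {
    closed = true;
  }

  boolean isClosed() {
    return closed;
  }
}

final class ProviderLifecycleDemo {
  private ProviderLifecycleDemo() {}

  /** Returns true if try-with-resources closed the provider. */
  static boolean useAndClose() {
    DummyCredentialProvider provider = new DummyCredentialProvider();
    try (CredentialProvider p = provider) {
      p.initialize(Map.of());
    } catch (IOException e) {
      throw new UncheckedIOException(e);
    }
    return provider.isClosed();
  }
}
```

With Closeable, callers get try-with-resources and existing cleanup utilities for free instead of having to remember a custom stop() call.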

*
* @return a map of credential information.
*/
Map<String, String> getCredentialInfo();
Contributor

I would suggest changing the style from getXXX to xxx, like credentialType().

Contributor

Do we need to define an interface for Token like Hadoop?

Contributor

I would suggest that you refer to Hadoop's Credentials, Token, and TokenIdentifier to see how to define our credential system.

Contributor Author

Credential is like Token in Hadoop. The difference is that Token in Hadoop focuses on the security of the identifier, while we focus on how to represent diverse tokens, such as an S3 token, AK/SK, or a delegation token, each with different properties.

Contributor Author

@FANNG1 FANNG1 Oct 9, 2024

Each concrete Credential has a clear definition. Take S3TokenCredential for example:

import com.google.common.collect.ImmutableMap;
import java.util.Map;

/** S3 token credential: a temporary access key, secret key, and session token. */
public class S3TokenCredential implements Credential {
  private final String accessKeyId;
  private final String secretAccessKey;
  private final String sessionToken;
  // Expiration time in milliseconds since the epoch.
  private final long expireMs;

  public S3TokenCredential(
      String accessKeyId, String secretAccessKey, String sessionToken, long expireMs) {
    this.accessKeyId = accessKeyId;
    this.secretAccessKey = secretAccessKey;
    this.sessionToken = sessionToken;
    this.expireMs = expireMs;
  }

  @Override
  public String getCredentialType() {
    return CredentialConstants.S3_TOKEN_CREDENTIAL_TYPE;
  }

  @Override
  public long getExpireTime() {
    return expireMs;
  }

  // Exposes only the type-specific fields; the keys are defined in S3Properties.
  @Override
  public Map<String, String> getCredentialInfo() {
    return ImmutableMap.<String, String>builder()
        .put(S3Properties.GRAVITINO_S3_ACCESS_KEY_ID, accessKeyId)
        .put(S3Properties.GRAVITINO_S3_SECRET_ACCESS_KEY, secretAccessKey)
        .put(S3Properties.GRAVITINO_S3_TOKEN, sessionToken)
        .build();
  }
}
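
Since a token such as the one above carries an expiration time, a consumer will usually want to know when to fetch a fresh one. The sketch below is one way to do that, not part of this PR. It uses the accessor names suggested elsewhere in this review (credentialType(), expireTimeInMs()), and it assumes that an expiration time of 0 means "never expires", which this thread does not confirm. `SimpleCredential` and `CredentialExpiry` are hypothetical.

```java
import java.util.Map;

/** Simplified Credential using the accessor names suggested in this review. */
interface Credential {
  String credentialType();

  /** Milliseconds since the epoch; 0 is ASSUMED here to mean "never expires". */
  long expireTimeInMs();

  Map<String, String> credentialInfo();
}

/** Hypothetical value holder used only for this example. */
final class SimpleCredential implements Credential {
  private final String type;
  private final long expireTimeInMs;
  private final Map<String, String> info;

  SimpleCredential(String type, long expireTimeInMs, Map<String, String> info) {
    this.type = type;
    this.expireTimeInMs = expireTimeInMs;
    this.info = Map.copyOf(info);
  }

  @Override
  public String credentialType() {
    return type;
  }

  @Override
  public long expireTimeInMs() {
    return expireTimeInMs;
  }

  @Override
  public Map<String, String> credentialInfo() {
    return info;
  }
}

final class CredentialExpiry {
  private CredentialExpiry() {}

  /** True if the credential expires within safetyMarginMs of nowMs. */
  static boolean needsRefresh(Credential credential, long nowMs, long safetyMarginMs) {
    long expireAt = credential.expireTimeInMs();
    if (expireAt == 0) {
      return false; // long-lived credential such as a static AK/SK pair
    }
    return nowMs + safetyMarginMs >= expireAt;
  }
}
```

Passing the current time in as a parameter keeps the check deterministic and easy to unit test.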

@@ -28,6 +28,7 @@ plugins {

dependencies {
implementation(project(":api"))
implementation(project(":catalogs:catalog-common"))
Contributor

The dependency here looks strange. If you only want to define two properties in catalog-common, it is easy to introduce a cyclic dependency.

Contributor Author

catalog-common is mainly used to define properties shared by catalogs, clients, and connectors, so I think it's OK to add the dependency here.

Contributor

@jerryshao jerryshao Oct 14, 2024

No, it's weird to make the common module rely on the catalog-common module. They have different purposes, and it is easy to introduce a cyclic dependency. Please change it.

Contributor Author

ok

public interface Credential {

/**
* Returns the type of the credential. It should same with the credential type of the credential
Contributor

"It should be the same with..."

Contributor Author

updated

Member

"It should be the same as..."

Contributor Author

updated

*
* @return the expiration time as a long.
*/
long expireTimeMs();
Contributor

"expireTimeInMs"

Contributor Author

done

package org.apache.gravitino.credential;

/** Contains context information to get credential from credential provider. */
public interface Context {
Contributor

Please rename it to CredentialContext, CatalogCredentialContext, or something like this.

Contributor Author

done

* LocationContext is generated when user requesting resources associated with storage location like
* table, fileset, etc.
*/
public class LocationContext implements Context {
Contributor

I think we can rename this class to PathBasedCredentialContext, and change "locations" to "paths".

Contributor Author

done

return userName;
}

public Set<String> getWriteLocations() {
Contributor

"writePaths"

Contributor Author

done
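
After the renames requested in this thread, the context class might look roughly like the sketch below. It is an approximation and not the merged code: the `readPaths` field, the constructor shape, and the defensive copies are assumptions.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;

/** Context passed to a credential provider when a credential is requested. */
interface CredentialContext {
  String getUserName();
}

/** Sketch of a path-based context; the field set and constructor are assumptions. */
final class PathBasedCredentialContext implements CredentialContext {
  private final String userName;
  private final Set<String> writePaths;
  private final Set<String> readPaths;

  PathBasedCredentialContext(String userName, Set<String> writePaths, Set<String> readPaths) {
    this.userName = Objects.requireNonNull(userName, "userName");
    // Defensive copies so that later changes by the caller do not alter the context.
    this.writePaths = Collections.unmodifiableSet(new HashSet<>(writePaths));
    this.readPaths = Collections.unmodifiableSet(new HashSet<>(readPaths));
  }

  @Override
  public String getUserName() {
    return userName;
  }

  public Set<String> getWritePaths() {
    return writePaths;
  }

  public Set<String> getReadPaths() {
    return readPaths;
  }
}
```

A provider can then scope the credential it issues to exactly these paths, for example read and write access on a table location and read-only access elsewhere.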

Contributor Author

FANNG1 commented Oct 14, 2024

@jerryshao The comments are addressed. Please help review again.

/** Credential type in the credential. */
public static final String CREDENTIAL_TYPE = "credential-type";
/** Credential expire time at ms since the epoch. */
public static final String EXPIRE_TIME_AT_MS = "expire-time-at-ms";
Contributor

@jerryshao jerryshao Oct 14, 2024

I think you can also define these two property keys in Credential; you don't have to create a new class to maintain them.

Contributor

Also please change to "expire-time-in-ms".

Contributor Author

updated
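
Putting the two suggestions in this thread together, the property keys could live directly on the interface, for instance as in the sketch below. The `toProperties()` default method is an assumption added for illustration and is not something this thread confirms. The key strings follow the reviewer's requested naming.

```java
import java.util.HashMap;
import java.util.Map;

/** Sketch of Credential with the property keys defined on the interface itself. */
interface Credential {
  /** Credential type in the credential. */
  String CREDENTIAL_TYPE = "credential-type";

  /** Credential expire time in ms since the epoch. */
  String EXPIRE_TIME_IN_MS = "expire-time-in-ms";

  String credentialType();

  long expireTimeInMs();

  Map<String, String> credentialInfo();

  /** ASSUMED helper: flattens the type, expiry, and type-specific info into one map. */
  default Map<String, String> toProperties() {
    Map<String, String> properties = new HashMap<>(credentialInfo());
    properties.put(CREDENTIAL_TYPE, credentialType());
    properties.put(EXPIRE_TIME_IN_MS, String.valueOf(expireTimeInMs()));
    return properties;
  }
}
```

Fields declared in a Java interface are implicitly public static final, so no separate constants class is needed.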

@jerryshao jerryshao merged commit 53bd227 into apache:main Oct 15, 2024
26 checks passed
Successfully merging this pull request may close these issues.

[Subtask] support credential vending framework
3 participants