[#4994][#4369] feat(core): support S3 credential vending

[FANNG1]

What changes were proposed in this pull request?

support S3 credential vending, include s3 token and s3 static key

Why are the changes needed?

Fix: #4994
Fix: #4369

Does this PR introduce any user-facing change?

no

How was this patch tested?

add IT to do Iceberg operation by using S3 token

[FANNG1]

@yuqi1129 @jerqi @jerryshao please help to review when you have time, thanks

[FANNG1]

what do you mean about token and session-token?

[jerqi]

createS3Token?

[FANNG1]

updated

[jerqi]

Builder builder = StsClient.builder()
    .credentialsProvider(credentialsProvider);
if (StringUtils.isNotBlank(region)) {
      builder.region(Region.of(region));  
}
return builder.build();

[FANNG1]

updated

[jerqi]

createPolicy?

[FANNG1]

updated

[jerqi]

This is AWS Hadoop Credential provider names

    org.apache.hadoop.fs.s3a.TemporaryAWSCredentialsProvider,
    org.apache.hadoop.fs.s3a.SimpleAWSCredentialsProvider,
    software.amazon.awssdk.auth.credentials.EnvironmentVariableCredentialsProvider,
    org.apache.hadoop.fs.s3a.auth.IAMInstanceCredentialsProvider

Do we need to refer to them? Many people may be used to using them.

[FANNG1]

This is for developers only, the user only care about credential provider type, like s3-token for this, I'm ok to use this name, do you have some suggestion?

[jerqi]

It's ok if it's only used by developers. But we need to make sure that s3-token is easy to understand by users.

[FANNG1]

Do you think s3-token and s3-secret-key is clear for users?

[jerqi]

What name do other systems use?

[FANNG1]

polaris use storage-type = s3 please refer to https://polaris.io/#tag/Polaris-Entities/Catalog, uc get s3 properties if the location is s3 schema, see https://docs.unitycatalog.io/server/configuration/

[jerqi]

Two consideration points.

1. GCP is gcp-token? Should be this aws-token?
2. I am not sure token is correct enough? Does S3 have multiple tokens? Do we support all?

[FANNG1]

1. GCP is gcs-token, I prefer to keep s3-token, because it's used for s3 storage.
2. We just support token from AsummRole, I think the name is simple and clear. You could provide your option if have better name.

[jerqi]

OK. I just discuss some possible names to make sure. I'm ok with current name.

[FANNG1]

@jerqi any other comments?

[jerqi]

LGTM.

[FANNG1]

@jerryshao @yuqi1129 , do you have time to take another look?

[jerryshao]

This is duplicated here and above, can you please consolidate them?

[FANNG1]

yes, they are different properties in S3TokenCredential and S3SecretKeyCredential with same name.

[jerryshao]

So please tell me what's the difference? If they're different, why do you use the same name and the same definition here?

[jerryshao]

You didn't address this comment.

[FANNG1]

sorry for miss this comment, Sts will response a sessionToken with AccessKeyId and secretAccessKey which is different from the AKSK, do you think we should use a different name like sessionAccessKeyId to make it more clear , but this maybe inconsistent with traditional s3 naming.

[FANNG1]

I update the comment for the properties

[jerryshao]

Make them final here and below.

[FANNG1]

updated

[jerryshao]

@FANNG1 please fix the ci problem.

[FANNG1]

@FANNG1 please fix the ci problem.

caused by temporal network error, fixed by rerun

[FANNG1]

@jerryshao any other comments?

[jerryshao]

Although the name of two key "static" and "session" are the same in S3, in the gravitino side, we can choose a different name to define, like "GRAVITINO_STATIC_S3_SECRET_ACCESS_KEY" and "GRAVITINO_SESSION_S3_SECRET_ACCESS_KEY"

[FANNG1]

ok

[jerryshao]

I mean that we can still follow AWS convention to use "s3-secret-access-key", but the definition here in Gravitino can be a more differentiable name. like:

public static final String GRAVITINO_S3_STATIC_SECRET_ACCESS_KEY = "s3-secret-access-key";

Also for other keys, what do you think? @FANNG1

[FANNG1]

ok

[FANNG1]

updated

[jerryshao]

Please make the CI pass.