[#4992] support credential vending framework #4995
Conversation
FANNG1
force-pushed
the
credential-framework
branch
from
55c1ad6
to
bdf04fa
Compare
| import java.util.Map; | ||
|
|
||
| /** Interface representing a credential with type, expiration time, and additional information. */ | ||
| public interface Credential { |
There was a problem hiding this comment.
What is the purpose of put it to common package?
There was a problem hiding this comment.
It maybe used in the client side.
There was a problem hiding this comment.
Can you please give me an example about how to use it in client side?
There was a problem hiding this comment.
Take Spark read Iceberg table for example,
// Fetch credential from Gravitino
Credential credentail = gravitinoClient.fetchCredential(NameIdentifier identifer, String credentialType)
// Transform credential properties to engine specific properties
Map credentailProperties = CredentialUtils.toIcebergProperties(credential)
// using credential properties to construct FileIO
FileIO file = new FileIO(credentailProperties)There was a problem hiding this comment.
If so, I would suggest you move to API module, not in common module.
There was a problem hiding this comment.
yes, this seems reasonable
| ServiceLoader<CredentialProvider> serviceLoader = | ||
| ServiceLoader.load(CredentialProvider.class, classLoader); | ||
| List<Class<? extends CredentialProvider>> providers = | ||
| Streams.stream(serviceLoader.iterator()) |
There was a problem hiding this comment.
What is the consideration of using service loader?
There was a problem hiding this comment.
Different catalogs may use different credential providers so that users could place the s3 provider in catalogA, place gcs provider in catalogB, so we using service loader to load corresponding jar in catalog classpaths.
| * | ||
| * <p>A credential provider is responsible for managing and retrieving credentials. | ||
| */ | ||
| public interface CredentialProvider { |
There was a problem hiding this comment.
I think you can change to like public interface Credential extends Closeable to avoid defining void stop() here.
| * | ||
| * @return a map of credential information. | ||
| */ | ||
| Map<String, String> getCredentialInfo(); |
There was a problem hiding this comment.
I would suggest change the style of getXXX to xxx, like credentialType().
There was a problem hiding this comment.
Do we need to define an interface for Token like Hadoop?
There was a problem hiding this comment.
I would suggest that you can refer to Hadoop's Credentials, Token and TokenIdentifer to see how to define our credential system.
There was a problem hiding this comment.
Credential is like Token in hadoop, the difference is Token in hadoop focus on the security of the identifer, while we focus on how to represent diverse tokens like S3-token, AKSK, delegation token with different properties.
There was a problem hiding this comment.
The concrete Credential has the clear definition , take S3TokenCredential for example
public class S3TokenCredential implements Credential {
private String accessKeyId;
private String secretAccessKey;
private String sessionToken;
private long expireMs;
public S3TokenCredential(
String accessKeyId, String secretAccessKey, String sessionToken, long expireMs) {
this.accessKeyId = accessKeyId;
this.secretAccessKey = secretAccessKey;
this.sessionToken = sessionToken;
this.expireMs = expireMs;
}
@Override
public String getCredentialType() {
return CredentialConstants.S3_TOKEN_CREDENTIAL_TYPE;
}
@Override
public long getExpireTime() {
return expireMs;
}
@Override
public Map<String, String> getCredentialInfo() {
return (new ImmutableMap.Builder<String, String>())
.put(S3Properties.GRAVITINO_S3_ACCESS_KEY_ID, accessKeyId)
.put(S3Properties.GRAVITINO_S3_SECRET_ACCESS_KEY, secretAccessKey)
.put(S3Properties.GRAVITINO_S3_TOKEN, sessionToken)
.build();
}
}
common/build.gradle.kts
Outdated
| @@ -28,6 +28,7 @@ plugins { | |||
|
|
|||
| dependencies { | |||
| implementation(project(":api")) | |||
| implementation(project(":catalogs:catalog-common")) | |||
There was a problem hiding this comment.
The dependency here looks strange if you only want to define two properties in catalog-common, it is easy to introduce the cyclic dependency.
There was a problem hiding this comment.
catalog-common is mainly used to define some properties used by catalog, client, connectors, I think it's ok to add the dependence here.
There was a problem hiding this comment.
No, it's weird to make common module rely on catalog-common module, which have different purposes and easy to introduce cyclic dependency, please change it.
| public interface Credential { | ||
|
|
||
| /** | ||
| * Returns the type of the credential. It should same with the credential type of the credential |
There was a problem hiding this comment.
"It should be the same with..."
There was a problem hiding this comment.
"It should be the same as..."
| * | ||
| * @return the expiration time as a long. | ||
| */ | ||
| long expireTimeMs(); |
| import java.util.Map; | ||
|
|
||
| /** Interface representing a credential with type, expiration time, and additional information. */ | ||
| public interface Credential { |
There was a problem hiding this comment.
Can you please give me an example about how to use it in client side?
| package org.apache.gravitino.credential; | ||
|
|
||
| /** Contains context information to get credential from credential provider. */ | ||
| public interface Context { |
There was a problem hiding this comment.
Please rename to CredentialContext, CatalogCredentialContext, something like this.
| * LocationContext is generated when user requesting resources associated with storage location like | ||
| * table, fileset, etc. | ||
| */ | ||
| public class LocationContext implements Context { |
There was a problem hiding this comment.
I think we can rename this class name to PathBasedCredentialContext, and change from "locations" to "paths".
| return userName; | ||
| } | ||
|
|
||
| public Set<String> getWriteLocations() { |
|
@jerryshao comments are addressed, please help to review again |
| /** Credential type in the credential. */ | ||
| public static final String CREDENTIAL_TYPE = "credential-type"; | ||
| /** Credential expire time at ms since the epoch. */ | ||
| public static final String EXPIRE_TIME_AT_MS = "expire-time-at-ms"; |
There was a problem hiding this comment.
I think you can also define these two property keys in Credential, you don't have to create a new class to maintain them.
There was a problem hiding this comment.
Also please change to "expire-time-in-ms".
What changes were proposed in this pull request?
support credential vending framework
Why are the changes needed?
Fix: #4992
Does this PR introduce any user-facing change?
no
How was this patch tested?