FANNG1 commented on code in PR #5701:
URL: https://github.com/apache/gravitino/pull/5701#discussion_r1869368928
##########
bundles/aliyun-bundle/build.gradle.kts:
##########
@@ -25,8 +25,15 @@ plugins {
}
dependencies {
+ compileOnly(project(":api"))
+ compileOnly(project(":core"))
+ compileOnly(project(":catalogs:catalog-common"))
compileOnly(project(":catalogs:catalog-hadoop"))
compileOnly(libs.hadoop3.common)
+
+ implementation(libs.aliyun.credentials.sdk)
+ implementation(libs.sun.activation)
Review Comment:
please keep alphabetical order
##########
bundles/aliyun-bundle/src/main/java/org/apache/gravitino/oss/credential/policy/Condition.java:
##########
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.gravitino.oss.credential.policy;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class Condition {
+
+ @JsonProperty("StringLike")
+ private StringLike stringLike;
+
+ private Condition(Builder builder) {
+ this.stringLike = builder.stringLike;
+ }
+
+ public static Builder builder() {
+ return new Builder();
+ }
+
+ public static class Builder {
+ private StringLike stringLike;
+
+ public Builder stringLike(StringLike stringLike) {
+ this.stringLike = stringLike;
+ return this;
+ }
+
+ public Condition build() {
+ return new Condition(this);
+ }
+ }
+
+ public StringLike getStringLike() {
Review Comment:
you could use `@SuppressWarnings("unused")`
##########
bundles/aliyun-bundle/build.gradle.kts:
##########
@@ -25,8 +25,15 @@ plugins {
}
dependencies {
+ compileOnly(project(":api"))
+ compileOnly(project(":core"))
+ compileOnly(project(":catalogs:catalog-common"))
compileOnly(project(":catalogs:catalog-hadoop"))
compileOnly(libs.hadoop3.common)
+
+ implementation(libs.aliyun.credentials.sdk)
+ implementation(libs.sun.activation)
+ implementation(libs.aliyun.kms.sdk)
Review Comment:
is it necessary to add this dependence?
##########
docs/iceberg-rest-service.md:
##########
@@ -128,16 +128,20 @@ To configure the JDBC catalog backend, set the
`gravitino.iceberg-rest.warehouse
#### OSS configuration
-Gravitino Iceberg REST service supports using static access-key-id and
secret-access-key to access OSS data.
+Gravitino Iceberg REST service supports using static access-key-id and
secret-access-key or generating temporary token to access OSS data.
-| Configuration item | Description
|
Default value | Required | Since Version |
-|------------------------------------------------|-------------------------------------------------------------------------------------------------------|---------------|----------|------------------|
-| `gravitino.iceberg-rest.io-impl` | The IO implementation for
`FileIO` in Iceberg, use `org.apache.iceberg.aliyun.oss.OSSFileIO` for OSS. |
(none) | No | 0.6.0-incubating |
-| `gravitino.iceberg-rest.oss-access-key-id` | The static access key ID
used to access OSS data. |
(none) | No | 0.7.0-incubating |
-| `gravitino.iceberg-rest.oss-secret-access-key` | The static secret access
key used to access OSS data. |
(none) | No | 0.7.0-incubating |
-| `gravitino.iceberg-rest.oss-endpoint` | The endpoint of Aliyun OSS
service. |
(none) | No | 0.7.0-incubating |
+| Configuration item | Description
| Default value | Required | Since Version |
+|---------------------------------------------------|------------------------------------------------------------------------------------------------------------------|-----------------|----------|------------------|
+| `gravitino.iceberg-rest.io-impl` | The IO implementation
for `FileIO` in Iceberg, use `org.apache.iceberg.aliyun.oss.OSSFileIO` for OSS.
| (none) | No | 0.6.0-incubating |
+| `gravitino.iceberg-rest.oss-access-key-id` | The static access key ID
used to access OSS data.
| (none) | No | 0.7.0-incubating |
+| `gravitino.iceberg-rest.oss-secret-access-key` | The static secret access
key used to access OSS data.
| (none) | No | 0.7.0-incubating |
+| `gravitino.iceberg-rest.oss-endpoint` | The endpoint of Aliyun
OSS service.
| (none) | No | 0.7.0-incubating |
+| `gravitino.iceberg-rest.oss-region` | The region of the OSS
service, like `oss-cn-hangzhou`, only used when `credential-provider-type` is
`oss-token`. | (none) | No | 0.8.0-incubating |
+| `gravitino.iceberg-rest.oss-role-arn` | The ARN of the role to
access the OSS data, only used when `credential-provider-type` is `oss-token`.
| (none) | No | 0.8.0-incubating |
+| `gravitino.iceberg-rest.oss-external-id` | The OSS external id to
generate token, only used when `credential-provider-type` is `oss-token`.
| (none) | No | 0.8.0-incubating |
+| `gravitino.iceberg-rest.oss-token-expire-in-secs` | The OSS security token
expire time in secs, only used when `credential-provider-type` is `oss-token`.
| 3600 | No | 0.8.0-incubating |
-For other Iceberg OSS properties not managed by Gravitino like
`client.security-token`, you could config it directly by
`gravitino.iceberg-rest.client.security-token`.
Review Comment:
No need to remove this line?
##########
bundles/aliyun-bundle/src/main/java/org/apache/gravitino/oss/credential/OSSTokenProvider.java:
##########
@@ -0,0 +1,267 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.gravitino.oss.credential;
+
+import com.aliyun.credentials.Client;
+import com.aliyun.credentials.models.Config;
+import com.aliyun.credentials.models.CredentialModel;
+import com.aliyun.credentials.utils.AuthConstant;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import java.io.IOException;
+import java.net.URI;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Set;
+import java.util.stream.Stream;
+import javax.annotation.Nullable;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.gravitino.credential.Credential;
+import org.apache.gravitino.credential.CredentialContext;
+import org.apache.gravitino.credential.CredentialProvider;
+import org.apache.gravitino.credential.OSSTokenCredential;
+import org.apache.gravitino.credential.PathBasedCredentialContext;
+import org.apache.gravitino.credential.config.OSSCredentialConfig;
+import org.apache.gravitino.oss.credential.policy.Condition;
+import org.apache.gravitino.oss.credential.policy.Effect;
+import org.apache.gravitino.oss.credential.policy.Policy;
+import org.apache.gravitino.oss.credential.policy.Statement;
+import org.apache.gravitino.oss.credential.policy.StringLike;
+
+/** Generates OSS token to access OSS data. */
+public class OSSTokenProvider implements CredentialProvider {
+ private final ObjectMapper objectMapper = new ObjectMapper();
+ private String accessKeyId;
+ private String secretAccessKey;
+ private String roleArn;
+ private String externalID;
+ private int tokenExpireSecs;
+ private String region;
+
+ /**
+ * Initializes the credential provider with catalog properties.
+ *
+ * @param properties catalog properties that can be used to configure the
provider. The specific
+ * properties required vary by implementation.
+ */
+ @Override
+ public void initialize(Map<String, String> properties) {
+ OSSCredentialConfig credentialConfig = new OSSCredentialConfig(properties);
+ this.roleArn = credentialConfig.ossRoleArn();
+ this.externalID = credentialConfig.externalID();
+ this.tokenExpireSecs = credentialConfig.tokenExpireInSecs();
+ this.accessKeyId = credentialConfig.accessKeyID();
+ this.secretAccessKey = credentialConfig.secretAccessKey();
+ this.region = credentialConfig.region();
+ }
+
+ /**
+ * Returns the type of credential, it should be identical in Gravitino.
+ *
+ * @return A string identifying the type of credentials.
+ */
+ @Override
+ public String credentialType() {
+ return OSSTokenCredential.OSS_TOKEN_CREDENTIAL_TYPE;
+ }
+
+ /**
+ * Obtains a credential based on the provided context information.
+ *
+ * @param context A context object providing necessary information for
retrieving credentials.
+ * @return A Credential object containing the authentication information
needed to access a system
+ * or resource. Null will be returned if no credential is available.
+ */
+ @Nullable
+ @Override
+ public Credential getCredential(CredentialContext context) {
+ if (!(context instanceof PathBasedCredentialContext)) {
+ return null;
+ }
+ PathBasedCredentialContext pathBasedCredentialContext =
(PathBasedCredentialContext) context;
+ CredentialModel credentialModel =
+ createOSSCredentialModel(
+ roleArn,
+ pathBasedCredentialContext.getReadPaths(),
+ pathBasedCredentialContext.getWritePaths(),
+ pathBasedCredentialContext.getUserName());
+ return new OSSTokenCredential(
+ credentialModel.accessKeyId,
+ credentialModel.accessKeySecret,
+ credentialModel.securityToken,
+ credentialModel.expiration);
+ }
+
+ private CredentialModel createOSSCredentialModel(
Review Comment:
ok
##########
bundles/aliyun-bundle/build.gradle.kts:
##########
@@ -25,8 +25,15 @@ plugins {
}
dependencies {
+ compileOnly(project(":api"))
+ compileOnly(project(":core"))
+ compileOnly(project(":catalogs:catalog-common"))
compileOnly(project(":catalogs:catalog-hadoop"))
compileOnly(libs.hadoop3.common)
+
+ implementation(libs.aliyun.credentials.sdk)
+ implementation(libs.sun.activation)
Review Comment:
why add this dependences?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
