obelix74 commented on code in PR #3327: URL: https://github.com/apache/polaris/pull/3327#discussion_r2651521963
########## polaris-core/src/main/java/org/apache/polaris/core/storage/CredentialVendingContext.java: ########## @@ -0,0 +1,99 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.polaris.core.storage; + +import java.util.Optional; +import org.apache.polaris.immutables.PolarisImmutable; + +/** + * Context information for credential vending operations. This context is used to provide metadata + * that can be attached to credentials as session tags (e.g., AWS STS session tags) for audit and + * correlation purposes in CloudTrail and similar logging systems. + * + * <p>When session tags are enabled, this context provides: + * + * <ul> + * <li>{@code catalogName} - The name of the catalog vending credentials + * <li>{@code namespace} - The namespace/database being accessed (e.g., "db.schema") + * <li>{@code tableName} - The name of the table being accessed + * <li>{@code requestId} - A unique request identifier for correlation with catalog audit logs + * </ul> + * + * <p>These values appear in cloud provider audit logs (e.g., AWS CloudTrail), enabling + * deterministic correlation between catalog operations and data access events. + */ +@PolarisImmutable +public interface CredentialVendingContext { Review Comment: I agree this would be a cleaner design. However, this would touch multiple layers (StorageCredentialCache, StorageCredentialsVendor, PolarisCredentialVendor, and all storage integrations). Given that #3270 is also refactoring this area, would you prefer I: 1. Implement this in the current PR, or 2. Defer to a follow-up PR after #3270 merges to avoid conflicts? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
