dimas-b commented on code in PR #3327:
URL: https://github.com/apache/polaris/pull/3327#discussion_r2651967998
##########
polaris-core/src/main/java/org/apache/polaris/core/config/FeatureConfiguration.java:
##########
@@ -91,6 +91,19 @@ public static void enforceFeatureEnabledOrThrow(
.defaultValue(false)
.buildFeatureConfiguration();
+ public static final FeatureConfiguration<Boolean>
INCLUDE_SESSION_TAGS_IN_SUBSCOPED_CREDENTIAL =
+ PolarisConfiguration.<Boolean>builder()
+ .key("INCLUDE_SESSION_TAGS_IN_SUBSCOPED_CREDENTIAL")
+ .description(
+ "If set to true, session tags (catalog, namespace, table,
principal, roles) will be included\n"
+ + "in AWS STS AssumeRole requests for credential vending.
These tags appear in CloudTrail events,\n"
+ + "enabling correlation between catalog operations and S3
data access.\n"
+ + "Requires the IAM role trust policy to allow
sts:TagSession action.\n"
+ + "Note that enabling this feature leads to degradation in
temporary credential caching as \n"
+ + "catalog will no longer be able to reuse credentials for
different tables/namespaces/roles.")
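Review bot: the description of `INCLUDE_SESSION_TAGS_IN_SUBSCOPED_CREDENTIAL` should spell out the data-exposure side of the trade-off, not only the caching side: the tag values it lists (`catalog, namespace, table, principal, roles`) are sent to AWS STS and, as the text itself notes, appear in CloudTrail, so enabling the flag exports Polaris principal and role names to anyone who can read the account's CloudTrail logs; a sentence such as "Tag values, including principal and role names, become visible in the AWS account's CloudTrail logs" would make that explicit for operators. It would also help to state what happens when the IAM trust policy does not grant `sts:TagSession`, since the text only says it is required. Two smaller points in the same string: `"... temporary credential caching as \n"` carries a trailing space before the `\n`, and the embedded `\n` breaks are unusual for a builder description; a single continuous sentence would read better in any rendered configuration listing.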
Review Comment:
Principal was added as a small incremental change, IIRC.
I think the whole flow for generating `StorageAccessConfig` needs some
refactoring :sweat_smile: Cf.
https://github.com/apache/polaris/pull/3327#discussion_r2651225156
##########
polaris-core/src/main/java/org/apache/polaris/core/config/FeatureConfiguration.java:
##########
@@ -91,6 +91,19 @@ public static void enforceFeatureEnabledOrThrow(
.defaultValue(false)
.buildFeatureConfiguration();
+ public static final FeatureConfiguration<Boolean>
INCLUDE_SESSION_TAGS_IN_SUBSCOPED_CREDENTIAL =
+ PolarisConfiguration.<Boolean>builder()
+ .key("INCLUDE_SESSION_TAGS_IN_SUBSCOPED_CREDENTIAL")
+ .description(
+ "If set to true, session tags (catalog, namespace, table,
principal, roles) will be included\n"
+ + "in AWS STS AssumeRole requests for credential vending.
These tags appear in CloudTrail events,\n"
+ + "enabling correlation between catalog operations and S3
data access.\n"
+ + "Requires the IAM role trust policy to allow
sts:TagSession action.\n"
+ + "Note that enabling this feature leads to degradation in
temporary credential caching as \n"
+ + "catalog will no longer be able to reuse credentials for
different tables/namespaces/roles.")
Review Comment:
Principal was added as a small incremental change for a narrow use case, IIRC.
I think the whole flow for generating `StorageAccessConfig` needs some
refactoring :sweat_smile: Cf.
https://github.com/apache/polaris/pull/3327#discussion_r2651225156
--
This is an automated message from the Apache Git Service.