Initial MVP implementation of Catalog Federation to remote Iceberg REST Catalogs

polaris-core/src/main/java/org/apache/polaris/core/secrets/UnsafeInMemorySecretsManager.java

@@ -27,7 +27,7 @@
 import java.util.Objects;
 import java.util.concurrent.ConcurrentHashMap;
 import org.apache.commons.codec.digest.DigestUtils;
-import org.apache.polaris.core.entity.PolarisEntity;
+import org.apache.polaris.core.entity.PolarisEntityCore;
 
 /**
  * A minimal in-memory implementation of UserSecretsManager that should only be used for test and
@@ -48,7 +48,8 @@ public class UnsafeInMemorySecretsManager implements UserSecretsManager {
   /** {@inheritDoc} */
   @Override
   @Nonnull
-  public UserSecretReference writeSecret(@Nonnull String secret, @Nonnull PolarisEntity forEntity) {
+  public UserSecretReference writeSecret(
+      @Nonnull String secret, @Nonnull PolarisEntityCore forEntity) {
     // For illustrative purposes and to exercise the control flow of requiring both the stored
     // secret as well as the secretReferencePayload to recover the original secret, we'll use
     // basic XOR encryption and store the randomly generated key in the reference payload.

polaris-core/src/main/java/org/apache/polaris/core/secrets/UserSecretReference.java

@@ -18,8 +18,10 @@
  */
 package org.apache.polaris.core.secrets;
 
+import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.google.common.base.MoreObjects;
+import com.google.common.base.Preconditions;
 import jakarta.annotation.Nonnull;
 import jakarta.annotation.Nullable;
 import java.util.HashMap;
@@ -56,7 +58,10 @@ public class UserSecretReference {
 
   /**
    * @param urn A string which should be self-sufficient to retrieve whatever secret material that
-   *     is stored in the remote secret store.
+   *     is stored in the remote secret store and also to identify an implementation of the
+   *     UserSecretsManager which is capable of interpreting this concrete UserSecretReference.
+   *     Should be of the form:
+   *     'urn:polaris-secret:<secret-manager-type>:<type-specific-identifier>
    * @param referencePayload Optionally, any additional information that is necessary to fully
    *     reconstitute the original secret based on what is retrieved by the {@code urn}; this
    *     payload may include hashes/checksums, encryption key ids, OTP encryption keys, additional
@@ -65,10 +70,28 @@ public class UserSecretReference {
   public UserSecretReference(
       @JsonProperty(value = "urn", required = true) @Nonnull String urn,
       @JsonProperty(value = "referencePayload") @Nullable Map<String, String> referencePayload) {
+    // TODO: Add better/standardized parsing and validation of URN syntax
+    Preconditions.checkArgument(
+        urn.startsWith("urn:polaris-secret:") && urn.split(":").length >= 4,
+        "Invalid secret URN '%s'; must be of the form "
+            + "'urn:polaris-secret:<secret-manager-type>:<type-specific-identifier>'",
+        urn);
     this.urn = urn;
     this.referencePayload = Objects.requireNonNullElse(referencePayload, new HashMap<>());
   }
 
+  /**
+   * Since UserSecretReference objects are specific to UserSecretManager implementations, the
+   * "secret-manager-type" portion of the URN should be used to validate that a URN is valid for a
+   * given implementation and to dispatch to the correct implementation at runtime if multiple
+   * concurrent implementations are possible in a given runtime environment.
+   */
+  @JsonIgnore
+  public String getUserSecretManagerTypeFromUrn() {
+    // TODO: Add better/standardized parsing and validation of URN syntax
+    return urn.split(":")[2];
+  }
+
   public @Nonnull String getUrn() {
     return urn;
   }

polaris-core/src/main/java/org/apache/polaris/core/secrets/UserSecretsManager.java

@@ -19,7 +19,7 @@
 package org.apache.polaris.core.secrets;
 
 import jakarta.annotation.Nonnull;
-import org.apache.polaris.core.entity.PolarisEntity;
+import org.apache.polaris.core.entity.PolarisEntityCore;
 
 /**
  * Manages secrets specified by users of the Polaris API, either directly or as an intermediary
@@ -32,25 +32,25 @@ public interface UserSecretsManager {
   /**
    * Persist the {@code secret} under a new URN {@code secretUrn} and return a {@code
    * UserSecretReference} that can subsequently be used by this same UserSecretsManager to retrieve
-   * the original secret. The {@code forEntity} is provided for an implementation to optionally
-   * extract other identifying metadata such as entity type, name, etc., to store alongside the
-   * remotely stored secret to facilitate operational management of the secrets outside of the core
-   * Polaris service (for example, to perform garbage-collection if the Polaris service fails to
-   * delete managed secrets in the external system when associated entities are deleted.
+   * the original secret. The {@code forEntity} is provided for an implementation to extract other
+   * identifying metadata such as entity type, id, name, etc., to store alongside the remotely
+   * stored secret to facilitate operational management of the secrets outside of the core Polaris
+   * service (for example, to perform garbage-collection if the Polaris service fails to delete
+   * managed secrets in the external system when associated entities are deleted).
    *
    * @param secret The secret to store
    * @param forEntity The PolarisEntity that is associated with the secret
    * @return A reference object that can be used to retrieve the secret which is safe to store in
    *     its entirety within a persisted PolarisEntity
    */
   @Nonnull
-  UserSecretReference writeSecret(@Nonnull String secret, @Nonnull PolarisEntity forEntity);
+  UserSecretReference writeSecret(@Nonnull String secret, @Nonnull PolarisEntityCore forEntity);
 
   /**
    * Retrieve a secret using the {@code secretReference}. See {@link UserSecretReference} for
    * details about identifiers and payloads.
    *
-   * @param secretReference Identifier and any associated payload used for retrieving the secret
+   * @param secretReference Reference object for retrieving the original secret
    * @return The stored secret, or null if it no longer exists
    */
   @Nonnull
@@ -60,7 +60,7 @@ public interface UserSecretsManager {
    * Delete a stored secret. See {@link UserSecretReference} for details about identifiers and
    * payloads.
    *
-   * @param secretReference Identifier and any associated payload used for retrieving the secret
+   * @param secretReference Reference object for retrieving the original secret
    */
   void deleteSecret(@Nonnull UserSecretReference secretReference);
 }

polaris-core/src/test/java/org/apache/polaris/core/connection/ConnectionConfigInfoDpoTest.java

@@ -45,7 +45,7 @@ void testOAuthClientCredentialsParameters() throws JsonProcessingException {
             + "    \"tokenUri\": \"https://myorg-my_account.snowflakecomputing.com/polaris/api/catalog/v1/oauth/tokens\","
             + "    \"clientId\": \"client-id\","
             + "    \"clientSecretReference\": {"
-            + "      \"urn\": \"urn:polaris-secret:keystore-id-12345\","
+            + "      \"urn\": \"urn:polaris-secret:secretmanager-impl:keystore-id-12345\","
             + "      \"referencePayload\": {"
             + "        \"hash\": \"a1b2c3\","
             + "        \"encryption-key\": \"z0y9x8\""
@@ -94,7 +94,7 @@ void testBearerAuthenticationParameters() throws JsonProcessingException {
             + "  \"authenticationParameters\": {"
             + "    \"authenticationTypeCode\": 2,"
             + "    \"bearerTokenReference\": {"
-            + "      \"urn\": \"urn:polaris-secret:keystore-id-12345\","
+            + "      \"urn\": \"urn:polaris-secret:secretmanager-impl:keystore-id-12345\","
             + "      \"referencePayload\": {"
             + "        \"hash\": \"a1b2c3\","
             + "        \"encryption-key\": \"z0y9x8\""