Add S3 security mapping for native S3 #22559
@mosabua This is compatible with the legacy S3 feature and uses the same config properties (minus the
nineinchnick
left a comment
Are the tests based on some existing ones in the legacy FS? I haven't reviewed them for coverage.
Why not add @NotNull to getConfigFilePath()?
It's not needed because the code directly returns a non-null Optional. The validation annotations are for the Bean Validation framework to validate user-supplied values.
Can this be checked in the config class?
We can't use @FileExists because the file path can also be a URL. But we could use @AssertTrue. I'll add that.
Actually, I'm going to make two configs.
Would be easier to review if moving of this code to the loader was extracted to a separate commit.
I completely agree, and tried to do that originally, but the code is restructured significantly. I didn't see a good way to do a clean refactoring.
Yeah .. we can just have it in the new docs as copy.. then cleaning up later will be easier. You want to do that or should I send a separate PR @electrum ?
I copied over the documentation and cleaned it up a bit.
mosabua
left a comment
Just a couple of doc suggestions
do we need to say what type of regex?
And we should explain that the example uses an OR and therefore matches for alice and bob
Do we go into this level of detail in the other documentation? Note that this documentation is copied over from the original, so we could do a more major cleanup as a separate task.
We should .. just have not gotten around to fixing that up.
Let's follow-up with the docs improvement after this PR is merged.
Path to the JSON
relative to ? or absolute? or both
It can be relative or absolute. I don't think we discuss "relative to what" in every place that uses additional files, but it's relative to the server configuration directory. Do we have a place that discusses that to link to?
Not sure we have a generic place .. maybe just go with Absolute or relative path to the JSON configuration file.
0e0743d to 18b0e6f
@mosabua Thanks for the great review of the documentation. I believe I've addressed all of your comments.
@nineinchnick The tests are based on the legacy S3 support. TestS3SecurityMapping What is not tested, either here or in the legacy version, is that the client configuration is correct. We would like to verify that the client is making the correct requests, i.e. using the correct access key, IAM role, KMS key ID, etc. This is what I investigated:
@electrum can we merge this PR, and the integration tests can be a followup?
@anusudarsan yes, I don’t plan to work on integration tests
| import static java.util.concurrent.Executors.newCachedThreadPool; | ||
|
|
||
| final class S3FileSystemLoader | ||
| implements Function<Location, TrinoFileSystemFactory> |
Nit: this could be a dedicated interface
We can introduce one later if it's needed
| Location location, | ||
| Executor uploadExecutor) | ||
| { | ||
| this.mappingProvider = mappingProvider; |
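Review bot: `this.mappingProvider = mappingProvider;` in the constructor stores the argument without a null check, so a missing provider would only show up later when a mapping is first looked up. Wrapping the assignment in `requireNonNull(mappingProvider, "mappingProvider is null")` makes that fail at construction time instead.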
| private static Supplier<S3SecurityMappings> mappingsProvider(Supplier<S3SecurityMappings> supplier, Optional<Duration> refreshPeriod) | ||
| { | ||
| return refreshPeriod | ||
| .map(refresh -> Suppliers.memoizeWithExpiration(supplier::get, refresh.toMillis(), MILLISECONDS)) |
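Review bot: the `Suppliers.memoizeWithExpiration(supplier::get, ...)` wrapper in `mappingsProvider` reloads the mappings on the calling thread once the refresh period has elapsed, and an exception from the delegate propagates to that caller. Since the mapping source can also be a URL, it is worth stating in a comment or in the docs whether failing the request on a bad reload is the intended behaviour, as opposed to keeping the last successfully loaded mappings.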
nit: static import: memoize*
@electrum let's merge it and follow-up with code and test improvements
| - External ID for the IAM role trust policy when connecting to S3. | ||
| ::: | ||
|
|
||
| ## Security mapping |
Maybe move this "copy from legacy docs" stuff to a separate commit
Description
Release notes
(x) Release notes are required, with the following suggested text: