Skip to content

core: Credential Vending Refactor #3699

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
tokoko wants to merge 4 commits into
base: main
Choose a base branch
from
Draft

core: Credential Vending Refactor #3699

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
b53c9d4
chore: refactor credential vending
tokoko Feb 7, 2026
761e475
chore: credential vendor accepts polaris entity
tokoko Feb 7, 2026
22d0902
refactor: move orchestration logic from cache to access config provider
tokoko Feb 8, 2026
e58d7b4
fix: mocks for service tests
tokoko Feb 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
59 changes: 0 additions & 59 deletions ...e/src/main/java/org/apache/polaris/persistence/nosql/metastore/NoSqlMetaStoreManager.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,10 +19,8 @@
package org.apache.polaris.persistence.nosql.metastore;

import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.apache.polaris.core.persistence.dao.entity.BaseResult.ReturnStatus.ENTITY_NOT_FOUND;
import static org.apache.polaris.core.persistence.dao.entity.BaseResult.ReturnStatus.GRANT_NOT_FOUND;
import static org.apache.polaris.core.persistence.dao.entity.BaseResult.ReturnStatus.SUBSCOPE_CREDS_ERROR;
import static org.apache.polaris.persistence.nosql.coretypes.mapping.EntityObjMappings.mapToEntity;
import static org.apache.polaris.persistence.nosql.coretypes.mapping.EntityObjMappings.mapToEntityNameLookupRecord;
import static org.apache.polaris.persistence.nosql.coretypes.mapping.EntityObjMappings.principalObjToPolarisPrincipalSecrets;
Expand All @@ -33,11 +31,9 @@
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Supplier;
import org.apache.polaris.core.PolarisCallContext;
import org.apache.polaris.core.auth.PolarisPrincipal;
import org.apache.polaris.core.config.FeatureConfiguration;
import org.apache.polaris.core.entity.LocationBasedEntity;
import org.apache.polaris.core.entity.PolarisBaseEntity;
Expand Down Expand Up @@ -73,12 +69,10 @@
import org.apache.polaris.core.persistence.dao.entity.PrivilegeResult;
import org.apache.polaris.core.persistence.dao.entity.ResolvedEntitiesResult;
import org.apache.polaris.core.persistence.dao.entity.ResolvedEntityResult;
import org.apache.polaris.core.persistence.dao.entity.ScopedCredentialsResult;
import org.apache.polaris.core.persistence.pagination.Page;
import org.apache.polaris.core.persistence.pagination.PageToken;
import org.apache.polaris.core.policy.PolicyEntity;
import org.apache.polaris.core.policy.PolicyType;
import org.apache.polaris.core.storage.CredentialVendingContext;
import org.apache.polaris.persistence.nosql.metastore.privs.SecurableGranteePrivilegeTuple;

record NoSqlMetaStoreManager(
Expand Down Expand Up @@ -680,59 +674,6 @@ public void deletePrincipalSecrets(
});
}

// PolarisCredentialVendor

@Nonnull
@Override
public ScopedCredentialsResult getSubscopedCredsForEntity(
@Nonnull PolarisCallContext callCtx,
long catalogId,
long entityId,
@Nonnull PolarisEntityType entityType,
boolean allowListOperation,
@Nonnull Set<String> allowedReadLocations,
@Nonnull Set<String> allowedWriteLocations,
@Nonnull PolarisPrincipal polarisPrincipal,
Optional<String> refreshCredentialsEndpoint,
@Nonnull CredentialVendingContext credentialVendingContext) {

checkArgument(
!allowedReadLocations.isEmpty() || !allowedWriteLocations.isEmpty(),
"allowed_locations_to_subscope_is_required");

// reload the entity or error out if not found
var reloadedEntity = loadEntity(callCtx, catalogId, entityId, entityType);
if (reloadedEntity.getReturnStatus() != BaseResult.ReturnStatus.SUCCESS) {
return new ScopedCredentialsResult(
reloadedEntity.getReturnStatus(), reloadedEntity.getExtraInformation());
}

// get storage integration
var storageIntegration = ms(callCtx).loadPolarisStorageIntegration(reloadedEntity.getEntity());

// cannot be null
checkNotNull(
storageIntegration,
"storage_integration_not_exists, catalogId=%s, entityId=%s",
catalogId,
entityId);

try {
var creds =
storageIntegration.getSubscopedCreds(
callCtx.getRealmConfig(),
allowListOperation,
allowedReadLocations,
allowedWriteLocations,
polarisPrincipal,
refreshCredentialsEndpoint,
credentialVendingContext);
return new ScopedCredentialsResult(creds);
} catch (Exception ex) {
return new ScopedCredentialsResult(SUBSCOPE_CREDS_ERROR, ex.getMessage());
}
}

@Override
public boolean requiresEntityReload() {
return false;
Expand Down
67 changes: 0 additions & 67 deletions ...re/src/main/java/org/apache/polaris/core/persistence/AtomicOperationMetaStoreManager.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,6 @@
import java.util.stream.IntStream;
import org.apache.polaris.core.PolarisCallContext;
import org.apache.polaris.core.PolarisDiagnostics;
import org.apache.polaris.core.auth.PolarisPrincipal;
import org.apache.polaris.core.config.FeatureConfiguration;
import org.apache.polaris.core.entity.AsyncTaskType;
import org.apache.polaris.core.entity.CatalogEntity;
Expand Down Expand Up @@ -70,17 +69,14 @@
import org.apache.polaris.core.persistence.dao.entity.PrivilegeResult;
import org.apache.polaris.core.persistence.dao.entity.ResolvedEntitiesResult;
import org.apache.polaris.core.persistence.dao.entity.ResolvedEntityResult;
import org.apache.polaris.core.persistence.dao.entity.ScopedCredentialsResult;
import org.apache.polaris.core.persistence.pagination.Page;
import org.apache.polaris.core.persistence.pagination.PageToken;
import org.apache.polaris.core.policy.PolarisPolicyMappingRecord;
import org.apache.polaris.core.policy.PolicyEntity;
import org.apache.polaris.core.policy.PolicyMappingUtil;
import org.apache.polaris.core.policy.PolicyType;
import org.apache.polaris.core.storage.CredentialVendingContext;
import org.apache.polaris.core.storage.PolarisStorageConfigurationInfo;
import org.apache.polaris.core.storage.PolarisStorageIntegration;
import org.apache.polaris.core.storage.StorageAccessConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

Expand Down Expand Up @@ -1526,69 +1522,6 @@ public void deletePrincipalSecrets(
return EntitiesResult.fromPage(Page.fromItems(loadedTasks));
}

/** {@inheritDoc} */
@Override
public @Nonnull ScopedCredentialsResult getSubscopedCredsForEntity(
@Nonnull PolarisCallContext callCtx,
long catalogId,
long entityId,
@Nonnull PolarisEntityType entityType,
boolean allowListOperation,
@Nonnull Set<String> allowedReadLocations,
@Nonnull Set<String> allowedWriteLocations,
@Nonnull PolarisPrincipal polarisPrincipal,
Optional<String> refreshCredentialsEndpoint,
@Nonnull CredentialVendingContext credentialVendingContext) {

// get meta store session we should be using
BasePersistence ms = callCtx.getMetaStore();
getDiagnostics()
.check(
!allowedReadLocations.isEmpty() || !allowedWriteLocations.isEmpty(),
"allowed_locations_to_subscope_is_required");

// reload the entity, error out if not found
EntityResult reloadedEntity = loadEntity(callCtx, catalogId, entityId, entityType);
if (reloadedEntity.getReturnStatus() != BaseResult.ReturnStatus.SUCCESS) {
return new ScopedCredentialsResult(
reloadedEntity.getReturnStatus(), reloadedEntity.getExtraInformation());
}

// TODO: Consider whether this independent lookup is safe for the model already or whether
// we need better atomicity semantics between the base entity and the embedded storage
// integration.

// get storage integration
PolarisStorageIntegration<PolarisStorageConfigurationInfo> storageIntegration =
((IntegrationPersistence) ms)
.loadPolarisStorageIntegration(callCtx, reloadedEntity.getEntity());

// cannot be null
getDiagnostics()
.checkNotNull(
storageIntegration,
"storage_integration_not_exists",
"catalogId={}, entityId={}",
catalogId,
entityId);

try {
StorageAccessConfig storageAccessConfig =
storageIntegration.getSubscopedCreds(
callCtx.getRealmConfig(),
allowListOperation,
allowedReadLocations,
allowedWriteLocations,
polarisPrincipal,
refreshCredentialsEndpoint,
credentialVendingContext);
return new ScopedCredentialsResult(storageAccessConfig);
} catch (Exception ex) {
return new ScopedCredentialsResult(
BaseResult.ReturnStatus.SUBSCOPE_CREDS_ERROR, ex.getMessage());
}
}

/** {@inheritDoc} */
@Override
public @Nonnull ResolvedEntityResult loadResolvedEntityById(
Expand Down
2 changes: 0 additions & 2 deletions polaris-core/src/main/java/org/apache/polaris/core/persistence/PolarisMetaStoreManager.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,6 @@
import org.apache.polaris.core.persistence.pagination.Page;
import org.apache.polaris.core.persistence.pagination.PageToken;
import org.apache.polaris.core.policy.PolarisPolicyMappingManager;
import org.apache.polaris.core.storage.PolarisCredentialVendor;

/**
* Polaris Metastore Manager manages all Polaris entities and associated grant records metadata for
Expand All @@ -62,7 +61,6 @@
public interface PolarisMetaStoreManager
extends PolarisSecretsManager,
PolarisGrantManager,
PolarisCredentialVendor,
PolarisPolicyMappingManager,
PolarisEventManager {

Expand Down
29 changes: 0 additions & 29 deletions ...c/main/java/org/apache/polaris/core/persistence/TransactionWorkspaceMetaStoreManager.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,10 +25,8 @@
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import org.apache.polaris.core.PolarisCallContext;
import org.apache.polaris.core.PolarisDiagnostics;
import org.apache.polaris.core.auth.PolarisPrincipal;
import org.apache.polaris.core.entity.LocationBasedEntity;
import org.apache.polaris.core.entity.PolarisBaseEntity;
import org.apache.polaris.core.entity.PolarisEntity;
Expand Down Expand Up @@ -56,12 +54,10 @@
import org.apache.polaris.core.persistence.dao.entity.PrivilegeResult;
import org.apache.polaris.core.persistence.dao.entity.ResolvedEntitiesResult;
import org.apache.polaris.core.persistence.dao.entity.ResolvedEntityResult;
import org.apache.polaris.core.persistence.dao.entity.ScopedCredentialsResult;
import org.apache.polaris.core.persistence.pagination.Page;
import org.apache.polaris.core.persistence.pagination.PageToken;
import org.apache.polaris.core.policy.PolicyEntity;
import org.apache.polaris.core.policy.PolicyType;
import org.apache.polaris.core.storage.CredentialVendingContext;

/**
* Wraps an existing impl of PolarisMetaStoreManager and delegates expected "read" operations
Expand Down Expand Up @@ -317,31 +313,6 @@ public void deletePrincipalSecrets(
throw illegalMethodError("loadTasks");
}

@Override
public @Nonnull ScopedCredentialsResult getSubscopedCredsForEntity(
Copy link
Contributor

@dimas-b dimas-b Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While I agree that this change makes sense in general, polaris-core is traditionally sensitive to API changes (despite the standing evolution guidelines).

I'd propose to keep this method for now, even if it will be unused in OSS code.

Copy link
Contributor

@dimas-b dimas-b Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The NoSQL impl. can be replaced with a throw new UnsupportedOperationException(), but let's keep related code in polaris-core.

@Nonnull PolarisCallContext callCtx,
long catalogId,
long entityId,
@Nonnull PolarisEntityType entityType,
boolean allowListOperation,
@Nonnull Set<String> allowedReadLocations,
@Nonnull Set<String> allowedWriteLocations,
@Nonnull PolarisPrincipal polarisPrincipal,
Optional<String> refreshCredentialsEndpoint,
@Nonnull CredentialVendingContext credentialVendingContext) {
return delegate.getSubscopedCredsForEntity(
callCtx,
catalogId,
entityId,
entityType,
allowListOperation,
allowedReadLocations,
allowedWriteLocations,
polarisPrincipal,
refreshCredentialsEndpoint,
credentialVendingContext);
}

@Override
public @Nonnull ResolvedEntityResult loadResolvedEntityById(
@Nonnull PolarisCallContext callCtx,
Expand Down
62 changes: 0 additions & 62 deletions .../org/apache/polaris/core/persistence/transactional/TransactionalMetaStoreManagerImpl.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,6 @@
import java.util.stream.IntStream;
import org.apache.polaris.core.PolarisCallContext;
import org.apache.polaris.core.PolarisDiagnostics;
import org.apache.polaris.core.auth.PolarisPrincipal;
import org.apache.polaris.core.config.FeatureConfiguration;
import org.apache.polaris.core.entity.AsyncTaskType;
import org.apache.polaris.core.entity.CatalogEntity;
Expand Down Expand Up @@ -75,17 +74,14 @@
import org.apache.polaris.core.persistence.dao.entity.PrivilegeResult;
import org.apache.polaris.core.persistence.dao.entity.ResolvedEntitiesResult;
import org.apache.polaris.core.persistence.dao.entity.ResolvedEntityResult;
import org.apache.polaris.core.persistence.dao.entity.ScopedCredentialsResult;
import org.apache.polaris.core.persistence.pagination.Page;
import org.apache.polaris.core.persistence.pagination.PageToken;
import org.apache.polaris.core.policy.PolarisPolicyMappingRecord;
import org.apache.polaris.core.policy.PolicyEntity;
import org.apache.polaris.core.policy.PolicyMappingUtil;
import org.apache.polaris.core.policy.PolicyType;
import org.apache.polaris.core.storage.CredentialVendingContext;
import org.apache.polaris.core.storage.PolarisStorageConfigurationInfo;
import org.apache.polaris.core.storage.PolarisStorageIntegration;
import org.apache.polaris.core.storage.StorageAccessConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

Expand Down Expand Up @@ -2011,64 +2007,6 @@ private PolarisEntityResolver resolveSecurableToRoleGrant(
return ms.runInTransaction(callCtx, () -> this.loadTasks(callCtx, ms, executorId, pageToken));
}

/** {@inheritDoc} */
@Override
public @Nonnull ScopedCredentialsResult getSubscopedCredsForEntity(
@Nonnull PolarisCallContext callCtx,
long catalogId,
long entityId,
@Nonnull PolarisEntityType entityType,
boolean allowListOperation,
@Nonnull Set<String> allowedReadLocations,
@Nonnull Set<String> allowedWriteLocations,
@Nonnull PolarisPrincipal polarisPrincipal,
Optional<String> refreshCredentialsEndpoint,
@Nonnull CredentialVendingContext credentialVendingContext) {

// get meta store session we should be using
TransactionalPersistence ms = ((TransactionalPersistence) callCtx.getMetaStore());
getDiagnostics()
.check(
!allowedReadLocations.isEmpty() || !allowedWriteLocations.isEmpty(),
"allowed_locations_to_subscope_is_required");

// reload the entity, error out if not found
EntityResult reloadedEntity = loadEntity(callCtx, catalogId, entityId, entityType);
if (reloadedEntity.getReturnStatus() != BaseResult.ReturnStatus.SUCCESS) {
return new ScopedCredentialsResult(
reloadedEntity.getReturnStatus(), reloadedEntity.getExtraInformation());
}

// get storage integration
PolarisStorageIntegration<PolarisStorageConfigurationInfo> storageIntegration =
ms.loadPolarisStorageIntegrationInCurrentTxn(callCtx, reloadedEntity.getEntity());

// cannot be null
getDiagnostics()
.checkNotNull(
storageIntegration,
"storage_integration_not_exists",
"catalogId={}, entityId={}",
catalogId,
entityId);

try {
StorageAccessConfig storageAccessConfig =
storageIntegration.getSubscopedCreds(
callCtx.getRealmConfig(),
allowListOperation,
allowedReadLocations,
allowedWriteLocations,
polarisPrincipal,
refreshCredentialsEndpoint,
credentialVendingContext);
return new ScopedCredentialsResult(storageAccessConfig);
} catch (Exception ex) {
return new ScopedCredentialsResult(
BaseResult.ReturnStatus.SUBSCOPE_CREDS_ERROR, ex.getMessage());
}
}

/** {@link #loadResolvedEntityById(PolarisCallContext, long, long, PolarisEntityType)} */
private @Nonnull ResolvedEntityResult loadResolvedEntityById(
@Nonnull PolarisCallContext callCtx,
Expand Down
Loading
Loading