Add support for presigned URLs in the lakeFS API

[ozkatz]

This one requires discussion :)

Currently, lakeFS users have 2 options when reading and writing data:

1. Involve lakeFS in the data path: this typically means either using the s3 gateway to read/write data, or to use the data operations in the lakeFS API (get_object, put_object)
2. Use lakeFS for metadata only, with direct read/write to the underlying object store.

This requires a pretty hard tradeoff: (1) has implications regarding security (data going through the lakeFS server) as well as added operational complexity (i.e. the need to size a lakeFS installation for the required bandwidth) and potentially cost implications if the lakeFS installation is outside the AWS account and VPC used by its consumers (such as in lakeFS Cloud).

As for (2), it has a different set of problems: Once the metadata operation is done, direct access to the object store requires authentication and authorization. This means managing 2 different auth* systems: one for lakeFS and one for the underlying object store. Keeping both of them in sync is very hard (i.e. how do I give every user permissions to read only the exact underlying objects in a repository?)

This PR introduces pre-signed URLs as a middle ground. It allows receiving short-lived pre-signed URLs from GetObject, StatObject and ListObjects with the optional presign=true query parameter, as well as limited write support using GetPhysicalAddress where the address returned is pre-signed for a write operation.

This PR currently does not handle Multipart uploads, this could be added later (and is probably a requirement before it resolves #3160)

---

This is currently in draft and requires discussion. I don't plan on merging this unless we agree this is desired.

[arielshaqed]

Yay, this is a great direction!

One worry is how to use this from lakeFSFS, because I would really like to use this from lakeFSFS. While this is certainly not the only client, it's a pretty important one. Here I am not sure how to use this and get the optimizations from S3A and other underlying FileSystems.

[arielshaqed]

Neat stuff! Can you open an issue optionally to rewrite lakectl fs {upload,cat} --direct to use this redirecting mode? It will make it so much simpler and more natural!

Approving as a satisfied future user of this, obviously not as a versioning engine team member.

(Still not sure how to use it efficiently in lakeFSFS, but that's a different matter!)

[arielshaqed]

Nit: I think

Suggested change

	response.PresignedUrl = StringPtr(preSignedURL)
	response.PresignedUrl = &preSignedURL

is more readable as well as more efficient.

[arielshaqed]

When I think of it this is really neat: I will be able to read all contents of an entire directory with a single listObjects on lakeFS.

[arielshaqed]

I think that this should be a POST endpoint that redirects!

[nopcoder]

Very cool! Added some comments.
And general question - do we want the pre sign duration configuration controlled in one location / settings?

[nopcoder]

Can be done once at NewAdater and leave here just pointer check.

[ozkatz]

Done

[nopcoder]

We depends on credentials - string format of a type we don't control? Just making sure we do not need to call any explicit function to format the string.

[ozkatz]

Good catch, it's supposed to be the account name extracted from the credentials! Fixed.

[itaiad200]

How is it safe to return a string containing the credentials?

[ozkatz]

@itaiad200 you caught this too, changed :)

[itaiad200]

Thanks - I think this can bring value to our users!

[itaiad200]

IIRC the default is 1000 objects in ListObjects. It means you're adding 1000 sequential calls to aws in a single lakeFS call. Doesn't seem like it can really scale. We've seen cases of users performing a >300 RPS of ListObjects, if we're planning to continue supporting this scale, we need to find other solutions for ListObjects. Can we get all 1000 links in a single API call to aws?

[itaiad200]

We should also consider the error rate. If AWS has 4 9s', the probability of 1000 calls to succeed is ~90%.

[ozkatz]

GetPreSignedURL Doesn't do any network calls.
Pre-signed URLs are constructed locally by the adapter

[itaiad200]

Shouldn't this be a block package-level const?

[ozkatz]

Good call - moved

[itaiad200]

Notice that the above was changed with the merge of #4900

[itaiad200]

Heads up @N-o-Z @guy-har who are working on Azure gen v2 now

[itaiad200]

How is it safe to return a string containing the credentials?

[itaiad200]

Same here - if we define it equally in 2 different places, let's move it up the packages stack.

[ozkatz]

moved

[itaiad200]

Here too

[ozkatz]

moved

[itaiad200]

Thanks for adding tests for the Stat operation! Can we also add tests to all other new operations?
Also - let's validate that the links work as expected too

[ozkatz]

You're right - I'm still trying to get this test to pass via Esti, no luck yet :( will add the additional tests for links as well once I do.

[itaiad200]

Why do we need it in symlinks?

[ozkatz]

Good catch! We do not. removed

[nopcoder]

Suggested change

	blockStoreType := viper.GetViper().GetString("blockstore_type")
	expected := ""
	switch blockStoreType {
	case block.BlockstoreTypeS3:
	expected = "X-Amz-Signature="
	case block.BlockstoreTypeGS:
	expected = "X-Goog-Signature="
	case block.BlockstoreTypeAzure:
	expected = "sv="
	default:
	t.Skip("Only GS, S3 and Azure Blob supported for pre-signed urls")
	}
	ctx, _, repo := setupTest(t)
	defer tearDownTest(repo)
	_, _ = uploadFileRandomData(ctx, t, repo, mainBranch, "foo/bar", true)
	// Get Object
	preSign := true
	response, err := client.StatObjectWithResponse(ctx, repo, mainBranch, &api.StatObjectParams{
	Path: "foo/bar",
	Presign: &preSign,
	})
	require.NoError(t, err, "failed to stat object with presign=true")
	signedUrl := response.JSON200.PhysicalAddress
	if !strings.HasPrefix(signedUrl, "http") {
	t.Errorf("exected an HTTP(s) URL instead of an object store URI, got %s", signedUrl)
	}
	if !strings.Contains(signedUrl, expected) {
	t.Errorf("expected a signed URL, got %s", signedUrl)
	}
	blockStoreType := viper.GetString("blockstore.type")
	expectedKey := ""
	switch blockStoreType {
	case block.BlockstoreTypeS3:
	expectedKey = "X-Amz-Signature"
	case block.BlockstoreTypeGS:
	expectedKey = "X-Goog-Signature"
	case block.BlockstoreTypeAzure:
	expectedKey = "sv"
	default:
	t.Skip("Only GS, S3 and Azure Blob supported for pre-signed urls")
	}
	ctx, _, repo := setupTest(t)
	defer tearDownTest(repo)
	_, _ = uploadFileRandomData(ctx, t, repo, mainBranch, "foo/bar", true)
	response, err := client.StatObjectWithResponse(ctx, repo, mainBranch, &api.StatObjectParams{
	Path: "foo/bar",
	Presign: swag.Bool(true),
	})
	require.NoError(t, err, "failed to stat object with presign=true")
	require.NotNil(t, response.JSON200, "successful response")
	signedURL := response.JSON200.PhysicalAddress
	parsedSignedURL, err := url.Parse(signedURL)
	require.NoErrorf(t, err, "failed to parse url - %s", signedURL)
	require.Truef(t, strings.HasPrefix(parsedSignedURL.Scheme, "http"), "URL scheme http(s) - %s", signedURL)
	require.NotEmptyf(t, parsedSignedURL.Query().Get(expectedKey), "signature expected in key '%s' - %s", expectedKey, signedURL)

[nopcoder]

LGTM! - additional comments for your consideration

Changes applied.

[itaiad200]

@ozkatz Still missing tests for most of the APIs to get the links, including validations that links actually work.

[ozkatz]

You're right @itaiad200 - Merged too early. Tests added in #5035