Introduce AWS Security Mapping

[imjalpreet]

Description

This will allow flexible security mapping for AWS Lake Formation(and AWS Glue) and AWS S3 API calls, allowing for separate IAM roles or IAM credentials for specific users.

Motivation and Context

#20851

Impact

This PR introduces the ability to use multiple IAM roles / IAM credentials for different Presto Users to access AWS S3.
Follow-up PRs will allow the same for AWS Lake Formation.

Test Plan

Tested with different IAM Roles for different Presto Users when accessing AWS S3 using the Hive Connector

Contributor checklist

• Please make sure your submission complies with our development, formatting, commit message, and attribution guidelines.
• PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
• Documented new properties (with its default value), SQL syntax, functions, or other functionality.
• If release notes are required, they follow the release notes guidelines.
• Adequate tests were added if applicable.
• CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Hive Changes
* Introduce AWS Security Mapping which will allow flexible mapping of Presto Users to AWS Credentials or IAM Roles for different AWS Services

[imjalpreet]

@tdcmeehan can you please help review this when you get a chance? Thanks

[steveburnett]

When you can, please add documentation for how users can specify IAM roles or IAM credentials. If I can help, let me know!

[imjalpreet]

@steveburnett Yes sure, I have a draft in my local, I will refine it and push it as well for your review.

[tdcmeehan]

Validate inputs

[imjalpreet]

Done

[elharo]

You might want to check the file exists here

[imjalpreet]

I have added the check in the getMappings method

[tdcmeehan]

Please clean up formatting. orElseGet in new line, appropriately indented.

[github-actions]

Codenotify: Notifying subscribers in CODENOTIFY files for diff 39e11a5...d23c401.

No notifications.

[imjalpreet]

@tdcmeehan sorry for the delay, please let me know in case you have more feedback. I have made the updates based on your previous review comments.

@steveburnett I have pushed the documentation as you had requested. Please let me know if you would like any changes.

[steveburnett]

@imjalpreet, when I try to build the doc from the branch in this PR I get the following error:

"python3 -m sphinx -b html -n -d target/doctrees -j auto src/main/sphinx target/html
Running Sphinx v4.4.0

Sphinx version error:
The sphinxcontrib.applehelp extension used by this project needs at least Sphinx v5.0; it therefore cannot be built with this version.
make: *** [html] Error 2"

I think this may be because this PR predates PR 21708.

Would you update this branch to pick up the change in PR 21708? I'm happy to try again after that.

[imjalpreet]

@steveburnett Thanks, I have rebased the branch on latest master.

[steveburnett]

@steveburnett Thanks, I have rebased the branch on latest master.

Thanks! A local doc build is successful now and I see your new docs in the result.

[steveburnett]

Thanks for the documentation! It makes sense to me. I commented on a few nits, and suggested moving some of the text to separate the s3 and lakeformation information as their own sections. Let me know what you think, and if any of my suggestions are unclear.

[tdcmeehan]

Overall looks good, just waiting for earlier comments to be addressed.

[imjalpreet]

@steveburnett Thank you for the review and suggestions, I have made the changes.

@tdcmeehan sorry for the delay, the review comments have been addressed.

[steveburnett]

LGTM! (docs)

Pull updated branch, new local build of docs, everything looks good. Thanks!

[imjalpreet]

@tdcmeehan just a reminder, all the comments were addressed.

[elharo]

This all looks to me like it belongs to a separate module, not presto-hive-common

[elharo]

I'd prefer not to add this dependency to common code. Anyway it can be isolated to just the aws package?

[imjalpreet]

I just realised that I am only using one class from this dependency in the class com.facebook.presto.hive.aws.security.s3.AWSS3SecurityMapping.

It is being used to form the credentials object here: https://github.com/prestodb/presto/pull/21622/files#diff-33e654b04e220ef6b736fee85d4cf10f15e0d5255c6af614ce8d4a2000db2b27R51.

We have a couple of options on how we can exclude the aws dependency from hive-common:

1. Make a clone(or similar class) of the BasicAWSCredentials class within Presto and use that here
2. Rather than creating the credentials object here, modify the current implementation and keep the access key and secret key as is in this class and, create the credentials object when required.

CC: @tdcmeehan

[tdcmeehan]

Option 1 sounds fine to me, because we just need the key and secret key, and those can just be opaque strings.

[elharo]

and vice versa

[elharo]

log message not really needed; level debug at most

[tdcmeehan]

This all looks to me like it belongs to a separate module, not presto-hive-common

@imjalpreet what do you think about this?

I know that Lake Formation also supports Iceberg tables. Would that mean it would need to be placed in a common module?

[imjalpreet]

This all looks to me like it belongs to a separate module, not presto-hive-common

what do you think about this?

I know that Lake Formation also supports Iceberg tables. Would that mean it would need to be placed in a common module?

@elharo @tdcmeehan The reason I had to include these classes in hive-common as these classes would be used from both presto-hive and presto-hive-metastore. What would be the ideal package that you think these should be included in? I can try to see if that would be possible.

[imjalpreet]

@tdcmeehan @elharo I have updated the PR based on the discussion and review comments. Please let me know if there are any additional comments.

[elharo]

configFile is not an argument so this should be an IllegalStateException or an IOException, not an IllegalArgumentException. I'm tempted to say we shouldn't check for existence here at all.

[imjalpreet]

I have moved this check to where the file is getting used as you suggested

[elharo]

Yes, definitely don't check in getConfig. Possibly check when the object is created or when the file is read, but not in the getter method.

[elharo]

Do we explicitly mark things nullable? This is nullable.

[imjalpreet]

Added the annotation

[elharo]

do you want this to be nullable? It is.

I'm a little surprised the object is mutable.

[imjalpreet]

do you want this to be nullable? It is.

I don't think this will ever be null since null is not an acceptable value for Duration. Do you see any issue?

[imjalpreet]

I'm a little surprised the object is mutable.

Since new users can be added or credentials for existing users might be modified at any time. To make that change dynamic without a cluster restart, I have made this object mutable.

[elharo]

All someone has to do to make this null is pass null to this method. If that's nopt OK, put a requireNonNull here. If it is OK, annotate it as nullable.

[elharo]

You might want to check the file exists here

[elharo]

orElse in an assert feels strange to me. Just use get(). If it's not present the assert will fail

[imjalpreet]

Modified this

[elharo]

Personal preference, but I try to stick to a single test framework for simplicity. Mixing and matching is confusing

[elharo]

use the expectedExceptions parameter in the @Test annotation instead

[imjalpreet]

Moved to exceptedExceptions.

There are many classes in Presto that are using assertThatThrownBy along with TestNG. We can plan the refactor later.

[elharo]

private

[elharo]

requireNonNull really isn't needed in private test code

[imjalpreet]

@elharo I have added some changes and comments above, please let me know in case you have more comments.

[elharo]

Is "security mapping" defined somewhere else? This is not a term I've heard before.

[imjalpreet]

It's not a generic term, we named it like that since it maps different Presto User Identities to AWS Credentials. Let me know if you have any ideas on the naming.

[elharo]

I think you just need to say that in the docs and the code then.

[imjalpreet]

The current explanation here on line 389-390: "... allowing for separate credentials or IAM roles for specific users." do you think we should rephrase this better? We tried to explain what we mean by security mapping here.

[imjalpreet]

There are more details on what each mapping should include in the following lines

[elharo]

But you still never say what a security mapping is. You need to define that. Easiest way might be to rewrite the first paragraph without using the phrase "security mapping".

[imjalpreet]

Sure, I will rephrase it.

[elharo]

This is awkward. Anyway there could be two constructors or two classes to handle the two different cases?

[imjalpreet]

In my initial design, I had both of them(AWS S3 and AWS Lake Formation) as separate features, which meant both had their own set of configs to enable the feature. I felt it would be similar code for both the features and since they are a subset of AWS services, we could have a common feature that can be used either for S3 or Lake Formation depending upon the use-case.

Since only one constructor can be annotated with @JsonCreator, we had to do it this way since we use this class to parse the Json File which has the mappings.

[elharo]

These is methods really make me think adding some subclasses would clean this up.

[imjalpreet]

Just thinking out loud, if I add a new parameter in the json file at the beginning something like service which can have two values s3 or lakeformation. Instead of the "is" methods, I can introduce the getServiceName method based on which the relevant feature would be enabled, for eg. in AWSS3SecurityMappingConfigurationProvider#updateConfiguration I will enable it only if service is S3.

Do you think this would be more readable/cleaner?

done

[imjalpreet]

@tdcmeehan Can you please have another look in case you have any other comments?

[elharo]

But you still never say what a security mapping is. You need to define that. Easiest way might be to rewrite the first paragraph without using the phrase "security mapping".

[elharo]

delete "thus"

[tdcmeehan]

Unaddressed

[imjalpreet]

Updated it, somehow missed it earlier.

[elharo]

All someone has to do to make this null is pass null to this method. If that's nopt OK, put a requireNonNull here. If it is OK, annotate it as nullable.

[elharo]

It looks like AWSLakeFormationSecurityMapping and AWSS3SecurityMapping should have a common, possibly abstract, SecurityMapping superclass. That might allow you to avoid some of the problems in AWSSecurityMappings which could work exclusively with the supertype.

[imjalpreet]

Sure, let me see what is the best way to simplify the implementation.

[imjalpreet]

@elharo I have refactored the previous implementation to try to address the points you mentioned, can you please have a look and let me know if this looks better? I have kept a separate commit for now.

[elharo]

I haven't seen this annotation before. Where is this coming from?

[imjalpreet]

This is part of the below dependency:

<dependency>
            <groupId>javax.validation</groupId>
            <artifactId>validation-api</artifactId>
</dependency>

This is being used in a few more places already in Presto like com.facebook.presto.server.InternalCommunicationConfig#isRequiredSharedSecretSet, com.facebook.presto.sql.analyzer.FeaturesConfig#isSpillerSpillPathsConfiguredIfSpillEnabled

[imjalpreet]

@elharo Thank you for the review.

@tdcmeehan The PR is ready for a final review from your side.

[imjalpreet]

@tdcmeehan just a reminder, this PR is ready for final review.

[tdcmeehan]

Just a couple of nits, happy to merge once addressed

[tdcmeehan]

Suggested change

	verify(
	checkArgument(

[imjalpreet]

@tdcmeehan just wanted to confirm, I used verify since the expression I was trying to evaluate was not an argument to this method. Is it still okay to use checkArgument?

[tdcmeehan]

I think checkArgument is more appropriate, because it throws an illegal argument exception, which more accurately describes the problem by my read.

[imjalpreet]

Sure, I have updated it to checkArgument.