-
Notifications
You must be signed in to change notification settings - Fork 136
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pass skip_credential_subscoping_indirection param to TaskFileIOSupplier #400
base: main
Are you sure you want to change the base?
pass skip_credential_subscoping_indirection param to TaskFileIOSupplier #400
Conversation
102e771
to
09d3b09
Compare
// Typically this setting is used in single-tenant server deployments that don't rely on | ||
// "credential-vending" and can use server-default environment variables or credential config | ||
// files for all storage access, or in test/dev scenarios. | ||
public static final Boolean SKIP_CREDENTIAL_SUBSCOPING_INDIRECTION_DEFAULT = false; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would rather not have a separate public variable here; you can always get the default with SKIP_CREDENTIAL_SUBSCOPING_INDIRECTION.defaultValue
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks really close to me; if you can add some details on how you tested this I think we can merge it almost as-is. Thanks for working on this!
@@ -103,6 +103,22 @@ public static <T> Builder<T> builder() { | |||
.defaultValue(false) | |||
.build(); | |||
|
|||
// Config key for whether to skip credential-subscoping indirection entirely whenever trying |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we move this into the description? The description should ideally be detailed enough to understand the config without an additional comment explaining it.
Thanks for your input on this @eric-maynard ! |
I see, but how did you test it's working? i.e. how did you confirm that the credentials vended were not subscoped? |
I did some manual tests and verified it's working (it was not working in my setup when Polaris was subscoping the credentials because I cannot reach aws endpoints directly). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems a reasonable change - rather than saddling the PolarisApplication
with the details of the TaskFileIOSupplier
's configuration keys, we can push that lookup down into the thing that actually cares about it.
Boolean skipCredentialSubscopingIndirection = | ||
configurationStore.getConfiguration( | ||
null, PolarisConfiguration.SKIP_CREDENTIAL_SUBSCOPING_INDIRECTION.key); | ||
TaskHandlerConfiguration taskConfig = configuration.getTaskHandler(); | ||
TaskExecutorImpl taskExecutor = | ||
new TaskExecutorImpl(taskConfig.executorService(), metaStoreManagerFactory); | ||
TaskFileIOSupplier fileIOSupplier = | ||
new TaskFileIOSupplier(metaStoreManagerFactory, fileIOFactory); | ||
new TaskFileIOSupplier( | ||
metaStoreManagerFactory, fileIOFactory, skipCredentialSubscopingIndirection); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd probably just pass the PolarisConfigurationStore
directly to the TaskFileIOSupplier
so that it can look up its own configuration keys.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your feedback
6288de6
to
b5a4142
Compare
Description
Fixes #379
Type of change
Please delete options that are not relevant.
How Has This Been Tested?
Checklist:
Please delete options that are not relevant.