Refactor to support Glue protocol (separate PR) #168
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Randgalt
changed the title
Randgalt
force-pushed
the
jordanz/refactor
branch
from
763cdce to
09d5c7f
Compare
mosiac1
requested changes
Jan 27, 2025
trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/signing/Signer.java
Outdated
Show resolved
Hide resolved
trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/signing/Signer.java
Outdated
Show resolved
Hide resolved
trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/TrinoAwsProxyServerModule.java
Outdated
Show resolved
Hide resolved
Randgalt
force-pushed
the
jordanz/refactor
branch
from
09d5c7f to
69f4d2c
Compare
mosiac1
reviewed
Jan 27, 2025
trino-aws-proxy-spi/src/main/java/io/trino/aws/proxy/spi/signing/SigningServiceType.java
Show resolved
Hide resolved
|
@mosiac1 I've added another commit with the change to |
mosiac1
reviewed
Jan 27, 2025
| @@ -29,32 +29,65 @@ | |||
| @Target({TYPE, METHOD}) | |||
| public @interface ResourceSecurity | |||
| { | |||
| enum AccessType | |||
| sealed interface Access | |||
There was a problem hiding this comment.
Wouldn't we want Access and/or AccessType to be public scoped?
There was a problem hiding this comment.
What do you think of this approach? It removes the need for 1 intermediary class
Pasting a diff, I don't have a good way of explaining it in a comment
Index: trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/rest/ResourceSecurityDynamicFeature.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/rest/ResourceSecurityDynamicFeature.java b/trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/rest/ResourceSecurityDynamicFeature.java
--- a/trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/rest/ResourceSecurityDynamicFeature.java (revision 03c68f8ac6880af08e00422aaea199bc0addc3a6)
+++ b/trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/rest/ResourceSecurityDynamicFeature.java (date 1737999508310)
@@ -14,11 +14,10 @@
package io.trino.aws.proxy.server.rest;
import com.google.inject.Inject;
-import io.trino.aws.proxy.server.rest.ResourceSecurity.Access.PublicAccess;
-import io.trino.aws.proxy.server.rest.ResourceSecurity.Access.SigV4Access;
import io.trino.aws.proxy.server.rest.ResourceSecurity.AccessType;
+import io.trino.aws.proxy.server.rest.ResourceSecurity.AccessType.PublicAccessType;
+import io.trino.aws.proxy.server.rest.ResourceSecurity.AccessType.SigV4AccessType;
import io.trino.aws.proxy.spi.signing.SigningController;
-import io.trino.aws.proxy.spi.signing.SigningServiceType;
import jakarta.ws.rs.container.DynamicFeature;
import jakarta.ws.rs.container.ResourceInfo;
import jakarta.ws.rs.core.FeatureContext;
@@ -46,10 +45,10 @@
{
if (resourceInfo.getResourceClass().getPackageName().startsWith("io.trino.aws")) {
AccessType accessType = getAccessType(resourceInfo);
- switch (accessType.access()) {
- case PublicAccess _ -> {}
- case SigV4Access(SigningServiceType signingServiceType) ->
- context.register(new SecurityFilter(signingController, signingServiceType, requestLoggerController));
+ switch (accessType) {
+ case PublicAccessType _ -> {}
+ case SigV4AccessType sigV4 ->
+ context.register(new SecurityFilter(signingController, sigV4.getSigningServiceType(), requestLoggerController));
}
}
}
Index: trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/rest/ResourceSecurity.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/rest/ResourceSecurity.java b/trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/rest/ResourceSecurity.java
--- a/trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/rest/ResourceSecurity.java (revision 03c68f8ac6880af08e00422aaea199bc0addc3a6)
+++ b/trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/rest/ResourceSecurity.java (date 1737999578942)
@@ -13,8 +13,8 @@
*/
package io.trino.aws.proxy.server.rest;
-import io.trino.aws.proxy.server.rest.ResourceSecurity.Access.PublicAccess;
-import io.trino.aws.proxy.server.rest.ResourceSecurity.Access.SigV4Access;
+import io.trino.aws.proxy.server.rest.ResourceSecurity.AccessType.PublicAccessType;
+import io.trino.aws.proxy.server.rest.ResourceSecurity.AccessType.SigV4AccessType;
import io.trino.aws.proxy.spi.signing.SigningServiceType;
import java.lang.annotation.Retention;
@@ -23,69 +23,56 @@
import static java.lang.annotation.ElementType.METHOD;
import static java.lang.annotation.ElementType.TYPE;
import static java.lang.annotation.RetentionPolicy.RUNTIME;
-import static java.util.Objects.requireNonNull;
@Retention(RUNTIME)
@Target({TYPE, METHOD})
public @interface ResourceSecurity
{
- sealed interface Access
- {
- record PublicAccess()
- implements Access {}
-
- record SigV4Access(SigningServiceType signingServiceType)
- implements Access {}
- }
-
- abstract class AccessType
+ sealed interface AccessType
{
- private final Access access;
-
- public Access access()
- {
- return access;
- }
-
- protected AccessType(Access access)
- {
- this.access = requireNonNull(access, "access is null");
- }
- }
-
- class Public
- extends AccessType
- {
- public Public()
- {
- super(new PublicAccess());
- }
- }
-
- class S3
- extends AccessType
- {
- public S3()
- {
- super(new SigV4Access(SigningServiceType.S3));
- }
- }
+ sealed interface PublicAccessType
+ extends AccessType
+ permits Public
+ {}
- class Sts
- extends AccessType
+ non-sealed interface SigV4AccessType
+ extends AccessType
+ {
+ SigningServiceType getSigningServiceType();
+ }
+ }
+
+ final class Public
+ implements PublicAccessType
+ { }
+
+ final class S3
+ implements SigV4AccessType
{
- public Sts()
+ @Override
+ public SigningServiceType getSigningServiceType()
{
- super(new SigV4Access(SigningServiceType.STS));
+ return SigningServiceType.S3;
}
}
- class Logs
- extends AccessType
+ final class Sts
+ implements SigV4AccessType
{
- public Logs()
+ @Override
+ public SigningServiceType getSigningServiceType()
{
- super(new SigV4Access(SigningServiceType.LOGS));
+ return SigningServiceType.STS;
+ }
+ }
+
+ final class Logs
+ implements SigV4AccessType
+ {
+ @Override
+ public SigningServiceType getSigningServiceType()
+ {
+ return SigningServiceType.LOGS;
}
}
There was a problem hiding this comment.
Wouldn't we want Access and/or AccessType to be public scoped
It's public by default in annotations
There was a problem hiding this comment.
What do you think of this approach
sure - we can do that
| import java.util.Optional; | ||
|
|
||
| class Signers | ||
| { | ||
| static final String OVERRIDE_CONTENT_HASH = "__TRINO__OVERRIDE_CONTENT_HASH__"; | ||
|
|
||
| static final SigningApi aws4Signer = new InternalAwsS3V4Signer(); | ||
| static final SigningApi aws4Signer = new InternalAwsV4Signer(); |
There was a problem hiding this comment.
Could we use awsV4Signer to be consistent with the AWS names?
awsS34Signer is also quite confusing so awsS3V4Signer it slightly nicer
Randgalt
force-pushed
the
jordanz/refactor
branch
from
03c68f8 to
4cb1617
Compare
|
Changes made |
Changes to allow general AWS V4 signing and not just S3 signing. - Added `SigningTrait` to make signing configurable - Add traits to `SigningServiceType`
Abstract RemoteS3Facade's `remoteUri()` into a new interface that can be used/injected independently of S3 implementations.
Move the Request logging config into separate config class
Abstract new static methods so portions of module can be used in other contexts
This will allow new AccessTypes to be created outside of this project by third parties. Uses a technique where by the `ResourceSecurity` instantiates the AccessType assuming a no-arg constructor.
Randgalt
force-pushed
the
jordanz/refactor
branch
from
4cb1617 to
21ef861
Compare
mosiac1
approved these changes
Jan 27, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Introduce RemoteUriFacade
Abstract RemoteS3Facade's
remoteUri()into a new interfacethat can be used/injected independently of S3 implementations.
Give Request logger its own config
Move the Request logging config into separate config class
Abstract some common bindings of
Abstract new static methods so portions of module can be used in other contexts