Support Aws STS AssumeRoleWithWebIdentity #3170
Conversation
Co-authored-by: Alexandre Dutra <[email protected]>
…ting/DefaultMetricsReporter.java Co-authored-by: Alexandre Dutra <[email protected]>
…ting/DefaultMetricsReporter.java Co-authored-by: Alexandre Dutra <[email protected]>
…test/PolarisRestCatalogIntegrationBase.java Co-authored-by: Alexandre Dutra <[email protected]>
|
@adutra : could you double check quarkus auth integration changes (they LGTM) |
|
@cccs-cat001 : please resolve conflicts... otherwise CI does not run 🤷 |
adnanhemani
left a comment
adnanhemani
left a comment
There was a problem hiding this comment.
Based on the response here, I'm afraid I will be a -1 on this PR.
If the user has the ability to communicate with the "STS" service directly and bypass any access controls rules that the Polaris server has set, then Polaris should not be in the business of vending credentials to this client. By creating this approach, we are introducing a security loophole that is completely against Polaris' security modelling today.
If there is a dire need to use such Polaris authentication tokens with an on-prem "AWS-compatible" service using only the user's tokens, then the client should be modified to talk to STS directly to gain credentials without Polaris' involvement. IMO Polaris should not be involved in abetting ANY security loopholes.
Or we can look towards creating a similar security model as we have today whereby using the Polaris service credential or setting Polaris up as an intermediate token broker which the "STS" service trusts, a new credential can be minted for the client to access the storage layer.
(This is not a new problem that we are setting out to solve - look into IAM Roles for Service Accounts (IRSA) used by AWS EKS, which at its core, solves a very similar base problem. Trying to fit a simplistic solution to quick-solve a problem for a system we don't even fully support is a very dangerous precedence to set. Speeding through a solution for functionality is one thing, but to risk security postures while doing that is a whole different situation.)
I find the changes in this PR a bit invasive tbh. I would rather explore Quarkus OIDC token propagation techniques, and more specifically, I would try to inject https://quarkus.io/guides/security-openid-connect-client-reference#inject-tokens But I don't want to delay this PR that is extremely useful. I think we can go with the approach taken here and then switch to token propagation in a follow-up PR. |
I am completely failing to see what security loopholes we would be introducing by leveraging
Are you serious about allowing clients to talk to STS directly? THAT, indeed, would be a giant security loophole.
IMHO this is unrealistic, and over-engineered. That would require a form of token exchange and would be extremely hard to implement for little added-value. And again: let's please stop considering Polaris as an OAuth2 token broker. This is legacy behavior.
Can you clarify what "simplistic solution" you are talking about and what is this "system [that] we don't [...] fully support"? |
|
I support @adutra 's point about Polaris not acting as a token broker or authorization server. Polaris, in general, should be a resource server in OAuth2 terms. |
that looks pretty simple compared to all the changes I'm making tbh. Is everything set up so that I can just |
Injecting in That is to say, I think current |
You may need to add the |
True, at some point we'd need to pass the token as a parameter. @cccs-cat001 please don't rush into using token propagation if you can't find a simple path forward – what you have currently is perfectly acceptable. |
|
To be honest I'm very confused about the implementation in the PR as well. Not sure about other s3-compatible systems, but in the case of minio, (if I'm reading this correctly...) this option will only work if all catalog users have the ability to assume the role that's configured centrally on the catalog level and which also needs to have read/write privileges on all catalog locations. I fail to see how this can be useful to anyone. why would anyone hand out assume role privileges on what's basically a superuser? If the problem that the PR is trying to solve is simply to support those systems that only support |
|
@tokoko : AFAIK (and @cccs-cat001 may have a better answer) this feature is mostly intended for custom systems. Using the workflow it enables with AWS, for example, may be possible, yet whether it is the best approach with AWS is subject to specific user demands. I tend to agree that this may not be the best approach for MinIO or AWS S3. Nonetheless, I do not see why Polaris as an OSS project should not open this use case for deployments what may benefit from it. The feature is well isolated under a catalog property, there is no impact to other use cases. For reference, here's the related dev ML thread: https://lists.apache.org/thread/tm76ntbgdqt31r6402dro8vb7m4pdzzq |
This is only the standard pattern recommended by AWS for federated OIDC access - if you do not have a governance system in between. If you feel that's wrong, please feel free to drop links to the AWS documentation here that support your claim.
(Also mentioned in Laurent's email to the Dev ML regarding this approach) Isn't this possible today with how the code is written? If it isn't, what stops it? Is it a network policy? And as a result, are we betting the whole of Polaris' security posture on such a network policy? Is that truly wise? Let's compare this to the
Not sure I agree, we are enabling a use case here that does not align with our current security best practices. And to be clear, this is not as a result of there not being a better way of doing this, but rather because this is the fastest way of achieving this goal. Trampling security best practices for velocity is not something that we have a track record of within this project. I agree that this use case is a valid one - and that we should be supporting it. But I highly disagree in the way that this implementation does so. Rather than bending the security model that we have today (which generally can be stated like: Polaris user who is unprivileged with regards to storage credentials, authenticates and authorizes with Polaris in order to gain storage credentials) to fit this use case, we should be tailoring the implementation of this use case to fit the security model. |
|
Marking as draft as tests are failing for unknown reasons, they'll potentially be fixed with #3203, so we'll wait for that. |
github-project-automation
bot
moved this from PRs In Progress
to Done
in Basic Kanban Board
5 participants
Here is a preliminary pass at fixing #3038, I've added in an option to have the sts use assumeRoleWithWebIdentity and pass along the user credentials. This will allow the STS to know who is asking for credentials instead of the request coming from some shared service credentials.
We've found that using our on-prem S3 solution that the way Polaris accesses the STS results in connectivity errors, and the recommended way of accessing the STS is with a web identity token (A.K.A. access token), so adding this optional feature will result in Polaris being usable by more S3 appliances than just AWS :)
Checklist
CHANGELOG.md(if needed)site/content/in-dev/unreleased(if needed)