@tokoko tokoko commented Dec 6, 2025

PR changes the role session name of temporary credentials generated for S3 to contain the principal name. The goal is to simplify auditing of storage access with credentials generated by Polaris. PolarisPrincipal is injected in StorageAccessConfigProvider, used as part of a cache key, and then its value is propagated through the call chain. The Azure and GCP integration classes also accept PolarisPrincipal, but the values are ignored for now.

This will probably also result in a relatively increased number of STS calls, as credential requests for the same table by different principals will no longer hit the same cache.

Fixes #3196

Checklist

  • 🛡️ Don't disclose security issues! (contact [email protected])
  • 🔗 Clearly explained why the changes are needed, or linked related issues: Fixes #
  • 🧪 Added/updated tests with good coverage, or manually tested (and explained how)
  • 💡 Added comments for complex logic
  • 🧾 Updated CHANGELOG.md (if needed)
  • 📚 Updated documentation in site/content/in-dev/unreleased (if needed)
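
The two effects described in the PR text above, as an added example that is not code from this PR or from Polaris: a principal name is turned into an STS `RoleSessionName` (AWS limits it to 2-64 characters matching `[\w+=,.@-]*`), and the principal becomes part of the credential cache key. The class, the method names, the `polaris-` prefix, the hash suffix and the sample values are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.HexFormat;
import java.util.Map;

/** Illustration only; hypothetical names, not Polaris classes. Requires Java 17+. */
public class PrincipalSessionNameExample {
  static final int MAX_LEN = 64;           // STS limit for RoleSessionName
  static final String PREFIX = "polaris-"; // assumed prefix, not taken from the PR

  /** Hypothetical cache key: the same table requested by another principal is a different entry. */
  record CacheKey(String tableLocation, String principalName) {}

  static final Map<CacheKey, String> cache = new HashMap<>();
  static int stsCalls = 0;

  static String shortHash(String s) {
    try {
      byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
      return HexFormat.of().formatHex(d, 0, 4); // 8 hex characters
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException(e);
    }
  }

  /** Maps a principal name onto the characters and length STS accepts. */
  static String roleSessionName(String principalName) {
    String safe = principalName.replaceAll("[^\\w+=,.@-]", "_");
    String name = PREFIX + safe;
    if (safe.equals(principalName) && name.length() <= MAX_LEN) {
      return name;
    }
    // The name was altered or is too long: add a hash of the original so that
    // two different principals never end up with the same session name in audit logs.
    String tag = "-" + shortHash(principalName);
    return name.substring(0, Math.min(name.length(), MAX_LEN - tag.length())) + tag;
  }

  static String vend(String tableLocation, String principalName) {
    return cache.computeIfAbsent(new CacheKey(tableLocation, principalName), k -> {
      stsCalls++; // stands in for one sts:AssumeRole call
      return roleSessionName(k.principalName());
    });
  }

  public static void main(String[] args) {
    String loc = "s3://example-bucket/ns/table"; // constructed sample location
    vend(loc, "alice"); vend(loc, "alice"); vend(loc, "bob");
    System.out.println(cache.values() + " stsCalls=" + stsCalls);
    System.out.println(roleSessionName("svc account/etl#1")); // needs sanitizing
  }
}
```

In CloudTrail the session name is the last path segment of the assumed-role ARN (`arn:aws:sts::<account>:assumed-role/<role>/<session-name>`), which is where the per-principal attribution becomes visible.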

Contributor

@dimas-b dimas-b left a comment

Thanks for your contribution, @tokoko !

Overall the PR looks pretty good to me with some comments as noted below.

Given that it affects credential vending, I'd propose to also send a dev email about it for visibility (a custom for major changes in Polaris). Also, a CHANGELOG entry would be good to have for this.

@dimas-b dimas-b changed the title feat: pass principal name as part of aws subscoped credentials sessio… feat: pass principal name as part of aws subscoped credentials session Dec 8, 2025
Contributor

@dimas-b dimas-b left a comment

Hi @tokoko : I think this PR is moving closer to completion. I have some more comments, but conceptually this PR LGTM 👍

Contributor

dimas-b commented Dec 8, 2025

CI appears to be stuck 🤷

dimas-b previously approved these changes Dec 8, 2025
Contributor

@dimas-b dimas-b left a comment

Thanks, @tokoko ! From my POV the PR looks good, but let's collect some more reviews as it's a pretty fundamental change.

.put("polaris.features.\"ALLOW_TABLE_LOCATION_OVERLAP\"", "true")
.put("polaris.features.\"LIST_PAGINATION_ENABLED\"", "true")
.put("polaris.behavior-changes.\"ALLOW_NAMESPACE_CUSTOM_LOCATION\"", "true")
.put("polaris.test.rootAugmentor.enabled", "true")
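
Review bot: the `polaris.test.rootAugmentor.enabled` override on the last line carries no comment saying what it switches on or why this test profile needs it. Since the name suggests it installs a root principal for the tests, a one-line comment next to the override, plus confirmation that the property is only honored by test-scoped code and is off by default, would make the intent clear to later readers.
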
Contributor

@adutra : do you have any comment on this? As for me, I'm ok with this approach, as I do not have a better alternative off the top of my head 😅

Contributor

I think we can achieve the same by simply producing this bean from this profile class:

public static class Profile extends Profiles.DefaultProfile {
  @Override public Map<String, String> getConfigOverrides() {...}
  
  @Produces @RequestScoped produceTestAugmentor() { return new RootPrincipalAugmentor(...); }
}

But the current approach is fine too.

Author

The idea was to change it later from a simple toggle to something that will hold more information. Something like polaris.test.augmentor.identity: test_principal:test_principal_role. I ended up not requiring it, but it could still come in handy later...

Contributor

Sounds good 👍

pinging @XN137 for awareness since I vaguely recall you were working on turning a bunch of manual setup code into proper Quarkus tests with CDI enabled.

@github-project-automation github-project-automation bot moved this from PRs In Progress to Ready to merge in Basic Kanban Board Dec 8, 2025

Contributor

@adnanhemani adnanhemani left a comment

LGTM, two nits that don't require a code change but would be quick and easy to do if there is another revision :)

Contributor

@adnanhemani adnanhemani left a comment

LGTM! Thanks for this great contribution!!

Development

Successfully merging this pull request may close these issues.

Pass principal name as part of aws subscoped credentials session name

4 participants