Pass principal name as part of aws subscoped credentials session name

[tokoko]

Is your feature request related to a problem? Please describe.

We are trying to monitor how different principals use the catalog. While Polaris listeners enable us to audit table reads on table level, we also need information regarding physical storage reads for each principal, for example to keep track of the s3 costs incurred by each. This seems to be impossible at the moment when using vended credentials as all subscoped credentials are produced by the same parent role and session name for each subscoped credential is a simple hardcoded value - "PolarisAwsCredentialsStorageIntegration".

Describe the solution you'd like

It would be ideal to use principal name as part of the session name so that the final value would look something like this "Polaris_TestPrincipal" (probably best to keep the prefix short as session name length is capped at 64 chars). This would enable users to use aws monitoring tools like CloudTrail to get better information about physical s3 reads.

Describe alternatives you've considered

No response

Additional context

No response

[dimas-b]

Hi @tokoko ! This request looks reasonable to me. It relates to the new WIP effort in #3170, I think. Let's finish that PR first, and then it should be easier to take the user name into account in normal AssumeRole requests too (I hope).

[dimas-b]

@cccs-cat001 : FYI and wondering whether something like that might be relevant to your use cases too 🤔

[cccs-cat001]

the way #3170 is set up, it has the STS know about the principal acting upon storage so we do get an idea of who's making the request. I think with these changes it'll actually make it easier to add the principal to the assumeRole requests too.

[tokoko]

Thanks for pointing out the other PR. The "hard" part in this one is providing principal information to the Integration class, which the other PR seems to be doing already. Happy to wait for it to merge first.

[adnanhemani]

Got curious about this issue, since I saw it linked. How is the principal information being propagated as part of #3170? Through the parsing of the user token?

So, in that case, principal information would still not be available for the AssumeRole code path since there is still no token? Am I missing something?

[tokoko]

pretty sure the PR changed since my last comment. It used to pass SecurityContext to Integration class which exposed PolarisPrincipal, now it's simply passing in a token which doesn't really help this issue.

[adnanhemani]

@tokoko I took a look at this today in depth. I don't see any other way to propagate the Principal information into AwsCredentialsStorageIntegration other than passing it in through the call chain - likely starting at StorageAccessConfigProvider.java where we can inject in the PolarisPrincipal bean. I looked into some other ways of injecting the principal information directly into AwsCredentialsStorageIntegration but I don't exactly see a workable path :(

If 3170 stays in its current form, we will have to plumb the principal information through separately. If you'd like to make this more thinly-scoped change, I'm very glad to help support you in making that change. Or if you'd prefer someone else pick it up, I may have time later. Let me know your thoughts and if this is a high-priority change you need - we can figure out how to make this more isolated change sooner than later.

[tokoko]

@adnanhemani I can take a stab at it myself, have been meaning to familiarize myself with the codebase anyway, thanks for the offer. I'll put together a draft PR for now and change it accordingly depending on how 3170 progresses.

I looked into some other ways of injecting the principal information directly into AwsCredentialsStorageIntegration but I don't exactly see a workable path

Even if there is one, I think StorageAccessConfigProvider is probably still a better starting point. You'd need PolarisPrincipal to be part of the cache key in storageCredentialCache.getOrGenerateSubScopeCreds call. Otherwise, credentials generated for one principal might get "leaked" to another.

[adnanhemani]

@tokoko Awesome! I'm looking forward to your contribution :) Please feel free to ping me on the Polaris Slack if I miss the PR and/or you need any help!

Otherwise, credentials generated for one principal might get "leaked" to another.

Yes, totally agreed!

[tokoko]

@adnanhemani PR is up at #3224. I managed to convince myself in the process that call chain is most likely unnecessarily long. I didn't really see a reason why it needs to go through metastore manager(s) when credentials don't come from metastore. Still decided to leave the chain as is to limit the scope.

[snazy]

I didn't really see a reason why it needs to go through metastore manager(s) when credentials don't come from metastore.

Yea, that's a very valid concern IMO. I could imagine that there's some potential to decouple things. Wanna take a stab on it?

[tokoko]

@snazy sure, I can try that as a follow-up.