Skip to content

Relax ARN validation logic #3071

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Relax ARN validation logic #3071

wants to merge 1 commit into from
+3 −47

Conversation

@dimas-b
Copy link
Contributor

@dimas-b dimas-b commented Nov 17, 2025
edited
Loading

Following up on #3005, which allowed a wide range of ARN values in the validation RegEx, remove an additional explicit check for aws-cn being present in the ARN as a sub-string.

Update existing unit tests to process aws-cn ARNs as common aws ARNs.

Note: the old validation code does not look correct because it used to check for aws-cn anywhere in the ARN string, not just in its "partition" component.

Checklist

  • 🛡️ Don't disclose security issues! (contact security@apache.org)
  • 🔗 Clearly explained why the changes are needed, or linked related issues: Fixes #
  • 🧪 Added/updated tests with good coverage, or manually tested (and explained how)
  • 💡 Added comments for complex logic
  • 🧾 Updated CHANGELOG.md (if needed)
  • 📚 Updated documentation in site/content/in-dev/unreleased (if needed)

@dimas-b
Relax ARN validation logic
faac5ac 
Following up on apache#3005, which allowed a wide range of ARN values in the validation RegEx, remove an additional explicit check for `aws-cn` being present in the ARN as a sub-string.

Update existing unit tests to process `aws-cn` ARNs as common `aws` ARNs.

Note: the old validation code does not look correct because it used to check for `aws-cn` anywhere in the ARN string, not just in its "partition" component.
@github-project-automation github-project-automation bot moved this to PRs In Progress in Basic Kanban Board Nov 17, 2025
@dimas-b
Copy link
Contributor Author

dimas-b commented Nov 17, 2025

Related dev ML discussion: https://lists.apache.org/thread/dxybjf4w4or1vmpb25zq6m5gso96rr4j

adnanhemani
adnanhemani reviewed Nov 17, 2025
View reviewed changes
...c/test/java/org/apache/polaris/service/storage/aws/AwsCredentialsStorageIntegrationTest.java
break;
case "aws-cn":
roleARN = "arn:aws-cn:iam::012345678901:role/jdoe";
region = "Beijing";
Copy link
Contributor

@adnanhemani adnanhemani Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"Beijing" is not a valid AWS region name. I know this is not explicitly part of the PR - but relates heavily to the scope and should be changed before we open this.

Copy link
Contributor Author

@dimas-b dimas-b Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why should it be changed precisely?

Copy link
Contributor Author

@dimas-b dimas-b Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a unit test, it does not talk to AWS

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@flyrain flyrain Awaiting requested review from flyrain

@dennishuo dennishuo Awaiting requested review from dennishuo

@collado-mike collado-mike Awaiting requested review from collado-mike

1 more reviewer

@adnanhemani adnanhemani adnanhemani left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dimas-b @adnanhemani