[FEATURE REQUEST] On-Premise S3 & Remote Signing

[c-thiel]

Is your feature request related to a problem? Please describe.
Currently Polaris only works for AWS S3. It would be great to get support for on-prem deployments as well!

Describe the solution you'd like
Add an additional storage profile similar to the AWS one which allows custom Endpoint configuration. Test with MinIO or Ceph. Grant access via remote signing.

Describe alternatives you've considered
I don't think there is any?

Additional context
Remote signing spec: https://github.com/apache/iceberg/blob/main/aws/src/main/resources/s3-signer-open-api.yaml

[mjf-89]

It would be great to know if such feature is already on the roadmap or not. I would be personally interested in contributing here because currently I'm working for a company where we have everything on-premise. We are using Iceberg with a legacy Hive Standalone Metastore and we are looking for a REST alternative. Polaris is really promising but the lack of support for on premise S3 provider will hinder its adoption.

[chris922]

When I watched the demo on Snowflake site this was the first thing I noticed - where to configure the S3 endpoint etc.

I can also support here, maybe in development but also testing it with some S3 alternatives. I've got access to Dell ECS, NetApp StorageGRID, MinIO

[guitcastro]

The main point is that only few S3 compatible services have support for Security Token Service (STS). Minio does have support for it.

[mjf-89]

@guitcastro It might be possible to implement remote signing for on prem S3 implementations other than minio. But that would mean implement also the remote signing open API spec and that is probably outside the scope of polaris?

[guitcastro]

@mjf-89 I don't know more than you. I am not maintainer, my comment is just based on how the S3 auth are implemented.

[dimas-b]

@mjf-89 : could you provide more details (perhaps a link) about the remote signing open API spec that you mentioned above?

[snazy]

The main point is that only few S3 compatible services have support for Security Token Service (STS). Minio does have support for it.

STS is needed for credential-vending, as currently implement.

The actual request signing doesn't interact w/ any remote service. The client (in this case Iceberg) asks the resource (Polaris) to return a signed URL for every particular S3 request.

[mjf-89]

@dimas-b sure, in the openapi spec of the rest catalog you can see that there are currently two supported delegated access mechanisms, vended credentials and remote signing:

https://github.com/apache/iceberg/blob/e9364faabcc67eef6c61af2ecdf7bcf9a3fef602/open-api/rest-catalog-open-api.yaml#L1488

And here you can find the openapi spec for the remote signing service:

https://github.com/apache/iceberg/blob/e9364faabcc67eef6c61af2ecdf7bcf9a3fef602/aws/src/main/resources/s3-signer-open-api.yaml

I don't know of any open source implemention of that openapi spec, however I think that Tabular is based on such a thing. Or at least that is what I guessed reading their blog posts:

https://tabular.io/blog/securing-the-data-lake-part-1/

Where I have interpreted the "authorized file access request" as a presigned url that the remote signing service is giving back to the engine to access the data files.

[c-thiel]

I agree that STS is the better solution if available, but not all S3 Services support it. It would be nice to add it at a fallback for on-premise deployments.
@mjf-89 there are currently two open-source catalogs that support it, Project Nessie and the TIP Iceberg Catalog - links go roughly to the corresponding code sections.

[mjf-89]

@c-thiel thank you very much, last time that I checked on Nessie the iceberg rest api was still not implemented and S3 remote signing was definitely not there, TIP was completely outside my radar but it seem really promising, especially for the customization freedom on the authz side. Happy to see that the landscape of iceberg rest catalog is evolving so rapidly.

As for Polaris I hope that remote signing can be implemented as a fallback for those S3 implementations that do not have an sts endpoint like you have said.

[dimas-b]

Remote Signing can be a useful feature. I'd support adding it to Polaris.

1. The catalog does not expose any long of mid-term credentials to the client (reduces risk of credential leaks and makes access revocation is immediate, if/when it happens).
2. Client session runtime is not limited by STS session restrictions (extremely long client sessions are possible at the expense of slightly slower storage I/O calls).
3. The catalog can (hypothetically) make finer-grained access decisions that are not expressible in terms of STS policies.

[dimas-b]

@mjf-89 :

I don't know of any open source implemention of that openapi spec

Just FYI: Nessie supports that.

[mjf-89]

@dimas-b thank you, as @c-thiel already mentioned both Nessie and TIP actually support that feature.

One question that I have regards the performance implications of remote signing. I feel like it could introduce quite a bit of latency to the queries, of course mich depend on the implementation of both the runtime and the catalog.

Another thing to be noted is that not all the runtimes actually support such feature. As an example I think that currently trino lacks such support: trinodb/trino#21189

[heartblast]

Since the temporary credential feature provided by S3 differs from that of MinIO, adjustments are required to support MinIO. Specifically, the Polaris Catalog must obtain a security token from an OAuth service such as Keycloak to utilize MinIO's temporary credential feature, and the configuration must allow for STS (Security Token Service) endpoint settings to enable this integration.

[mmgaggle]

Ceph supports IAM/STS, both AssumeRole and AssumeRoleWithWebIdentity. I can test to make sure this works as expected in that context.

[mmgaggle]

@mjf-89 It would be more powerful if the engine sent the GetObject requests to the catalog, and the catalog signed them using its own credential, or using a credential is generates (ie you might want it to AssumeRole before signing for tracking purposes). If the catalog returned a pre-signed url for an object, then if an attacker were to snoop on the engine to catalog traffic they would have access to the object. A signed request has protection against replay attacks.

[lefebsy]

Since the temporary credential feature provided by S3 differs from that of MinIO, adjustments are required to support MinIO. Specifically, the Polaris Catalog must obtain a security token from an OAuth service such as Keycloak to utilize MinIO's temporary credential feature, and the configuration must allow for STS (Security Token Service) endpoint settings to enable this integration.

Hello,
In fact MinIO support STS assumeRole API out of the box. The documentation explain you can setup an external idp like keycloak, but it will work with MinIO alone. I have done a quick test after forking polaris.

[lefebsy]

Hello,

I can try to contribute to this feature request.
I have coded a polaris core storage implementation, copy of the aws, without the required arnRole parameter, replaced by endpoint, path style, and credentials.
You can choose a strategy for the client calling catalog :

• "vending token" with default STS assume role like aws. It is working with MinIO, and should works also with Dell ECS, NetApp StorageGRID, etc...
• "vending keys" :
• if you do not care a lot about security the catalog can send his own keys to the client
• you can also store in catalog keys dedicated to clients. You can then revoke them externally without breaking the catalog.

You can also choose a strategy during the creation of the catalog (cli, curl api) by passing catalog & or client keys by direct value, or environnement name variable.
In case of the variable name, you have to be sure that Polaris can find them inside is running environnement, of course. A kubernetes production deployment should be suited for this configuration (envFromSecrets deployed to Polaris pods)

Let me know your opinion about this design. The code is ready, I still have to read the "PR guide" and check requirements.

[mmgaggle]

@lefebsy If you can point me to a branch, I can try it against Ceph

[lefebsy]

@lefebsy If you can point me to a branch, I can try it against Ceph

Thank you ! I have no access to a rados gateway it could be a good test.
https://github.com/lefebsy/polaris/tree/refs/heads/s3compatible
The PR is under review #389

@mmgaggle If you need specific modification to be compliant with Ceph-rgw tell me :)
(Curiosity : Is it a Ceph supporting NVMe over Fabrics ? I've heard perfs are awsome...)

[ang6300]

@lefebsy I tried with this
https://github.com/lefebsy/polaris/tree/refs/heads/s3compatible

I am testing it against on premise s3 storage but did not find what option to specify custom s3 and sts endpoint. Tried to add these to spark-default.conf but not working.

spark.hadoop.fs.s3a.endpoint
spark.hadoop.fs.s3a.assumed.role.sts.endpoint
spark.hadoop.fs.s3a.aws.credentials.provider
spark.hadoop.fs.s3a.assumed.role.credentials.provider
spark.hadoop.fs.s3a.access.key
spark.hadoop.fs.s3a.secret.key
spark.hadoop.fs.s3a.path.style.access

Further testing shows spark_sql loads AWS credential from environment variables. Set up all the variables and able to write metadata to on premise s3 bucket but failed to write the parquet file.
s3://polaris-sg/sg_db1/table1/data/00000-0-49bf02f5-8632-45b1-be33-95e1658e3a33-0-00001.parquet

24/12/11 23:35:52 ERROR DataWritingSparkTask: Aborting commit for partition 0 (task 0, attempt 0, stage 0.0)
24/12/11 23:35:53 WARN S3FileIO: Encountered failure when deleting batch
software.amazon.awssdk.services.s3.model.S3Exception: The AWS Access Key Id you provided does not exist in our records. (Service: S3, Status Code: 403, Request ID: P25DMBEE3XBK20XP, Extended Request ID: iXnMbkU52j2tRqGjmIARh2tttxdcNBl0RhlTrLSXapP/250/Mlms0dH2K0OMoawTldRdt37pHAfZWRSXoFm/fw==)

I believe it is expecting to get temporary access key/STS token from AWS STS endpoint using the assumerole ARN provided to run_spark_sql.sh.

It does not use this environment variable:
export AWS_ENDPOINT_URL_STS="https://sts.example.com"

Can you update your code to allow custom STS endpoint?

Appreciate any help. Thank you.

[lefebsy]

Hello @ang6300 ,

Parameters are described here :
https://github.com/lefebsy/polaris/blob/refs/heads/s3compatible/spec/polaris-management-service.yml#L906

You can have a look to the non-regression tests script to find example to create catalog and how to configure spark-sql :
https://github.com/lefebsy/polaris/blob/refs/heads/s3compatible/regtests/run_spark_sql_s3compatible.sh

You tried to setup S3 in spark confs, but it's useless : S3 endpoint and S3 keys are defined in the catalog inside Polaris.
Spark will retrieve the endpoint from Polaris catalog response, alongside the STS, during vended-credential negotiation with the catalog.

TL;DR :

Create the catalog :

curl -s -i -X POST -H "Authorization: Bearer ${POLARIS_BEARER_TOKEN}" \
      -H 'Accept: application/json' \
      -H 'Content-Type: application/json' \
      http://${POLARIS_HOST:-localhost}:8181/api/management/v1/catalogs \
      -d "{
            \"name\": \"my-minio-wh\",
            \"id\": 100,
            \"type\": \"INTERNAL\",
            \"readOnly\": false,
            \"properties\": {
              \"default-base-location\": \"${S3_LOCATION}\"
            },
            \"storageConfigInfo\": {
              \"storageType\": \"S3_COMPATIBLE\",
              \"allowedLocations\": [\"${S3_LOCATION}/\"],
              \"s3.endpoint\": \"https://localhost:9000\"
              \"s3.path-style-access\": true,
              \"s3.credentials.catalog.access-key-id\": \"S3_ACCESS_KEY_VAR_NAME\",
              \"s3.credentials.catalog.secret-access-key\": \"S3_SECRET_KEY_VAR_NAME\"
            }
          }"

Use the catalog :

${SPARK_HOME}/bin/spark-sql \
  --conf spark.sql.extensions=org.apache.iceberg.spark.extensions.IcebergSparkSessionExtensions \
  --conf spark.sql.catalog.polaris=org.apache.iceberg.spark.SparkCatalog \
  --conf spark.sql.catalog.polaris.type=rest \
  --conf spark.sql.catalog.polaris.uri=http://${POLARIS_HOST:-localhost}:8181/api/catalog \
  --conf spark.sql.catalog.polaris.header.X-Iceberg-Access-Delegation=vended-credentials \
  --conf spark.sql.catalog.polaris.token="${POLARIS_BEARER_TOKEN}" \
  --conf spark.sql.catalog.polaris.warehouse=my-minio-wh \
  --conf spark.sql.defaultCatalog=polaris

Et voilà :)

[ang6300]

Hello @lefebsy

Thank you for all the details.
If I read it correctly, the run_spark_sql_s3compatible.sh does not use role arn.

Is it possible to use role-arn but with custom sts endpoint

[trino-user@trino-m regtests]$ grep role run_spark_sql.sh

./run_spark_sql.sh [S3-location AWS-IAM-role]

- [AWS-IAM-role] - The AWS IAM role for catalog to assume when accessing the S3 location.

./run_spark_sql.sh s3://my-bucket/path arn:aws:iam::123456789001:role/my-role

echo "Usage: ./run_spark_sql.sh [S3-location AWS-IAM-role]"

Currently I am able to use run_spark_sql.sh with S3-location AWS-IAM-role with on premise s3 compatible storage.
It creates the metadata object but not the parquet.

aws s3 ls --recursive s3://polaris-sg/sg_db1
2024-12-11 23:34:03 1072 sg_db1/table1/metadata/00000-e77a2d71-ee13-4bd7-89a8-2450650d5249.metadata.json

failed to write the parquet file.
s3://polaris-sg/sg_db1/table1/data/00000-0-49bf02f5-8632-45b1-be33-95e1658e3a33-0-00001.parquet

The polaris-sg bucket is on s3 compatible storage, not on AWS S3.

[lefebsy]

Correct, the RoleArn is not used/implemented.
The STS will still be valid only for the ressource queried by spark from the catalog (a dedicated policy is build for each query).

Could you explain what's the purpose of roleArn in your use case outside AWS ?

[ang6300]

Thank you lefebsy.
End user wants to use roleArn for security reason.

[lefebsy]

Hello @ang6300,

Roles are always for security reasons ;)
I am asking this to understand wich test could be ok to check global security behavior expected, in case I add roleArn in this implementation.
Adding this parameter is quite easy. Testing if it's correctly done is harder.

You can try again.

I have updated the code with roleArn. Be carefull I've also reformated parameters in CamelCase :

• specs : https://github.com/lefebsy/polaris/blob/refs/heads/s3compatible/spec/polaris-management-service.yml#L910

• ex : https://github.com/lefebsy/polaris/blob/refs/heads/s3compatible/regtests/run_spark_sql_s3compatible.sh#L171

[ang6300]

Hello @lefebsy,
Thank you very much for making the changes.
I will redo the testing next week.