Support GCS vended credentials from Iceberg REST catalog

Author: kaveti

lib/trino-filesystem-gcs/src/main/java/io/trino/filesystem/gcs/GcsFileSystem.java

@@ -76,23 +76,32 @@ public class GcsFileSystem
     private final long writeBlockSizeBytes;
     private final int pageSize;
     private final int batchSize;
+    private final Optional<EncryptionKey> defaultEncryptionKey;
+    private final Optional<EncryptionKey> defaultDecryptionKey;
 
     public GcsFileSystem(ListeningExecutorService executorService, Storage storage, int readBlockSizeBytes, long writeBlockSizeBytes, int pageSize, int batchSize)
+    {
+        this(executorService, storage, readBlockSizeBytes, writeBlockSizeBytes, pageSize, batchSize, Optional.empty(), Optional.empty());
+    }
+
+    public GcsFileSystem(ListeningExecutorService executorService, Storage storage, int readBlockSizeBytes, long writeBlockSizeBytes, int pageSize, int batchSize, Optional<EncryptionKey> defaultEncryptionKey, Optional<EncryptionKey> defaultDecryptionKey)
     {
         this.executorService = requireNonNull(executorService, "executorService is null");
         this.storage = requireNonNull(storage, "storage is null");
         this.readBlockSizeBytes = readBlockSizeBytes;
         this.writeBlockSizeBytes = writeBlockSizeBytes;
         this.pageSize = pageSize;
         this.batchSize = batchSize;
+        this.defaultEncryptionKey = requireNonNull(defaultEncryptionKey, "defaultEncryptionKey is null");
+        this.defaultDecryptionKey = requireNonNull(defaultDecryptionKey, "defaultDecryptionKey is null");
     }
 
     @Override
     public TrinoInputFile newInputFile(Location location)
     {
         GcsLocation gcsLocation = new GcsLocation(location);
         checkIsValidFile(gcsLocation);
-        return new GcsInputFile(gcsLocation, storage, readBlockSizeBytes, OptionalLong.empty(), Optional.empty(), Optional.empty());
+        return new GcsInputFile(gcsLocation, storage, readBlockSizeBytes, OptionalLong.empty(), Optional.empty(), defaultDecryptionKey);
     }
 
     @Override
@@ -108,7 +117,7 @@ public TrinoInputFile newInputFile(Location location, long length)
     {
         GcsLocation gcsLocation = new GcsLocation(location);
         checkIsValidFile(gcsLocation);
-        return new GcsInputFile(gcsLocation, storage, readBlockSizeBytes, OptionalLong.of(length), Optional.empty(), Optional.empty());
+        return new GcsInputFile(gcsLocation, storage, readBlockSizeBytes, OptionalLong.of(length), Optional.empty(), defaultDecryptionKey);
     }
 
     @Override
@@ -124,7 +133,7 @@ public TrinoInputFile newInputFile(Location location, long length, Instant lastM
     {
         GcsLocation gcsLocation = new GcsLocation(location);
         checkIsValidFile(gcsLocation);
-        return new GcsInputFile(gcsLocation, storage, readBlockSizeBytes, OptionalLong.of(length), Optional.of(lastModified), Optional.empty());
+        return new GcsInputFile(gcsLocation, storage, readBlockSizeBytes, OptionalLong.of(length), Optional.of(lastModified), defaultDecryptionKey);
     }
 
     @Override
@@ -140,7 +149,7 @@ public TrinoOutputFile newOutputFile(Location location)
     {
         GcsLocation gcsLocation = new GcsLocation(location);
         checkIsValidFile(gcsLocation);
-        return new GcsOutputFile(gcsLocation, storage, writeBlockSizeBytes, Optional.empty());
+        return new GcsOutputFile(gcsLocation, storage, writeBlockSizeBytes, defaultEncryptionKey);
     }
 
     @Override

lib/trino-filesystem-gcs/src/main/java/io/trino/filesystem/gcs/GcsFileSystemFactory.java

@@ -17,11 +17,17 @@
 import com.google.inject.Inject;
 import io.trino.filesystem.TrinoFileSystem;
 import io.trino.filesystem.TrinoFileSystemFactory;
+import io.trino.filesystem.encryption.EncryptionKey;
 import io.trino.spi.security.ConnectorIdentity;
 import jakarta.annotation.PreDestroy;
 
+import java.util.Base64;
+import java.util.Optional;
+
 import static com.google.common.util.concurrent.MoreExecutors.listeningDecorator;
 import static io.airlift.concurrent.Threads.daemonThreadsNamed;
+import static io.trino.filesystem.gcs.GcsFileSystemConstants.EXTRA_CREDENTIALS_GCS_DECRYPTION_KEY_PROPERTY;
+import static io.trino.filesystem.gcs.GcsFileSystemConstants.EXTRA_CREDENTIALS_GCS_ENCRYPTION_KEY_PROPERTY;
 import static java.lang.Math.toIntExact;
 import static java.util.Objects.requireNonNull;
 import static java.util.concurrent.Executors.newCachedThreadPool;
@@ -56,6 +62,18 @@ public void stop()
     @Override
     public TrinoFileSystem create(ConnectorIdentity identity)
     {
-        return new GcsFileSystem(executorService, storageFactory.create(identity), readBlockSizeBytes, writeBlockSizeBytes, pageSize, batchSize);
+        Optional<EncryptionKey> defaultEncryptionKey = extractEncryptionKey(identity, EXTRA_CREDENTIALS_GCS_ENCRYPTION_KEY_PROPERTY);
+        Optional<EncryptionKey> defaultDecryptionKey = extractEncryptionKey(identity, EXTRA_CREDENTIALS_GCS_DECRYPTION_KEY_PROPERTY);
+        return new GcsFileSystem(executorService, storageFactory.create(identity), readBlockSizeBytes, writeBlockSizeBytes, pageSize, batchSize, defaultEncryptionKey, defaultDecryptionKey);
+    }
+
+    private static Optional<EncryptionKey> extractEncryptionKey(ConnectorIdentity identity, String extraCredentialKey)
+    {
+        String base64Key = identity.getExtraCredentials().get(extraCredentialKey);
+        if (base64Key == null) {
+            return Optional.empty();
+        }
+        byte[] keyBytes = Base64.getDecoder().decode(base64Key);
+        return Optional.of(new EncryptionKey(keyBytes, "AES256"));
     }
 }

lib/trino-filesystem-gcs/src/main/java/io/trino/filesystem/gcs/GcsStorageFactory.java

@@ -14,6 +14,9 @@
 package io.trino.filesystem.gcs;
 
 import com.google.api.gax.retrying.RetrySettings;
+import com.google.auth.oauth2.AccessToken;
+import com.google.auth.oauth2.GoogleCredentials;
+import com.google.cloud.NoCredentials;
 import com.google.cloud.storage.Storage;
 import com.google.cloud.storage.StorageOptions;
 import com.google.inject.Inject;
@@ -22,11 +25,18 @@
 import java.io.IOException;
 import java.io.UncheckedIOException;
 import java.time.Duration;
+import java.util.Date;
 import java.util.Map;
 import java.util.Optional;
 
 import static com.google.cloud.storage.StorageRetryStrategy.getUniformStorageRetryStrategy;
 import static com.google.common.net.HttpHeaders.USER_AGENT;
+import static io.trino.filesystem.gcs.GcsFileSystemConstants.EXTRA_CREDENTIALS_GCS_NO_AUTH_PROPERTY;
+import static io.trino.filesystem.gcs.GcsFileSystemConstants.EXTRA_CREDENTIALS_GCS_OAUTH_TOKEN_EXPIRES_AT_PROPERTY;
+import static io.trino.filesystem.gcs.GcsFileSystemConstants.EXTRA_CREDENTIALS_GCS_OAUTH_TOKEN_PROPERTY;
+import static io.trino.filesystem.gcs.GcsFileSystemConstants.EXTRA_CREDENTIALS_GCS_PROJECT_ID_PROPERTY;
+import static io.trino.filesystem.gcs.GcsFileSystemConstants.EXTRA_CREDENTIALS_GCS_SERVICE_HOST_PROPERTY;
+import static io.trino.filesystem.gcs.GcsFileSystemConstants.EXTRA_CREDENTIALS_GCS_USER_PROJECT_PROPERTY;
 import static java.util.Objects.requireNonNull;
 
 public class GcsStorageFactory
@@ -59,14 +69,45 @@ public GcsStorageFactory(GcsFileSystemConfig config, GcsAuth gcsAuth)
     public Storage create(ConnectorIdentity identity)
     {
         try {
+            Map<String, String> extraCredentials = identity.getExtraCredentials();
+            boolean noAuth = Boolean.parseBoolean(extraCredentials.getOrDefault(EXTRA_CREDENTIALS_GCS_NO_AUTH_PROPERTY, "false"));
+            String vendedOAuthToken = extraCredentials.get(EXTRA_CREDENTIALS_GCS_OAUTH_TOKEN_PROPERTY);
+
             StorageOptions.Builder storageOptionsBuilder = StorageOptions.newBuilder();
-            if (projectId != null) {
-                storageOptionsBuilder.setProjectId(projectId);
+
+            String effectiveProjectId = extraCredentials.getOrDefault(EXTRA_CREDENTIALS_GCS_PROJECT_ID_PROPERTY, projectId);
+            if (effectiveProjectId != null) {
+                storageOptionsBuilder.setProjectId(effectiveProjectId);
             }
 
-            gcsAuth.setAuth(storageOptionsBuilder, identity);
+            if (noAuth) {
+                storageOptionsBuilder.setCredentials(NoCredentials.getInstance());
+            }
+            else if (vendedOAuthToken != null) {
+                Date expirationTime = null;
+                String expiresAt = extraCredentials.get(EXTRA_CREDENTIALS_GCS_OAUTH_TOKEN_EXPIRES_AT_PROPERTY);
+                if (expiresAt != null) {
+                    expirationTime = new Date(Long.parseLong(expiresAt));
+                }
+                AccessToken accessToken = new AccessToken(vendedOAuthToken, expirationTime);
+                storageOptionsBuilder.setCredentials(GoogleCredentials.create(accessToken));
+            }
+            else {
+                gcsAuth.setAuth(storageOptionsBuilder, identity);
+            }
 
-            endpoint.ifPresent(storageOptionsBuilder::setHost);
+            String vendedServiceHost = extraCredentials.get(EXTRA_CREDENTIALS_GCS_SERVICE_HOST_PROPERTY);
+            if (vendedServiceHost != null) {
+                storageOptionsBuilder.setHost(vendedServiceHost);
+            }
+            else {
+                endpoint.ifPresent(storageOptionsBuilder::setHost);
+            }
+
+            String vendedUserProject = extraCredentials.get(EXTRA_CREDENTIALS_GCS_USER_PROJECT_PROPERTY);
+            if (vendedUserProject != null) {
+                storageOptionsBuilder.setQuotaProjectId(vendedUserProject);
+            }
 
             // Note: without uniform strategy we cannot retry idempotent operations.
             // The trino-filesystem api does not violate the conditions for idempotency, see https://cloud.google.com/storage/docs/retry-strategy#java for details.

lib/trino-filesystem-gcs/src/test/java/io/trino/filesystem/gcs/TestGcsStorageFactory.java

@@ -14,12 +14,21 @@
 package io.trino.filesystem.gcs;
 
 import com.google.auth.Credentials;
+import com.google.auth.oauth2.AccessToken;
+import com.google.auth.oauth2.GoogleCredentials;
 import com.google.cloud.NoCredentials;
 import com.google.cloud.storage.Storage;
+import com.google.common.collect.ImmutableMap;
 import io.trino.spi.security.ConnectorIdentity;
 import org.junit.jupiter.api.Test;
 
 import static io.trino.filesystem.gcs.GcsFileSystemConfig.AuthType;
+import static io.trino.filesystem.gcs.GcsFileSystemConstants.EXTRA_CREDENTIALS_GCS_NO_AUTH_PROPERTY;
+import static io.trino.filesystem.gcs.GcsFileSystemConstants.EXTRA_CREDENTIALS_GCS_OAUTH_TOKEN_EXPIRES_AT_PROPERTY;
+import static io.trino.filesystem.gcs.GcsFileSystemConstants.EXTRA_CREDENTIALS_GCS_OAUTH_TOKEN_PROPERTY;
+import static io.trino.filesystem.gcs.GcsFileSystemConstants.EXTRA_CREDENTIALS_GCS_PROJECT_ID_PROPERTY;
+import static io.trino.filesystem.gcs.GcsFileSystemConstants.EXTRA_CREDENTIALS_GCS_SERVICE_HOST_PROPERTY;
+import static io.trino.filesystem.gcs.GcsFileSystemConstants.EXTRA_CREDENTIALS_GCS_USER_PROJECT_PROPERTY;
 import static org.assertj.core.api.Assertions.assertThat;
 
 final class TestGcsStorageFactory
@@ -38,4 +47,159 @@ void testApplicationDefaultCredentials()
 
         assertThat(actualCredentials).isEqualTo(NoCredentials.getInstance());
     }
+
+    @Test
+    void testVendedOAuthToken()
+            throws Exception
+    {
+        GcsFileSystemConfig config = new GcsFileSystemConfig().setAuthType(AuthType.APPLICATION_DEFAULT);
+        GcsStorageFactory storageFactory = new GcsStorageFactory(config, new ApplicationDefaultAuth());
+
+        ConnectorIdentity identity = ConnectorIdentity.forUser("test")
+                .withExtraCredentials(ImmutableMap.of(
+                        EXTRA_CREDENTIALS_GCS_OAUTH_TOKEN_PROPERTY, "ya29.test-token"))
+                .build();
+
+        try (Storage storage = storageFactory.create(identity)) {
+            Credentials credentials = storage.getOptions().getCredentials();
+            assertThat(credentials).isInstanceOf(GoogleCredentials.class);
+            GoogleCredentials googleCredentials = (GoogleCredentials) credentials;
+            AccessToken accessToken = googleCredentials.getAccessToken();
+            assertThat(accessToken).isNotNull();
+            assertThat(accessToken.getTokenValue()).isEqualTo("ya29.test-token");
+        }
+    }
+
+    @Test
+    void testVendedOAuthTokenWithExpiration()
+            throws Exception
+    {
+        GcsFileSystemConfig config = new GcsFileSystemConfig().setAuthType(AuthType.APPLICATION_DEFAULT);
+        GcsStorageFactory storageFactory = new GcsStorageFactory(config, new ApplicationDefaultAuth());
+
+        ConnectorIdentity identity = ConnectorIdentity.forUser("test")
+                .withExtraCredentials(ImmutableMap.of(
+                        EXTRA_CREDENTIALS_GCS_OAUTH_TOKEN_PROPERTY, "ya29.test-token",
+                        EXTRA_CREDENTIALS_GCS_OAUTH_TOKEN_EXPIRES_AT_PROPERTY, "1700000000000"))
+                .build();
+
+        try (Storage storage = storageFactory.create(identity)) {
+            Credentials credentials = storage.getOptions().getCredentials();
+            assertThat(credentials).isInstanceOf(GoogleCredentials.class);
+            GoogleCredentials googleCredentials = (GoogleCredentials) credentials;
+            AccessToken accessToken = googleCredentials.getAccessToken();
+            assertThat(accessToken).isNotNull();
+            assertThat(accessToken.getTokenValue()).isEqualTo("ya29.test-token");
+            assertThat(accessToken.getExpirationTime()).isNotNull();
+            assertThat(accessToken.getExpirationTime().getTime()).isEqualTo(1700000000000L);
+        }
+    }
+
+    @Test
+    void testVendedProjectId()
+            throws Exception
+    {
+        GcsFileSystemConfig config = new GcsFileSystemConfig()
+                .setAuthType(AuthType.APPLICATION_DEFAULT)
+                .setProjectId("static-project");
+        GcsStorageFactory storageFactory = new GcsStorageFactory(config, new ApplicationDefaultAuth());
+
+        ConnectorIdentity identity = ConnectorIdentity.forUser("test")
+                .withExtraCredentials(ImmutableMap.of(
+                        EXTRA_CREDENTIALS_GCS_OAUTH_TOKEN_PROPERTY, "ya29.test-token",
+                        EXTRA_CREDENTIALS_GCS_PROJECT_ID_PROPERTY, "vended-project"))
+                .build();
+
+        try (Storage storage = storageFactory.create(identity)) {
+            assertThat(storage.getOptions().getProjectId()).isEqualTo("vended-project");
+        }
+    }
+
+    @Test
+    void testVendedServiceHost()
+            throws Exception
+    {
+        GcsFileSystemConfig config = new GcsFileSystemConfig()
+                .setAuthType(AuthType.APPLICATION_DEFAULT);
+        GcsStorageFactory storageFactory = new GcsStorageFactory(config, new ApplicationDefaultAuth());
+
+        ConnectorIdentity identity = ConnectorIdentity.forUser("test")
+                .withExtraCredentials(ImmutableMap.of(
+                        EXTRA_CREDENTIALS_GCS_OAUTH_TOKEN_PROPERTY, "ya29.test-token",
+                        EXTRA_CREDENTIALS_GCS_SERVICE_HOST_PROPERTY, "https://custom-storage.googleapis.com"))
+                .build();
+
+        try (Storage storage = storageFactory.create(identity)) {
+            assertThat(storage.getOptions().getHost()).isEqualTo("https://custom-storage.googleapis.com");
+        }
+    }
+
+    @Test
+    void testVendedNoAuth()
+            throws Exception
+    {
+        GcsFileSystemConfig config = new GcsFileSystemConfig().setAuthType(AuthType.APPLICATION_DEFAULT);
+        GcsStorageFactory storageFactory = new GcsStorageFactory(config, new ApplicationDefaultAuth());
+
+        ConnectorIdentity identity = ConnectorIdentity.forUser("test")
+                .withExtraCredentials(ImmutableMap.of(
+                        EXTRA_CREDENTIALS_GCS_NO_AUTH_PROPERTY, "true"))
+                .build();
+
+        try (Storage storage = storageFactory.create(identity)) {
+            assertThat(storage.getOptions().getCredentials()).isEqualTo(NoCredentials.getInstance());
+        }
+    }
+
+    @Test
+    void testNoAuthTakesPriorityOverOAuthToken()
+            throws Exception
+    {
+        GcsFileSystemConfig config = new GcsFileSystemConfig().setAuthType(AuthType.APPLICATION_DEFAULT);
+        GcsStorageFactory storageFactory = new GcsStorageFactory(config, new ApplicationDefaultAuth());
+
+        ConnectorIdentity identity = ConnectorIdentity.forUser("test")
+                .withExtraCredentials(ImmutableMap.of(
+                        EXTRA_CREDENTIALS_GCS_NO_AUTH_PROPERTY, "true",
+                        EXTRA_CREDENTIALS_GCS_OAUTH_TOKEN_PROPERTY, "ya29.test-token"))
+                .build();
+
+        try (Storage storage = storageFactory.create(identity)) {
+            assertThat(storage.getOptions().getCredentials()).isEqualTo(NoCredentials.getInstance());
+        }
+    }
+
+    @Test
+    void testVendedUserProject()
+            throws Exception
+    {
+        GcsFileSystemConfig config = new GcsFileSystemConfig()
+                .setAuthType(AuthType.APPLICATION_DEFAULT);
+        GcsStorageFactory storageFactory = new GcsStorageFactory(config, new ApplicationDefaultAuth());
+
+        ConnectorIdentity identity = ConnectorIdentity.forUser("test")
+                .withExtraCredentials(ImmutableMap.of(
+                        EXTRA_CREDENTIALS_GCS_OAUTH_TOKEN_PROPERTY, "ya29.test-token",
+                        EXTRA_CREDENTIALS_GCS_USER_PROJECT_PROPERTY, "billing-project"))
+                .build();
+
+        try (Storage storage = storageFactory.create(identity)) {
+            assertThat(storage.getOptions().getQuotaProjectId()).isEqualTo("billing-project");
+        }
+    }
+
+    @Test
+    void testStaticConfigUsedWithoutVendedCredentials()
+            throws Exception
+    {
+        GcsFileSystemConfig config = new GcsFileSystemConfig()
+                .setAuthType(AuthType.APPLICATION_DEFAULT)
+                .setProjectId("static-project");
+        GcsStorageFactory storageFactory = new GcsStorageFactory(config, new ApplicationDefaultAuth());
+
+        try (Storage storage = storageFactory.create(ConnectorIdentity.ofUser("test"))) {
+            assertThat(storage.getOptions().getProjectId()).isEqualTo("static-project");
+            assertThat(storage.getOptions().getCredentials()).isEqualTo(NoCredentials.getInstance());
+        }
+    }
 }

lib/trino-filesystem/src/main/java/io/trino/filesystem/gcs/GcsFileSystemConstants.java

@@ -0,0 +1,28 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.filesystem.gcs;
+
+public final class GcsFileSystemConstants
+{
+    public static final String EXTRA_CREDENTIALS_GCS_OAUTH_TOKEN_PROPERTY = "internal$gcs_oauth2_token";
+    public static final String EXTRA_CREDENTIALS_GCS_OAUTH_TOKEN_EXPIRES_AT_PROPERTY = "internal$gcs_oauth2_token_expires_at";
+    public static final String EXTRA_CREDENTIALS_GCS_PROJECT_ID_PROPERTY = "internal$gcs_project_id";
+    public static final String EXTRA_CREDENTIALS_GCS_SERVICE_HOST_PROPERTY = "internal$gcs_service_host";
+    public static final String EXTRA_CREDENTIALS_GCS_NO_AUTH_PROPERTY = "internal$gcs_no_auth";
+    public static final String EXTRA_CREDENTIALS_GCS_USER_PROJECT_PROPERTY = "internal$gcs_user_project";
+    public static final String EXTRA_CREDENTIALS_GCS_ENCRYPTION_KEY_PROPERTY = "internal$gcs_encryption_key";
+    public static final String EXTRA_CREDENTIALS_GCS_DECRYPTION_KEY_PROPERTY = "internal$gcs_decryption_key";
+
+    private GcsFileSystemConstants() {}
+}