Core, AWS, REST: Promote the S3 signing endpoint to the main spec

[adutra]

Dev ML discussion: https://lists.apache.org/thread/2kqdqb46j7jww36wwg4txv6pl2hqq9w7

This commit promotes the S3 remote signing endpoint from an AWS-specific implementation to a first-class REST catalog API endpoint.

This enables other storage providers (GCS, Azure, etc.) to eventually reuse the same signing endpoint pattern without duplicating the API definition.

OpenAPI Specification changes:

• Add /v1/{prefix}/namespaces/{namespace}/tables/{table}/sign/{provider} endpoint to the main REST catalog OpenAPI spec
• Define RemoteSignRequest, RemoteSignResult and RemoteSignResponse schemas
• Remove the separate s3-signer-open-api.yaml from the AWS module
• Update the Python client

Core Module changes (iceberg-core):

• Add RemoteSignRequest and RemoteSignResponse model classes, copied from the iceberg-aws module
• Add RemoteSignRequestParser and RemoteSignResponseParser for JSON serialization, copied from the iceberg-aws module
• Add SIGNER_URI and SIGNER_ENDPOINT properties to CatalogProperties for configuring the signing endpoint
• Add V1_TABLE_REMOTE_SIGN field and remoteSign() method to ResourcePaths
• Register the new endpoint in Endpoint.java
• Add abstract RemoteSignerServlet base class for remote signing tests, copied from the iceberg-aws module

AWS Module changes (iceberg-aws):

• Deprecate S3SignRequest and S3SignResponse for removal
• Deprecate S3SignRequestParser and S3SignResponseParser for removal
• Deprecate S3ObjectMapper for removal
• Refactor S3SignerServlet to extend RemoteSignerServlet
• Update S3V4RestSignerClient
• Move relevant tests to iceberg-core

[singhpk234]

SHOULD or MUST ?

[adutra]

It's complicated 😄

The signer client impl uses org.apache.iceberg.rest.RESTUtil#resolveEndpoint to perform the concatenation of signer.uri and signer.endpoint.

So, signer.endpoint could also be an absolute URL, in which case, signer.uri would be ignored.

I will try to come up with a better wording.

[adutra]

Rephrased, lmk what you think!

[singhpk234]

I believe this is S3Headers eq section in the s3 signer spec ? can we say like ObjectStoreProviderHeader ?

[adutra]

I went for a more generic name because there is nothing specific to remote signing here. This component could perfectly be used for something else in the spec.

[adutra]

FYI I chose to keep this property specific to S3. I think that even if the signer endpoint is now generic, enablement should be performed for each specific object storage.

[steveloughran]

you can actually do google GCS cloud access via its s3 gateway; same signing algorithm, just a few different settings to change listing version, endpoint, &c

https://github.com/apache/hadoop/blob/trunk/hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/third_party_stores.md#google-cloud-storage-through-the-s3a-connector

[nastra]

I don't think we can just change the value here as that would break backwards compatibility

[nastra]

this wasn't needed before but is needed now, which indicates that this is a breaking change for users?

[adutra]

For now it's not required, but it will become required in a future release (1.12 or later).

There is a check + warning here:

https://github.com/adutra/iceberg/blob/f3fc09595bc47d4f0ba7a879d3c7eaf3d70c1e38/aws/src/main/java/org/apache/iceberg/aws/s3/signer/S3V4RestSignerClient.java#L219-L224

I proactively updated the tests so that they don't break when we make this property required.

[nastra]

I don't think we would want to remove this spec yet. We should probably first deprecate it

[nastra]

these all should probably just be package-private and not public

[nastra]

not sure whether we need to make this one and the one below public

[singhpk234]

minor : should we use rest constants instead of raw string for "POST" ?

[adutra]

Sorry I went back to raw strings because org.apache.iceberg.rest.HttpMethod is missing constants for PUT, OPTIONS, etc. which was causing integration tests to fail.

[nastra]

we previously had this defined in a CACHEABLE_METHODS set, so would be good to keep this for easier readability

[nastra]

nit: why not just {@link CatalogProperties#URI} here?

[nastra]

I think we should still leave this in until we actually remove the openapi spec file

[nastra]

I actually liked that you switched the impl here to using functionality from the new RemoteSignRequestParser for stuff, not sure why you decided to change that

[adutra]

OK 😅 I thought it was a bit too invasive. Let me go back to the previous version.

[nastra]

this class I would probably just deprecate and not switch to using RESTSerializers.registerAll(MAPPER).

[nastra]

overall LGTM, but left a few minor comments that would be good to address

[adutra]

Heads up: I had to rebase because of a conflict with fec9800.

[singhpk234]

should we define an ENUM for this, as s3a / s3e .... can create confusion for the catalog, we can say all are s3 ? similar for GCS / Azure check the resolving file IO i believe we do something similar there

[adutra]

An enum means we need a spec change for every new provider – unless we go ahead an create enums for all major cloud providers?

[singhpk234]

unless we go ahead an create enums for all major cloud providers?

thats what we had in mind, like let say s3 / azure / gcp and we can add more in case to case basis, open string still leave room for interpretation in catalog is what i think, but i can be convinced other wise :)

[adutra]

OK I'm fine with that! I just introduced the enum, the constants are s3, gcs and adls (these names match the naming convention used by ResolvingFileIO).

[singhpk234]

Spec changes looks good to me.
Added a suggestion for the provider being ENUM

[steveloughran]

@adutra I'm doing some stuff with the signer (#15417 with draft pr and tests in #15428 15428). The s3 signer needs to track which headers are being signed, so when it is safe/unsafe to use the cached signature. new Range? good everwhere. if-modified-since? only with #15428 in. new aws-encryption option: nothing.

Either it parses the signature string coming back from the s3 servlet or it gets back a header explicitly listing those headers signed. That seems cleaner, but might need to be part of this spec

• if x-iceberg-cached-headers comes back with a list of headers, include these in the cache alongside the signature
• when checking to see if a request can be signed, first check verb and uri, then compare the signed headers, and only reuse if the headers values are identical.

Given this PR is explicitly a promotion of the current signing, it'll have to be a followup. It's just at the moment the signing is very brittle

[nastra]

should we maybe omit the default? I also don't see defaulting to s3 anywhere in the java impl

[adutra]

@nastra let's move the conversation to #15450.

[adutra]

FYI in yesterday's catalog sync it was decided to split this PR in two: one PR for spec changes (#15450) and another for code changes (TDB).

Apologies to the many reviewers for the inconvenience. Please review #15450 if you can 🙏

[adutra]

The code changes PR is also up for review: #15451.