persist cloud config #76
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Summary of Changes
Hello @dentiny, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request significantly enhances the system's ability to manage and persist cloud-specific security configurations for tables. It introduces a flexible, extensible structure for handling credentials from various cloud providers, starting with AWS, and centralizes the management of these secrets within the metadata store. This change improves the robustness and adaptability of how table configurations and their associated security details are stored and retrieved.
Highlights
- Refactored Cloud Security Configuration: The
AwsSecurityConfighas been moved and integrated into a newCloudSecurityConfigenum. This provides a more extensible structure for handling various cloud provider credentials, starting with AWS, and allows for easier future expansion. - Centralized Secret Management: A new
TableConfigEntrystruct is introduced to consolidate and manage different types of secrets (cloud vendor, Iceberg data access, WAL) associated with a table configuration during persistence. This streamlines the handling of sensitive information. - Database Schema Update for Secrets: The
secretstable in the SQLite metadata store has been updated. It now supports a newcloudusage type for secrets and uses a more genericproviderfield, accommodating the newCloudSecurityConfig. - API and Internal Logic Updates: Public APIs in
lib.rsandstorage.rsnow expose the newCloudSecurityConfigandAwsSecurityConfigtypes. Internal logic iniceberg_table_config.rsandconfig_utils.rshas been adapted to utilize these new structures for configuration parsing and persistence.
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
There was a problem hiding this comment.
Code Review
This pull request refactors the cloud security configuration to make it more extensible and attempts to persist it. While the refactoring is a good step, the implementation is incomplete and introduces several critical bugs, particularly in the database persistence logic. There are compilation errors, runtime panics, and incorrect SQL queries that need to be addressed. The logic for reading the persisted configuration also appears to be missing.
| @@ -1,5 +1,5 @@ | |||
| #[cfg(feature = "catalog-glue")] | |||
| use crate::storage::iceberg::aws_security_config::AwsSecurityConfig; | |||
| use crate::{storage::iceberg::aws_security_config::AwsSecurityConfig, CloudSecurityConfig}; | |||
There was a problem hiding this comment.
This use statement is incorrect. It refers to storage::iceberg::aws_security_config::AwsSecurityConfig, but the aws_security_config module has been removed. Furthermore, AwsSecurityConfig is not directly used in this file. The import should only be for CloudSecurityConfig.
| use crate::{storage::iceberg::aws_security_config::AwsSecurityConfig, CloudSecurityConfig}; | |
| use crate::CloudSecurityConfig; |
| usage_type TEXT CHECK (usage_type IN ('iceberg', 'wal')), -- Purpose of secret: 'iceberg' or 'wal'. | ||
| storage_provider TEXT CHECK (storage_provider IN ('s3', 'gcs')), -- One of ('s3', 'gcs') | ||
| usage_type TEXT CHECK (usage_type IN ('cloud', 'iceberg_storage', 'wal_storage')), | ||
| provider TEXT CHECK (storage_provider IN ('aws', 's3', 'gcs')), |
There was a problem hiding this comment.
There is a typo in the CHECK constraint. It refers to storage_provider, but the column has been renamed to provider. This will cause a SQL error when creating the table or inserting data.
provider TEXT CHECK (provider IN ('aws', 's3', 'gcs')),| s_ice.provider AS iceberg_storage_provider, | ||
| s_ice.key_id AS iceberg_key_id, | ||
| s_ice.secret AS iceberg_secret, | ||
| s_ice.endpoint AS iceberg_endpoint, | ||
| s_ice.region AS iceberg_region, | ||
| s_ice.project AS iceberg_project, | ||
| s_wal.storage_provider AS wal_storage_provider, | ||
| s_wal.provider AS wal_storage_provider, |
There was a problem hiding this comment.
The LEFT JOIN conditions for s_ice and s_wal use usage_type = 'iceberg' and usage_type = 'wal' respectively. However, in create_secrets.sql, these usage_type values have been changed to 'iceberg_storage' and 'wal_storage'. This query will now fail to retrieve any secrets for iceberg and WAL. The usage_type values in the ON clauses must be updated to match the new schema.
| let table_config_entry = config_utils::parse_moonlink_table_config(moonlink_table_config)?; | ||
| let serialized_config = serde_json::to_string(&table_config_entry.serialized_config)?; |
There was a problem hiding this comment.
This refactoring is incomplete and has introduced several critical issues that will cause compile-time and runtime errors:
- The variables
iceberg_secretandwal_secret, used later in the function, are no longer defined after this change. - The new
cloud_vendor_secretis extracted intotable_config_entrybut is never persisted to the database. - The subsequent
INSERTstatements into thesecretstable are incorrect as they use:- Hardcoded
usage_typevalues ('iceberg','wal') that are now invalid according to the updated schema. They should be'iceberg_storage'and'wal_storage'. - The old column name
storage_providerwhich has been renamed toprovider.
- Hardcoded
The entire function needs to be fixed to correctly extract secrets from table_config_entry and persist them using the correct SQL.
| secret: aws_security_config.security_access_key.clone(), | ||
| project: None, | ||
| endpoint: None, | ||
| region: None, |
There was a problem hiding this comment.
The region from AwsSecurityConfig is not being used when creating the MoonlinkTableSecret. The region field is being set to None, but it should be populated from aws_security_config.region. This could lead to issues when interacting with AWS services that require a region.
| region: None, | |
| region: Some(aws_security_config.region.clone()), |
| region: None, | ||
| }) | ||
| } | ||
| _ => None |
There was a problem hiding this comment.
Using a wildcard _ => None makes this match statement less robust. If new variants are added to CloudSecurityConfig (e.g., for another cloud provider), they will be silently ignored and return None instead of causing a compile error for an unhandled variant. It's better to have an exhaustive match to catch this at compile time and ensure all variants are handled correctly.
| IcebergCatalogConfig::Glue { glue_catalog_config } => { | ||
| Some(glue_catalog_config.cloud_secret_config.clone()) | ||
| } | ||
| _ => None |
There was a problem hiding this comment.
Using a wildcard _ => None makes this match statement less robust. If new variants are added to IcebergCatalogConfig that contain cloud secrets, they will be silently ignored instead of causing a compile error for an unhandled variant. It's better to have an exhaustive match to ensure all cases are handled.
| let cloud_secret_config = if let Some(cloud_secret_config) = iceberg_config.metadata_accessor_config.get_cloud_secret_config() { | ||
| cloud_secret_config.extract_security_metadata_entry() | ||
| } else { | ||
| None | ||
| }; |
There was a problem hiding this comment.
This if let ... else block can be written more concisely and idiomatically using Option::and_then.
let cloud_secret_config = iceberg_config
.metadata_accessor_config
.get_cloud_secret_config()
.and_then(|config| config.extract_security_metadata_entry());
Summary
Briefly explain what this PR does.
Related Issues
Closes # or links to related issues.
Changes
Checklist