[feat](vault) Support keyless GCS vaults with GKE Workload Identity#65433
[feat](vault) Support keyless GCS vaults with GKE Workload Identity#65433cyriltovena wants to merge 7 commits into
Conversation
…ult Credentials
Storage vaults on GCS currently require static HMAC keys: the only
credential fields an S3-type vault accepts for provider GCP are
s3.access_key/s3.secret_key. Every other credential mode
(role_arn, s3.credentials_provider_type) is AWS-only, so clusters
running on GKE cannot use Workload Identity and must mint and
distribute long-lived HMAC key pairs.
This adds a new credentials provider type, GCP_ADC, valid only for
provider GCP vaults:
CREATE STORAGE VAULT gcs_vault PROPERTIES (
"type" = "S3",
"s3.endpoint" = "storage.googleapis.com",
"s3.region" = "us-central1",
"s3.bucket" = "my-bucket",
"s3.root.path" = "doris",
"provider" = "GCP",
"s3.credentials_provider_type" = "gcp_adc"
);
The GCS XML API accepts OAuth2 bearer tokens as an alternative to
HMAC signatures, so no new SDK dependency is needed:
- A shared GcpAdcTokenProvider (common/cpp) resolves tokens following
the Application Default Credentials order: a service account json
pointed to by GOOGLE_APPLICATION_CREDENTIALS (JWT assertion signed
with OpenSSL, exchanged at the OAuth2 token endpoint), else the
GCE/GKE metadata server (i.e. Workload Identity). Tokens are cached
and refreshed ahead of expiry. Built on the AWS SDK's own HTTP/JSON
utilities.
- BE S3ObjStorageClient and recycler S3ObjClient attach the token as
an Authorization: Bearer header per request; the S3 client is
created with anonymous credentials so SigV4 signing is skipped
(mirroring how the existing keyless credential providers reuse the
provider seam added for vaults without role ARN).
- FE validates the property combination (provider GCP only, mutually
exclusive with ak/sk and role_arn) and skips its static-credential
connectivity probe; the BE probes the vault at startup instead,
like assumed-role vaults.
- Meta-service accepts keyless GCP vaults on ADD_S3_VAULT and
ALTER_S3_VAULT (switching an existing HMAC vault to GCP_ADC clears
the stored keys, symmetric with the ak/sk <-> role_arn switches).
Presigned URLs are not supported in this mode (a bearer token cannot
be embedded in a URL) and return an empty string with a warning.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Thank you for your contribution to Apache Doris. Please clearly describe your PR:
|
|
/review |
|
run buildall |
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
run buildall |
FE UT Coverage ReportIncrement line coverage |
TPC-H: Total hot run time: 29324 ms |
|
run feut |
TPC-DS: Total hot run time: 180486 ms |
BE UT Coverage ReportIncrement line coverage Increment coverage report
|
ClickBench: Total hot run time: 25.61 s |
BE Regression && UT Coverage ReportIncrement line coverage Increment coverage report
|
FE Regression Coverage ReportIncrement line coverage |
|
run buildall |
TPC-H: Total hot run time: 29454 ms |
TPC-DS: Total hot run time: 180054 ms |
ClickBench: Total hot run time: 25.02 s |
|
run p0 |
|
run buildall |
|
run feut |
|
run p0 |
|
/review |
1 similar comment
|
/review |
|
run p0 |
|
run feut |
|
/review |
|
run buildall |
|
/review |
|
/review |
|
run feut |
|
run buildall |
Cloud UT Coverage ReportIncrement line coverage Increment coverage report
|
TPC-H: Total hot run time: 29557 ms |
BE UT Coverage ReportIncrement line coverage Increment coverage report
|
TPC-DS: Total hot run time: 179704 ms |
ClickBench: Total hot run time: 25.85 s |
FE UT Coverage ReportIncrement line coverage |
BE Regression && UT Coverage ReportIncrement line coverage Increment coverage report
|
FE Regression Coverage ReportIncrement line coverage |
What problem does this PR solve?
Issue Number: close #65432
Related PRs: #62788, #64766
Problem:
GCP storage vaults currently require long-lived HMAC access keys. GKE deployments using Workload Identity Federation have no supported way to authenticate the vault data path with the pod's short-lived Google identity.
Solution:
Add
gcp_workload_identity, a GCP-only storage-vault credentials provider. BE and recycler obtain short-lived OAuth2 tokens from the GKE/GCE metadata server and attach them to GCS XML API requests while leaving AWS SigV4 signing disabled.CREATE STORAGE VAULT gcs_vault PROPERTIES ( "type" = "S3", "s3.endpoint" = "storage.googleapis.com", "s3.region" = "us-central1", "s3.bucket" = "my-bucket", "s3.root.path" = "doris", "provider" = "GCP", "s3.credentials_provider_type" = "gcp_workload_identity" );The implementation:
CredProviderTypePB::GCP_WORKLOAD_IDENTITYfor storage-vault protobuf propagation. The legacy S3 resource/Thrift path remains unchanged.NotSupportedresult when a caller requests a presigned URL, rather than returning an empty string.Security Impact:
This removes the need to distribute long-lived HMAC keys on GKE. Workload Identity is restricted to
provider = GCPand the canonicalhttps://storage.googleapis.comendpoint at FE, meta-service, BE, and recycler boundaries. HTTP and arbitrary endpoints are rejected so OAuth bearer tokens cannot be sent to an untrusted destination. Token acquisition failure also fails closed instead of silently falling back to anonymous access.Testing:
git diff --check, clang-format validation, and protobuf syntax validation pass.Release note
Support keyless GCS storage vault authentication on GKE with Workload Identity Federation using
"s3.credentials_provider_type" = "gcp_workload_identity".Check List (For Author)
Test
Behavior changed:
Does this need documentation?
Check List (For Reviewer who merge this PR)