Require explicit user-consent to enable HadoopFileIO #1532
Conversation
snazy
requested review from
adutra,
ashvina,
dennishuo,
dimas-b,
eric-maynard,
jackye1995,
jbonofre,
vvcephei and
collado-mike
as code owners
snazy
requested review from
RussellSpitzer,
takidau,
MonkeyCanCode,
flyrain,
ebyhr and
HonahX
as code owners
| "polaris.features.defaults.\"INITIALIZE_DEFAULT_CATALOG_FILEIO_FOR_TEST\"", | ||
| "true", | ||
| "polaris.features.defaults.\"SUPPORTED_CATALOG_STORAGE_TYPES\"", | ||
| "[\"FILE\"]"); | ||
| "[\"FILE\",\"S3\"]", | ||
| "polaris.readiness.ignore-security-issues", |
There was a problem hiding this comment.
WDYT about putting this into a global quarkus test config profile?
There was a problem hiding this comment.
Yea - but I guess all Quarkus profiles should either be special per-test or unified/composable or moved to a central place.
There was a problem hiding this comment.
composition works by default... one can have application.properties and profile classes at the same time and their properties are merged, right?
There was a problem hiding this comment.
Yea - but let's defer to a separate PR to clean all those up.
|
This is not a bug. |
polaris-core/src/main/java/org/apache/polaris/core/config/FeatureConfiguration.java
Outdated
Show resolved
Hide resolved
| .defaultValue(false) | ||
| .buildFeatureConfiguration(); | ||
|
|
||
| public static final FeatureConfiguration<Boolean> |
There was a problem hiding this comment.
I don't see how this isn't completely redundant with SUPPORTED_CATALOG_STORAGE_TYPES
There was a problem hiding this comment.
It's there to make the fact mentioned in the description explicit.
There was a problem hiding this comment.
If you put FILE in SUPPORTED_CATALOG_STORAGE_TYPES that seems quite explicit no?
There was a problem hiding this comment.
@eric-maynard You are correct in that this flag is redundant. However, I believe the intent here is to make the consequences 100% explicit.
I can see how some newcomers may overlook the SUPPORTED_CATALOG_STORAGE_TYPES=[..., "FILE"] during a configuration review and not realize the consequences it could have. Whereas an environment variable that contains "insecure" and "security risks" will definitely raise eyebrows.
Think about deleting a Github repository where you have to go to the Danger Zone, click "Delete, confirm, then confirm a second time, then type the repository name and confirm a third time". Here, given the consequences, I think it is worth having a double-confirmation of the FILE storage type.
There was a problem hiding this comment.
I have a hard time believing we can't incrementalize this change the evaluate the necessity of the individual components of it. We're going from this being in the default config for multiple releases to requiring multiple flags to enable it.
There was a problem hiding this comment.
AFAICT, because HadoopFileIO is considered insecure, we want to make it hard for users to do the wrong thing. Hence the addition of multiple flags. With the current way, it is trivial to accidentally overlook the activation of HadoopFileIO.
There could be other proposals for this implementation. But then they will be evaluated against this one goal: make it hard for users to do the wrong thing.
There was a problem hiding this comment.
I think you are (and maybe this PR is) conflating two things -- FILE storage type and HadoopFileIO. They are not always the same.
SUPPORTED_CATALOG_STORAGE_TYPES is probably sufficient to disallow the FILE storage type. FILE shouldn't be in the default, but I think it's too great a leap to go from having it in the default to requiring multiple flags to enable it.
For disallowing HadoopFileIO, we need a different approach than what's done in this PR.
There was a problem hiding this comment.
Concrete suggestions for improvements are always welcome.
There was a problem hiding this comment.
However, this PR addresses some issue that should really be mitigated quickly.
| @@ -55,26 +62,53 @@ public class ProductionReadinessChecks { | |||
| */ | |||
| private static final String WARNING_SIGN_UTF_8 = "\u0000\u26A0\uFE0F"; | |||
|
|
|||
| private static final String SEVERE_SIGN_UTF_8 = "\u0000\uD83D\uDED1"; | |||
There was a problem hiding this comment.
These changes seem pretty unnecessary
There was a problem hiding this comment.
I do think that there are nuances in what's a warning and what's severe.
There was a problem hiding this comment.
That may be so, but I don't think this change is necessary to Require explict user-consent to enable HadoopFileIO
There was a problem hiding this comment.
@eric-maynard I am not sure what the ask is here. Would you rather have the UTF-8 icon and/or the log message implemented in a separate PR? Or do you mean that the PR title should be a bit more general?
There was a problem hiding this comment.
Sure, I think a separate PR for these changes could be a good idea. If this PR really is a bugfix, let's not couple unnecessary changes with it.
There was a problem hiding this comment.
Let's be mindful on the overhead that too fine-grained PR would cause though...
The changes in this PR are cohesive to one another. And it is quite small. So it makes sense to submit the changes in a single PR. Splitting a PR into many tiny PRs would prevent reviewers from understanding the big picture and would not have any functional merit.
There was a problem hiding this comment.
As I think the changes are "related", I think it's fair to do the changes in one PR (even if it's just "display/rendering" messages).
There was a problem hiding this comment.
It's definitely fair, it's only a question of necessity. If there really is an urgent 1.0-blocking bugfix to be made, must we include these changes here? Are these logging changes really 1.0-blocking?
| && !configStore | ||
| .getConfiguration(ctx, SUPPORTED_CATALOG_STORAGE_TYPES) | ||
| .contains(storageType.name())) { |
There was a problem hiding this comment.
Storage types and File IO implementations are not necessarily the same thing; you could have any number of FileIO implementations that can talk to S3
There was a problem hiding this comment.
Yes? That's what fromFileIoImplementation() figures out, no?
There was a problem hiding this comment.
For the hard-coded FileIO implementations (assuming the implementation you have in mind is actually the one on the classpath), yes. For other implementations, no.
There was a problem hiding this comment.
@eric-maynard could you provide an example of what you mean?
There was a problem hiding this comment.
There's one in the repo here. It uses Azure, but it's not represented in StorageTypeFileIO. How is that meant to behave?
| && !configStore.getConfiguration( | ||
| ctx, ALLOW_INSECURE_STORAGE_TYPES_ACCEPTING_SECURITY_RISKS)) { | ||
| throw new ValidationException( | ||
| "File IO implementation '%s' (storage type '%s') is considered insecure and must not be used", |
There was a problem hiding this comment.
What makes a custom File IO insecure?
There was a problem hiding this comment.
Nothing. That's why there's nothing in our current documentation or code that promises that it is secure.
It is. And it is very severe. |
|
How exactly is this a bug? |
Thanks for bring this up. It's a good point to clarify whether the HadoopFileIO is suitable for production. However, there is no guarantee any of above strings ensure a secure FileIO. They can be easily injected by any customized build or even completely different implementations with the same name. I believe it is ultimately Polaris admin's responsibility to make sure their Polaris deployment as secure as possible. We(Polaris developer/community) can provide suggestions to them for sure. With that, I'm +1 on well documented behavior on HadoopFileIO, but I don't think these checking and new configurations are necessary. |
@flyrain you should really know why it's not |
| S3("org.apache.iceberg.aws.s3.S3FileIO", true), | ||
|
|
||
| GCS("org.apache.iceberg.gcp.gcs.GCSFileIO", true), | ||
|
|
||
| AZURE("org.apache.iceberg.azure.adlsv2.ADLSFileIO", true), | ||
|
|
||
| FILE("org.apache.iceberg.hadoop.HadoopFileIO", false), |
There was a problem hiding this comment.
We can't actually guarantee that the implementation found at this location by the classloader is the one you have in mind
There was a problem hiding this comment.
That is true, but again, I'd suggest improving the "precision" of checks later, after merging this PR.
There was a problem hiding this comment.
Feature configs are forever -- if we won't ever be able to make the check precise, we shouldn't ever add a config that implies a precise check. I don't see how the check can be made precise, so I am opposed to adding the config now.
There was a problem hiding this comment.
Also, HadoopFileIO is used for more than just FILE -- it's the fallback defined here. In the past we've seen it used for AZURE paths.
| static StorageTypeFileIO fromFileIoImplementation(String fileIoImplementation) { | ||
| var type = FILE_TO_TO_STORAGE_TYPE.get(fileIoImplementation); | ||
| if (type == null) { | ||
| throw new IllegalArgumentException("Unknown FileIO implementation: " + fileIoImplementation); |
There was a problem hiding this comment.
Is this expected to throw for a custom fileIO?
There was a problem hiding this comment.
Good point. I guess this goes beyond the original intent behind this PR 🤔
@snazy : WDYT about deferring the enforcement of the compile-time list of FileIO implementations?
It was present before this PR, in |
|
|
Good points. @dennishuo : is it removable now? IIRC it had some usecase before, but I'm not sure whether it is still needed 🤔 |
+1, it was left out of the original As for removing it, I don't really have an opinion. It's certainly not a change that seems necessary to fix any kind of bug. |
| * risks. | ||
| */ | ||
| @WithDefault("false") | ||
| boolean ignoreSevereIssues(); |
There was a problem hiding this comment.
Besides what's already been pointed out about the validity of the FileIO check done here, this is not a good config name. What is a "severe issue"? Does it mean that we don't ignore mild issues? Are there super-severe issues?
There was a problem hiding this comment.
@eric-maynard "Severe" is a standard term to denote the most important information. See java.util.logging.Level for an example of how it is used in the context of logs.
There was a problem hiding this comment.
Having a log level of SEVERE and a config called "ignore severe issues" are completely different things. Is the implication that this config would disable failure in all cases where we use the SEVERE logging level?
Even if that is the case, my questions stand. Does this config not apply to less-severe issues? What guidelines will qualify an issue as severe (necessitating a SEVERE log)? Have we gone back and audited all "issues" to verify none should be considered SEVERE? What even is an "issue"?
There was a problem hiding this comment.
@eric-maynard I don't know how to answer your questions. They seem related to a much bigger scope than the scope of this PR. Especially the audit part. We could extend the logic that in subsequent PRs, so that more cases are covered, if it is what you have in mind.
I guess my question to you is : how can we move this PR forward?
There was a problem hiding this comment.
I am not sure it lays out a path, that's the thing. What value would be created out of splitting this PR into smaller PRs?
It could also possibly be a topic for a ML discussion if there are PR guidelines that are not explicitly written in CONTRIBUTING.md. Maybe I am missing something...?
There was a problem hiding this comment.
We should aim for small independent code changes whenever possible. Just because two things work well together doesn't mean they should be in the same Pull request. As a generic guide, 1 "feature" per PR, small is better than bigger, independent changes should stay independent. IMHO, if the title can't cover the scope of the changes then the PR should be broken up. I think we have several independent things here as noted in the PR description. Ideally for me even refactors go in separate pull-requests. We've been a bit lax on this recently as we have adopted code from other projects but I don't think we should get in the habit.
The general benefits of this approach are for downstream integrators which can cherry-pick changes easier, and reviewers will have an easier time since net small changes are much easier to understand and usually easier to come to agreement on. (Bisecting also becomes much easier). If PR's can only be understood of a larger context, then grouping them in a project is usually the right thing to do or explaining the context in a design doc.
I think this pr itself does a great job of mapping out the independent changes in a bulleted list. IMHO, each of those points could probably approached independently since I think we already have consensus on at least some of the Items.
There was a problem hiding this comment.
It's not about PR guidelines -- there are a bunch of issues with the code changes proposed in this PR that I've highlighted in various comments. Even the questions asked in this thread are not resolved. I still don't know what a "severe issue" is.
Breaking up the change could allow us to move forward with some of the less controversial aspects of the change, but if you're opposed to that I'm also happy to continue hashing out these issues here.
There was a problem hiding this comment.
If I generally agree with the last comments, specifically in this PR, I consider the changes "related": several/rendering messages is related to clearly inform the users about allowing insecure file types.
So, it's fair to "group" related changes in one PR in this case.
Another option would have been to just focus on "warning messages" (not rendered) when allowing insecure file types. As I'm sure that 90% of the users won't use insecure file types (and use the default configuration), a warning (not seen 90% of the time) would be sufficient.
snazy
force-pushed
the
explicit-hadoop-fio
branch
2 times, most recently
from
e610053 to
23f49d2
Compare
|
See #1566 for a simple implementation removing FILE from the storage types supported by default. See this branch for an example of a simple way to prohibit the default file IO factory from letting the service use a HadoopFileIO. |
| errors.add( | ||
| Error.ofSevere( | ||
| format( | ||
| "The storage type '%s' is considered insecure and to expose the service to severe security ricks!", |
There was a problem hiding this comment.
| "The storage type '%s' is considered insecure and to expose the service to severe security ricks!", | |
| "The storage type '%s' is considered insecure and exposes the service to severe security risks!", |
| errors.add( | ||
| Error.ofSevere( | ||
| format( | ||
| "The storage type '%s' is considered insecure and to expose the service to severe security ricks!", |
There was a problem hiding this comment.
| "The storage type '%s' is considered insecure and to expose the service to severe security ricks!", | |
| "The storage type '%s' is considered insecure and exposes the service to severe security risks!", |
jbonofre
changed the title
| .defaultValue(false) | ||
| .buildFeatureConfiguration(); | ||
|
|
||
| public static final FeatureConfiguration<Boolean> ALLOW_INSECURE_STORAGE_TYPES = |
There was a problem hiding this comment.
As this is a user facing property, we need to be consistent (hard to change later).
I think this property is good enough as it's generic to any storage type (not only FILE).
| @@ -109,7 +109,7 @@ polaris.realm-context.header-name=Polaris-Realm | |||
| polaris.realm-context.require-header=false | |||
|
|
|||
| polaris.features.defaults."ENFORCE_PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_CHECKING"=false | |||
| polaris.features.defaults."SUPPORTED_CATALOG_STORAGE_TYPES"=["S3","GCS","AZURE","FILE"] | |||
| polaris.features.defaults."SUPPORTED_CATALOG_STORAGE_TYPES"=["S3","GCS","AZURE"] | |||
There was a problem hiding this comment.
Nit: For clarify, I wonder if we should not add polaris.features.defaults."ALLOW_INSECURE_STORAGE_TYPES"=false here.
| @@ -55,26 +62,53 @@ public class ProductionReadinessChecks { | |||
| */ | |||
| private static final String WARNING_SIGN_UTF_8 = "\u0000\u26A0\uFE0F"; | |||
|
|
|||
| private static final String SEVERE_SIGN_UTF_8 = "\u0000\uD83D\uDED1"; | |||
There was a problem hiding this comment.
As I think the changes are "related", I think it's fair to do the changes in one PR (even if it's just "display/rendering" messages).
| * risks. | ||
| */ | ||
| @WithDefault("false") | ||
| boolean ignoreSevereIssues(); |
There was a problem hiding this comment.
If I generally agree with the last comments, specifically in this PR, I consider the changes "related": several/rendering messages is related to clearly inform the users about allowing insecure file types.
So, it's fair to "group" related changes in one PR in this case.
Another option would have been to just focus on "warning messages" (not rendered) when allowing insecure file types. As I'm sure that 90% of the users won't use insecure file types (and use the default configuration), a warning (not seen 90% of the time) would be sufficient.
|
As I said in the email thread, I don't think |
Using `HadoopFileIO` in Polaris can enable "hidden features" that users are likely not aware of. This change requires users to manually update the configuration to be able to use `HadoopFileIO` in way that highlights the consequences of enabling it. This PR updates Polaris in multiple ways: * The default of `SUPPORTED_CATALOG_STORAGE_TYPES` is changed to not include the `FILE` storage type. * Respect the `ALLOW_SPECIFYING_FILE_IO_IMPL` configuration on namespaces, tables and views to prevent setting an `io-impl` value for anything but one of the configured, supported storage-types. * Unify validation code in a new class `IcebergPropertiesValidation`. * Using `FILE` or `HadoopFileIO` now _also_ requires the explicit configuration `ALLOW_INSECURE_STORAGE_TYPES_ACCEPTING_SECURITY_RISKS=true`. * Added production readiness checks that trigger when `ALLOW_INSECURE_STORAGE_TYPES_ACCEPTING_SECURITY_RISKS` is `true` or `SUPPORTED_CATALOG_STORAGE_TYPES` contains `FILE` (defaults and per-realm). * The two new readiness checks are considered _severe_. Severe readiness-errors prevent the server from starting up - unless the user explicitly configured `polaris.readiness.ignore-security-issues=true`. Log messages and configuration options explicitly use "clear" phrases highlighting the consequences. With these changes it is intentionally extremely difficult to start Polaris with HadoopFileIO. People who work around all these safety nets must have realized that what they are doing. A lot of the test code relies on `FILE`/`HadoopFileIO`, those tests got all the configurations to let those tests continue to work as they are, bypassing the added security safeguards.
snazy
force-pushed
the
explicit-hadoop-fio
branch
from
23f49d2 to
6403276
Compare
Using
HadoopFileIOin Polaris can enable "hidden features" that users are likely not aware of. This change requires users to manually update the configuration to be able to useHadoopFileIOin way that highlights the consequences of enabling it.This PR updates Polaris in multiple ways:
SUPPORTED_CATALOG_STORAGE_TYPESis changed to not include theFILEstorage type.ALLOW_SPECIFYING_FILE_IO_IMPLconfiguration on namespaces, tables and views to prevent setting anio-implvalue for anything but one of the configured, supported storage-types.IcebergPropertiesValidation.FILEorHadoopFileIOnow also requires the explicit configurationALLOW_INSECURE_STORAGE_TYPES_ACCEPTING_SECURITY_RISKS=true.ALLOW_INSECURE_STORAGE_TYPES_ACCEPTING_SECURITY_RISKSistrueorSUPPORTED_CATALOG_STORAGE_TYPEScontainsFILE(defaults and per-realm).polaris.readiness.ignore-security-issues=true.Log messages and configuration options explicitly use "clear" phrases highlighting the consequences.
With these changes it is intentionally extremely difficult to start Polaris with HadoopFileIO. People who work around all these safety nets must have realized that what they are doing.
A lot of the test code relies on
FILE/HadoopFileIO, those tests got all the configurations to let those tests continue to work as they are, bypassing the added security safeguards.