Generalize how credentials are represented

Author: nastra

open-api/rest-catalog-open-api.py

@@ -467,6 +467,14 @@ class AssertViewUUID(BaseModel):
     uuid: str
 
 
+class Credential(BaseModel):
+    prefix: str = Field(
+        ...,
+        description='Indicates a storage location prefix where the credential is relevant. Clients should choose the most specific prefix if several credentials of the same type are available.',
+    )
+    config: Dict[str, str]
+
+
 class PlanStatus(BaseModel):
     __root__: Literal['completed', 'submitted', 'cancelled', 'failed'] = Field(
         ..., description='Status of a server-side planning operation'
@@ -1168,12 +1176,6 @@ class ViewUpdate(BaseModel):
     ]
 
 
-class Credential(BaseModel):
-    __root__: Union[ADLSCredential, GCSCredential, S3Credential] = Field(
-        ..., discriminator='type'
-    )
-
-
 class LoadTableResult(BaseModel):
     """
     Result used when a table is successfully loaded.
@@ -1203,8 +1205,7 @@ class LoadTableResult(BaseModel):
 
     ## Storage Credentials
 
-    Credentials for ADLS / GCS / S3 are provided through the `storage-credentials` field.
-    In order to avoid leaking non-expiring credentials, all credentials are required to have an expiration.
+    Credentials for ADLS / GCS / S3 / ... are provided through the `storage-credentials` field.
     Clients should first check whether the respective credentials exist in the `storage-credentials` field before checking the `config` for credentials.
 
     """
@@ -1326,19 +1327,10 @@ class LoadViewResult(BaseModel):
 
     - `token`: Authorization bearer token to use for view requests if OAuth2 security is enabled
 
-    ## Storage Credentials
-
-    Credentials for ADLS / GCS / S3 are provided through the `storage-credentials` field.
-    In order to avoid leaking non-expiring credentials, all credentials are required to have an expiration.
-    Clients should first check whether the respective credentials exist in the `storage-credentials` field before checking the `config` for credentials.
-
     """
 
     metadata_location: str = Field(..., alias='metadata-location')
     metadata: ViewMetadata
-    storage_credentials: Optional[List[Credential]] = Field(
-        None, alias='storage-credentials'
-    )
     config: Optional[Dict[str, str]] = None
 
 
@@ -1422,50 +1414,6 @@ class Schema(StructType):
     )
 
 
-class ADLSCredential(BaseModel):
-    type: Literal['adls']
-    prefix: Optional[str] = Field(
-        None,
-        description='Indicates a storage location prefix where the credential is relevant. Clients should choose the most specific prefix if several credentials of the same type are available.',
-    )
-    sas_token: str = Field(..., alias='sas-token')
-    expires_at_ms: int = Field(
-        ...,
-        alias='expires-at-ms',
-        description='The epoch millis since 1970-01-01T00:00:00Z at which the given token expires',
-    )
-
-
-class GCSCredential(BaseModel):
-    type: Literal['gcs']
-    prefix: Optional[str] = Field(
-        None,
-        description='Indicates a storage location prefix where the credential is relevant. Clients should choose the most specific prefix if several credentials of the same type are available.',
-    )
-    token: str
-    expires_at_ms: int = Field(
-        ...,
-        alias='expires-at-ms',
-        description='The epoch millis since 1970-01-01T00:00:00Z at which the given token expires',
-    )
-
-
-class S3Credential(BaseModel):
-    type: Literal['s3']
-    prefix: Optional[str] = Field(
-        None,
-        description='Indicates a storage location prefix where the credential is relevant. Clients should choose the most specific prefix if several credentials of the same type are available.',
-    )
-    access_key_id: str = Field(..., alias='access-key-id')
-    secret_access_key: str = Field(..., alias='secret-access-key')
-    session_token: str = Field(..., alias='session-token')
-    expires_at_ms: int = Field(
-        ...,
-        alias='expires-at-ms',
-        description='The epoch millis since 1970-01-01T00:00:00Z at which the given token expires',
-    )
-
-
 class CompletedPlanningResult(ScanTasks):
     """
     Completed server-side planning result
@@ -1498,16 +1446,12 @@ class CompletedPlanningWithIDResult(CompletedPlanningResult):
 TableMetadata.update_forward_refs()
 ViewMetadata.update_forward_refs()
 AddSchemaUpdate.update_forward_refs()
-Credential.update_forward_refs()
 ScanTasks.update_forward_refs()
 FetchPlanningResult.update_forward_refs()
 PlanTableScanResult.update_forward_refs()
 CreateTableRequest.update_forward_refs()
 CreateViewRequest.update_forward_refs()
 ReportMetricsRequest.update_forward_refs()
-ADLSCredential.update_forward_refs()
-GCSCredential.update_forward_refs()
-S3Credential.update_forward_refs()
 CompletedPlanningResult.update_forward_refs()
 FetchScanTasksResult.update_forward_refs()
 CompletedPlanningWithIDResult.update_forward_refs()

open-api/rest-catalog-open-api.yaml

@@ -3103,94 +3103,21 @@ components:
         uuid:
           type: string
 
-    ADLSCredential:
-      type: object
-      allOf:
-        - $ref: '#/components/schemas/Credential'
-      required:
-        - type
-        - sas-token
-        - expires-at-ms
-      properties:
-        type:
-          type: string
-          enum: [ "adls" ]
-        prefix:
-          type: string
-          description: Indicates a storage location prefix where the credential is relevant. Clients should choose the most
-            specific prefix if several credentials of the same type are available.
-        sas-token:
-          type: string
-        expires-at-ms:
-          type: integer
-          format: int64
-          description: The epoch millis since 1970-01-01T00:00:00Z at which the given token expires
-
-
-    GCSCredential:
-      type: object
-      allOf:
-        - $ref: '#/components/schemas/Credential'
-      required:
-        - type
-        - token
-        - expires-at-ms
-      properties:
-        type:
-          type: string
-          enum: [ "gcs" ]
-        prefix:
-          type: string
-          description: Indicates a storage location prefix where the credential is relevant. Clients should choose the most
-            specific prefix if several credentials of the same type are available.
-        token:
-          type: string
-        expires-at-ms:
-          type: integer
-          format: int64
-          description: The epoch millis since 1970-01-01T00:00:00Z at which the given token expires
-
-    S3Credential:
+    Credential:
       type: object
-      allOf:
-        - $ref: '#/components/schemas/Credential'
       required:
-        - type
-        - access-key-id
-        - secret-access-key
-        - session-token
-        - expires-at-ms
+        - prefix
+        - config
       properties:
-        type:
-          type: string
-          enum: [ "s3" ]
         prefix:
           type: string
           description: Indicates a storage location prefix where the credential is relevant. Clients should choose the most
             specific prefix if several credentials of the same type are available.
-        access-key-id:
-          type: string
-        secret-access-key:
-          type: string
-        session-token:
-          type: string
-        expires-at-ms:
-          type: integer
-          format: int64
-          description: The epoch millis since 1970-01-01T00:00:00Z at which the given token expires
+        config:
+          type: object
+          additionalProperties:
+            type: string
 
-    Credential:
-      type: object
-      discriminator:
-        propertyName: type
-        mapping:
-          adls: '#/components/schemas/ADLSCredential'
-          gcs: '#/components/schemas/GCSCredential'
-          s3: '#/components/schemas/S3Credential'
-      oneOf:
-        - $ref: '#/components/schemas/ADLSCredential'
-        - $ref: '#/components/schemas/GCSCredential'
-        - $ref: '#/components/schemas/S3Credential'
 
     LoadTableResult:
       description: |
@@ -3221,8 +3148,7 @@ components:
 
         ## Storage Credentials
 
-        Credentials for ADLS / GCS / S3 are provided through the `storage-credentials` field.
-        In order to avoid leaking non-expiring credentials, all credentials are required to have an expiration.
+        Credentials for ADLS / GCS / S3 / ... are provided through the `storage-credentials` field.
         Clients should first check whether the respective credentials exist in the `storage-credentials` field before checking the `config` for credentials.
       type: object
       required:
@@ -3493,12 +3419,6 @@ components:
         ## General Configurations
 
         - `token`: Authorization bearer token to use for view requests if OAuth2 security is enabled
-
-        ## Storage Credentials
-
-        Credentials for ADLS / GCS / S3 are provided through the `storage-credentials` field.
-        In order to avoid leaking non-expiring credentials, all credentials are required to have an expiration.
-        Clients should first check whether the respective credentials exist in the `storage-credentials` field before checking the `config` for credentials.
       type: object
       required:
         - metadata-location
@@ -3508,10 +3428,6 @@ components:
           type: string
         metadata:
           $ref: '#/components/schemas/ViewMetadata'
-        storage-credentials:
-          type: array
-          items:
-            $ref: '#/components/schemas/Credential'
         config:
           type: object
           additionalProperties: