Skip to content

Relax ARN validation logic #3071

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 26, 2025
Merged

Relax ARN validation logic #3071

merged 1 commit into from
Nov 26, 2025
+3 −47

Conversation

@dimas-b
Copy link
Contributor

@dimas-b dimas-b commented Nov 17, 2025
edited
Loading

Following up on #3005, which allowed a wide range of ARN values in the validation RegEx, remove an additional explicit check for aws-cn being present in the ARN as a sub-string.

Update existing unit tests to process aws-cn ARNs as common aws ARNs.

Note: the old validation code does not look correct because it used to check for aws-cn anywhere in the ARN string, not just in its "partition" component.

Checklist

  • 🛡️ Don't disclose security issues! (contact security@apache.org)
  • 🔗 Clearly explained why the changes are needed, or linked related issues: Fixes #
  • 🧪 Added/updated tests with good coverage, or manually tested (and explained how)
  • 💡 Added comments for complex logic
  • 🧾 Updated CHANGELOG.md (if needed)
  • 📚 Updated documentation in site/content/in-dev/unreleased (if needed)

@dimas-b
Relax ARN validation logic
faac5ac 
Following up on apache#3005, which allowed a wide range of ARN values in the validation RegEx, remove an additional explicit check for `aws-cn` being present in the ARN as a sub-string.

Update existing unit tests to process `aws-cn` ARNs as common `aws` ARNs.

Note: the old validation code does not look correct because it used to check for `aws-cn` anywhere in the ARN string, not just in its "partition" component.
@github-project-automation github-project-automation bot moved this to PRs In Progress in Basic Kanban Board Nov 17, 2025
@dimas-b
Copy link
Contributor Author

dimas-b commented Nov 17, 2025

Related dev ML discussion: https://lists.apache.org/thread/dxybjf4w4or1vmpb25zq6m5gso96rr4j

adnanhemani
adnanhemani reviewed Nov 17, 2025
View reviewed changes
...c/test/java/org/apache/polaris/service/storage/aws/AwsCredentialsStorageIntegrationTest.java
break;
case "aws-cn":
roleARN = "arn:aws-cn:iam::012345678901:role/jdoe";
region = "Beijing";
Copy link
Contributor

@adnanhemani adnanhemani Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"Beijing" is not a valid AWS region name. I know this is not explicitly part of the PR - but relates heavily to the scope and should be changed before we open this.

Copy link
Contributor Author

@dimas-b dimas-b Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why should it be changed precisely?

Copy link
Contributor Author

@dimas-b dimas-b Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a unit test, it does not talk to AWS

Copy link
Member

@snazy snazy Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The test never asserted on the region name.
I think it's out of scope to let Polaris validate AWS specific region names.

Copy link
Contributor Author

@dimas-b dimas-b Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@adnanhemani : are you ok with merging this PR "as is"?

Copy link
Contributor Author

@dimas-b dimas-b Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With two approvals so far, I'm assuming lazy consensus and will be merging on Nov 26 unless there are fresh comments.

Copy link
Contributor

@adnanhemani adnanhemani Nov 26, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, missed this comment (please feel free to ping on Slack if I forget again in the future!). I'm fine with merging as-is, I just find it odd to write happy-path tests (even if they are unit tests) with placeholder values that are clearly wrong - but I know you did not write this particular test.

Copy link
Contributor Author

@dimas-b dimas-b Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thx! merging

@github-project-automation github-project-automation bot moved this from PRs In Progress to Ready to merge in Basic Kanban Board Nov 20, 2025
@dimas-b dimas-b merged commit d18aa7b into apache:main Nov 26, 2025
15 checks passed
@github-project-automation github-project-automation bot moved this from Ready to merge to Done in Basic Kanban Board Nov 26, 2025
@dimas-b dimas-b deleted the relax-arn-validation branch November 26, 2025 20:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@snazy snazy snazy approved these changes

@MonkeyCanCode MonkeyCanCode MonkeyCanCode approved these changes

@flyrain flyrain Awaiting requested review from flyrain

@dennishuo dennishuo Awaiting requested review from dennishuo

@collado-mike collado-mike Awaiting requested review from collado-mike

+2 more reviewers

@adnanhemani adnanhemani adnanhemani approved these changes

@cccs-cat001 cccs-cat001 cccs-cat001 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@dimas-b @snazy @adnanhemani @MonkeyCanCode @cccs-cat001