Fix IAM auth and add test

antonio2368 · antonio2368 · commit a44cf477dc5b · 2026-02-05T15:32:03.000+01:00
diff --git a/src/Databases/DataLake/GlueCatalog.cpp b/src/Databases/DataLake/GlueCatalog.cpp
@@ -92,7 +92,6 @@ GlueCatalog::GlueCatalog(
     : ICatalog("")
     , DB::WithContext(context_)
     , log(getLogger("GlueCatalog(" + settings_.region + ")"))
-    , credentials(settings_.aws_access_key_id, settings_.aws_secret_access_key)
     , region(settings_.region)
     , settings(settings_)
     , table_engine_definition(table_engine_definition_)
@@ -132,38 +131,41 @@ GlueCatalog::GlueCatalog(
         /* opt_disk_name = */ {},
         /* request_throttler = */ {});
 
+
     Aws::Glue::GlueClientConfiguration client_configuration;
     client_configuration.maxConnections = static_cast<unsigned>(global_settings[DB::Setting::s3_max_connections]);
     client_configuration.connectTimeoutMs = static_cast<unsigned>(global_settings[DB::Setting::s3_connect_timeout_ms]);
     client_configuration.requestTimeoutMs = static_cast<unsigned>(global_settings[DB::Setting::s3_request_timeout_ms]);
     client_configuration.region = region;
     auto endpoint_provider = std::make_shared<Aws::Glue::GlueEndpointProvider>();
 
+    Aws::Auth::AWSCredentials credentials(settings_.aws_access_key_id, settings_.aws_secret_access_key);
     /// Only for testing when we are mocking glue
     if (!endpoint.empty())
     {
         client_configuration.endpointOverride = endpoint;
         endpoint_provider->OverrideEndpoint(endpoint);
-        Aws::Auth::AWSCredentials fake_credentials_for_fake_catalog;
+
         if (credentials.IsEmpty())
         {
             /// You can specify any key for fake moto glue, it's just important
             /// for it not to be empty.
-            fake_credentials_for_fake_catalog.SetAWSAccessKeyId("testing");
-            fake_credentials_for_fake_catalog.SetAWSSecretKey("testing");
+            credentials.SetAWSAccessKeyId("testing");
+            credentials.SetAWSSecretKey("testing");
         }
-        else
-            fake_credentials_for_fake_catalog = credentials;
 
-        glue_client = std::make_unique<Aws::Glue::GlueClient>(fake_credentials_for_fake_catalog, endpoint_provider, client_configuration);
+        Poco::URI uri(endpoint);
+        if (uri.getScheme() == "http")
+            poco_config.scheme = Aws::Http::Scheme::HTTP;
     }
     else
     {
         LOG_TRACE(log, "Creating AWS glue client with credentials empty {}, region '{}', endpoint '{}'", credentials.IsEmpty(), region, endpoint);
-        auto credentials_provider = DB::S3::getCredentialsProvider(poco_config, credentials, creds_config);
-        glue_client = std::make_unique<Aws::Glue::GlueClient>(credentials_provider, endpoint_provider, client_configuration);
     }
 
+    credentials_provider = DB::S3::getCredentialsProvider(poco_config, credentials, creds_config);
+    glue_client = std::make_unique<Aws::Glue::GlueClient>(credentials_provider, endpoint_provider, client_configuration);
+
 }
 
 GlueCatalog::~GlueCatalog() = default;
@@ -287,7 +289,6 @@ bool GlueCatalog::tryGetTableMetadata(
     request.SetDatabaseName(database_name);
     request.SetName(table_name);
 
-
     auto outcome = glue_client->GetTable(request);
     if (outcome.IsSuccess())
     {
@@ -414,8 +415,9 @@ void GlueCatalog::setCredentials(TableMetadata & metadata) const
 
     if (storage_type == StorageType::S3)
     {
-        auto creds = std::make_shared<S3Credentials>(credentials.GetAWSAccessKeyId(), credentials.GetAWSSecretKey(), credentials.GetSessionToken());
-        metadata.setStorageCredentials(creds);
+        auto credentials = credentials_provider->GetAWSCredentials();
+        auto s3_creds = std::make_shared<S3Credentials>(credentials.GetAWSAccessKeyId(), credentials.GetAWSSecretKey(), credentials.GetSessionToken());
+        metadata.setStorageCredentials(s3_creds);
     }
     else
     {
@@ -494,9 +496,14 @@ GlueCatalog::ObjectStorageWithPath GlueCatalog::createObjectStorageForEarlyTable
     if (args.size() == 1)
     {
         if (table_metadata.hasStorageCredentials())
+        {
             table_metadata.getStorageCredentials()->addCredentialsToEngineArgs(args);
-        else if (!credentials.IsExpiredOrEmpty())
+        }
+        else
+        {
+            auto credentials = credentials_provider->GetAWSCredentials();
             DataLake::S3Credentials(credentials.GetAWSAccessKeyId(), credentials.GetAWSSecretKey(), credentials.GetSessionToken()).addCredentialsToEngineArgs(args);
+        }
     }
 
     auto storage_settings = std::make_shared<DB::DataLakeStorageSettings>();
diff --git a/src/Databases/DataLake/GlueCatalog.h b/src/Databases/DataLake/GlueCatalog.h
@@ -18,6 +18,11 @@ namespace Aws::Glue
     class GlueClient;
 }
 
+namespace Aws::Auth
+{
+    class AWSCredentialsProvider;
+}
+
 namespace DataLake
 {
 
@@ -69,7 +74,7 @@ class GlueCatalog final : public ICatalog, private DB::WithContext
 
     std::unique_ptr<Aws::Glue::GlueClient> glue_client;
     const LoggerPtr log;
-    Aws::Auth::AWSCredentials credentials;
+    std::shared_ptr<Aws::Auth::AWSCredentialsProvider> credentials_provider;
     std::string region;
     CatalogSettings settings;
     DB::ASTPtr table_engine_definition;
diff --git a/tests/integration/compose/docker_compose_glue_catalog.yml b/tests/integration/compose/docker_compose_glue_catalog.yml
@@ -47,6 +47,5 @@ services:
       until (/usr/bin/mc config host add minio http://minio:9000 minio ClickHouse_Minio_P@ssw0rd) do echo '...waiting...' && sleep 1; done;
       /usr/bin/mc rm -r --force minio/warehouse-glue;
       /usr/bin/mc mb minio/warehouse-glue --ignore-existing;
-      /usr/bin/mc policy set public minio/warehouse-glue;
       tail -f /dev/null
       "
diff --git a/tests/integration/test_database_glue/s3_mocks/mock_sts.py b/tests/integration/test_database_glue/s3_mocks/mock_sts.py
@@ -0,0 +1,42 @@
+import sys
+from datetime import datetime, timedelta, timezone
+
+from bottle import request, response, route, run
+
+if len(sys.argv) >= 3:
+    expected_role = sys.argv[2]
+else:
+    expected_role = 'miniorole'
+
+@route("/")
+def ping():
+    response.content_type = "text/plain"
+    response.set_header("Content-Length", 2)
+    return "OK"
+
+
+@route("/", method="POST")
+def sts():
+    access_key = "minio"
+    secret_access_key = "wrong_key"
+
+    if f"RoleSessionName={expected_role}" in str(request.url):
+        secret_access_key = "ClickHouse_Minio_P@ssw0rd"
+
+    expiration = datetime.now(timezone.utc) + timedelta(hours=1)
+    expiration_str = expiration.strftime("%Y-%m-%dT%H:%M:%SZ")
+
+    response.content_type = "text/xml"
+    return f"""
+        <AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
+            <AssumeRoleResult>
+                <Credentials>
+                    <AccessKeyId>{access_key}</AccessKeyId>
+                    <SecretAccessKey>{secret_access_key}</SecretAccessKey>
+                    <Expiration>{expiration_str}</Expiration>
+                </Credentials>
+            </AssumeRoleResult>
+        </AssumeRoleResponse>
+    """
+
+run(host="0.0.0.0", port=int(sys.argv[1]))
diff --git a/tests/integration/test_database_glue/test.py b/tests/integration/test_database_glue/test.py
@@ -29,9 +29,20 @@
 )
 
 from helpers.cluster import ClickHouseCluster, ClickHouseInstance, is_arm
+from helpers.mock_servers import start_mock_servers
 
 import boto3
 
+
+def run_s3_mocks(started_cluster, args=[]):
+    script_dir = os.path.join(os.path.dirname(__file__), "s3_mocks")
+    start_mock_servers(
+        started_cluster,
+        script_dir,
+        [("mock_sts.py", "sts.us-east-1.amazonaws.com", "80", args)],
+    )
+
+
 CATALOG_NAME = "test"
 
 BASE_URL = "http://glue:3000"
@@ -182,7 +193,7 @@ def generate_arrow_data(num_rows=5):
     return table
 
 def create_clickhouse_glue_database(
-    started_cluster, node, name, additional_settings={}
+    started_cluster, node, name, additional_settings={}, with_credentials=True
 ):
     settings = {
         "catalog_type": "glue",
@@ -193,12 +204,14 @@ def create_clickhouse_glue_database(
 
     settings.update(additional_settings)
 
+    credential_args = f",'{minio_access_key}', '{minio_secret_key}'" if with_credentials else ""
+
     node.query(
         f"""
 DROP DATABASE IF EXISTS {name};
 SET allow_database_glue_catalog=true;
 SET write_full_path_in_iceberg_metadata=true;
-CREATE DATABASE {name} ENGINE = DataLakeCatalog('{BASE_URL}', '{minio_access_key}', '{minio_secret_key}')
+CREATE DATABASE {name} ENGINE = DataLakeCatalog('{BASE_URL}'{credential_args})
 SETTINGS {",".join((k+"="+repr(v) for k, v in settings.items()))}
     """
     )
@@ -251,8 +264,20 @@ def started_cluster():
             with_glue_catalog=True,
         )
 
+        sts = cluster.add_instance(
+            name="sts.us-east-1.amazonaws.com",
+            hostname="sts.us-east-1.amazonaws.com",
+            image="clickhouse/python-bottle",
+            tag="latest",
+            stay_alive=True,
+        )
+        sts.stop_clickhouse(kill=True)
+
         logging.info("Starting cluster...")
         cluster.start()
+        logging.info("Cluster started")
+
+        run_s3_mocks(cluster)
 
         yield cluster
 
@@ -715,3 +740,75 @@ def test_table_without_metadata_location(started_cluster):
     assert "Iceberg" in create_table_result, f"Expected Iceberg engine in: {create_table_result}"
 
     node.query(f"DROP DATABASE IF EXISTS {db_name} SYNC")
+
+
+def test_sts_smoke(started_cluster):
+    """Test that STS authentication works with Glue catalog using role_arn and role_session_name"""
+    node = started_cluster.instances["node1"]
+
+    test_ref = f"test_sts_smoke_{uuid.uuid4()}"
+    table_name = f"{test_ref}_table"
+    root_namespace = f"{test_ref}_namespace"
+
+    catalog = load_catalog_impl(started_cluster)
+    catalog.create_namespace(root_namespace)
+
+    schema = Schema(
+        NestedField(field_id=1, name="id", field_type=StringType(), required=False),
+        NestedField(field_id=2, name="value", field_type=DoubleType(), required=False),
+    )
+    table = create_table(catalog, root_namespace, table_name, schema, PartitionSpec(), DEFAULT_SORT_ORDER, dir=table_name)
+
+    data = [
+        {"id": "row1", "value": 10.0},
+        {"id": "row2", "value": 20.0},
+        {"id": "row3", "value": 30.0},
+    ]
+    df = pa.Table.from_pylist(data)
+    table.append(df)
+
+    # Test with wrong role_session_name - should fail
+    db_name_fail = f"db_fail_{test_ref.replace('-', '_')}"
+    create_clickhouse_glue_database(
+        started_cluster,
+        node,
+        db_name_fail,
+        additional_settings={
+            "aws_role_arn": "arn::role",
+            "aws_role_session_name": "wrongsession",
+        },
+        with_credentials=False,
+    )
+
+    # Query should fail with wrong session name
+    try:
+        result = node.query(
+            f"SELECT sum(value) FROM {db_name_fail}.`{root_namespace}.{table_name}` "
+            f"SETTINGS s3_max_single_read_retries = 1, s3_retry_attempts = 1, s3_request_timeout_ms = 1000"
+        )
+        assert False, f"Expected query to fail with wrong session name but got result: {result}"
+    except Exception as e:
+        error_str = str(e)
+        assert "403" in error_str or "Failed to get object info" in error_str or "HTTP response code: 403" in error_str, \
+            f"Expected 403 error but got: {error_str}"
+
+    # Test with correct role_session_name - should succeed
+    db_name_success = f"db_success_{test_ref.replace('-', '_')}"
+    create_clickhouse_glue_database(
+        started_cluster,
+        node,
+        db_name_success,
+        additional_settings={
+            "aws_role_arn": "arn::role",
+            "aws_role_session_name": "miniorole",
+        },
+        with_credentials=False,
+    )
+
+    # Query should succeed with correct session name
+    result = node.query(f"SELECT sum(value) FROM {db_name_success}.`{root_namespace}.{table_name}`")
+    assert result.strip() == "60", f"Expected sum to be 60 but got: {result}"
+
+    # Cleanup
+    node.query(f"DROP DATABASE IF EXISTS {db_name_fail} SYNC")
+    node.query(f"DROP DATABASE IF EXISTS {db_name_success} SYNC")

Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,5 @@ services:`
`47`	`47`	`until (/usr/bin/mc config host add minio http://minio:9000 minio ClickHouse_Minio_P@ssw0rd) do echo '...waiting...' && sleep 1; done;`
`48`	`48`	`/usr/bin/mc rm -r --force minio/warehouse-glue;`
`49`	`49`	`/usr/bin/mc mb minio/warehouse-glue --ignore-existing;`
`50`		`- /usr/bin/mc policy set public minio/warehouse-glue;`
`51`	`50`	`tail -f /dev/null`
`52`	`51`	`"`