
Initial SigV4 Auth Support for Catalog Federation #1489


Draft: wants to merge 1 commit into base: main

Member

@XJDKC XJDKC commented Apr 29, 2025

Context

Prior Catalog Federation work:

SigV4 Auth

Details about AWS SigV4 protocol can be found here: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html

Description

This PR adds the SigV4 Auth Support so that Polaris can federate to Glue IRC / S3Tables / catalog server hosted behind the AWS API Gateway.

Details

User-provided properties:

  • roleArn: the AWS IAM role ARN; Polaris will assume the role to get a tmp AWS session credential
  • externalId: An optional external id used to establish a trust relationship with AWS in the trust policy
  • signingRegion: Region to be used by the SigV4 protocol for signing requests
  • signingName: The service name to be used by the SigV4 protocol for signing requests; the default signing name is "execute-api" if not provided
    • AWS Glue: glue
    • AWS S3Tables: s3tables
    • AWS API Gateway: execute-api

Service-provided properties:

  • userArn: The AWS user ARN used to assume the AWS role; this represents the Polaris service itself. Overall steps:
    • Step 1: Polaris will use a user AWS credential to assume the IAM role. This AWS credential is configured for Polaris; usually Polaris will read it from an environment variable
    • Step 2: After assuming the role, Polaris will get the tmp AWS credential and put these credentials into the prop map. This prop map will be used to initialize the REST Catalog Client; properties can be found in AwsProperties:
      • rest.signing-region
      • rest.signing-name
    • Step 3: RESTSigV4Signer will sign the requests based on SigV4 protocol
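
Added example (not part of the PR or of Polaris's code): the SigV4 computation that Step 3 relies on, written in Python to show how signingRegion and signingName enter the credential scope and the derived key, so a request signed as `glue` does not verify at an endpoint that expects `execute-api`. The credentials, URL and timestamp are constructed, and `verify` is a hypothetical stand-in for the receiving service's check.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample values; in the PR these come from the assumed role (Step 2).
CREDS = {"access_key": "ASIAEXAMPLE00000TEMP", "secret_key": "constructed-secret",
         "session_token": "constructed-session-token"}
URL = "https://catalog.example.com/v1/config?warehouse=demo"
AMZ_DATE = "20250429T120000Z"

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_headers(method, url, body, creds, region, service, amz_date):
    """Return the headers a SigV4 signer attaches for the given signing region and name."""
    u = urlsplit(url)
    headers = {"host": u.netloc, "x-amz-date": amz_date,
               "x-amz-security-token": creds["session_token"]}  # temporary credentials
    names = sorted(headers)
    canonical_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    signed = ";".join(names)
    query = "&".join(f"{k}={v}" for k, v in sorted(
        (quote(k, safe=""), quote(v, safe=""))
        for k, v in parse_qsl(u.query, keep_blank_values=True)))
    # Simplification: the path is encoded but not normalized (no "." or "//" handling).
    canonical = "\n".join([method, quote(u.path or "/", safe="/"), query,
                           canonical_headers, signed, hashlib.sha256(body).hexdigest()])
    # The credential scope binds the signature to one day, region and service.
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + creds["secret_key"]).encode()
    for part in (amz_date[:8], region, service, "aws4_request"):
        key = _hmac(key, part)  # derived signing key, never the raw secret
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={creds['access_key']}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers

def verify(method, url, body, creds, region, service, received):
    """Receiver side: recompute under the scope this endpoint expects and compare."""
    want = sigv4_headers(method, url, body, creds, region, service, received["x-amz-date"])
    return hmac.compare_digest(want["authorization"], received["authorization"])

if __name__ == "__main__":
    sent = sigv4_headers("GET", URL, b"", CREDS, "us-west-2", "glue", AMZ_DATE)
    print("glue endpoint accepts:", verify("GET", URL, b"", CREDS, "us-west-2", "glue", sent))
    print("execute-api endpoint accepts:",
          verify("GET", URL, b"", CREDS, "us-west-2", "execute-api", sent))
```

A signature mismatch on an otherwise valid role assumption is the symptom to expect when signingName or signingRegion does not match the target service.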
