Address checkstyle errors

Author: okumin

standalone-metastore/metastore-rest-catalog/src/main/java/org/apache/iceberg/rest/AccessDelegationMode.java

@@ -7,14 +7,13 @@
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  */
 
 package org.apache.iceberg.rest;

standalone-metastore/metastore-rest-catalog/src/main/java/org/apache/iceberg/rest/IcebergVendedCredentialProvider.java

@@ -7,14 +7,13 @@
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  */
 
 package org.apache.iceberg.rest;
@@ -31,7 +30,14 @@
 import org.apache.hadoop.hive.metastore.utils.MetaStoreUtils;
 import org.apache.hadoop.hive.ql.metadata.HiveException;
 import org.apache.hadoop.hive.ql.metadata.HiveUtils;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.*;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactoryImpl;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.iceberg.catalog.TableIdentifier;
 import org.apache.iceberg.rest.credentials.Credential;

standalone-metastore/metastore-rest-catalog/src/test/java/org/apache/iceberg/rest/TestCredentialVendingAws.java

@@ -7,14 +7,13 @@
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  */
 
 package org.apache.iceberg.rest;
@@ -233,11 +232,8 @@ void testReadOnlyUser() throws IOException {
       }
 
       var destination = tableLocation + "/credential-vending-it.txt";
-      Assertions.assertThrows(AccessDeniedException.class, () -> {
-        try (var output = table.io().newOutputFile(destination).createOrOverwrite()) {
-          output.write("content".getBytes(StandardCharsets.UTF_8));
-        }
-      });
+      var output = table.io().newOutputFile(destination).createOrOverwrite();
+      Assertions.assertThrows(AccessDeniedException.class, output::close);
     }
   }
 }

standalone-metastore/metastore-rest-catalog/src/test/java/org/apache/iceberg/rest/TestIcebergVendedCredentialProvider.java

@@ -7,14 +7,13 @@
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  */
 
 package org.apache.iceberg.rest;
@@ -104,8 +103,12 @@ public void testVendWithWritableUser() throws HiveAccessControlException, HiveAu
 
     var inputCaptor = ArgumentCaptor.forClass(List.class);
     var outputCaptor = ArgumentCaptor.forClass(List.class);
-    Mockito.verify(authorizer, Mockito.times(2))
-        .checkPrivileges(eq(HiveOperationType.QUERY), inputCaptor.capture(), outputCaptor.capture(), any(HiveAuthzContext.class));
+    Mockito.verify(authorizer, Mockito.times(2)).checkPrivileges(
+        eq(HiveOperationType.QUERY),
+        inputCaptor.capture(),
+        outputCaptor.capture(),
+        any(HiveAuthzContext.class)
+    );
     assertPrivilegeObjects(List.of(INPUT_OBJECT), inputCaptor.getAllValues().getFirst());
     assertPrivilegeObjects(List.of(), inputCaptor.getAllValues().getLast());
     assertPrivilegeObjects(List.of(), outputCaptor.getAllValues().getFirst());
@@ -142,8 +145,12 @@ public void testVendWithReadOnlyUser() throws HiveAccessControlException, HiveAu
     var operationCaptor = ArgumentCaptor.forClass(HiveOperationType.class);
     var inputCaptor = ArgumentCaptor.forClass(List.class);
     var outputCaptor = ArgumentCaptor.forClass(List.class);
-    Mockito.verify(authorizer, Mockito.times(2))
-        .checkPrivileges(operationCaptor.capture(), inputCaptor.capture(), outputCaptor.capture(), any(HiveAuthzContext.class));
+    Mockito.verify(authorizer, Mockito.times(2)).checkPrivileges(
+        operationCaptor.capture(),
+        inputCaptor.capture(),
+        outputCaptor.capture(),
+        any(HiveAuthzContext.class)
+    );
     Assert.assertEquals(List.of(HiveOperationType.QUERY, HiveOperationType.QUERY), operationCaptor.getAllValues());
     assertPrivilegeObjects(List.of(INPUT_OBJECT), inputCaptor.getAllValues().getFirst());
     assertPrivilegeObjects(List.of(), inputCaptor.getAllValues().getLast());

standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/credential/CompositeVendedCredentialProvider.java

@@ -58,30 +58,30 @@ public List<VendedStorageCredential> vend(String username, List<StorageAccessReq
   private final List<VendedCredentialProvider> providers;
 
   private static VendedCredentialProvider create(Configuration conf, String providerId) {
-    final var providerConfigKeyPrefix = "%s.%s".formatted(PROVIDERS_KEY_PREFIX, providerId);
-    final var classKey = "%s.%s".formatted(providerConfigKeyPrefix, CLASS_KEY);
+    final var providerConfigKeyPrefix = "%s.%s.".formatted(PROVIDERS_KEY_PREFIX, providerId);
+    final var classKey = providerConfigKeyPrefix + CLASS_KEY;
     final var clazz = conf.getClass(classKey, null, VendedCredentialProvider.class);
     if (clazz == null) {
-      throw new IllegalArgumentException("No vended credential provider class configured for provider ID: " + providerId);
+      throw new IllegalArgumentException(
+          "No vended credential provider class configured for provider ID: " + providerId);
     }
 
     final VendedCredentialProvider provider;
     try {
       final var constructor = clazz.getDeclaredConstructor(String.class, Configuration.class);
-      constructor.setAccessible(true);
       provider = constructor.newInstance(providerConfigKeyPrefix, conf);
     } catch (NoSuchMethodException | InstantiationException | IllegalAccessException | InvocationTargetException e) {
       throw new IllegalArgumentException("Failed to instantiate vended credential provider: " + clazz.getName(), e);
     }
 
-    final var maxCacheSize = conf.getInt("%s.%s".formatted(providerConfigKeyPrefix, CACHE_MAX_SIZE_KEY), 0);
+    final var maxCacheSize = conf.getInt(providerConfigKeyPrefix + CACHE_MAX_SIZE_KEY, 0);
     if (maxCacheSize <= 0) {
       LOG.info("Created VendedCredentialProvider, {}, without cache", provider);
       return provider;
     }
 
     final var maxCacheDuration = Duration.ofNanos(
-        conf.getTimeDuration("%s.%s".formatted(providerConfigKeyPrefix, CACHE_MAX_DURATION_KEY),
+        conf.getTimeDuration(providerConfigKeyPrefix + CACHE_MAX_DURATION_KEY,
         DEFAULT_MAX_CACHE_DURATION.toNanos(), TimeUnit.NANOSECONDS));
     LOG.info("Created VendedCredentialProvider, {}, with caching (capacity={}, duration={}) ", provider, maxCacheSize,
         maxCacheDuration);

standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/credential/s3/S3Location.java

@@ -18,6 +18,7 @@
 
 package org.apache.hadoop.hive.metastore.credential.s3;
 
+import org.apache.hadoop.fs.Path;
 import software.amazon.awssdk.arns.Arn;
 
 import java.net.URI;
@@ -27,7 +28,7 @@
 /**
  * An S3 location.
  */
-class S3Location {
+final class S3Location {
   private static final Set<String> SCHEMES = Set.of("s3", "s3a", "s3n");
 
   private final String partition;
@@ -56,7 +57,7 @@ static Optional<S3Location> create(String partition, URI uri) {
     if (rawPath == null) {
       return Optional.empty();
     }
-    final var path = rawPath.endsWith("/") ? rawPath : rawPath + "/";
+    final var path = rawPath.endsWith(Path.SEPARATOR) ? rawPath : rawPath + Path.SEPARATOR;
     return Optional.of(new S3Location(partition, bucket, path));
   }
 

standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/credential/s3/S3VendedCredentialProvider.java

@@ -25,6 +25,7 @@
 import org.apache.hadoop.hive.metastore.credential.VendedCredentialProvider;
 import org.apache.hadoop.hive.metastore.credential.VendedStorageCredential;
 import software.amazon.awssdk.arns.Arn;
+import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
 import software.amazon.awssdk.policybuilder.iam.IamConditionOperator;
 import software.amazon.awssdk.policybuilder.iam.IamEffect;
 import software.amazon.awssdk.policybuilder.iam.IamPolicy;
@@ -62,7 +63,8 @@ public class S3VendedCredentialProvider implements VendedCredentialProvider {
   private final StsClient stsClient;
 
   private static StsClient createStsClient(String region) {
-    final var builder = StsClient.builder();
+    final var credentialsProvider = DefaultCredentialsProvider.builder().build();
+    final var builder = StsClient.builder().credentialsProvider(credentialsProvider);
     return region == null ? builder.build() : builder.region(Region.of(region)).build();
   }
 
@@ -75,14 +77,14 @@ private static List<String> createPrefixes(String[] prefixes) {
 
   public S3VendedCredentialProvider(String configKeyPrefix, Configuration conf) {
     this(
-        Arn.fromString(Objects.requireNonNull(conf.get("%s.%s".formatted(configKeyPrefix, ROLE_ARN_KEY)))),
-        conf.get("%s.%s".formatted(configKeyPrefix, EXTERNAL_ID_KEY)),
-        createPrefixes(conf.getStrings("%s.%s".formatted(configKeyPrefix, PREFIXES_KEY), (String) null)),
+        Arn.fromString(Objects.requireNonNull(conf.get(configKeyPrefix + ROLE_ARN_KEY))),
+        conf.get(configKeyPrefix + EXTERNAL_ID_KEY),
+        createPrefixes(conf.getStrings(configKeyPrefix + PREFIXES_KEY, (String) null)),
         (int) Math.min(
             Integer.MAX_VALUE,
-            conf.getTimeDuration("%s.%s".formatted(configKeyPrefix, CREDENTIAL_EXPIRATION_KEY), 3600, TimeUnit.SECONDS)
+            conf.getTimeDuration(configKeyPrefix + CREDENTIAL_EXPIRATION_KEY, 3600, TimeUnit.SECONDS)
         ),
-        createStsClient(conf.get("%s.%s".formatted(configKeyPrefix, REGION_KEY)))
+        createStsClient(conf.get(configKeyPrefix + REGION_KEY))
     );
   }
 
@@ -190,20 +192,22 @@ private IamPolicy buildPolicy(List<StorageAccessRequest> requests) {
     bucketLocationBuilder.values().stream().map(IamStatement.Builder::build).forEach(policyBuilder::addStatement);
     listBuilder.values().stream().map(IamStatement.Builder::build).forEach(policyBuilder::addStatement);
     if (!readResources.isEmpty()) {
-      final var builder = IamStatement.builder().effect(IamEffect.ALLOW).addAction("s3:GetObject")
-          .addAction("s3:GetObjectVersion");
-      readResources.forEach(builder::addResource);
-      policyBuilder.addStatement(builder.build());
+      policyBuilder.addStatement(builder -> {
+        builder.effect(IamEffect.ALLOW).addAction("s3:GetObject").addAction("s3:GetObjectVersion");
+        readResources.forEach(builder::addResource);
+      });
     }
     if (!createResources.isEmpty()) {
-      final var createBuilder = IamStatement.builder().effect(IamEffect.ALLOW).addAction("s3:PutObject");
-      createResources.forEach(createBuilder::addResource);
-      policyBuilder.addStatement(createBuilder.build());
+      policyBuilder.addStatement(builder -> {
+        builder.effect(IamEffect.ALLOW).addAction("s3:PutObject");
+        createResources.forEach(builder::addResource);
+      });
     }
     if (!deleteResources.isEmpty()) {
-      final var deleteBuilder = IamStatement.builder().effect(IamEffect.ALLOW).addAction("s3:DeleteObject");
-      deleteResources.forEach(deleteBuilder::addResource);
-      policyBuilder.addStatement(deleteBuilder.build());
+      policyBuilder.addStatement(builder -> {
+        builder.effect(IamEffect.ALLOW).addAction("s3:DeleteObject");
+        deleteResources.forEach(builder::addResource);
+      });
     }
     return policyBuilder.build();
   }

standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/annotation/MetastoreExternalTest.java

@@ -6,15 +6,16 @@
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
- * <p>
- * http://www.apache.org/licenses/LICENSE-2.0
- * <p>
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+
 package org.apache.hadoop.hive.metastore.annotation;
 
 /**

standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/credential/s3/TestS3VendedCredentialProvider.java

@@ -76,8 +76,8 @@ public void testSupportsWithPrefix() {
         new Path("s3a://bucket-b/warehouse/table"),
         EnumSet.of(StorageOperation.READ));
     Assert.assertFalse(provider.supports(unmatched));
-    Assert.assertThrows(IllegalArgumentException.class,
-        () -> provider.vend("test-user", Collections.singletonList(unmatched)));
+    var requests = Collections.singletonList(unmatched);
+    Assert.assertThrows(IllegalArgumentException.class, () -> provider.vend("test-user", requests));
   }
 
   @Test

standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/credential/s3/TestS3VendedCredentialProviderIntegration.java

@@ -87,7 +87,10 @@ private static S3Client createSessionS3Client(Region region, VendedStorageCreden
   private static void deleteObjectIfExists(S3Client s3, String bucket, String key) {
     try {
       s3.deleteObject(DeleteObjectRequest.builder().bucket(bucket).key(key).build());
-    } catch (S3Exception ignored) {
+    } catch (S3Exception e) {
+      if (e.statusCode() != 404) {
+        throw e;
+      }
     }
   }