feat(iam-setup): additional support for iam

Author: david-leifker

datahub-upgrade/src/main/java/com/linkedin/datahub/upgrade/sqlsetup/CreateUsersStep.java

@@ -80,10 +80,11 @@ SqlSetupResult createUsers(SqlSetupArgs args) throws SQLException {
 
   void createIamUser(SqlSetupArgs args, SqlSetupResult result) throws SQLException {
     log.info("Creating IAM-authenticated user: {}", args.getCreateUserUsername());
+    // Note: The IAM role parameter is null - MySQL uses 'RDS' constant, PostgreSQL uses rds_iam
+    // role
 
     try (Connection connection = server.dataSource().getConnection()) {
-      String createUserSql =
-          dbOps.createIamUserSql(args.getCreateUserUsername(), args.getCreateUserIamRole());
+      String createUserSql = dbOps.createIamUserSql(args.getCreateUserUsername(), null);
       try (PreparedStatement stmt = connection.prepareStatement(createUserSql)) {
         stmt.executeUpdate();
       }
@@ -94,6 +95,13 @@ void createIamUser(SqlSetupArgs args, SqlSetupResult result) throws SQLException
         grantStmt.executeUpdate();
       }
 
+      // Flush privileges for MySQL to ensure grants take effect immediately
+      if (setupArgs.getDbType() == DatabaseType.MYSQL) {
+        try (PreparedStatement flushStmt = connection.prepareStatement("FLUSH PRIVILEGES")) {
+          flushStmt.executeUpdate();
+        }
+      }
+
       result.setUsersCreated(1);
       log.info("IAM user '{}' created successfully", args.getCreateUserUsername());
     }
@@ -116,6 +124,13 @@ void createTraditionalUser(SqlSetupArgs args, SqlSetupResult result) throws SQLE
         grantStmt.executeUpdate();
       }
 
+      // Flush privileges for MySQL to ensure grants take effect immediately
+      if (setupArgs.getDbType() == DatabaseType.MYSQL) {
+        try (PreparedStatement flushStmt = connection.prepareStatement("FLUSH PRIVILEGES")) {
+          flushStmt.executeUpdate();
+        }
+      }
+
       result.setUsersCreated(1);
       log.info("Traditional user '{}' created successfully", args.getCreateUserUsername());
     }

datahub-upgrade/src/main/java/com/linkedin/datahub/upgrade/sqlsetup/MySqlDatabaseOperations.java

@@ -35,22 +35,24 @@ public class MySqlDatabaseOperations implements DatabaseOperations {
 
   @Override
   public String createIamUserSql(String username, String iamRole) {
-    // MySQL - IAM authentication with configurable role
+    // The iamRole parameter is not used for MySQL (unlike PostgreSQL)
+    // The actual IAM permissions are managed by AWS IAM policies, not stored in MySQL
     String escapedUser = escapeMysqlStringLiteral(username);
-    String escapedRole = escapeMysqlStringLiteral(iamRole);
-    return "CREATE USER "
+    return "CREATE USER IF NOT EXISTS "
         + escapedUser
-        + "@'%' IDENTIFIED WITH AWSAuthenticationPlugin AS "
-        + escapedRole
-        + ";";
+        + "@'%' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';";
   }
 
   @Override
   public String createTraditionalUserSql(String username, String password) {
     // MySQL - traditional authentication
     String escapedUser = escapeMysqlStringLiteral(username);
     String escapedPassword = escapeMysqlStringLiteral(password);
-    return "CREATE USER " + escapedUser + "@'%' IDENTIFIED BY " + escapedPassword + ";";
+    return "CREATE USER IF NOT EXISTS "
+        + escapedUser
+        + "@'%' IDENTIFIED BY "
+        + escapedPassword
+        + ";";
   }
 
   @Override

datahub-upgrade/src/main/java/com/linkedin/datahub/upgrade/sqlsetup/PostgresDatabaseOperations.java

@@ -36,16 +36,41 @@ public class PostgresDatabaseOperations implements DatabaseOperations {
 
   @Override
   public String createIamUserSql(String username, String iamRole) {
-    // PostgreSQL - IAM authentication (requires additional setup)
+    // PostgreSQL RDS - IAM authentication uses the rds_iam role
+    // The iamRole parameter is not used for PostgreSQL (IAM permissions are managed by AWS IAM)
+    // The actual IAM permissions are managed by AWS IAM policies, not stored in PostgreSQL
     String escapedUser = escapePostgresIdentifier(username);
-    return "CREATE USER " + escapedUser + " WITH LOGIN;";
+    return String.format(
+        """
+        DO
+        $$
+        BEGIN
+            IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = %s) THEN
+                CREATE USER %s WITH LOGIN;
+            END IF;
+        END
+        $$;
+        GRANT rds_iam TO %s;
+        """,
+        escapedUser, escapedUser, escapedUser);
   }
 
   @Override
   public String createTraditionalUserSql(String username, String password) {
     String escapedUser = escapePostgresIdentifier(username);
     String escapedPassword = escapePostgresStringLiteral(password);
-    return "CREATE USER " + escapedUser + " WITH PASSWORD " + escapedPassword + ";";
+    return String.format(
+        """
+        DO
+        $$
+        BEGIN
+            IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = %s) THEN
+                CREATE USER %s WITH PASSWORD %s;
+            END IF;
+        END
+        $$;
+        """,
+        escapedUser, escapedUser, escapedPassword);
   }
 
   @Override
@@ -61,6 +86,7 @@ public String createCdcUserSql(String cdcUser, String cdcPassword) {
     // Properly escape identifiers and string literals to prevent SQL injection
     String escapedUser = escapePostgresIdentifier(cdcUser);
     String escapedPassword = escapePostgresStringLiteral(cdcPassword);
+    String escapedUserLiteral = escapePostgresStringLiteral(cdcUser);
 
     return String.format(
         """
@@ -74,7 +100,7 @@ IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = %s) THEN
         $$;
         ALTER USER %s WITH REPLICATION;
         """,
-        escapedPassword, escapedUser, escapedPassword, escapedUser);
+        escapedUserLiteral, escapedUser, escapedPassword, escapedUser);
   }
 
   @Override

datahub-upgrade/src/main/java/com/linkedin/datahub/upgrade/sqlsetup/SqlSetupArgs.java

@@ -17,9 +17,8 @@ public class SqlSetupArgs {
   String cdcUser;
   String cdcPassword;
   String createUserUsername;
-  String createUserPassword;
+  String createUserPassword; // If null, IAM authentication is used
   String host;
   int port;
   String databaseName;
-  String createUserIamRole; // IAM role for new user creation (required if IAM auth enabled)
 }

datahub-upgrade/src/main/java/com/linkedin/datahub/upgrade/sqlsetup/config/SqlSetupConfig.java

@@ -60,8 +60,6 @@ public SqlSetupArgs createSetupArgs() {
     boolean createTables = EnvironmentUtils.getBoolean("CREATE_TABLES", true);
     boolean createDatabase = EnvironmentUtils.getBoolean("CREATE_DB", true);
     boolean createUser = EnvironmentUtils.getBoolean("CREATE_USER", false);
-    String createUserIamRole = EnvironmentUtils.getString("IAM_ROLE");
-    boolean iamAuthEnabled = createUserIamRole != null && !createUserIamRole.trim().isEmpty();
     boolean cdcEnabled = EnvironmentUtils.getBoolean("CDC_MCL_PROCESSING_ENABLED", false);
     String cdcUser = EnvironmentUtils.getString("CDC_USER", "datahub_cdc");
     String cdcPassword = EnvironmentUtils.getString("CDC_PASSWORD", "datahub_cdc");
@@ -78,17 +76,22 @@ public SqlSetupArgs createSetupArgs() {
     int port = jdbcInfo.port;
 
     // Set user creation credentials based on CREATE_USER setting
+    // If CREATE_USER_PASSWORD is not provided, assume IAM authentication
     String createUserUsername;
     String createUserPassword;
+    boolean iamAuthEnabled = false;
     if (createUser) {
-      if (iamAuthEnabled) {
-        // IAM authentication: only set username, no password
-        createUserUsername = EnvironmentUtils.getString("CREATE_USER_USERNAME");
+      createUserUsername = EnvironmentUtils.getString("CREATE_USER_USERNAME");
+      createUserPassword = EnvironmentUtils.getString("CREATE_USER_PASSWORD");
+
+      // If password is not provided, use IAM authentication
+      if (createUserPassword == null || createUserPassword.trim().isEmpty()) {
+        iamAuthEnabled = true;
         createUserPassword = null; // No password for IAM auth
+        log.info("User creation with IAM authentication detected (no password provided)");
       } else {
-        // Traditional authentication: set both username and password
-        createUserUsername = EnvironmentUtils.getString("CREATE_USER_USERNAME");
-        createUserPassword = EnvironmentUtils.getString("CREATE_USER_PASSWORD");
+        iamAuthEnabled = false;
+        log.info("User creation with traditional password authentication");
       }
     } else {
       // When CREATE_USER is disabled, these fields are not used
@@ -110,8 +113,7 @@ public SqlSetupArgs createSetupArgs() {
             createUserPassword,
             host,
             port,
-            databaseName,
-            createUserIamRole);
+            databaseName);
 
     // Validate authentication configuration
     validateAuthenticationConfig(args);
@@ -173,12 +175,10 @@ void validateAuthenticationConfig(SqlSetupArgs args) {
     }
 
     if (args.isIamAuthEnabled()) {
-      // IAM authentication enabled - validate IAM role is provided
-      if (args.getCreateUserIamRole() == null || args.getCreateUserIamRole().trim().isEmpty()) {
-        throw new IllegalStateException(
-            "IAM user creation is enabled but IAM_ROLE is not specified. "
-                + "Either set IAM_ROLE environment variable or disable IAM authentication.");
-      }
+      // For both MySQL and PostgreSQL RDS IAM authentication:
+      // - MySQL: Uses constant 'RDS' in CREATE USER statement
+      // - PostgreSQL: Uses rds_iam role grant
+      // The actual IAM permissions are managed by AWS IAM policies, not stored in the database
 
       // Validate username is provided for IAM
       if (args.getCreateUserUsername() == null || args.getCreateUserUsername().trim().isEmpty()) {
@@ -188,8 +188,8 @@ void validateAuthenticationConfig(SqlSetupArgs args) {
       }
 
       log.info(
-          "IAM user creation validated: role='{}', username='{}'",
-          args.getCreateUserIamRole(),
+          "IAM user creation validated for {}: username='{}' (IAM permissions managed by AWS IAM policies)",
+          args.getDbType().getValue(),
           args.getCreateUserUsername());
     } else {
       // Traditional authentication - validate username and password are provided

datahub-upgrade/src/main/java/com/linkedin/datahub/upgrade/system/elasticsearch/BuildIndices.java

@@ -8,6 +8,7 @@
 import com.linkedin.datahub.upgrade.system.elasticsearch.steps.BuildIndicesPreStep;
 import com.linkedin.datahub.upgrade.system.elasticsearch.steps.BuildIndicesStep;
 import com.linkedin.datahub.upgrade.system.elasticsearch.steps.CreateUsageEventIndicesStep;
+import com.linkedin.datahub.upgrade.system.elasticsearch.steps.CreateUserStep;
 import com.linkedin.gms.factory.config.ConfigurationProvider;
 import com.linkedin.gms.factory.search.BaseElasticSearchComponentsFactory;
 import com.linkedin.metadata.entity.AspectDao;
@@ -70,6 +71,8 @@ private List<UpgradeStep> buildSteps(
     }
 
     final List<UpgradeStep> steps = new ArrayList<>();
+    // Setup Elasticsearch users and roles (if enabled)
+    steps.add(new CreateUserStep(baseElasticSearchComponents, configurationProvider));
     // Setup usage event indices and policies
     steps.add(new CreateUsageEventIndicesStep(baseElasticSearchComponents, configurationProvider));
     // Disable ES write mode/change refresh rate and clone indices

datahub-upgrade/src/main/java/com/linkedin/datahub/upgrade/system/elasticsearch/steps/CreateUserStep.java

@@ -0,0 +1,137 @@
+package com.linkedin.datahub.upgrade.system.elasticsearch.steps;
+
+import com.linkedin.datahub.upgrade.UpgradeContext;
+import com.linkedin.datahub.upgrade.UpgradeStep;
+import com.linkedin.datahub.upgrade.UpgradeStepResult;
+import com.linkedin.datahub.upgrade.impl.DefaultUpgradeStepResult;
+import com.linkedin.datahub.upgrade.system.elasticsearch.util.IndexRoleUtils;
+import com.linkedin.datahub.upgrade.system.elasticsearch.util.IndexUtils;
+import com.linkedin.gms.factory.config.ConfigurationProvider;
+import com.linkedin.gms.factory.search.BaseElasticSearchComponentsFactory;
+import com.linkedin.metadata.utils.EnvironmentUtils;
+import com.linkedin.upgrade.DataHubUpgradeState;
+import io.datahubproject.metadata.context.OperationContext;
+import java.util.function.Function;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+
+@RequiredArgsConstructor
+@Slf4j
+public class CreateUserStep implements UpgradeStep {
+  private final BaseElasticSearchComponentsFactory.BaseElasticSearchComponents esComponents;
+  private final ConfigurationProvider configurationProvider;
+
+  @Override
+  public String id() {
+    return "CreateElasticsearchUserStep";
+  }
+
+  @Override
+  public int retryCount() {
+    return 3;
+  }
+
+  @Override
+  public boolean skip(UpgradeContext context) {
+    boolean createUser = EnvironmentUtils.getBoolean("CREATE_USER_ES", false);
+    if (!createUser) {
+      log.info("Elasticsearch user creation is disabled, skipping user setup");
+    }
+    return !createUser;
+  }
+
+  @Override
+  public Function<UpgradeContext, UpgradeStepResult> executable() {
+    return (context) -> {
+      try {
+        final String indexPrefix =
+            configurationProvider.getElasticSearch().getIndex().getFinalPrefix();
+
+        // Check for CREATE_USER_ES_USERNAME and CREATE_USER_ES_PASSWORD environment variables first
+        String username = EnvironmentUtils.getString("CREATE_USER_ES_USERNAME");
+        String password = EnvironmentUtils.getString("CREATE_USER_ES_PASSWORD");
+        String iamRoleArn = EnvironmentUtils.getString("CREATE_USER_ES_IAM_ROLE_ARN");
+
+        // Determine the authentication mode
+        boolean usingIam = iamRoleArn != null && !iamRoleArn.isEmpty();
+        boolean usingUserPassword =
+            username != null && !username.isEmpty() && password != null && !password.isEmpty();
+
+        // Validate that at least one authentication method is configured
+        if (!usingIam && !usingUserPassword) {
+          log.warn(
+              "Either CREATE_USER_ES_IAM_ROLE_ARN or CREATE_USER_ES_USERNAME/CREATE_USER_ES_PASSWORD must be configured");
+          return new DefaultUpgradeStepResult(id(), DataHubUpgradeState.FAILED);
+        }
+
+        String roleName = indexPrefix + "access";
+
+        if (esComponents.getSearchClient().getEngineType().isOpenSearch()) {
+          setupOpenSearchUser(
+              indexPrefix,
+              roleName,
+              username,
+              password,
+              iamRoleArn,
+              usingIam,
+              usingUserPassword,
+              context.opContext());
+        } else {
+          // Elasticsearch Cloud doesn't support IAM authentication
+          if (usingIam) {
+            log.warn("IAM authentication is only supported for AWS OpenSearch Service");
+            return new DefaultUpgradeStepResult(id(), DataHubUpgradeState.FAILED);
+          }
+          setupElasticsearchCloudUser(indexPrefix, roleName, username, password);
+        }
+
+        return new DefaultUpgradeStepResult(id(), DataHubUpgradeState.SUCCEEDED);
+      } catch (Exception e) {
+        log.error("CreateElasticsearchUserStep failed.", e);
+        return new DefaultUpgradeStepResult(id(), DataHubUpgradeState.FAILED);
+      }
+    };
+  }
+
+  private void setupElasticsearchCloudUser(
+      String prefix, String roleName, String username, String password) throws Exception {
+    log.info("Creating Elasticsearch Cloud user and role");
+    IndexRoleUtils.createElasticsearchCloudUser(esComponents, roleName, username, password, prefix);
+  }
+
+  private void setupOpenSearchUser(
+      String prefix,
+      String roleName,
+      String username,
+      String password,
+      String iamRoleArn,
+      boolean usingIam,
+      boolean usingUserPassword,
+      OperationContext operationContext)
+      throws Exception {
+    // Check if this is AWS OpenSearch Service
+    boolean isAwsOpenSearch = IndexUtils.isAwsOpenSearchService(esComponents);
+
+    if (isAwsOpenSearch) {
+      log.info("Detected AWS OpenSearch Service. Creating AWS-specific role.");
+
+      // Create the role first (required for both modes)
+      IndexRoleUtils.createAwsOpenSearchRole(esComponents, roleName, prefix);
+
+      if (usingIam) {
+        // IAM authentication: create role mapping to IAM role
+        log.info("IAM mode: Creating role mapping for IAM role: {}", iamRoleArn);
+        IndexRoleUtils.createAwsOpenSearchRoleMapping(esComponents, roleName, iamRoleArn);
+      }
+
+      if (usingUserPassword) {
+        // Internal user authentication: create internal user
+        log.info("Internal user mode: Creating internal user: {}", username);
+        IndexRoleUtils.createAwsOpenSearchUser(
+            esComponents, username, password, roleName, null, operationContext);
+      }
+    } else {
+      log.warn("Detected self-hosted OpenSearch. Creating user and role not supported.");
+    }
+  }
+}