AlexMercedCoder
diff --git a/‎docker-compose.emulators.yml‎
Lines changed: 93 additions & 0 deletions b/‎docker-compose.emulators.yml‎
Lines changed: 93 additions & 0 deletions
diff --git a/‎docs/CREDENTIAL_VENDING_DOCS_UPDATE.md‎
Lines changed: 211 additions & 0 deletions b/‎docs/CREDENTIAL_VENDING_DOCS_UPDATE.md‎
Lines changed: 211 additions & 0 deletions
@@ -0,0 +1,93 @@
+version: '3.8'
+
+services:
+  # MinIO - S3-compatible storage with STS support
+  minio:
+    image: minio/minio:latest
+    container_name: pangolin-minio
+    ports:
+      - "9000:9000"  # API
+      - "9001:9001"  # Console
+    environment:
+      MINIO_ROOT_USER: minioadmin
+      MINIO_ROOT_PASSWORD: minioadmin
+    command: server /data --console-address ":9001"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
+      interval: 5s
+      timeout: 3s
+      retries: 3
+    volumes:
+      - minio-data:/data
+
+  # Azurite - Azure Storage Emulator
+  azurite:
+    image: mcr.microsoft.com/azure-storage/azurite:latest
+    container_name: pangolin-azurite
+    ports:
+      - "10000:10000"  # Blob service
+      - "10001:10001"  # Queue service
+      - "10002:10002"  # Table service
+    command: azurite-blob --blobHost 0.0.0.0 --blobPort 10000 --loose
+    healthcheck:
+      test: ["CMD", "nc", "-z", "localhost", "10000"]
+      interval: 5s
+      timeout: 3s
+      retries: 3
+    volumes:
+      - azurite-data:/data
+
+  # fake-gcs-server - GCS Emulator
+  fake-gcs:
+    image: fsouza/fake-gcs-server:latest
+    container_name: pangolin-fake-gcs
+    ports:
+      - "4443:4443"
+    command: -scheme http -port 4443 -external-url http://localhost:4443
+    healthcheck:
+      test: ["CMD", "wget", "--spider", "-q", "http://localhost:4443/storage/v1/b"]
+      interval: 5s
+      timeout: 3s
+      retries: 3
+
+  # oidc-server-mock - OAuth2/OIDC Mock for Azure AD testing
+  oidc-mock:
+    image: ghcr.io/soluto/oidc-server-mock:latest
+    container_name: pangolin-oidc-mock
+    ports:
+      - "8081:80"  # Changed from 8080 to avoid conflict
+    environment:
+      ASPNETCORE_ENVIRONMENT: Development
+      SERVER_OPTIONS_INLINE: |
+        {
+          "AccessTokenJwtType": "JWT",
+          "Discovery": {
+            "ShowKeySet": true
+          }
+        }
+      USERS_CONFIGURATION_INLINE: |
+        [
+          {
+            "SubjectId": "test-user",
+            "Username": "testuser",
+            "Password": "testpassword"
+          }
+        ]
+      CLIENTS_CONFIGURATION_INLINE: |
+        [
+          {
+            "ClientId": "pangolin-client",
+            "ClientSecrets": ["secret"],
+            "AllowedGrantTypes": ["client_credentials"],
+            "AllowedScopes": ["https://storage.azure.com/.default", "openid", "profile"]
+          }
+        ]
+    healthcheck:
+      test: ["CMD", "wget", "--spider", "-q", "http://localhost:80/.well-known/openid-configuration"]
+      interval: 5s
+      timeout: 3s
+      retries: 3
+
+volumes:
+  minio-data:
+  azurite-data:
@@ -0,0 +1,211 @@
+# Documentation Update Summary - Credential Vending
+
+## Files Requiring Updates
+
+### 1. `/docs/features/security_vending.md` ⚠️ HIGH PRIORITY
+**Current State:** Only documents S3/AWS credential vending  
+**Required Updates:**
+- Add section for Azure ADLS Gen2 credential vending
+  - OAuth2 mode (adls.token)
+  - Account key mode (adls.account-name, adls.account-key)
+- Add section for GCP credential vending
+  - OAuth2 mode (gcp-oauth-token)
+  - Service account mode (gcp-project-id)
+- Update PyIceberg integration examples with multi-cloud
+- Add warehouse configuration examples for Azure and GCP
+
+**Suggested New Sections:**
+```markdown
+## Azure ADLS Gen2 Credential Vending
+
+### OAuth2 Mode
+```python
+# Warehouse configuration
+{
+  "type": "azure",
+  "account_name": "mystorageaccount",
+  "container": "data",
+  "tenant_id": "...",
+  "client_id": "...",
+  "client_secret": "..."
+}
+```
+
+### Account Key Mode
+```python
+# Warehouse configuration
+{
+  "type": "azure",
+  "account_name": "mystorageaccount",
+  "container": "data",
+  "account_key": "..."
+}
+```
+
+## GCP Credential Vending
+...
+```
+
+---
+
+### 2. `/docs/architecture/signer-trait.md` ⚠️ MEDIUM PRIORITY
+**Current State:** Documents old Signer trait, outdated structure  
+**Required Updates:**
+- Replace with new `CredentialSigner` trait documentation
+- Update `VendedCredentials` structure
+- Document PyIceberg-compatible property names:
+  - S3: `s3.access-key-id`, `s3.secret-access-key`, `s3.session-token`
+  - Azure: `adls.token`, `adls.account-name`, `adls.account-key`
+  - GCP: `gcp-oauth-token`, `gcp-project-id`
+- Update implementation examples for all three cloud providers
+
+**New Trait Definition:**
+```rust
+#[async_trait]
+pub trait CredentialSigner: Send + Sync {
+    async fn generate_credentials(
+        &self,
+        resource_path: &str,
+        permissions: &[String],
+        duration: Duration,
+    ) -> Result<VendedCredentials>;
+    
+    fn storage_type(&self) -> &str;
+}
+
+pub struct VendedCredentials {
+    pub prefix: String,
+    pub config: HashMap<String, String>,  // PyIceberg-compatible properties
+    pub expires_at: Option<DateTime<Utc>>,
+}
+```
+
+---
+
+### 3. `/docs/pyiceberg/multi_cloud.md` ⚠️ HIGH PRIORITY
+**Current State:** Mentions vending but uses incorrect property names  
+**Required Updates:**
+- Update Azure properties section:
+  - ✅ `adls.token` (for OAuth2 vended credentials)
+  - ✅ `adls.account-name` (account name)
+  - ✅ `adls.account-key` (for account key mode)
+  - ❌ Remove outdated `adls.connection-string` (not used in vending)
+- Update GCP properties section:
+  - ✅ `gcp-oauth-token` (for vended OAuth2 tokens)
+  - ✅ `gcp-project-id` (project ID)
+  - ❌ Remove `gcs.oauth2.token` (use `gcp-oauth-token`)
+- Add complete credential vending examples
+
+**Updated Azure Example:**
+```python
+catalog = load_catalog(
+    "azure_catalog",
+    **{
+        "type": "rest",
+        "uri": "http://localhost:8080/v1/azure_catalog",
+        "token": "YOUR_JWT_TOKEN",
+        # Pangolin vends credentials automatically!
+        # Properties vended: adls.token, adls.account-name
+    }
+)
+```
+
+---
+
+### 4. `/docs/features/warehouse_management.md` ⚠️ LOW PRIORITY
+**Current State:** May only show S3 warehouse examples  
+**Required Updates:**
+- Add Azure warehouse creation example
+- Add GCP warehouse creation example
+- Document `use_sts` behavior for each cloud provider
+
+---
+
+### 5. `/docs/pyiceberg/auth_vended_creds.md` ⚠️ MEDIUM PRIORITY
+**Current State:** Unknown (need to review)  
+**Likely Updates:**
+- Add multi-cloud vended credentials examples
+- Update property names to PyIceberg-compatible format
+
+---
+
+## Property Name Reference (PyIceberg Compatible)
+
+### S3 / AWS
+| Property | Description | Example |
+|----------|-------------|---------|
+| `s3.access-key-id` | AWS access key | `AKIAIOSFODNN7EXAMPLE` |
+| `s3.secret-access-key` | AWS secret key | `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY` |
+| `s3.session-token` | STS session token | `FwoGZXIvYXdzEBYaD...` |
+| `s3.endpoint` | S3 endpoint URL | `http://localhost:9000` |
+| `s3.region` | AWS region | `us-east-1` |
+
+### Azure ADLS Gen2
+| Property | Description | Example |
+|----------|-------------|---------|
+| `adls.token` | OAuth2 access token | `eyJ0eXAiOiJKV1QiLCJhbGc...` |
+| `adls.account-name` | Storage account name | `mystorageaccount` |
+| `adls.account-key` | Storage account key | `Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==` |
+| `adls.container` | Container name | `data` |
+
+### GCP Cloud Storage
+| Property | Description | Example |
+|----------|-------------|---------|
+| `gcp-oauth-token` | OAuth2 access token | `ya29.a0AfH6SMBx...` |
+| `gcp-project-id` | GCP project ID | `my-project-12345` |
+
+---
+
+## Testing Status
+
+### ✅ Tested and Working
+- **S3 Static Credentials:** Tested with MinIO ✅
+- **S3 STS Foundation:** MinIO IAM configured ✅
+- **Azure Account Key:** Tested with Azurite ✅
+- **GCP Service Account:** Tested with fake-gcs-server ✅
+
+### ⚠️ Code Ready, Needs Real Testing
+- **Azure OAuth2:** Code complete, needs real Azure AD testing
+- **S3 STS AssumeRole:** Needs AWS STS feature flag enabled
+
+---
+
+## Implementation Details
+
+**Files Modified:**
+- `pangolin_api/src/credential_signers/azure_signer.rs` - PyIceberg properties
+- `pangolin_api/src/credential_signers/gcp_signer.rs` - PyIceberg properties
+- `pangolin_api/src/credential_signers/s3_signer.rs` - PyIceberg properties
+- `pangolin_api/src/credential_vending.rs` - Factory and helpers
+- `pangolin_api/src/signing_handlers.rs` - Refactored (-170 lines)
+
+**Tests:** 28/28 passing
+- 4 unit tests
+- 15 integration tests
+- 5 end-to-end tests
+- 4 live emulator tests
+
+---
+
+## Recommended Documentation Update Priority
+
+1. **HIGH:** `security_vending.md` - Add Azure/GCP sections
+2. **HIGH:** `multi_cloud.md` - Fix property names
+3. **MEDIUM:** `signer-trait.md` - Update trait documentation
+4. **MEDIUM:** `auth_vended_creds.md` - Add multi-cloud examples
+5. **LOW:** `warehouse_management.md` - Add Azure/GCP warehouse examples
+
+---
+
+## Quick Reference for Documentation Writers
+
+**When documenting Azure credential vending:**
+- Use `adls.token` (not `azure-oauth-token`)
+- Use `adls.account-name` (not `azure-account-name`)
+- Use `adls.account-key` (not `azure-account-key`)
+
+**When documenting GCP credential vending:**
+- Use `gcp-oauth-token` (not `gcs.oauth2.token`)
+- Use `gcp-project-id` (not `gcs.project-id`)
+
+**All property names must match PyIceberg expectations for compatibility.**