feat: Handle MRAP URI

[vivek807]

Fixes #19608.

Description

Adds support for AWS S3 Multi-Region Access Points (MRAPs) and S3 Access Point ARNs as the bucket value in Druid's S3 extension. Previously, any ARN passed as a bucket name was rejected at startup due to a strict DNS-naming validation check in CloudObjectLocation.

Relaxed bucket validation in CloudObjectLocation

The existing check enforces that a bucket name URL-encodes to itself, which is a proxy for DNS compliance. ARNs contain colons and fail that check unconditionally. The validation now accepts a bucket that either passes the existing DNS check or matches a valid S3 Access Point ARN pattern (regional and MRAP, across aws, aws-cn, and aws-us-gov partitions).

Added S3Utils.isS3Arn() and S3Utils.normalizeBucketName()

Some tooling produces Access Point ARNs with a slash separator (accesspoint/alias) rather than the colon-delimited form (accesspoint:alias) that the AWS SDK expects. normalizeBucketName() canonicalizes the slash form to the colon form. It is a no-op for plain bucket names. S3DataSegmentPusherConfig.setBucket() and S3LoadSpec constructor both call this at the point of construction so the rest of the code never sees the unnormalized form.

Release note

Druid's S3 extension now accepts AWS S3 Access Point ARNs and Multi-Region Access Point (MRAP) ARNs as the druid.storage.bucket value. This enables operators to route deep storage traffic through a single global MRAP endpoint for multi-region active-active deployments and regional failover scenarios. Plain bucket names are unaffected.

---

Key changed/added classes in this PR

• CloudObjectLocation — relaxed bucket validation to permit S3 Access Point ARNs
• S3Utils — added isS3Arn() and normalizeBucketName()
• S3DataSegmentPusherConfig — normalize bucket name on set
• S3LoadSpec — normalize bucket name on constructor

---

This PR has:

This PR has:

• been self-reviewed.
• using the concurrency checklist (no concurrency changes)
• added documentation for new or modified features or behaviors.
• a release note entry in the PR description.
• added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
• added or updated version, license, or notice information in licenses.yaml (no new dependencies)
• added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
• added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
• added integration tests.
• been tested in a test Druid cluster.

[FrankChen021]

Severity	Findings
P0	0
P1	0
P2	1
P3	0
Total	1

Reviewed 6 of 6 changed files.

---

This is an automated review by Codex GPT-5.5

[FrankChen021]

[P2] Normalize slash-form ARN buckets before accepting them

This now accepts both accesspoint: and accesspoint/ ARN buckets, but stores the slash form unchanged. AWS documents access point/MRAP ARNs with the slash separator, and direct JSON objects or catalog bucket+path inputs can now construct CloudObjectLocation with that value. Later toUri() writes the raw bucket into s3://%s/%s; with arn:...:accesspoint/bucket.mrap, the access-point name becomes part of the URI path, so code that re-reads the URI via getAuthority() sees only arn:...:accesspoint as the bucket. The deep-storage config/loadSpec paths normalize this, but direct CloudObjectLocation construction does not. Please normalize slash-form S3 ARN buckets here, or reject slash-form ARNs from this class and require the internal colon form.