feat: Handle MRAP URI

[vivek807]

Fixes #19608.

Description

Adds support for AWS S3 Multi-Region Access Points (MRAPs) and S3 Access Point ARNs as the bucket value in Druid's S3 extension. Previously, any ARN passed as a bucket name was rejected at startup due to a strict DNS-naming validation check in CloudObjectLocation.

Relaxed bucket validation in CloudObjectLocation

The existing check enforces that a bucket name URL-encodes to itself, which is a proxy for DNS compliance. ARNs contain colons and fail that check unconditionally. The validation now accepts a bucket that either passes the existing DNS check or matches a valid S3 Access Point ARN pattern (regional and MRAP, across aws, aws-cn, and aws-us-gov partitions).

Added S3Utils.isS3Arn() and S3Utils.normalizeBucketName()

Some tooling produces Access Point ARNs with a slash separator (accesspoint/alias) rather than the colon-delimited form (accesspoint:alias) that the AWS SDK expects. normalizeBucketName() canonicalizes the slash form to the colon form. It is a no-op for plain bucket names. S3DataSegmentPusherConfig.setBucket() and S3LoadSpec constructor both call this at the point of construction so the rest of the code never sees the unnormalized form.

Release note

Druid's S3 extension now accepts AWS S3 Access Point ARNs and Multi-Region Access Point (MRAP) ARNs as the druid.storage.bucket value. This enables operators to route deep storage traffic through a single global MRAP endpoint for multi-region active-active deployments and regional failover scenarios. Plain bucket names are unaffected.

---

Key changed/added classes in this PR

• CloudObjectLocation — relaxed bucket validation to permit S3 Access Point ARNs
• S3Utils — added isS3Arn() and normalizeBucketName()
• S3DataSegmentPusherConfig — normalize bucket name on set
• S3LoadSpec — normalize bucket name on constructor

---

This PR has:

This PR has:

• been self-reviewed.
• using the concurrency checklist (no concurrency changes)
• added documentation for new or modified features or behaviors.
• a release note entry in the PR description.
• added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
• added or updated version, license, or notice information in licenses.yaml (no new dependencies)
• added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
• added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
• added integration tests.
• been tested in a test Druid cluster.

[FrankChen021]

Severity	Findings
P0	0
P1	0
P2	1
P3	0
Total	1

Reviewed 6 of 6 changed files.

---

This is an automated review by Codex GPT-5.5

[FrankChen021]

Severity	Findings
P0	0
P1	0
P2	1
P3	0
Total	1

Reviewed 6 of 6 changed files.

---

This is an automated review by Codex GPT-5.5

[FrankChen021]

[P2] Handle slash-form MRAP ARNs before URI splitting

This normalization only works when the full ARN is already passed as the bucket string. For a URI like s3://arn:aws:s3::123456789123:accesspoint/bucket.mrap/path, java.net.URI splits the value into authority arn:aws:s3::123456789123:accesspoint and path /bucket.mrap/path, so the bucket passed here does not match S3_ARN and the slash-form MRAP URI remains rejected or parsed with the access point name as part of the key. Please normalize this form before the URI constructor splits bucket/path, or add validation/tests that explicitly reject it.