Added expectedBucketOwner

[vaibhavm99]

Add S3 Bucket Owner Verification Support

This PR adds optional S3 bucket owner verification to neptune-export, enhancing security by allowing clients to verify that S3 buckets are owned by expected AWS accounts.

Changes

New Parameter: expectedBucketOwner

• Added as an optional parameter across all S3 operations (GET, PUT, LIST)
• Can be provided via environment variable EXPECTED_BUCKET_OWNER or JSON field expectedBucketOwner
• When not provided, automatically defaults to the account ID from the credential provider
• Applies to all S3 interactions: exports, config files, completion files, and Neptune ML training configs

Security Benefits

This feature helps prevent unauthorized access to S3 buckets by verifying bucket ownership before performing operations, adding an extra layer of security for cross-account scenarios.

[Cole-Greer]

I'm a bit concerned that this could lead to confusion as we are essentially adding 2 independent and unrelated expectedBucketOwner parameters. From what I can tell, the only purpose of this one is to protect the one GetObject request in JSONResource.getFromS3(), while the parameter in NeptuneExportLambda guards all PutObject requests from the program. If a user wanted to configure both of these values in a export service request, their request would look something like this:

neptune-export.sh nesvc --json '
    "command" : "export-pg",
    "params" : {
        "endpoint": <neptune endpoint>,
        "configFile": <config file s3 URI>,
        "expectedBucketOwner": <config file bucket account id>
    },
    "outputS3Path": <target s3 URI>,
    "expectedBucketOwner": <target bucket account id>

I'm not convinced that such a guard is necessary for retrieving the config file from S3, especially considering users are also permitted to provide any public https URI as a location for this file as well. Unfortunately due to the structure of Neptune export and the export service, it's quite difficult to combine these into a single parameter. If you believe this guard is necessary, I'd ask that we rename it to something such as --config-file-expected-bucket-owner to distinguish it from the more general expectedBucketOwner parameter.

[Cole-Greer]

StringUtils.isBlank(expectedBucketOwner) ? this.s3CredentialsProvider.resolveCredentials().accountId().get() : expectedBucketOwner is repeated quite a bit through out this PR, could we move this account resolution logic to the source in NeptuneExportLambda such that it only needs to be done once?

[Cole-Greer]

Suggested change

	Expected bucket owner account ID for S3 bucket verification. When provided,
	verifies the bucket is owned by the specified AWS account.
	Expected bucket owner account ID for S3 bucket verification. When provided,
	verifies the bucket is owned by the specified AWS account. Defaults to the
	AWS account id associated with the S3 credentials.

[Cole-Greer]

Suggested change

	| `EXPECTED_BUCKET_OWNER` | `expectedBucketOwner` | Expected bucket owner account ID for S3 bucket verification. When provided, verifies the bucket is owned by the specified AWS account | Optional |
	| `EXPECTED_BUCKET_OWNER` | `expectedBucketOwner` | Expected bucket owner account ID for S3 bucket verification. When provided, verifies the bucket is owned by the specified AWS account. Defaults to the AWS account id associated with the S3 credentials. | Optional |