This is an automated email from the ASF dual-hosted git repository.
xyao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/master by this push:
new 60e0787 HDDS-4763. Owner field of S3AUTHINFO type delegation token
should be validated (#1871)
60e0787 is described below
commit 60e078729e18ef1be276f35659957ac553d266f7
Author: Elek, Márton <[email protected]>
AuthorDate: Tue Feb 2 19:53:09 2021 +0100
HDDS-4763. Owner field of S3AUTHINFO type delegation token should be
validated (#1871)
---
.../OzoneDelegationTokenSecretManager.java | 13 ++++++++++
.../TestOzoneDelegationTokenSecretManager.java | 28 ++++++++++++----------
2 files changed, 28 insertions(+), 13 deletions(-)
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java
index 7390fcc..542d636 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java
@@ -472,6 +472,19 @@ public class OzoneDelegationTokenSecretManager
private byte[] validateS3AuthInfo(OzoneTokenIdentifier identifier)
throws InvalidToken {
LOG.trace("Validating S3AuthInfo for identifier:{}", identifier);
+ if (identifier.getOwner() == null) {
+ throw new InvalidToken(
+ "Owner is missing from the S3 auth token");
+ }
+ if (!identifier.getOwner().toString().equals(identifier.getAwsAccessId()))
{
+ LOG.error(
+ "Owner and AWSAccessId is different in the S3 token. Possible "
+ + " security attack: {}",
+ identifier);
+ throw new InvalidToken(
+ "Invalid S3 identifier: owner=" + identifier.getOwner()
+ + ", awsAccessId=" + identifier.getAwsAccessId());
+ }
String awsSecret;
try {
awsSecret = s3SecretManager.getS3UserSecretString(identifier
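Review bot: The LOG.error in the mismatch branch prints the whole identifier, and if OzoneTokenIdentifier.toString() includes the strToSign and signature fields (not visible here, so please confirm), that writes client-supplied signing material into the OM log at ERROR level on every rejected token; since the InvalidToken thrown just below already carries the two fields that matter, the log line could be reduced to `LOG.error("Owner and awsAccessId differ in S3 token: owner={}, awsAccessId={}", identifier.getOwner(), identifier.getAwsAccessId());`. The current message also comes out with a doubled space because the two literals are joined as `"... Possible " + " security attack: {}"`. A null awsAccessId is rejected only indirectly (equals(null) is false) and then reported as `awsAccessId=null`; an explicit null check with its own message, mirroring the owner check, would make the failure unambiguous. validateS3AuthInfo continues past the end of the hunk.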
diff --git
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneDelegationTokenSecretManager.java
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneDelegationTokenSecretManager.java
index 2154974..7f17e0c 100644
---
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneDelegationTokenSecretManager.java
+++
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneDelegationTokenSecretManager.java
@@ -18,6 +18,16 @@
package org.apache.hadoop.ozone.security;
+import java.io.File;
+import java.io.IOException;
+import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.Signature;
+import java.security.cert.X509Certificate;
+import java.util.HashMap;
+import java.util.Map;
+
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import
org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
@@ -36,6 +46,9 @@ import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.test.LambdaTestUtils;
import org.apache.hadoop.util.Time;
+
+import static
org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_RATIS_ENABLE_KEY;
+import static
org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMTokenProto.Type.S3AUTHINFO;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
@@ -43,19 +56,6 @@ import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;
-import java.io.File;
-import java.io.IOException;
-import java.security.KeyPair;
-import java.security.PrivateKey;
-import java.security.PublicKey;
-import java.security.Signature;
-import java.security.cert.X509Certificate;
-import java.util.HashMap;
-import java.util.Map;
-
-import static
org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_RATIS_ENABLE_KEY;
-import static
org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMTokenProto.Type.S3AUTHINFO;
-
/**
* Test class for {@link OzoneDelegationTokenSecretManager}.
*/
@@ -342,6 +342,7 @@ public class TestOzoneDelegationTokenSecretManager {
"20190221/us-west-1/s3/aws4_request\n" +
"c297c080cce4e0927779823d3fd1f5cae71481a8f7dfc7e18d91851294efc47d");
identifier.setAwsAccessId("testuser1");
+ identifier.setOwner(new Text("testuser1"));
secretManager.retrievePassword(identifier);
}
@@ -360,6 +361,7 @@ public class TestOzoneDelegationTokenSecretManager {
"20190221/us-west-1/s3/aws4_request\n" +
"c297c080cce4e0927779823d3fd1f5cae71481a8f7dfc7e18d91851294efc47d");
identifier.setAwsAccessId("testuser2");
+ identifier.setOwner(new Text("testuser2"));
// Case 1: User don't have aws secret set.
LambdaTestUtils.intercept(SecretManager.InvalidToken.class, " No S3 " +
"secret found for S3 identifier",
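Review bot: Only the happy path of the new owner validation is exercised: both tests now set an owner equal to the awsAccessId, but neither the missing-owner branch nor the owner/awsAccessId-mismatch branch introduced in validateS3AuthInfo gets a negative case, so a regression that dropped the check would not be caught. Since this method already collects the failure cases, an additional case could set `identifier.setOwner(new Text("otheruser"));` and then `LambdaTestUtils.intercept(SecretManager.InvalidToken.class, "Invalid S3 identifier", () -> secretManager.retrievePassword(identifier));` (constructed from the intercept call shape visible in this hunk), and a further one with the owner left unset expecting "Owner is missing from the S3 auth token". The enclosing test method continues outside the hunk.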