ritesh pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/master by this push:
new 20863d3148 HDDS-7139. INVALID_TOKEN is handled as internal error in
S3G (#3698)
20863d3148 is described below
commit 20863d314881f7b0cf218a3967d841714f598d3b
Author: Doroszlai, Attila <[email protected]>
AuthorDate: Fri Aug 19 19:29:21 2022 +0200
HDDS-7139. INVALID_TOKEN is handled as internal error in S3G (#3698)
---
.../dist/src/main/smoketest/s3/objectputget.robot | 6 ++++++
.../apache/hadoop/ozone/s3/endpoint/BucketEndpoint.java | 12 ++++++------
.../apache/hadoop/ozone/s3/endpoint/EndpointBase.java | 7 +++++++
.../apache/hadoop/ozone/s3/endpoint/ObjectEndpoint.java | 16 ++++++++--------
4 files changed, 27 insertions(+), 14 deletions(-)
diff --git a/hadoop-ozone/dist/src/main/smoketest/s3/objectputget.robot
b/hadoop-ozone/dist/src/main/smoketest/s3/objectputget.robot
index 575e53826d..46608e7357 100644
--- a/hadoop-ozone/dist/src/main/smoketest/s3/objectputget.robot
+++ b/hadoop-ozone/dist/src/main/smoketest/s3/objectputget.robot
@@ -45,6 +45,12 @@ Get object from s3
${result} = Execute AWSS3ApiCli get-object --bucket
${BUCKET} --key ${PREFIX}/putobject/key=value/f1 /tmp/testfile.result
Compare files /tmp/testfile /tmp/testfile.result
+#This test depends on the previous test case. Can't be executed alone
+Get object with wrong signature
+ Pass Execution If '${SECURITY_ENABLED}' == 'false' Skip in
unsecure cluster
+ ${result} = Execute and Ignore Error curl -i -H
'Authorization: AWS scm/[email protected]:asdfqwerty'
${ENDPOINT_URL}/${BUCKET}/${PREFIX}/putobject/key=value/f1
+ Should contain ${result}
403 Forbidden
+
Get Partial object from s3 with both start and endoffset
${result} = Execute AWSS3ApiCli get-object --bucket
${BUCKET} --key ${PREFIX}/putobject/key=value/f1 --range bytes=0-4
/tmp/testfile1.result
Should contain ${result}
ContentRange
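Review bot: The new "Get object with wrong signature" case asserts only the status line (`403 Forbidden`) for a single GET, so a response with 403 but the wrong S3 error code would still pass. Assuming the response body carries the S3 error code, adding `Should contain ${result} AccessDenied` after the status check would pin the mapping this commit introduces. The other handlers changed in the same commit (put, delete, multipart, bucket and ACL operations) get no rejected-credential coverage here, so at least one write-path case would be worth adding.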
diff --git
a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/endpoint/BucketEndpoint.java
b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/endpoint/BucketEndpoint.java
index 0ece60bb40..18272c2f10 100644
---
a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/endpoint/BucketEndpoint.java
+++
b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/endpoint/BucketEndpoint.java
@@ -146,7 +146,7 @@ public class BucketEndpoint extends EndpointBase {
AUDIT.logReadFailure(
buildAuditMessageForFailure(s3GAction, getAuditParameters(), ex));
getMetrics().incGetBucketFailure();
- if (ex.getResult() == ResultCodes.PERMISSION_DENIED) {
+ if (isAccessDenied(ex)) {
throw newError(S3ErrorTable.ACCESS_DENIED, bucketName, ex);
} else {
throw ex;
@@ -300,7 +300,7 @@ public class BucketEndpoint extends EndpointBase {
buildAuditMessageForFailure(s3GAction, getAuditParameters(),
exception));
getMetrics().incListMultipartUploadsFailure();
- if (exception.getResult() == ResultCodes.PERMISSION_DENIED) {
+ if (isAccessDenied(exception)) {
throw newError(S3ErrorTable.ACCESS_DENIED, prefix, exception);
}
throw exception;
@@ -355,7 +355,7 @@ public class BucketEndpoint extends EndpointBase {
throw newError(S3ErrorTable.BUCKET_NOT_EMPTY, bucketName, ex);
} else if (ex.getResult() == ResultCodes.BUCKET_NOT_FOUND) {
throw newError(S3ErrorTable.NO_SUCH_BUCKET, bucketName, ex);
- } else if (ex.getResult() == ResultCodes.PERMISSION_DENIED) {
+ } else if (isAccessDenied(ex)) {
throw newError(S3ErrorTable.ACCESS_DENIED, bucketName, ex);
} else {
throw ex;
@@ -400,7 +400,7 @@ public class BucketEndpoint extends EndpointBase {
result.addDeleted(new DeletedObject(keyToDelete.getKey()));
}
} catch (OMException ex) {
- if (ex.getResult() == ResultCodes.PERMISSION_DENIED) {
+ if (isAccessDenied(ex)) {
result.addError(
new Error(keyToDelete.getKey(), "PermissionDenied",
ex.getMessage()));
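Review bot: In this multi-delete catch block an `INVALID_TOKEN` failure is now recorded as a per-key `PermissionDenied` entry carrying `ex.getMessage()`, so a request whose credentials were rejected appears to receive a normal response listing each key together with the Ozone Manager's message text, rather than a single 403. The enclosing loop starts and ends outside the hunk, so this reading needs confirming against the full method. If it holds, the token case should fail the whole request before the per-key branch, e.g. `if (ex.getResult() == ResultCodes.INVALID_TOKEN) { throw newError(S3ErrorTable.ACCESS_DENIED, bucketName, ex); }`, using whatever resource name is in scope there. Returning a fixed message instead of `ex.getMessage()` would also avoid echoing server-side validation detail to a caller that has not authenticated.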
@@ -463,7 +463,7 @@ public class BucketEndpoint extends EndpointBase {
auditReadFailure(S3GAction.GET_ACL, ex);
if (ex.getResult() == ResultCodes.BUCKET_NOT_FOUND) {
throw newError(S3ErrorTable.NO_SUCH_BUCKET, bucketName, ex);
- } else if (ex.getResult() == ResultCodes.PERMISSION_DENIED) {
+ } else if (isAccessDenied(ex)) {
throw newError(S3ErrorTable.ACCESS_DENIED, bucketName, ex);
} else {
throw newError(S3ErrorTable.INTERNAL_ERROR, bucketName, ex);
@@ -565,7 +565,7 @@ public class BucketEndpoint extends EndpointBase {
auditWriteFailure(S3GAction.PUT_ACL, exception);
if (exception.getResult() == ResultCodes.BUCKET_NOT_FOUND) {
throw newError(S3ErrorTable.NO_SUCH_BUCKET, bucketName, exception);
- } else if (exception.getResult() == ResultCodes.PERMISSION_DENIED) {
+ } else if (isAccessDenied(exception)) {
throw newError(S3ErrorTable.ACCESS_DENIED, bucketName, exception);
}
throw exception;
diff --git
a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/endpoint/EndpointBase.java
b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/endpoint/EndpointBase.java
index ee3958ae1c..cc76f267b1 100644
---
a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/endpoint/EndpointBase.java
+++
b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/endpoint/EndpointBase.java
@@ -305,4 +305,11 @@ public abstract class EndpointBase implements Auditor {
AUDIT.logReadFailure(
buildAuditMessageForFailure(action, getAuditParameters(), ex));
}
+
+ protected boolean isAccessDenied(OMException ex) {
+ ResultCodes result = ex.getResult();
+ return result == ResultCodes.PERMISSION_DENIED
+ || result == ResultCodes.INVALID_TOKEN;
+ }
+
}
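Review bot: `isAccessDenied` has no Javadoc, and its name hides that it now folds an authentication failure (`INVALID_TOKEN`) into the same S3 answer as an authorization failure (`PERMISSION_DENIED`). A short comment would make the intent reviewable, for example `/** True if the OM rejected the caller: PERMISSION_DENIED (not authorized) or INVALID_TOKEN (credentials not accepted); both map to S3 AccessDenied. */`. Handlers that rethrow an `OMException` without consulting this helper would presumably still surface `INVALID_TOKEN` as an internal error, so the remaining catch blocks in the endpoint classes are worth checking. Since clients now see one code for both cases, anything that must tell a bad signature from a denied permission (audit review, alerting on repeated credential failures) has to read the original result code from the audit record.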
diff --git
a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/endpoint/ObjectEndpoint.java
b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/endpoint/ObjectEndpoint.java
index 940df2f858..307378c9f3 100644
---
a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/endpoint/ObjectEndpoint.java
+++
b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/endpoint/ObjectEndpoint.java
@@ -238,7 +238,7 @@ public class ObjectEndpoint extends EndpointBase {
" considered as Unix Paths. Path has Violated FS Semantics " +
"which caused put operation to fail.");
throw os3Exception;
- } else if (ex.getResult() == ResultCodes.PERMISSION_DENIED) {
+ } else if (isAccessDenied(ex)) {
throw newError(S3ErrorTable.ACCESS_DENIED, keyPath, ex);
} else if (ex.getResult() == ResultCodes.BUCKET_NOT_FOUND) {
throw newError(S3ErrorTable.NO_SUCH_BUCKET, bucketName, ex);
@@ -393,7 +393,7 @@ public class ObjectEndpoint extends EndpointBase {
}
if (ex.getResult() == ResultCodes.KEY_NOT_FOUND) {
throw newError(S3ErrorTable.NO_SUCH_KEY, keyPath, ex);
- } else if (ex.getResult() == ResultCodes.PERMISSION_DENIED) {
+ } else if (isAccessDenied(ex)) {
throw newError(S3ErrorTable.ACCESS_DENIED, keyPath, ex);
} else if (ex.getResult() == ResultCodes.BUCKET_NOT_FOUND) {
throw newError(S3ErrorTable.NO_SUCH_BUCKET, bucketName, ex);
@@ -452,7 +452,7 @@ public class ObjectEndpoint extends EndpointBase {
if (ex.getResult() == ResultCodes.KEY_NOT_FOUND) {
// Just return 404 with no content
return Response.status(Status.NOT_FOUND).build();
- } else if (ex.getResult() == ResultCodes.PERMISSION_DENIED) {
+ } else if (isAccessDenied(ex)) {
throw newError(S3ErrorTable.ACCESS_DENIED, keyPath, ex);
} else if (ex.getResult() == ResultCodes.BUCKET_NOT_FOUND) {
throw newError(S3ErrorTable.NO_SUCH_BUCKET, bucketName, ex);
@@ -550,7 +550,7 @@ public class ObjectEndpoint extends EndpointBase {
// to true will throw DIRECTORY_NOT_EMPTY error for a non-empty dir.
// NOT_FOUND is not a problem, AWS doesn't throw exception for missing
// keys. Just return 204
- } else if (ex.getResult() == ResultCodes.PERMISSION_DENIED) {
+ } else if (isAccessDenied(ex)) {
throw newError(S3ErrorTable.ACCESS_DENIED, keyPath, ex);
} else {
throw ex;
@@ -613,7 +613,7 @@ public class ObjectEndpoint extends EndpointBase {
} catch (OMException ex) {
auditWriteFailure(s3GAction, ex);
getMetrics().incInitMultiPartUploadFailure();
- if (ex.getResult() == ResultCodes.PERMISSION_DENIED) {
+ if (isAccessDenied(ex)) {
throw newError(S3ErrorTable.ACCESS_DENIED, key, ex);
}
throw ex;
@@ -803,7 +803,7 @@ public class ObjectEndpoint extends EndpointBase {
getMetrics().incCreateMultipartKeyFailure();
if (ex.getResult() == ResultCodes.NO_SUCH_MULTIPART_UPLOAD_ERROR) {
throw newError(NO_SUCH_UPLOAD, uploadID, ex);
- } else if (ex.getResult() == ResultCodes.PERMISSION_DENIED) {
+ } else if (isAccessDenied(ex)) {
throw newError(S3ErrorTable.ACCESS_DENIED, bucket + "/" + key, ex);
}
throw ex;
@@ -860,7 +860,7 @@ public class ObjectEndpoint extends EndpointBase {
getMetrics().incListPartsFailure();
if (ex.getResult() == ResultCodes.NO_SUCH_MULTIPART_UPLOAD_ERROR) {
throw newError(NO_SUCH_UPLOAD, uploadID, ex);
- } else if (ex.getResult() == ResultCodes.PERMISSION_DENIED) {
+ } else if (isAccessDenied(ex)) {
throw newError(S3ErrorTable.ACCESS_DENIED,
bucket + "/" + key + "/" + uploadID, ex);
}
@@ -952,7 +952,7 @@ public class ObjectEndpoint extends EndpointBase {
throw newError(S3ErrorTable.NO_SUCH_KEY, sourceKey, ex);
} else if (ex.getResult() == ResultCodes.BUCKET_NOT_FOUND) {
throw newError(S3ErrorTable.NO_SUCH_BUCKET, sourceBucket, ex);
- } else if (ex.getResult() == ResultCodes.PERMISSION_DENIED) {
+ } else if (isAccessDenied(ex)) {
throw newError(S3ErrorTable.ACCESS_DENIED,
destBucket + "/" + destkey, ex);
}