adoroszlai pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/master by this push:
new 56ce59166d HDDS-11040. Disable REST endpoint for S3 secret
manipulation by username (#6839)
56ce59166d is described below
commit 56ce59166d2a7354b1b459dc325dba5e2e65c6fb
Author: Ivan Zlenko <[email protected]>
AuthorDate: Wed Jul 10 15:06:45 2024 +0400
HDDS-11040. Disable REST endpoint for S3 secret manipulation by username
(#6839)
---
hadoop-ozone/dist/src/main/smoketest/s3/secretgenerate.robot | 4 +++-
hadoop-ozone/dist/src/main/smoketest/s3/secretrevoke.robot | 4 +++-
.../apache/hadoop/ozone/s3secret/S3SecretManagementEndpoint.java | 7 +++++--
.../java/org/apache/hadoop/ozone/s3secret/TestSecretGenerate.java | 2 ++
.../java/org/apache/hadoop/ozone/s3secret/TestSecretRevoke.java | 2 ++
5 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/hadoop-ozone/dist/src/main/smoketest/s3/secretgenerate.robot
b/hadoop-ozone/dist/src/main/smoketest/s3/secretgenerate.robot
index 70dcfa1abe..e9b5dd5df7 100644
--- a/hadoop-ozone/dist/src/main/smoketest/s3/secretgenerate.robot
+++ b/hadoop-ozone/dist/src/main/smoketest/s3/secretgenerate.robot
@@ -45,13 +45,15 @@ S3 Gateway Secret Already Exists
Should contain ${result} HTTP/1.1 400
S3_SECRET_ALREADY_EXISTS ignore_case=True
S3 Gateway Generate Secret By Username
+ [Tags] robot:skip # TODO: Enable after HDDS-11041 is done.
Pass Execution If '${SECURITY_ENABLED}' == 'false' Skipping this
check as security is not enabled
${result} = Execute curl -X PUT
--negotiate -u : -v ${ENDPOINT_URL}/secret/testuser
Should contain ${result} HTTP/1.1 200
OK ignore_case=True
Should Match Regexp ${result}
<awsAccessKey>.*</awsAccessKey><awsSecret>.*</awsSecret>
S3 Gateway Generate Secret By Username For Other User
+ [Tags] robot:skip # TODO: Enable after HDDS-11041 is done.
Pass Execution If '${SECURITY_ENABLED}' == 'false' Skipping this
check as security is not enabled
${result} = Execute curl -X PUT
--negotiate -u : -v ${ENDPOINT_URL}/secret/testuser2
Should contain ${result} HTTP/1.1 200
OK ignore_case=True
- Should Match Regexp ${result}
<awsAccessKey>.*</awsAccessKey><awsSecret>.*</awsSecret>
\ No newline at end of file
+ Should Match Regexp ${result}
<awsAccessKey>.*</awsAccessKey><awsSecret>.*</awsSecret>
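Review bot: Tagging the two by-username cases `robot:skip` leaves the smoke suite with no check that `PUT ${ENDPOINT_URL}/secret/testuser` is now refused, so an accidental re-enable of the endpoint would go unnoticed. Until HDDS-11041 is done, keeping the cases and changing the expectation to `Should contain    ${result}    HTTP/1.1 405` (without the `Should Match Regexp` line) would pin the disabled behaviour. The same applies to the two DELETE cases in secretrevoke.robot and to the `@Unhealthy("HDDS-11041")` unit tests in TestSecretGenerate and TestSecretRevoke, where an assertion such as `assertEquals(405, endpoint.revoke(OTHER_USER_NAME).getStatus());` would do the same job.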
diff --git a/hadoop-ozone/dist/src/main/smoketest/s3/secretrevoke.robot
b/hadoop-ozone/dist/src/main/smoketest/s3/secretrevoke.robot
index 0f15f23067..59725c0416 100644
--- a/hadoop-ozone/dist/src/main/smoketest/s3/secretrevoke.robot
+++ b/hadoop-ozone/dist/src/main/smoketest/s3/secretrevoke.robot
@@ -38,13 +38,15 @@ S3 Gateway Revoke Secret
Should contain ${result} HTTP/1.1 200 OK
ignore_case=True
S3 Gateway Revoke Secret By Username
+ [Tags] robot:skip # TODO: Enable after HDDS-11041 is done.
Pass Execution If '${SECURITY_ENABLED}' == 'false' Skipping this
check as security is not enabled
Execute ozone s3 getsecret
-u testuser ${OM_HA_PARAM}
${result} = Execute curl -X DELETE
--negotiate -u : -v ${ENDPOINT_URL}/secret/testuser
Should contain ${result} HTTP/1.1 200 OK
ignore_case=True
S3 Gateway Revoke Secret By Username For Other User
+ [Tags] robot:skip # TODO: Enable after HDDS-11041 is done.
Pass Execution If '${SECURITY_ENABLED}' == 'false' Skipping this
check as security is not enabled
Execute ozone s3 getsecret
-u testuser2 ${OM_HA_PARAM}
${result} = Execute curl -X DELETE
--negotiate -u : -v ${ENDPOINT_URL}/secret/testuser2
- Should contain ${result} HTTP/1.1 200 OK
ignore_case=True
\ No newline at end of file
+ Should contain ${result} HTTP/1.1 200 OK
ignore_case=True
diff --git
a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3secret/S3SecretManagementEndpoint.java
b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3secret/S3SecretManagementEndpoint.java
index 9c9ccd227d..4ea17d2a2f 100644
---
a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3secret/S3SecretManagementEndpoint.java
+++
b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3secret/S3SecretManagementEndpoint.java
@@ -33,6 +33,7 @@ import javax.ws.rs.core.Response;
import java.io.IOException;
import static javax.ws.rs.core.Response.Status.BAD_REQUEST;
+import static javax.ws.rs.core.Response.Status.METHOD_NOT_ALLOWED;
import static javax.ws.rs.core.Response.Status.NOT_FOUND;
/**
@@ -53,7 +54,8 @@ public class S3SecretManagementEndpoint extends
S3SecretEndpointBase {
@Path("/{username}")
public Response generate(@PathParam("username") String username)
throws IOException {
- return generateInternal(username);
+ // TODO: It is a temporary solution. To be removed after HDDS-11041 is
done.
+ return Response.status(METHOD_NOT_ALLOWED).build();
}
private Response generateInternal(@Nullable String username) throws
IOException {
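Review bot: The stubbed `generate` returns a bare 405 with no `Allow` header and no entity, and its TODO does not say why the by-username path is disabled, so neither a client nor a later maintainer can tell a deliberate lock-down from a routing mistake. A comment along the lines of `// Disabled until HDDS-11041: by-username requests must not reach generateInternal(username).` would record the intent, and the response should carry the `Allow` header that RFC 9110 expects on a 405, or use 403 if the point is that no caller may act on another user's secret. The commit does not state the reason; the smoke tests that expected 200 for `testuser2` suggest a missing authorization check, but that is an inference. The `username` parameter and `throws IOException` are now unused on this method, and the same points apply to `revoke` in the next hunk.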
@@ -93,7 +95,8 @@ public class S3SecretManagementEndpoint extends
S3SecretEndpointBase {
@Path("/{username}")
public Response revoke(@PathParam("username") String username)
throws IOException {
- return revokeInternal(username);
+ // TODO: It is a temporary solution. To be removed after HDDS-11041 is
done.
+ return Response.status(METHOD_NOT_ALLOWED).build();
}
private Response revokeInternal(@Nullable String username)
diff --git
a/hadoop-ozone/s3gateway/src/test/java/org/apache/hadoop/ozone/s3secret/TestSecretGenerate.java
b/hadoop-ozone/s3gateway/src/test/java/org/apache/hadoop/ozone/s3secret/TestSecretGenerate.java
index 681452130a..d1f81faddd 100644
---
a/hadoop-ozone/s3gateway/src/test/java/org/apache/hadoop/ozone/s3secret/TestSecretGenerate.java
+++
b/hadoop-ozone/s3gateway/src/test/java/org/apache/hadoop/ozone/s3secret/TestSecretGenerate.java
@@ -33,6 +33,7 @@ import org.apache.hadoop.ozone.client.OzoneClientStub;
import org.apache.hadoop.ozone.client.protocol.ClientProtocol;
import org.apache.hadoop.ozone.om.exceptions.OMException;
import org.apache.hadoop.ozone.om.helpers.S3SecretValue;
+import org.apache.ozone.test.tag.Unhealthy;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
@@ -111,6 +112,7 @@ class TestSecretGenerate {
}
@Test
+ @Unhealthy("HDDS-11041")
void testSecretGenerateWithUsername() throws IOException {
hasNoSecretYet();
diff --git
a/hadoop-ozone/s3gateway/src/test/java/org/apache/hadoop/ozone/s3secret/TestSecretRevoke.java
b/hadoop-ozone/s3gateway/src/test/java/org/apache/hadoop/ozone/s3secret/TestSecretRevoke.java
index b26df0e899..85e6bd4c10 100644
---
a/hadoop-ozone/s3gateway/src/test/java/org/apache/hadoop/ozone/s3secret/TestSecretRevoke.java
+++
b/hadoop-ozone/s3gateway/src/test/java/org/apache/hadoop/ozone/s3secret/TestSecretRevoke.java
@@ -30,6 +30,7 @@ import org.apache.hadoop.ozone.client.ObjectStoreStub;
import org.apache.hadoop.ozone.client.OzoneClient;
import org.apache.hadoop.ozone.client.OzoneClientStub;
import org.apache.hadoop.ozone.om.exceptions.OMException;
+import org.apache.ozone.test.tag.Unhealthy;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
@@ -97,6 +98,7 @@ public class TestSecretRevoke {
}
@Test
+ @Unhealthy("HDDS-11041")
void testSecretRevokeWithUsername() throws IOException {
endpoint.revoke(OTHER_USER_NAME);
verify(objectStore, times(1))