This is an automated email from the ASF dual-hosted git repository.
sammichen pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/master by this push:
new d3086418e14 HDDS-13857. [STS] Update verbiage for revocation (#9699)
d3086418e14 is described below
commit d3086418e147b22ad1be7827bb37c2501b86181e
Author: fmorg-git <[email protected]>
AuthorDate: Tue Feb 3 05:23:07 2026 -0800
HDDS-13857. [STS] Update verbiage for revocation (#9699)
---
hadoop-hdds/docs/content/design/ozone-sts.md | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hadoop-hdds/docs/content/design/ozone-sts.md
b/hadoop-hdds/docs/content/design/ozone-sts.md
index 93d86fcd9ba..fc335dc4de8 100644
--- a/hadoop-hdds/docs/content/design/ozone-sts.md
+++ b/hadoop-hdds/docs/content/design/ozone-sts.md
@@ -150,6 +150,10 @@ will be created to run every 3 hours to delete revoked
tokens that have been in
input parameter for the command-line utility will be the sessionToken - this
value is returned in plain text as a result
of the AssumeRole call (mentioned above). In this way, specific STS tokens
can be revoked as opposed to all tokens. Furthermore,
AWS doesn't have a standard API to revoke tokens therefore we are creating our
own system.
+
+Additionally, if the Kerberos identity of the user that created the STS token
is revoked via the `ozone s3 revokesecret`
+command, then all the existing and unexpired STS tokens that user created will
be revoked.
+
Note: STS token revocation checks are strictly enforced and will fail-closed
if there are internal errors such as not
being able to communicate with the revocation database table, etc.
Note: The creator of the STS token or an S3/tenant admin are the only ones
allowed to revoke a token.
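Review bot: The new paragraph ("if the Kerberos identity of the user that created the STS token is revoked via the `ozone s3 revokesecret` command") conflates two different things: `ozone s3 revokesecret` revokes the user's S3 secret, not the Kerberos identity itself, so the sentence as written describes a trigger that the command does not perform. Suggest rewording to something like "if the S3 secret of the Kerberos user that created the STS token is revoked via the `ozone s3 revokesecret` command, then all existing and unexpired STS tokens that user created are also treated as revoked." It would also help to say in the same paragraph how this is enforced, i.e. whether the tokens are written into the revocation table (and therefore covered by the 3-hour cleanup job mentioned in the hunk context and by the fail-closed note that follows) or whether validation checks the creator's secret status at request time, since the two designs behave differently when the revocation database is unreachable.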