xiaoyuyao commented on a change in pull request #1871:
URL: https://github.com/apache/ozone/pull/1871#discussion_r568126597
##########
File path:
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java
##########
@@ -472,6 +472,19 @@ public boolean verifySignature(OzoneTokenIdentifier
identifier,
private byte[] validateS3AuthInfo(OzoneTokenIdentifier identifier)
throws InvalidToken {
LOG.trace("Validating S3AuthInfo for identifier:{}", identifier);
+ if (identifier.getOwner() == null) {
+ throw new InvalidToken(
+ "Owner is missing from the S3 auth token");
+ }
+ if (!identifier.getOwner().toString().equals(identifier.getAwsAccessId()))
{
Review comment:
Thanks @elek for working on this. I have one question about the
awsaccessId from identifier or owner, they can all be modified by the attacker
as well. What we need to check is compare awsaccessId from the
identifier.stringtosign using s3 signatureparser (after verify the secret) with
the one from the owner/awsid from the identifier.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
