xiaoyuyao commented on a change in pull request #1871:
URL: https://github.com/apache/ozone/pull/1871#discussion_r568849894



##########
File path: 
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java
##########
@@ -472,6 +472,19 @@ public boolean verifySignature(OzoneTokenIdentifier 
identifier,
   private byte[] validateS3AuthInfo(OzoneTokenIdentifier identifier)
       throws InvalidToken {
     LOG.trace("Validating S3AuthInfo for identifier:{}", identifier);
+    if (identifier.getOwner() == null) {
+      throw new InvalidToken(
+          "Owner is missing from the S3 auth token");
+    }
+    if (!identifier.getOwner().toString().equals(identifier.getAwsAccessId())) 
{
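Review bot: the null guard covers `identifier.getOwner()` but not `identifier.getAwsAccessId()`; since `owner.toString().equals(null)` is simply false, a token with a missing access id drops into the mismatch branch on the last line of the hunk (its body is cut off here), so the error raised there cannot tell "access id absent" from "access id does not match owner". Consider a second explicit guard, e.g. `if (identifier.getAwsAccessId() == null) { throw new InvalidToken("AWS access id is missing from the S3 auth token"); }`, and a unit test for each of the three rejected shapes (null owner, null access id, owner != access id) alongside the accepted one, since this comparison is what ties the UGI derived from the owner field to the S3 credential being validated.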

Review comment:
Makes sense to me. I further checked the Hadoop RPC code, and the UGI of the
token user is taken from the owner field of the identifier. Because the S3 token
identifier is not protected with a token signature like the Hadoop delegation
token, the proposed check of owner against awsAccessId is the right fix.



