jojochuang commented on code in PR #8819: URL: https://github.com/apache/ozone/pull/8819#discussion_r2212411855
########## hadoop-hdds/docs/content/design/sts.md: ########## 
@@ -0,0 +1,231 @@ +--- +title: Security Token Service (STS) for Ozone +summary: Allows clients to generate temporary S3 credentials using a REST API. +date: 2025-07-16 +jira: HDDS-13323 +status: implementing +author: Ren Koike +--- +<!-- + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. See accompanying LICENSE file. +--> +# Introduction + +S3 credentials used to communicate with Ozone S3 APIs are based on the kerberos credential used to run the ozone CLI to generate the S3 credential. There is a configuration to specify a S3 Administrator (or default to OM administrators) who can generate S3 credentials for other kerberos principals. + +Historically the Ozone community has had an interest in having a REST API to be able to programmatically be able to generate S3 credentials. + +With Amazon AWS, there is a central service which has the ability to generate [Security Tokens that span resources across services](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html). + +This document covers a basic proposal that describes how Ozone can offer a stand alone STS service that can be used by users to use REST APIs to retrieve. This can be later extended to integrate with a centralized STS service. + +## Requirements + +### Functional requirements + +1. 
Allow privileged users to generate temporary S3 credentials with: + * Limited duration + * Restricted to specific bucket/prefix paths + * Restricted to specific S3 operations + * Issuing credentials either to self or another identity +2. Authenticate the AssumeRoleKerberos call using Kerberos +3. Authorize the credential issuance via Ranger +4. Store temporary credentials securely in Ozone Manager +5. Validate S3 API calls using the temporary credentials against stored permissions +6. Verify all operations against Ranger policies +7. Expire the credentials depending on the configured duration +8. Should work with Ozone native ACLs when without Ranger + * Ozone native ACLs are not as rich as Ranger policies, so this will be a subset of the functionality +9. Should work with external stores such as vault (currently Ozone supports this for S3 credentials) + +### Non functional requirements + +1. Support in the order of 20k credentials + +## API Spec + +Ozone will serve Rest endpoints over the webui ports currently in place. + +Clients will need to authenticate with Kerberose before calling the AssumeRoleKerberos endpoint. The AssumeRoleKerberos endpoint will allow a client to Assume a Role specified in Ranger if the user principal used is part of the Role list of users. Each invocation will include a list of bucket:prefix:action list. This list has to be a subset of what the Role in Ranger has access to. + +Ozone will call Ranger to authorize the AssumeRoleKerberos request. Once authorized, Ozone will generate S3 credentials and store the S3 credentials, role and resources requested. Review Comment: will this require a new Ranger API? I'm curious because the existing Ranger or Ozone native ACL authorization model do not look suitable for this purpose. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. 
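Review bot: In the "API Spec" section the enforcement model for the per-credential `bucket:prefix:action` list is left implicit: the text says the list "has to be a subset of what the Role in Ranger has access to" at issuance time, and the functional requirements separately say S3 calls are validated "against stored permissions" (5) and "against Ranger policies" (6), but the spec never states that both checks apply to every call (effective access = stored list ∩ current Ranger policy), nor what happens when the role's Ranger policy is narrowed or the user is removed from the role after issuance; the doc should say explicitly that a temporary credential can never grant more than the role grants at call time, and that 20k outstanding credentials (non-functional requirement 1) therefore do not need to be revoked individually when a policy changes. Two smaller points in the same hunk: requirement 1 says "Issuing credentials either to self or another identity" but the "API Spec" only authorizes the caller against the role's user list, so it should state which principal must be in the role (caller, target, or both) and which one is recorded as the owner for audit; and since the endpoint returns a secret over "the webui ports currently in place", the spec should require HTTPS on those ports and say what "Store temporary credentials securely in Ozone Manager" (requirement 4) means in practice (encrypted at rest, or delegated to the external store from requirement 9). Typos: "Kerberose" should be "Kerberos", and the sentence "that can be used by users to use REST APIs to retrieve." is missing its object.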