len548 commented on code in PR #8819: URL: https://github.com/apache/ozone/pull/8819#discussion_r2213821189
########## hadoop-hdds/docs/content/design/sts.md: ########## 
@@ -0,0 +1,231 @@ +--- +title: Security Token Service (STS) for Ozone +summary: Allows clients to generate temporary S3 credentials using a REST API. +date: 2025-07-16 +jira: HDDS-13323 +status: implementing +author: Ren Koike +--- +<!-- + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. See accompanying LICENSE file. +--> +# Introduction + +S3 credentials used to communicate with Ozone S3 APIs are based on the kerberos credential used to run the ozone CLI to generate the S3 credential. There is a configuration to specify a S3 Administrator (or default to OM administrators) who can generate S3 credentials for other kerberos principals. + +Historically the Ozone community has had an interest in having a REST API to be able to programmatically be able to generate S3 credentials. + +With Amazon AWS, there is a central service which has the ability to generate [Security Tokens that span resources across services](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html). + +This document covers a basic proposal that describes how Ozone can offer a stand alone STS service that can be used by users to use REST APIs to retrieve. This can be later extended to integrate with a centralized STS service. + +## Requirements + +### Functional requirements + +1. 
Allow privileged users to generate temporary S3 credentials with: + * Limited duration + * Restricted to specific bucket/prefix paths + * Restricted to specific S3 operations + * Issuing credentials either to self or another identity +2. Authenticate the AssumeRoleKerberos call using Kerberos +3. Authorize the credential issuance via Ranger +4. Store temporary credentials securely in Ozone Manager +5. Validate S3 API calls using the temporary credentials against stored permissions +6. Verify all operations against Ranger policies +7. Expire the credentials depending on the configured duration +8. Should work with Ozone native ACLs when without Ranger + * Ozone native ACLs are not as rich as Ranger policies, so this will be a subset of the functionality +9. Should work with external stores such as vault (currently Ozone supports this for S3 credentials) + +### Non functional requirements + +1. Support in the order of 20k credentials
Review Comment: I suppose it is about creation. But let me confirm that after @kerneltime is back and available, as we haven't discussed it further.
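Review bot: Functional requirement 1 allows issuing credentials "either to self or another identity" with bucket/prefix and operation restrictions, but nothing in the requirements bounds the issued scope by what the issuer or the target identity is already permitted to do, and requirements 5 and 6 do not say whether an S3 call must pass both the stored credential restrictions and the Ranger (or native ACL) check, or either one. Please state that the effective permission is the intersection of the credential's stored scope and the policies that apply to the identity it was issued for, and that issuance for another identity cannot widen that identity's access; without that, the AssumeRoleKerberos endpoint is a privilege-escalation path. Two smaller points in the same hunk: requirement 7 covers expiry but there is no requirement for revoking a credential before it expires (for example when the issuing principal is disabled), and "Store temporary credentials securely in Ozone Manager" should say whether the secret key is stored encrypted at rest or only as a derived verifier. Also, the introduction sentence ending "that can be used by users to use REST APIs to retrieve." is cut off, and the non-functional "20k credentials" should say whether it means concurrently active credentials or an issuance rate.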