jojochuang commented on code in PR #8819: URL: https://github.com/apache/ozone/pull/8819#discussion_r2213844653
########## hadoop-hdds/docs/content/design/sts.md: ########## 
@@ -37,20 +41,30 @@ This document covers a basic proposal that describes how Ozone can offer a stand * Limited duration * Restricted to specific bucket/prefix paths * Restricted to specific S3 operations - * Issuing credentials either to self or another identity -2. Authenticate the AssumeRoleKerberos call using Kerberos -3. Authorize the credential issuance via Ranger -4. Store temporary credentials securely in Ozone Manager -5. Validate S3 API calls using the temporary credentials against stored permissions -6. Verify all operations against Ranger policies -7. Expire the credentials depending on the configured duration -8. Should work with Ozone native ACLs when without Ranger - * Ozone native ACLs are not as rich as Ranger policies, so this will be a subset of the functionality -9. Should work with external stores such as vault (currently Ozone supports this for S3 credentials) - + * Issuing credentials either to self or another identity +2. The Ozone STS API can be called through the AWS SDKs. +3. Support for service equivalent to AWS STS AssumeRole with Kerberos authentication. +4. Authenticate the AssumeRoleKerberos call using Kerberos +5. Should work with Ozone native ACLs without Ranger +6. Authorize the credential issuance via Ranger +7. Store temporary credentials securely in Ozone Manager +8. Validate S3 API calls using the temporary credentials against stored permissions +9. Verify all operations against Ranger policies +10. Expire the credentials depending on the configured duration +11. Should work with external stores such as vault (currently Ozone supports this for S3 credentials) ### Non functional requirements 1. Support in the order of 20k credentials +2. Support STS actions other than AssumeRole. Those are:

Review Comment: these would fall under "functional requirements"

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscr...@ozone.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
For additional commands, e-mail: issues-h...@ozone.apache.org
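Review bot: The rewritten functional list in this hunk drops the caveat that sat under the old item 8 ("Ozone native ACLs are not as rich as Ranger policies, so this will be a subset of the functionality"); new item 5 ("Should work with Ozone native ACLs without Ranger") now reads as an unqualified requirement, so readers will assume bucket/prefix and operation scoping works the same with native ACLs as with Ranger. Restore that sub-bullet under item 5. Items 3 and 4 ("Support for service equivalent to AWS STS AssumeRole with Kerberos authentication." and "Authenticate the AssumeRoleKerberos call using Kerberos") say the same thing and should be merged. Items 8 and 9 ("Validate S3 API calls using the temporary credentials against stored permissions" and "Verify all operations against Ranger policies") leave open which check wins when they disagree; the security-relevant intent is that the restrictions attached to the credential (bucket/prefix, allowed operations, duration) are enforced on every request as an additional cap on top of the Ranger or native-ACL decision, never as a substitute for it, and that the expiry in item 10 is checked per request rather than only at issuance. Spell that out in the text. Finally, the last added line ("+2. Support STS actions other than AssumeRole. Those are:") ends mid-sentence in this hunk and sits under "### Non functional requirements"; as already noted, it belongs in the functional list.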