[ https://issues.apache.org/jira/browse/HDDS-13848?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Fabian Morgan updated HDDS-13848:
---------------------------------
    Description: 
Create new method on IAccessAuthorizer to authorize AssumeRole request in 
Ranger.  The method will be `String 
generateAssumeRoleSessionPolicy(AssumeRoleRequest req)`.  The method will 
ensure the user is authorized to perform the action (considering IAM policy 
grants as well, if any) and if authorized, will return a String that represents 
Ranger JSON permissions that must be included in the STS token.

This ticket will also create a new GEN_ACCESS_TOKEN ACLType.  It will also add 
a new field sessionPolicy to the RequestContext.  When STS tokens are being 
validated by Ranger, the String returned from the initial 
generateAssumeRoleSessionPolicy() method call must be extracted from the token 
and supplied to Ranger via RequestContext.sessionPolicy.

  was:
Create new method on IAccessAuthorizer to authorize AssumeRole request in 
Ranger.  The method will be String 
generateAssumeRoleSessionPolicy(AssumeRoleRequest req).  The method will ensure 
the user is authorized to perform the action (considering IAM policy grants as 
well, if any) and if authorized, will return a String that represents Ranger 
JSON permissions that must be included in the STS token.

This ticket will also create a new GEN_ACCESS_TOKEN ACLType.  It will also add 
a new field sessionPolicy to the RequestContext.  When STS tokens are being 
validated by Ranger, the String returned from the initial 
generateAssumeRoleSessionPolicy() method call must be extracted from the token 
and supplied to Ranger via RequestContext.sessionPolicy.


> [STS] Create new method on IAccessAuthorizer to authorize AssumeRole request 
> in Ranger
> --------------------------------------------------------------------------------------
>
>                 Key: HDDS-13848
>                 URL: https://issues.apache.org/jira/browse/HDDS-13848
>             Project: Apache Ozone
>          Issue Type: Sub-task
>            Reporter: Fabian Morgan
>            Assignee: Fabian Morgan
>            Priority: Major
>
> Create new method on IAccessAuthorizer to authorize AssumeRole request in 
> Ranger.  The method will be `String 
> generateAssumeRoleSessionPolicy(AssumeRoleRequest req)`.  The method will 
> ensure the user is authorized to perform the action (considering IAM policy 
> grants as well, if any) and if authorized, will return a String that 
> represents Ranger JSON permissions that must be included in the STS token.
> This ticket will also create a new GEN_ACCESS_TOKEN ACLType.  It will also 
> add a new field sessionPolicy to the RequestContext.  When STS tokens are 
> being validated by Ranger, the String returned from the initial 
> generateAssumeRoleSessionPolicy() method call must be extracted from the 
> token and supplied to Ranger via RequestContext.sessionPolicy.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
