mneethiraj commented on code in PR #9214:
URL: https://github.com/apache/ozone/pull/9214#discussion_r2476032464


##########
hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/IAccessAuthorizer.java:
##########
@@ -67,7 +86,9 @@ enum ACLType {
     READ_ACL,
     WRITE_ACL,
     ALL,
-    NONE;
+    NONE,
+    GEN_ACCESS_TOKEN;   // ability to create STS tokens
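
Review bot: if `ALL` is interpreted by the authorizer as the union of every other `ACLType`, adding `GEN_ACCESS_TOKEN` silently widens what existing `ALL` grants confer, so any principal already holding `ALL` gains the ability to mint STS tokens without anyone granting it explicitly; please confirm that is intended, and otherwise exclude the new type from `ALL` or require it to be granted on its own. The trailing `// ability to create STS tokens` is the only documentation of the new constant; a Javadoc stating which operation checks it (the AssumeRole path, per the other hunk) would make the enum self-explanatory.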

Review Comment:
   How about naming the enum to reflect the new method name 
`generateAssumeRoleSessionPolicy()` - `GEN_ACCESS_TOKEN` => `ASSUME_ROLE`?



##########
hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/AssumeRoleRequest.java:
##########
@@ -0,0 +1,94 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.security.acl;
+
+import java.net.InetAddress;
+import java.util.AbstractMap;
+import java.util.Objects;
+import java.util.Set;
+import net.jcip.annotations.Immutable;
+import org.apache.hadoop.security.UserGroupInformation;
+
+/**
+ * Represents an S3 AssumeRole request that needs to be authorized by an 
IAccessAuthorizer.
+ * The grants parameter can be null if the access must not be limited beyond 
the role.
+ * Note that if the grants is parameter is the empty set, this means the 
access should
+ * be the intersection of the role and the empty set, meaning no access will 
be granted.
+ */
+@Immutable
+public class AssumeRoleRequest {
+  private final String host;
+  private final InetAddress ip;
+  private final UserGroupInformation clientUgi;
+  private final String targetRoleName;
+  private final Set<AbstractMap.SimpleImmutableEntry<Set<IOzoneObj>, 
Set<IAccessAuthorizer.ACLType>>> grants;
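
Review bot: the class is annotated `@Immutable`, yet `grants` is a `Set` of entries that themselves hold `Set`s, and `clientUgi` is a mutable `UserGroupInformation`; if the constructor (not shown in this hunk) stores the caller's references as-is, a caller can change the grant set after the request has been authorized. The constructor should deep-copy the grants into unmodifiable collections (a shallow `Collections.unmodifiableSet(new HashSet<>(grants))` is not enough because the inner sets stay mutable) while keeping the null-versus-empty distinction the Javadoc relies on, since `null` means "not limited beyond the role" and an empty set means "no access at all"; that distinction deserves a `@Nullable` on the field and accessor rather than living only in the class comment. Minor: the Javadoc sentence "if the grants is parameter is the empty set" has a stray "is".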

Review Comment:
   `AbstractMap.SimpleImmutableEntry<Set<IOzoneObj>, 
Set<IAccessAuthorizer.ACLType>>` is too long to read! How about using a small 
class, `OzoneGrant`, to abstract this?
   
   ```
   public class AssumeRoleRequest {
     private final String               host;
     private final InetAddress          ip;
     private final UserGroupInformation clientUgi;
     private final String               targetRoleName;
     private final Set<OzoneGrant>      grants;
     ...
   
     public static class OzoneGrant {
       private final Set<IOzoneObj> objects;
       private final Set<ACLType>   permissions;
       ...
     }
   }
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]