mneethiraj commented on code in PR #9214:
URL: https://github.com/apache/ozone/pull/9214#discussion_r2479294257
##########
hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/IAccessAuthorizer.java:
##########
@@ -48,6 +48,25 @@ public interface IAccessAuthorizer {
boolean checkAccess(IOzoneObj ozoneObject, RequestContext context)
throws OMException;
+ /**
+ * Attempts to authorize an STS AssumeRole request. If authorized, returns a
String
+ * representation of the authorized session policy. This return value must
be supplied on the subsequent
+ * {@link IAccessAuthorizer#checkAccess(IOzoneObj, RequestContext)} call,
using the
+ * {@link RequestContext.Builder#setSessionPolicy(String)} parameter, and
the authorizer will
+ * use the Role permissions and the session policy permissions to determine
if
+ * the attempted action should be allowed for the given STS token.
+ * <p>
+ * The user making this call must have the {@link ACLType#ASSUME_ROLE}
permission.
+ *
+ * @param assumeRoleRequest the AssumeRole request containing role and
optional limited scope policy grants
+ * @return a String representing the permissions granted
according to the authorizer.
+ * @throws OMException if the caller is not authorized, either for
the role and/or policy or for the
+ * {@link ACLType#ASSUME_ROLE} permission
+ */
+ default String generateAssumeRoleSessionPolicy(AssumeRoleRequest
assumeRoleRequest) throws OMException {
+ return null;
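Review bot: The default implementation should fail closed by throwing OMException rather than returning null. The Javadoc on this method says the return value is then passed to `RequestContext.Builder#setSessionPolicy(String)` and that OMException is thrown when the caller is not authorized; with an authorizer that has not overridden this method, a null instead flows into the session policy, and unless every consumer treats a null session policy as deny, an AssumeRole request could be granted without the `ACLType#ASSUME_ROLE` check the Javadoc promises. Either throw, e.g. `throw new OMException("AssumeRole is not supported by this authorizer", <suitable result code>);`, or state explicitly in the Javadoc that null means "not supported" and must be rejected by the caller.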
Review Comment:
If OMException is to be thrown when the caller is not authorized, shouldn't the
default implementation throw this exception?
##########
hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/AssumeRoleRequest.java:
##########
@@ -0,0 +1,132 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.security.acl;
+
+import java.net.InetAddress;
+import java.util.Objects;
+import java.util.Set;
+import net.jcip.annotations.Immutable;
+import org.apache.hadoop.security.UserGroupInformation;
+
+/**
+ * Represents an S3 AssumeRole request that needs to be authorized by an
IAccessAuthorizer.
+ * The grants parameter can be null if the access must not be limited beyond
the role.
+ * Note that if the grants parameter is the empty set, this means the access
should
+ * be the intersection of the role and the empty set, meaning no access will
be granted.
+ */
+@Immutable
+public class AssumeRoleRequest {
+ private final String host;
+ private final InetAddress ip;
+ private final UserGroupInformation clientUgi;
+ private final String targetRoleName;
+ private final Set<OzoneGrant> grants;
+
+ public AssumeRoleRequest(
+ String host,
+ InetAddress ip,
+ UserGroupInformation clientUgi,
+ String targetRoleName,
+ Set<OzoneGrant> grants
+ ) {
+
+ this.host = host;
+ this.ip = ip;
+ this.clientUgi = clientUgi;
+ this.targetRoleName = targetRoleName;
+ this.grants = grants;
+ }
+
+ public String getHost() {
+ return host;
+ }
+
+ public InetAddress getIp() {
+ return ip;
+ }
+
+ public UserGroupInformation getClientUgi() {
+ return clientUgi;
+ }
+
+ public String getTargetRoleName() {
+ return targetRoleName;
+ }
+
+ public Set<OzoneGrant> getGrants() {
+ return grants;
+ }
+
+ @Override
+ public boolean equals(Object o) {
+ if (o == null || getClass() != o.getClass()) {
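Review bot: `@Immutable` is not upheld for `grants`: the constructor stores the caller's `Set<OzoneGrant>` by reference and `getGrants()` hands that same set back, so the scope restriction can be changed after the request object is built, including while an authorizer is evaluating it. Suggest a defensive, unmodifiable copy that keeps the null-vs-empty distinction the class Javadoc relies on:
`this.grants = grants == null ? null : Collections.unmodifiableSet(new HashSet<>(grants));`
Given that Javadoc (null means "not limited beyond the role", empty means "no access"), it is also worth failing fast on the fields a meaningful request can never lack, e.g. `Objects.requireNonNull(targetRoleName)` and `Objects.requireNonNull(clientUgi)`; `java.util.Objects` is already imported.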
Review Comment:
nit: consider inserting the following before line 77:
```
if (this == o) {
return true;
}
```
Similar change in OzoneGrant.equals() as well.
##########
hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneObj.java:
##########
@@ -146,4 +147,23 @@ public Map<String, String> toAuditMap() {
return auditMap;
}
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) {
+ return true;
+ }
+ if (!(o instanceof OzoneObj)) {
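Review bot: The visible part of this hunk adds an `equals()` override but no `hashCode()`; the two must be overridden together over the same fields, otherwise `OzoneObj` instances used as `HashMap` keys or `HashSet` members will compare equal yet hash differently. If `hashCode()` is in the remainder of this 23-line hunk, please disregard; if not, add one built from exactly the fields `equals()` compares (e.g. `Objects.hash(resType, storeType, ...)`).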
Review Comment:
If there can be multiple implementations of `OzoneObj`, it will be safer to
replace 155-157 with the following:
```
if (o == null || getClass() != o.getClass()) {
return false;
}
```
Also, it will be efficient for implementations of `OzoneObj` abstract class
to provide their own equals() and hashCode() methods, which will avoid
potentially expensive `getPath()` calls.
```
public abstract class OzoneObj {
...
@Override
public boolean equals(Object o) {
if (this == o) {
return true;
} else if (o == null || getClass() != o.getClass()) {
return false;
}
OzoneObj that = (OzoneObj) o;
return resType == that.resType && storeType == that.storeType;
}
@Override
public int hashCode() {
return Objects.hash(resType, storeType);
}
}
```
```
public final class OzoneObjInfo extends OzoneObj {
...
@Override
public boolean equals(Object o) {
if (this == o) {
return true;
} else if (!super.equals(o)) {
return false;
}
OzoneObjInfo that = (OzoneObjInfo) o;
return Objects.equals(volumeName, that.volumeName) &&
Objects.equals(bucketName, that.bucketName) &&
Objects.equals(name, that.name) &&
Objects.equals(ozonePrefixPath, that.ozonePrefixPath);
}
@Override
public int hashCode() {
return Objects.hash(super.hashCode(), volumeName, bucketName, name,
ozonePrefixPath);
}
}
```
--
This is an automated message from the Apache Git Service.