len548 commented on code in PR #9223: URL: https://github.com/apache/ozone/pull/9223#discussion_r2500475309
########## hadoop-hdds/docs/content/design/ozone-sts.md: ########## @@ -0,0 +1,187 @@ +--- +title: AWS STS Design for Ozone S3 +summary: STS Support in Ozone +date: 2026-10-30 +jira: HDDS-13323 +status: implementing +author: Ren Koike, Fabian Morgan +--- +<!-- + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. See accompanying LICENSE file. +--> + +# AWS STS Design for Ozone S3 + +# 1. Introduction + +S3 credentials used to communicate with Ozone S3 APIs are based on a Kerberos identity. + +Historically, the Ozone community has had interest in a REST API capable of programmatically generating +temporary S3 credentials. + +Amazon AWS has the [Security Token Service (STS)](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html) which +provides the ability to generate short-lived access to resources. + +The primary scope of this document is to detail the initial implementation of STS within the Ozone ecosystem. + +# 2. Why Use STS Tokens? + +Providing short-lived access to various resources in Ozone is useful in scenarios such as Data Lake +solutions that want to aggregate data across multiple cloud providers. + +# 3. How Ozone STS Works + +The initial implementation of Ozone STS supports only the [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) +API from the AWS specification. A new STS endpoint `/sts` on port `9880` will be created to service STS requests in the S3 Gateway. Review Comment: Previously I implemented STS endpoint in the web admin server where `get secret` endpoint is also served. While STS requires AWS ID and secret like other S3-compatible APIs do, the `get secret` endpoint shouldn't require them. In S3-compatible APIs, `EndpointBase` class has [`initialization`](https://github.com/apache/ozone/blob/a40d1296a2f9fd717c518bb38f61dc0d0b0bcc8c/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/endpoint/EndpointBase.java#L136) method which passes AWS credentials to OM. This method is called once within servlet life cycle and I imitated it in the web admin server too for STS but it also applied to `get secret` endpoint too undesirably. I could bypass that but it was not the ideal way from the server container management's point of view and for code cleanliness. Because of that I suggested separating STS into a new port after I experimented it. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
