ChenSammi commented on code in PR #9223:
URL: https://github.com/apache/ozone/pull/9223#discussion_r2513056450


##########
hadoop-hdds/docs/content/design/ozone-sts.md:
##########
@@ -100,29 +107,34 @@ A sample IAM policy that allows read access to all 
objects in the `example-bucke
 
 ```
 
-## 3.3 SessionToken Format
+## 3.4 SessionToken Format
 
 As mentioned above, one of the return values from the AssumeRole call will be 
the sessionToken. To support not
 storing temporary credentials server-side in Ozone, the sessionToken will 
comprise various components needed to validate
 subsequent S3 calls that use the token.  The sessionToken will have the 
following information encoded:
 
-- The originalAccessKeyId - this is the Kerberos identity of the user that 
created the sessionToken via the AssumeRole call.
+- originalAccessKeyId - this is the Kerberos identity of the user that created 
the sessionToken via the AssumeRole call.
 When the temporary credentials are used to make S3 API calls, this Kerberos 
identity (in conjunction with the role permissions and
-optional session policy) will be used to authorize the call.
-- The roleArn - the role used in the original AssumeRole call
-- The encrypted secretAccessKey - this will be used to validate the AWS 
signature when the temporary credentials are used 
+optional session policy) will be used to authorize the call.  This identity is 
included in the sessionToken because 
+S3 API calls (such as PutObject) require a Kerberos identity, but the 
temporary credentials don't have a
+Kerberos identity associated to them, therefore the Kerberos identity of the 
user that created the token will be used in
+these cases.
+- roleArn - the role used in the original AssumeRole call
+- encrypted secretAccessKey - this will be used to validate the AWS signature 
when the temporary credentials are used 
 to make S3 API calls
-- (Optional) sessionPolicy - when using the RangerOzoneAuthorizer, if Ranger 
successfully authorizes the AssumeRole call,
-it will return a String representing the resources (i.e. buckets, keys, etc.) 
and permissions (i.e. ACLType) that the token
-has been granted access to.  This sessionPolicy will be included in the 
sessionToken sent back to the client so it can be sent to Ranger to 
-authorize subsequent S3 API calls that use the sessionToken.
+- sessionPolicy - when using the RangerOzoneAuthorizer, if Ranger successfully 
authorizes the AssumeRole call,
+it will return a String representing the role the token was authorized for.  
Furthermore, if an AWS IAM Session Policy 
+was included with the AssumeRole request, the String return value will also 
include resources (i.e. buckets, keys, etc.) 
+and permissions (i.e. ACLType) corresponding to the AWS IAM Session Policy.  
These resources and permissions, if present, 
+would further limit the scope of the permissions and resources granted by the 
role in Ranger, such that the temporary 
+credential will have the permissions comprising the intersection of the role 
permissions and the sessionPolicy permissions.
 - HMAC-SHA256 signature - used to ensure the sessionToken was created by Ozone 
and was not altered since it was created.
-- The expiration time of the token (via 
`ShortLivedTokenIdentifier#getExpiry()`)
-- The UUID of the secret key used to sign the sessionToken and encrypt the 
secretAccessKey (via `ShortLivedTokenIdentifier#getSecretKeyId()`)
+- expiration time of the token (via `ShortLivedTokenIdentifier#getExpiry()`)
+- UUID of the OzoneManager private key used to sign the sessionToken and 
encrypt the secretAccessKey (via `ShortLivedTokenIdentifier#getSecretKeyId()`)

Review Comment:
   The previous "secret key" is accurate. It's not an OzoneManager private key. It's a symmetric key generated by SCM.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

