ChenSammi commented on code in PR #9306:
URL: https://github.com/apache/ozone/pull/9306#discussion_r2567774088
##########
hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/iam/IamSessionPolicyResolver.java:
##########
@@ -352,21 +369,276 @@ static Set<S3Action>
mapPolicyActionsToS3Actions(Set<String> actions) {
* <p>
* It also validates that the Resource Arn(s) are valid and supported.
*/
- private static Set<ResourceSpec>
validateAndCategorizeResources(AuthorizerType authorizerType,
+ @VisibleForTesting
+ static Set<ResourceSpec> validateAndCategorizeResources(AuthorizerType
authorizerType,
Set<String> resources) throws OMException {
- // TODO implement in future PR
- return Collections.emptySet();
+ final Set<ResourceSpec> resourceSpecs = new HashSet<>();
+ if (resources.isEmpty()) {
+ throw new OMException("No Resource(s) found in policy", INVALID_REQUEST);
+ }
+ for (String resource : resources) {
+ if ("*".equals(resource)) {
+ validateNativeAuthorizerBucketPattern(authorizerType, "*");
+ resourceSpecs.add(ResourceSpec.any());
+ continue;
+ }
+
+ if (!resource.startsWith(AWS_S3_ARN_PREFIX)) {
+ throw new OMException("Unsupported Resource Arn - " + resource,
NOT_SUPPORTED_OPERATION);
+ }
+
+ final String suffix = resource.substring(AWS_S3_ARN_PREFIX.length());
+ if (suffix.isEmpty()) {
+ throw new OMException("Invalid Resource Arn - " + resource,
INVALID_REQUEST);
+ }
+
+ ResourceSpec spec = parseResourceSpec(suffix);
+
+ // This scenario can happen in the case of arn:aws:s3:::*/* or
arn:aws:s3:::*/test.txt for
+ // examples
+ validateNativeAuthorizerBucketPattern(authorizerType, spec.bucket);
+
+ if (authorizerType == AuthorizerType.NATIVE && spec.type ==
S3ResourceType.OBJECT_PREFIX_WILDCARD) {
+ if (spec.prefix.endsWith("*")) {
+ spec = ResourceSpec.objectPrefix(spec.bucket,
spec.prefix.substring(0, spec.prefix.length() - 1));
+ } else {
+ throw new OMException(
+ "Wildcard prefix patterns are not supported for Ozone native
authorizer if wildcard is not at the end",
+ NOT_SUPPORTED_OPERATION);
+ }
+ }
+ resourceSpecs.add(spec);
+ }
+ return resourceSpecs;
}
/**
* Iterates over all resources, finds applicable actions (if any) and
constructs
* entries pairing sets of IOzoneObjs with the requisite permissions granted
(if any).
*/
- private static Set<AssumeRoleRequest.OzoneGrant>
createPathsAndPermissions(String volumeName,
- AuthorizerType authorizerType, Set<S3Action> mappedS3Actions,
Set<ResourceSpec> resourceSpecs,
- Set<String> prefixes) {
- // TODO implement in future PR
- return Collections.emptySet();
+ @VisibleForTesting
+ static Set<AssumeRoleRequest.OzoneGrant> createPathsAndPermissions(String
volumeName, AuthorizerType authorizerType,
+ Set<S3Action> mappedS3Actions, Set<ResourceSpec> resourceSpecs,
Set<String> prefixes) {
+ // Create map to collect IOzoneObj to ACLType mappings
+ final Map<IOzoneObj, Set<ACLType>> objToAclsMap = new LinkedHashMap<>();
+
+ // Process each resource spec with the given actions
+ for (ResourceSpec resourceSpec : resourceSpecs) {
+ processResourceSpecWithActions(volumeName, authorizerType,
mappedS3Actions, resourceSpec, prefixes, objToAclsMap);
+ }
+
+ // Group objects by their ACL sets to create proper entries
+ return groupObjectsByAcls(objToAclsMap);
+ }
+
+ /**
+ * Groups objects by their ACL sets.
+ */
+ private static Set<AssumeRoleRequest.OzoneGrant>
groupObjectsByAcls(Map<IOzoneObj, Set<ACLType>> objToAclsMap) {
+ final Map<Set<ACLType>, Set<IOzoneObj>> groupMap = new LinkedHashMap<>();
+
+ // Group objects by their ACL sets only (across resource types)
+ objToAclsMap.forEach((obj, acls) ->
+ groupMap.computeIfAbsent(acls, k -> new LinkedHashSet<>()).add(obj));
+
+ // Convert to result format, filtering out entries with empty ACLs
+ final Set<AssumeRoleRequest.OzoneGrant> result = new LinkedHashSet<>();
+ groupMap.forEach((key, objs) -> {
+ if (!key.isEmpty()) {
+ result.add(new AssumeRoleRequest.OzoneGrant(objs, key));
+ }
+ });
+
+ return result;
+ }
+
+ /**
+ * Processes a single ResourceSpec with given actions and adds resulting
+ * IOzoneObj to ACLType mappings to the provided map.
+ */
+ private static void processResourceSpecWithActions(String volumeName,
AuthorizerType authorizerType,
+ Set<S3Action> mappedS3Actions, ResourceSpec resourceSpec, Set<String>
prefixes,
+ Map<IOzoneObj, Set<ACLType>> objToAclsMap) {
+
+ // Process based on ResourceSpec type
+ switch (resourceSpec.type) {
+ case ANY:
+ Preconditions.checkArgument(
+ authorizerType != AuthorizerType.NATIVE,
+ "ResourceSpec type ANY not supported for OzoneNativeAuthorizer");
+ processResourceTypeAny(volumeName, mappedS3Actions, objToAclsMap);
+ break;
+ case BUCKET:
+ processBucketResource(volumeName, mappedS3Actions, resourceSpec,
objToAclsMap);
+ break;
+ case BUCKET_WILDCARD:
+ Preconditions.checkArgument(
+ authorizerType != AuthorizerType.NATIVE,
+ "ResourceSpec type BUCKET_WILDCARD not supported for
OzoneNativeAuthorizer");
+ processBucketResource(volumeName, mappedS3Actions, resourceSpec,
objToAclsMap);
+ break;
+ case OBJECT_EXACT:
+ processObjectExactResource(volumeName, mappedS3Actions, resourceSpec,
objToAclsMap);
+ break;
+ case OBJECT_PREFIX:
Review Comment:
According to this example in
https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html#condition-key-bucket-ops-2,
condition of prefix match also applies when resource is bucket.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
