fmorg-git commented on code in PR #9306:
URL: https://github.com/apache/ozone/pull/9306#discussion_r2579361898
##########
hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/iam/IamSessionPolicyResolver.java:
##########
@@ -352,21 +369,276 @@ static Set<S3Action>
mapPolicyActionsToS3Actions(Set<String> actions) {
* <p>
* It also validates that the Resource Arn(s) are valid and supported.
*/
- private static Set<ResourceSpec>
validateAndCategorizeResources(AuthorizerType authorizerType,
+ @VisibleForTesting
+ static Set<ResourceSpec> validateAndCategorizeResources(AuthorizerType
authorizerType,
Set<String> resources) throws OMException {
- // TODO implement in future PR
- return Collections.emptySet();
+ final Set<ResourceSpec> resourceSpecs = new HashSet<>();
+ if (resources.isEmpty()) {
+ throw new OMException("No Resource(s) found in policy", INVALID_REQUEST);
+ }
+ for (String resource : resources) {
+ if ("*".equals(resource)) {
+ validateNativeAuthorizerBucketPattern(authorizerType, "*");
+ resourceSpecs.add(ResourceSpec.any());
+ continue;
+ }
+
+ if (!resource.startsWith(AWS_S3_ARN_PREFIX)) {
+ throw new OMException("Unsupported Resource Arn - " + resource,
NOT_SUPPORTED_OPERATION);
+ }
+
+ final String suffix = resource.substring(AWS_S3_ARN_PREFIX.length());
+ if (suffix.isEmpty()) {
+ throw new OMException("Invalid Resource Arn - " + resource,
INVALID_REQUEST);
+ }
+
+ ResourceSpec spec = parseResourceSpec(suffix);
+
+ // This scenario can happen in the case of arn:aws:s3:::*/* or
arn:aws:s3:::*/test.txt for
+ // examples
+ validateNativeAuthorizerBucketPattern(authorizerType, spec.bucket);
+
+ if (authorizerType == AuthorizerType.NATIVE && spec.type ==
S3ResourceType.OBJECT_PREFIX_WILDCARD) {
+ if (spec.prefix.endsWith("*")) {
+ spec = ResourceSpec.objectPrefix(spec.bucket,
spec.prefix.substring(0, spec.prefix.length() - 1));
+ } else {
+ throw new OMException(
+ "Wildcard prefix patterns are not supported for Ozone native
authorizer if wildcard is not at the end",
+ NOT_SUPPORTED_OPERATION);
+ }
+ }
+ resourceSpecs.add(spec);
+ }
+ return resourceSpecs;
}
/**
* Iterates over all resources, finds applicable actions (if any) and
constructs
* entries pairing sets of IOzoneObjs with the requisite permissions granted
(if any).
*/
- private static Set<AssumeRoleRequest.OzoneGrant>
createPathsAndPermissions(String volumeName,
- AuthorizerType authorizerType, Set<S3Action> mappedS3Actions,
Set<ResourceSpec> resourceSpecs,
- Set<String> prefixes) {
- // TODO implement in future PR
- return Collections.emptySet();
+ @VisibleForTesting
+ static Set<AssumeRoleRequest.OzoneGrant> createPathsAndPermissions(String
volumeName, AuthorizerType authorizerType,
+ Set<S3Action> mappedS3Actions, Set<ResourceSpec> resourceSpecs,
Set<String> prefixes) {
+ // Create map to collect IOzoneObj to ACLType mappings
+ final Map<IOzoneObj, Set<ACLType>> objToAclsMap = new LinkedHashMap<>();
+
+ // Process each resource spec with the given actions
+ for (ResourceSpec resourceSpec : resourceSpecs) {
+ processResourceSpecWithActions(volumeName, authorizerType,
mappedS3Actions, resourceSpec, prefixes, objToAclsMap);
+ }
+
+ // Group objects by their ACL sets to create proper entries
+ return groupObjectsByAcls(objToAclsMap);
+ }
+
+ /**
+ * Groups objects by their ACL sets.
+ */
+ private static Set<AssumeRoleRequest.OzoneGrant>
groupObjectsByAcls(Map<IOzoneObj, Set<ACLType>> objToAclsMap) {
+ final Map<Set<ACLType>, Set<IOzoneObj>> groupMap = new LinkedHashMap<>();
+
+ // Group objects by their ACL sets only (across resource types)
+ objToAclsMap.forEach((obj, acls) ->
+ groupMap.computeIfAbsent(acls, k -> new LinkedHashSet<>()).add(obj));
+
+ // Convert to result format, filtering out entries with empty ACLs
+ final Set<AssumeRoleRequest.OzoneGrant> result = new LinkedHashSet<>();
+ groupMap.forEach((key, objs) -> {
+ if (!key.isEmpty()) {
+ result.add(new AssumeRoleRequest.OzoneGrant(objs, key));
+ }
+ });
+
+ return result;
+ }
+
+ /**
+ * Processes a single ResourceSpec with given actions and adds resulting
+ * IOzoneObj to ACLType mappings to the provided map.
+ */
+ private static void processResourceSpecWithActions(String volumeName,
AuthorizerType authorizerType,
+ Set<S3Action> mappedS3Actions, ResourceSpec resourceSpec, Set<String>
prefixes,
+ Map<IOzoneObj, Set<ACLType>> objToAclsMap) {
+
+ // Process based on ResourceSpec type
+ switch (resourceSpec.type) {
+ case ANY:
+ Preconditions.checkArgument(
+ authorizerType != AuthorizerType.NATIVE,
+ "ResourceSpec type ANY not supported for OzoneNativeAuthorizer");
+ processResourceTypeAny(volumeName, mappedS3Actions, objToAclsMap);
+ break;
+ case BUCKET:
+ processBucketResource(volumeName, mappedS3Actions, resourceSpec,
objToAclsMap);
+ break;
+ case BUCKET_WILDCARD:
+ Preconditions.checkArgument(
+ authorizerType != AuthorizerType.NATIVE,
+ "ResourceSpec type BUCKET_WILDCARD not supported for
OzoneNativeAuthorizer");
+ processBucketResource(volumeName, mappedS3Actions, resourceSpec,
objToAclsMap);
+ break;
+ case OBJECT_EXACT:
+ processObjectExactResource(volumeName, mappedS3Actions, resourceSpec,
objToAclsMap);
+ break;
+ case OBJECT_PREFIX:
+ Preconditions.checkArgument(
+ authorizerType != AuthorizerType.RANGER,
+ "ResourceSpec type OBJECT_PREFIX not supported for
RangerOzoneAuthorizer");
+ processObjectPrefixResource(volumeName, authorizerType, mappedS3Actions,
resourceSpec, prefixes, objToAclsMap);
+ break;
+ case OBJECT_PREFIX_WILDCARD:
+ Preconditions.checkArgument(
+ authorizerType != AuthorizerType.NATIVE,
+ "ResourceSpec type OBJECT_PREFIX_WILDCARD not supported for
OzoneNativeAuthorizer");
+ processObjectPrefixResource(volumeName, authorizerType, mappedS3Actions,
resourceSpec, prefixes, objToAclsMap);
+ break;
+ default:
+ throw new IllegalStateException("Unexpected resourceSpec type found: " +
resourceSpec.type);
+ }
+ }
+
+ /**
+ * Handles ResourceType.ANY (*).
+ * Example: "Resource": "*"
+ */
+ private static void processResourceTypeAny(String volumeName, Set<S3Action>
mappedS3Actions,
+ Map<IOzoneObj, Set<ACLType>> objToAclsMap) {
+ for (S3Action action : mappedS3Actions) {
+ addAclsForObj(objToAclsMap, volumeObj(volumeName), action.volumePerms);
+ addAclsForObj(objToAclsMap, bucketObj(volumeName, "*"),
action.bucketPerms);
+ addAclsForObj(objToAclsMap, keyObj(volumeName, "*", "*"),
action.objectPerms);
+ }
+ }
+
+ /**
+ * Handles BUCKET and BUCKET_WILDCARD resource types.
+ * Example: "Resource": "arn:aws:s3:::my-bucket" or "Resource":
"arn:aws:s3:::my-bucket*" or
+ * "Resource": "arn:aws:s3:::*"
+ */
+ private static void processBucketResource(String volumeName, Set<S3Action>
mappedS3Actions,
+ ResourceSpec resourceSpec, Map<IOzoneObj, Set<ACLType>> objToAclsMap) {
+ for (S3Action action : mappedS3Actions) {
+ // The s3:ListAllMyBuckets action can use either "*" or
+ // "arn:aws:s3:::*" as its Resource. The former is already handled via
the
+ // ResourceSpec.ANY path. The latter is parsed as a BUCKET_WILDCARD
with a
+ // bucket name of "*". To align with AWS, make sure that in this
+ // specific case we also grant the volume-level permissions for
volume-scoped
+ // actions (currently s3:ListAllMyBuckets).
+ if (action.kind == ActionKind.BUCKET) {
+ addAclsForObj(objToAclsMap, volumeObj(volumeName), action.volumePerms);
+ addAclsForObj(objToAclsMap, bucketObj(volumeName,
resourceSpec.bucket), action.bucketPerms);
+ } else if (action == S3Action.ALL_S3) {
+ // For s3:*, ALL should only apply at the bucket level; grant READ at
volume for navigation
+ addAclsForObj(objToAclsMap, volumeObj(volumeName), EnumSet.of(READ));
+ addAclsForObj(objToAclsMap, bucketObj(volumeName,
resourceSpec.bucket), action.bucketPerms);
+ } else if (action.kind == ActionKind.VOLUME &&
"*".equals(resourceSpec.bucket)) {
+ // this handles s3:ListAllMyBuckets with wildcard bucket resource
+ addAclsForObj(objToAclsMap, volumeObj(volumeName), action.volumePerms);
+ addAclsForObj(objToAclsMap, bucketObj(volumeName,
resourceSpec.bucket), action.bucketPerms);
+ }
+ }
+ }
+
+ /**
+ * Handles OBJECT_EXACT resource type.
+ * Example: "Resource": "arn:aws:s3:::my-bucket/file.txt"
+ */
+ private static void processObjectExactResource(String volumeName,
Set<S3Action> mappedS3Actions,
+ ResourceSpec resourceSpec, Map<IOzoneObj, Set<ACLType>> objToAclsMap) {
+ for (S3Action action : mappedS3Actions) {
+ if (action.kind == ActionKind.OBJECT) {
+ addAclsForObj(objToAclsMap, volumeObj(volumeName), action.volumePerms);
+ addAclsForObj(objToAclsMap, bucketObj(volumeName,
resourceSpec.bucket), action.bucketPerms);
+ addAclsForObj(objToAclsMap, keyObj(volumeName, resourceSpec.bucket,
resourceSpec.key), action.objectPerms);
+ } else if (action == S3Action.ALL_S3) {
+ // For s3:*, ALL should only apply at the object level; grant READ at
parent levels for navigation
+ addAclsForObj(objToAclsMap, volumeObj(volumeName), EnumSet.of(READ));
+ addAclsForObj(objToAclsMap, bucketObj(volumeName,
resourceSpec.bucket), EnumSet.of(READ));
+ addAclsForObj(objToAclsMap, keyObj(volumeName, resourceSpec.bucket,
resourceSpec.key), action.objectPerms);
+ }
+ }
+ }
+
+ /**
+ * Handles OBJECT_PREFIX and OBJECT_PREFIX_WILDCARD resource types.
+ * Prefixes can be specified in the Resource itself as in the example below,
or via an s3:prefix Condition.
+ * Example: "Resource": "arn:aws:s3:::my-bucket/path/folder"
+ */
+ private static void processObjectPrefixResource(String volumeName,
AuthorizerType authorizerType,
+ Set<S3Action> mappedS3Actions, ResourceSpec resourceSpec, Set<String>
prefixes,
+ Map<IOzoneObj, Set<ACLType>> objToAclsMap) {
+ for (S3Action action : mappedS3Actions) {
+ // Object actions apply to prefix/key resources
+ if (action.kind == ActionKind.OBJECT) {
+ addAclsForObj(objToAclsMap, volumeObj(volumeName), action.volumePerms);
+ addAclsForObj(objToAclsMap, bucketObj(volumeName,
resourceSpec.bucket), action.bucketPerms);
+ } else if (action == S3Action.ALL_S3) {
+ // For s3:*, ALL should only apply at the object/prefix level; grant
READ at parent levels for navigation
+ addAclsForObj(objToAclsMap, volumeObj(volumeName), EnumSet.of(READ));
+ addAclsForObj(objToAclsMap, bucketObj(volumeName,
resourceSpec.bucket), EnumSet.of(READ));
+ }
+
+ if (prefixes != null && !prefixes.isEmpty()) {
+ // Handle specific prefixes from conditions
+ for (String prefix : prefixes) {
+ createObjectResourcesFromConditionPrefix(
+ volumeName, authorizerType, resourceSpec, prefix, objToAclsMap,
action.objectPerms);
+ }
+ } else {
+ // Handle the resource prefix itself (e.g., my-bucket/*)
+ createObjectResourcesFromResourcePrefix(
+ volumeName, authorizerType, resourceSpec, objToAclsMap,
action.objectPerms);
+ }
+ }
+ }
+
+ /**
+ * Creates object resources from resource prefix (e.g., my-bucket/*).
+ */
+ private static void createObjectResourcesFromResourcePrefix(String
volumeName, AuthorizerType authorizerType,
+ ResourceSpec resourceSpec, Map<IOzoneObj, Set<ACLType>> objToAclsMap,
Set<ACLType> acls) {
+ if (authorizerType == AuthorizerType.NATIVE) {
+ final IOzoneObj prefixObj = prefixObj(volumeName, resourceSpec.bucket,
resourceSpec.prefix);
+ addAclsForObj(objToAclsMap, prefixObj, acls);
+ } else {
+ final IOzoneObj keyObj = keyObj(volumeName, resourceSpec.bucket,
resourceSpec.prefix);
+ addAclsForObj(objToAclsMap, keyObj, acls);
+ }
+ }
+
+ /**
+ * Creates object resources from condition prefixes (i.e. the s3:prefix
conditions).
+ */
+ private static void createObjectResourcesFromConditionPrefix(String
volumeName, AuthorizerType authorizerType,
+ ResourceSpec resourceSpec, String conditionPrefix, Map<IOzoneObj,
Set<ACLType>> objToAclsMap, Set<ACLType> acls) {
+ if (authorizerType == AuthorizerType.NATIVE) {
+ // For native authorizer, use PREFIX resource type with normalized
prefix.
+ // Map "x" in condition list prefix to "x". Map "x/*" in condition list
prefix to "x/".
+ final String normalizedPrefix;
+ if (conditionPrefix != null && conditionPrefix.endsWith("/*")) {
+ final String base = conditionPrefix.substring(0,
conditionPrefix.length() - 2);
Review Comment:
updated
##########
hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/iam/IamSessionPolicyResolver.java:
##########
@@ -352,21 +369,276 @@ static Set<S3Action>
mapPolicyActionsToS3Actions(Set<String> actions) {
* <p>
* It also validates that the Resource Arn(s) are valid and supported.
*/
- private static Set<ResourceSpec>
validateAndCategorizeResources(AuthorizerType authorizerType,
+ @VisibleForTesting
+ static Set<ResourceSpec> validateAndCategorizeResources(AuthorizerType
authorizerType,
Set<String> resources) throws OMException {
- // TODO implement in future PR
- return Collections.emptySet();
+ final Set<ResourceSpec> resourceSpecs = new HashSet<>();
+ if (resources.isEmpty()) {
+ throw new OMException("No Resource(s) found in policy", INVALID_REQUEST);
+ }
+ for (String resource : resources) {
+ if ("*".equals(resource)) {
+ validateNativeAuthorizerBucketPattern(authorizerType, "*");
+ resourceSpecs.add(ResourceSpec.any());
+ continue;
+ }
+
+ if (!resource.startsWith(AWS_S3_ARN_PREFIX)) {
+ throw new OMException("Unsupported Resource Arn - " + resource,
NOT_SUPPORTED_OPERATION);
+ }
+
+ final String suffix = resource.substring(AWS_S3_ARN_PREFIX.length());
+ if (suffix.isEmpty()) {
+ throw new OMException("Invalid Resource Arn - " + resource,
INVALID_REQUEST);
+ }
+
+ ResourceSpec spec = parseResourceSpec(suffix);
+
+ // This scenario can happen in the case of arn:aws:s3:::*/* or
arn:aws:s3:::*/test.txt for
+ // examples
+ validateNativeAuthorizerBucketPattern(authorizerType, spec.bucket);
+
+ if (authorizerType == AuthorizerType.NATIVE && spec.type ==
S3ResourceType.OBJECT_PREFIX_WILDCARD) {
+ if (spec.prefix.endsWith("*")) {
+ spec = ResourceSpec.objectPrefix(spec.bucket,
spec.prefix.substring(0, spec.prefix.length() - 1));
+ } else {
+ throw new OMException(
+ "Wildcard prefix patterns are not supported for Ozone native
authorizer if wildcard is not at the end",
+ NOT_SUPPORTED_OPERATION);
+ }
+ }
+ resourceSpecs.add(spec);
+ }
+ return resourceSpecs;
}
/**
* Iterates over all resources, finds applicable actions (if any) and
constructs
* entries pairing sets of IOzoneObjs with the requisite permissions granted
(if any).
*/
- private static Set<AssumeRoleRequest.OzoneGrant>
createPathsAndPermissions(String volumeName,
- AuthorizerType authorizerType, Set<S3Action> mappedS3Actions,
Set<ResourceSpec> resourceSpecs,
- Set<String> prefixes) {
- // TODO implement in future PR
- return Collections.emptySet();
+ @VisibleForTesting
+ static Set<AssumeRoleRequest.OzoneGrant> createPathsAndPermissions(String
volumeName, AuthorizerType authorizerType,
+ Set<S3Action> mappedS3Actions, Set<ResourceSpec> resourceSpecs,
Set<String> prefixes) {
+ // Create map to collect IOzoneObj to ACLType mappings
+ final Map<IOzoneObj, Set<ACLType>> objToAclsMap = new LinkedHashMap<>();
+
+ // Process each resource spec with the given actions
+ for (ResourceSpec resourceSpec : resourceSpecs) {
+ processResourceSpecWithActions(volumeName, authorizerType,
mappedS3Actions, resourceSpec, prefixes, objToAclsMap);
+ }
+
+ // Group objects by their ACL sets to create proper entries
+ return groupObjectsByAcls(objToAclsMap);
+ }
+
+ /**
+ * Groups objects by their ACL sets.
+ */
+ private static Set<AssumeRoleRequest.OzoneGrant>
groupObjectsByAcls(Map<IOzoneObj, Set<ACLType>> objToAclsMap) {
+ final Map<Set<ACLType>, Set<IOzoneObj>> groupMap = new LinkedHashMap<>();
+
+ // Group objects by their ACL sets only (across resource types)
+ objToAclsMap.forEach((obj, acls) ->
+ groupMap.computeIfAbsent(acls, k -> new LinkedHashSet<>()).add(obj));
+
+ // Convert to result format, filtering out entries with empty ACLs
+ final Set<AssumeRoleRequest.OzoneGrant> result = new LinkedHashSet<>();
+ groupMap.forEach((key, objs) -> {
+ if (!key.isEmpty()) {
+ result.add(new AssumeRoleRequest.OzoneGrant(objs, key));
+ }
+ });
+
+ return result;
+ }
+
+ /**
+ * Processes a single ResourceSpec with given actions and adds resulting
+ * IOzoneObj to ACLType mappings to the provided map.
+ */
+ private static void processResourceSpecWithActions(String volumeName,
AuthorizerType authorizerType,
+ Set<S3Action> mappedS3Actions, ResourceSpec resourceSpec, Set<String>
prefixes,
+ Map<IOzoneObj, Set<ACLType>> objToAclsMap) {
+
+ // Process based on ResourceSpec type
+ switch (resourceSpec.type) {
+ case ANY:
+ Preconditions.checkArgument(
+ authorizerType != AuthorizerType.NATIVE,
+ "ResourceSpec type ANY not supported for OzoneNativeAuthorizer");
+ processResourceTypeAny(volumeName, mappedS3Actions, objToAclsMap);
+ break;
+ case BUCKET:
+ processBucketResource(volumeName, mappedS3Actions, resourceSpec,
objToAclsMap);
+ break;
+ case BUCKET_WILDCARD:
+ Preconditions.checkArgument(
+ authorizerType != AuthorizerType.NATIVE,
+ "ResourceSpec type BUCKET_WILDCARD not supported for
OzoneNativeAuthorizer");
+ processBucketResource(volumeName, mappedS3Actions, resourceSpec,
objToAclsMap);
+ break;
+ case OBJECT_EXACT:
+ processObjectExactResource(volumeName, mappedS3Actions, resourceSpec,
objToAclsMap);
+ break;
+ case OBJECT_PREFIX:
+ Preconditions.checkArgument(
+ authorizerType != AuthorizerType.RANGER,
+ "ResourceSpec type OBJECT_PREFIX not supported for
RangerOzoneAuthorizer");
+ processObjectPrefixResource(volumeName, authorizerType, mappedS3Actions,
resourceSpec, prefixes, objToAclsMap);
+ break;
+ case OBJECT_PREFIX_WILDCARD:
+ Preconditions.checkArgument(
+ authorizerType != AuthorizerType.NATIVE,
+ "ResourceSpec type OBJECT_PREFIX_WILDCARD not supported for
OzoneNativeAuthorizer");
+ processObjectPrefixResource(volumeName, authorizerType, mappedS3Actions,
resourceSpec, prefixes, objToAclsMap);
+ break;
+ default:
+ throw new IllegalStateException("Unexpected resourceSpec type found: " +
resourceSpec.type);
+ }
+ }
+
+ /**
+ * Handles ResourceType.ANY (*).
+ * Example: "Resource": "*"
+ */
+ private static void processResourceTypeAny(String volumeName, Set<S3Action>
mappedS3Actions,
+ Map<IOzoneObj, Set<ACLType>> objToAclsMap) {
+ for (S3Action action : mappedS3Actions) {
+ addAclsForObj(objToAclsMap, volumeObj(volumeName), action.volumePerms);
+ addAclsForObj(objToAclsMap, bucketObj(volumeName, "*"),
action.bucketPerms);
+ addAclsForObj(objToAclsMap, keyObj(volumeName, "*", "*"),
action.objectPerms);
+ }
+ }
+
+ /**
+ * Handles BUCKET and BUCKET_WILDCARD resource types.
+ * Example: "Resource": "arn:aws:s3:::my-bucket" or "Resource":
"arn:aws:s3:::my-bucket*" or
+ * "Resource": "arn:aws:s3:::*"
+ */
+ private static void processBucketResource(String volumeName, Set<S3Action>
mappedS3Actions,
+ ResourceSpec resourceSpec, Map<IOzoneObj, Set<ACLType>> objToAclsMap) {
+ for (S3Action action : mappedS3Actions) {
+ // The s3:ListAllMyBuckets action can use either "*" or
+ // "arn:aws:s3:::*" as its Resource. The former is already handled via
the
+ // ResourceSpec.ANY path. The latter is parsed as a BUCKET_WILDCARD
with a
+ // bucket name of "*". To align with AWS, make sure that in this
+ // specific case we also grant the volume-level permissions for
volume-scoped
+ // actions (currently s3:ListAllMyBuckets).
+ if (action.kind == ActionKind.BUCKET) {
+ addAclsForObj(objToAclsMap, volumeObj(volumeName), action.volumePerms);
+ addAclsForObj(objToAclsMap, bucketObj(volumeName,
resourceSpec.bucket), action.bucketPerms);
+ } else if (action == S3Action.ALL_S3) {
+ // For s3:*, ALL should only apply at the bucket level; grant READ at
volume for navigation
+ addAclsForObj(objToAclsMap, volumeObj(volumeName), EnumSet.of(READ));
Review Comment:
updated
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
