Re: [PR] HDDS-13926. [STS] Part 3 - Create utility to convert IAM policy to groupings of OzoneObj and Acls [ozone]

Tue, 02 Dec 2025 20:43:31 -0800 


ChenSammi commented on code in PR #9306:
URL: https://github.com/apache/ozone/pull/9306#discussion_r2583600860


##########
hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/iam/IamSessionPolicyResolver.java:
##########
@@ -352,21 +369,267 @@ static Set<S3Action> 
mapPolicyActionsToS3Actions(Set<String> actions) {
    * <p>
    * It also validates that the Resource Arn(s) are valid and supported.
    */
-  private static Set<ResourceSpec> 
validateAndCategorizeResources(AuthorizerType authorizerType,
+  @VisibleForTesting
+  static Set<ResourceSpec> validateAndCategorizeResources(AuthorizerType 
authorizerType,
       Set<String> resources) throws OMException {
-    // TODO implement in future PR
-    return Collections.emptySet();
+    final Set<ResourceSpec> resourceSpecs = new HashSet<>();
+    if (resources.isEmpty()) {
+      throw new OMException("No Resource(s) found in policy", INVALID_REQUEST);
+    }
+    for (String resource : resources) {
+      if ("*".equals(resource)) {
+        validateNativeAuthorizerBucketPattern(authorizerType, "*");
+        resourceSpecs.add(ResourceSpec.any());
+        continue;
+      }
+
+      if (!resource.startsWith(AWS_S3_ARN_PREFIX)) {
+        throw new OMException("Unsupported Resource Arn - " + resource, 
NOT_SUPPORTED_OPERATION);
+      }
+
+      final String suffix = resource.substring(AWS_S3_ARN_PREFIX.length());
+      if (suffix.isEmpty()) {
+        throw new OMException("Invalid Resource Arn - " + resource, 
INVALID_REQUEST);
+      }
+
+      ResourceSpec spec = parseResourceSpec(suffix);
+
+      // This scenario can happen in the case of arn:aws:s3:::*/* or 
arn:aws:s3:::*/test.txt for
+      // examples
+      validateNativeAuthorizerBucketPattern(authorizerType, spec.bucket);
+
+      if (authorizerType == AuthorizerType.NATIVE && spec.type == 
S3ResourceType.OBJECT_PREFIX_WILDCARD) {
+        final String specPrefixExceptLastChar = spec.prefix.substring(0, 
spec.prefix.length() - 1);
+        if (spec.prefix.endsWith("*") && 
!specPrefixExceptLastChar.contains("*")) {
+          spec = ResourceSpec.objectPrefix(spec.bucket, 
specPrefixExceptLastChar);
+        } else {
+          throw new OMException(
+              "Wildcard prefix patterns are not supported for Ozone native 
authorizer if wildcard is not at the end",
+              NOT_SUPPORTED_OPERATION);
+        }
+      }
+      resourceSpecs.add(spec);
+    }
+    return resourceSpecs;
   }
 
   /**
    * Iterates over all resources, finds applicable actions (if any) and 
constructs
    * entries pairing sets of IOzoneObjs with the requisite permissions granted 
(if any).
    */
-  private static Set<AssumeRoleRequest.OzoneGrant> 
createPathsAndPermissions(String volumeName,
-      AuthorizerType authorizerType, Set<S3Action> mappedS3Actions, 
Set<ResourceSpec> resourceSpecs,
-      Set<String> prefixes) {
-    // TODO implement in future PR
-    return Collections.emptySet();
+  @VisibleForTesting
+  static Set<AssumeRoleRequest.OzoneGrant> createPathsAndPermissions(String 
volumeName, AuthorizerType authorizerType,
+      Set<S3Action> mappedS3Actions, Set<ResourceSpec> resourceSpecs, 
Set<String> prefixes) {
+    // Create map to collect IOzoneObj to ACLType mappings
+    final Map<IOzoneObj, Set<ACLType>> objToAclsMap = new LinkedHashMap<>();
+
+    // Process each resource spec with the given actions
+    for (ResourceSpec resourceSpec : resourceSpecs) {
+      processResourceSpecWithActions(volumeName, authorizerType, 
mappedS3Actions, resourceSpec, prefixes, objToAclsMap);
+    }
+
+    // Group objects by their ACL sets to create proper entries
+    return groupObjectsByAcls(objToAclsMap);
+  }
+
+  /**
+   * Groups objects by their ACL sets.
+   */
+  private static Set<AssumeRoleRequest.OzoneGrant> 
groupObjectsByAcls(Map<IOzoneObj, Set<ACLType>> objToAclsMap) {
+    final Map<Set<ACLType>, Set<IOzoneObj>> groupMap = new LinkedHashMap<>();
+
+    // Group objects by their ACL sets only (across resource types)
+    objToAclsMap.forEach((obj, acls) ->
+        groupMap.computeIfAbsent(acls, k -> new LinkedHashSet<>()).add(obj));
+
+    // Convert to result format, filtering out entries with empty ACLs
+    final Set<AssumeRoleRequest.OzoneGrant> result = new LinkedHashSet<>();
+    groupMap.forEach((key, objs) -> {
+      if (!key.isEmpty()) {
+        result.add(new AssumeRoleRequest.OzoneGrant(objs, key));
+      }
+    });
+
+    return result;
+  }
+
+  /**
+   * Processes a single ResourceSpec with given actions and adds resulting
+   * IOzoneObj to ACLType mappings to the provided map.
+   */
+  private static void processResourceSpecWithActions(String volumeName, 
AuthorizerType authorizerType,
+      Set<S3Action> mappedS3Actions, ResourceSpec resourceSpec, Set<String> 
prefixes,
+      Map<IOzoneObj, Set<ACLType>> objToAclsMap) {
+
+    // Process based on ResourceSpec type
+    switch (resourceSpec.type) {
+    case ANY:
+      Preconditions.checkArgument(
+          authorizerType != AuthorizerType.NATIVE,
+          "ResourceSpec type ANY not supported for OzoneNativeAuthorizer");
+      processResourceTypeAny(volumeName, mappedS3Actions, objToAclsMap);
+      break;
+    case BUCKET:
+      processBucketResource(volumeName, mappedS3Actions, resourceSpec, 
prefixes, authorizerType, objToAclsMap);
+      break;
+    case BUCKET_WILDCARD:
+      Preconditions.checkArgument(
+          authorizerType != AuthorizerType.NATIVE,
+          "ResourceSpec type BUCKET_WILDCARD not supported for 
OzoneNativeAuthorizer");
+      processBucketResource(volumeName, mappedS3Actions, resourceSpec, 
prefixes, authorizerType, objToAclsMap);
+      break;
+    case OBJECT_EXACT:
+      processObjectExactResource(volumeName, mappedS3Actions, resourceSpec, 
objToAclsMap);
+      break;
+    case OBJECT_PREFIX:
+      Preconditions.checkArgument(
+          authorizerType != AuthorizerType.RANGER,
+          "ResourceSpec type OBJECT_PREFIX not supported for 
RangerOzoneAuthorizer");
+      processObjectPrefixResource(volumeName, authorizerType, mappedS3Actions, 
resourceSpec, objToAclsMap);
+      break;
+    case OBJECT_PREFIX_WILDCARD:
+      Preconditions.checkArgument(
+          authorizerType != AuthorizerType.NATIVE,
+          "ResourceSpec type OBJECT_PREFIX_WILDCARD not supported for 
OzoneNativeAuthorizer");
+      processObjectPrefixResource(volumeName, authorizerType, mappedS3Actions, 
resourceSpec, objToAclsMap);
+      break;
+    default:
+      throw new IllegalStateException("Unexpected resourceSpec type found: " + 
resourceSpec.type);
+    }
+  }
+
+  /**
+   * Handles ResourceType.ANY (*).
+   * Example: "Resource": "*"
+   */
+  private static void processResourceTypeAny(String volumeName, Set<S3Action> 
mappedS3Actions,
+      Map<IOzoneObj, Set<ACLType>> objToAclsMap) {
+    for (S3Action action : mappedS3Actions) {
+      addAclsForObj(objToAclsMap, volumeObj(volumeName), action.volumePerms);
+      addAclsForObj(objToAclsMap, bucketObj(volumeName, "*"), 
action.bucketPerms);
+      addAclsForObj(objToAclsMap, keyObj(volumeName, "*", "*"), 
action.objectPerms);
+    }
+  }
+
+  /**
+   * Handles BUCKET and BUCKET_WILDCARD resource types.
+   * Example: "Resource": "arn:aws:s3:::my-bucket" or "Resource": 
"arn:aws:s3:::my-bucket*" or
+   *          "Resource": "arn:aws:s3:::*"
+   */
+  private static void processBucketResource(String volumeName, Set<S3Action> 
mappedS3Actions,
+      ResourceSpec resourceSpec, Set<String> prefixes, AuthorizerType 
authorizerType,
+      Map<IOzoneObj, Set<ACLType>> objToAclsMap) {
+    for (S3Action action : mappedS3Actions) {
+      // The s3:ListAllMyBuckets action can use either "*" or
+      // "arn:aws:s3:::*" as its Resource.  The former is already handled via 
the
+      // ResourceSpec.ANY path.  The latter is parsed as a BUCKET_WILDCARD 
with a
+      // bucket name of "*".  To align with AWS, make sure that in this
+      // specific case we also grant the volume-level permissions for 
volume-scoped
+      // actions (currently s3:ListAllMyBuckets).
+      if (action.kind == ActionKind.BUCKET || action == S3Action.ALL_S3 ||
+          action.kind == ActionKind.VOLUME && "*".equals(resourceSpec.bucket)) 
{ // this handles s3:ListAllMyBuckets
+        addAclsForObj(objToAclsMap, volumeObj(volumeName), action.volumePerms);
+        addAclsForObj(objToAclsMap, bucketObj(volumeName, 
resourceSpec.bucket), action.bucketPerms);
+      }
+
+      // If condition prefixes are present, these would constrain the object 
permissions if the action is s3:ListBucket
+      if (prefixes != null && !prefixes.isEmpty() && action == 
S3Action.LIST_BUCKET) {
+        for (String prefix : prefixes) {
+          createObjectResourcesFromConditionPrefix(
+              volumeName, authorizerType, resourceSpec, prefix, objToAclsMap, 
singleton(READ));

Review Comment:
   Why not use action.objectPerms here, instead of hard coded READ? 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to