Tejaskriya commented on code in PR #9343:
URL: https://github.com/apache/ozone/pull/9343#discussion_r2622326712


##########
hadoop-hdds/common/src/main/resources/ozone-default.xml:
##########
@@ -2022,6 +2022,50 @@
       will be used for http authentication.
     </description>
   </property>
+
+  <property>
+    <name>ozone.s3g.sts.http.enabled</name>
+    <value>false</value>
+    <tag>OZONE, S3GATEWAY</tag>
+    <description>
+      The boolean which enables the Ozone S3Gateway STS endpoint.
+    </description>
+  </property>
+  <property>
+    <name>ozone.s3g.sts.http-bind-host</name>
+    <value>0.0.0.0</value>
+    <tag>OZONE, S3GATEWAY</tag>
+    <description>
+      The bind host for the S3 Gateway STS HTTP server.
+      If not set, the value of ozone.s3g.http-bind-host is used.
+    </description>
+  </property>
+  <property>
+    <name>ozone.s3g.sts.http-address</name>
+    <value>0.0.0.0:9880</value>
+    <tag>OZONE, S3GATEWAY</tag>
+    <description>
+      The HTTP address for the S3 Gateway STS endpoint.
+    </description>
+  </property>
+  <property>
+    <name>ozone.s3g.sts.https-bind-host</name>
+    <value>0.0.0.0</value>
+    <tag>OZONE, S3GATEWAY</tag>
+    <description>
+      The bind host for the S3 Gateway STS HTTPS server.
+      If not set, the value of ozone.s3g.https-bind-host is used.
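Review bot: the `<value>` of both ozone.s3g.sts.http-bind-host and ozone.s3g.sts.https-bind-host is 0.0.0.0, so the "If not set, the value of ozone.s3g.http-bind-host is used" sentence in their descriptions can never take effect for a deployment that inherits ozone-default.xml; either leave `<value>` empty so the fallback to the S3 Gateway bind host actually applies, or drop the sentence. The description of ozone.s3g.sts.http.enabled should also say that this endpoint issues temporary credentials and that, once enabled, the default ozone.s3g.sts.http-address of 0.0.0.0:9880 listens on every interface, so operators of multi-homed hosts know to narrow the bind host.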

Review Comment:
   Similarly:
   ```suggestion
         If this optional address is set, it overrides only the hostname portion of
         ozone.s3g.sts.https-address.
         If not set, the value of ozone.s3g.https-bind-host is used.
   ```



##########
hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3sts/S3STSEndpoint.java:
##########
@@ -0,0 +1,298 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.s3sts;
+
+import java.io.IOException;
+import java.time.Instant;
+import java.time.format.DateTimeFormatter;
+import java.util.Base64;
+import java.util.Random;
+import java.util.UUID;
+import javax.ws.rs.FormParam;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+import org.apache.hadoop.ozone.s3.exception.OS3Exception;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * AWS STS (Security Token Service) compatible endpoint for Ozone S3 Gateway.
+ * <p>
+ * This endpoint provides temporary security credentials compatible with
+ * AWS STS API, exposed on the port 9880 or 9881.
+ * <p>
+ * Currently supports only AssumeRole operation. Other STS operations will
+ * return appropriate error responses.
+ *
+ * @see <a href="https://docs.aws.amazon.com/STS/latest/APIReference/";>AWS STS 
API Reference</a>
+ */
+@Path("/")
+@S3STSEnabled
+public class S3STSEndpoint extends S3STSEndpointBase {
+
+  private static final Logger LOG = 
LoggerFactory.getLogger(S3STSEndpoint.class);
+
+  // STS API constants
+  private static final String STS_ACTION_PARAM = "Action";
+  private static final String ASSUME_ROLE_ACTION = "AssumeRole";
+  private static final String ROLE_ARN_PARAM = "RoleArn";
+  private static final String ROLE_DURATION_SECONDS_PARAM = "DurationSeconds";
+  private static final String GET_SESSION_TOKEN_ACTION = "GetSessionToken";
+  private static final String ASSUME_ROLE_WITH_SAML_ACTION = 
"AssumeRoleWithSAML";
+  private static final String ASSUME_ROLE_WITH_WEB_IDENTITY_ACTION = 
"AssumeRoleWithWebIdentity";
+  private static final String GET_CALLER_IDENTITY_ACTION = "GetCallerIdentity";
+  private static final String DECODE_AUTHORIZATION_MESSAGE_ACTION = 
"DecodeAuthorizationMessage";
+  private static final String GET_ACCESS_KEY_INFO_ACTION = "GetAccessKeyInfo";
+
+  // Default token duration (in seconds) - AWS default is 3600 (1 hour)
+  private static final int DEFAULT_DURATION_SECONDS = 3600;
+  private static final int MAX_DURATION_SECONDS = 43200; // 12 hours
+  private static final int MIN_DURATION_SECONDS = 900;   // 15 minutes
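Review bot: java.util.Random is imported at the top of this file; if it feeds any part of the issued credentials (access key id, secret key, or session token), replace it with java.security.SecureRandom, because java.util.Random output is predictable from a handful of observed values and these credentials are bearer secrets. Two smaller points: the class Javadoc hard-codes "exposed on the port 9880 or 9881" although the port comes from the ozone.s3g.sts.http-address / ozone.s3g.sts.https-address configuration, so reword it to "the configured STS HTTP/HTTPS address"; and MIN_DURATION_SECONDS / MAX_DURATION_SECONDS only protect anything if the DurationSeconds parameter is validated against them before a token is minted and an out-of-range value is rejected rather than silently clamped, so make sure that check exists and has a unit test.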

Review Comment:
   Can we consider making these into configurations instead? Or universal 
constants (like in OzoneConst). The default can be configurable. The min and 
max can be fixed to AWS specifics if we want to strictly adhere to their 
design. (IMO having all of them as configs would be better)
   
   cc: @fm-cdera @fmorg-git (not sure which account you are using) 
   I think in one of your PRs, I had seen similar constants getting created. To 
avoid having multiple constants mentioned like this can we find a better place 
to specify this?



##########
hadoop-hdds/common/src/main/resources/ozone-default.xml:
##########
@@ -2022,6 +2022,50 @@
       will be used for http authentication.
     </description>
   </property>
+
+  <property>
+    <name>ozone.s3g.sts.http.enabled</name>
+    <value>false</value>
+    <tag>OZONE, S3GATEWAY</tag>
+    <description>
+      The boolean which enables the Ozone S3Gateway STS endpoint.
+    </description>
+  </property>
+  <property>
+    <name>ozone.s3g.sts.http-bind-host</name>
+    <value>0.0.0.0</value>
+    <tag>OZONE, S3GATEWAY</tag>
+    <description>
+      The bind host for the S3 Gateway STS HTTP server.
+      If not set, the value of ozone.s3g.http-bind-host is used.

Review Comment:
   We could also mention the override aspect (other similar configs have this 
uniform description):
   ```suggestion
         If this optional address is set, it overrides only the hostname portion of
         ozone.s3g.sts.http-address.
         If not set, the value of ozone.s3g.http-bind-host is used.
   ```



##########
hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3sts/S3STSEnabledEndpointRequestFilter.java:
##########
@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.s3sts;
+
+import static 
org.apache.hadoop.ozone.s3sts.S3STSConfigKeys.OZONE_S3G_STS_HTTP_ENABLED_KEY;
+
+import java.io.IOException;
+import javax.inject.Inject;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.ext.Provider;
+import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+
+/**
+ * Filter that disables all endpoints annotated with {@link S3STSEnabled}.
+ * Condition is based on the value of the configuration key
+ * ozone.s3g.s3sts.http.enabled.
+ */
+@S3STSEnabled
+@Provider
+public class S3STSEnabledEndpointRequestFilter implements 
ContainerRequestFilter {
+  @Inject
+  private OzoneConfiguration ozoneConfiguration;
+
+  @Override
+  public void filter(ContainerRequestContext requestContext) throws 
IOException {
+    boolean isSTSEnabled = ozoneConfiguration.getBoolean(
+        OZONE_S3G_STS_HTTP_ENABLED_KEY, false);
+    if (!isSTSEnabled) {
+      String errorMessage = "S3 STS endpoint is disabled.";
+      String errorCode = "NotImplemented";
+      String xmlError = "<ErrorResponse 
xmlns=\"https://sts.amazonaws.com/doc/2011-06-15/\";>" +
+          "<Error>" +
+          "<Type>Sender</Type>" +
+          "<Code>" + errorCode + "</Code>" +
+          "<Message>" + errorMessage + "</Message>" +
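Review bot: the Javadoc names the key `ozone.s3g.s3sts.http.enabled`, but the filter reads OZONE_S3G_STS_HTTP_ENABLED_KEY and ozone-default.xml defines `ozone.s3g.sts.http.enabled`; align the Javadoc with the constant so the documentation does not point at a key that is never read. `ozoneConfiguration.getBoolean(...)` is also evaluated on every request although the value cannot change at runtime; read it once into a field instead. The error body is assembled by string concatenation from fixed literals, which is safe as written, but if errorMessage ever echoes request data it will need XML escaping, so consider reusing the S3 gateway's existing error-response serialization (OS3Exception is already imported by S3STSEndpoint) rather than hand-building the XML here.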

Review Comment:
   Any specific reason for creating the strings for errorCode and message 
instead of using `Response.Status.NOT_IMPLEMENTED` itself?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

