fmorg-git commented on code in PR #9343: URL: https://github.com/apache/ozone/pull/9343#discussion_r2624533680
########## hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3sts/S3STSEndpoint.java: ########## 
@@ -0,0 +1,298 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.s3sts;
+
+import java.io.IOException;
+import java.time.Instant;
+import java.time.format.DateTimeFormatter;
+import java.util.Base64;
+import java.util.Random;
+import java.util.UUID;
+import javax.ws.rs.FormParam;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+import org.apache.hadoop.ozone.s3.exception.OS3Exception;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * AWS STS (Security Token Service) compatible endpoint for Ozone S3 Gateway.
+ * <p>
+ * This endpoint provides temporary security credentials compatible with
+ * AWS STS API, exposed on the port 9880 or 9881.
+ * <p>
+ * Currently supports only AssumeRole operation. Other STS operations will
+ * return appropriate error responses.
+ *
+ * @see <a href="https://docs.aws.amazon.com/STS/latest/APIReference/">AWS STS API Reference</a>
+ */
+@Path("/")
+@S3STSEnabled
+public class S3STSEndpoint extends S3STSEndpointBase {
+
+ private static final Logger LOG = LoggerFactory.getLogger(S3STSEndpoint.class);
+
+ // STS API constants
+ private static final String STS_ACTION_PARAM = "Action";
+ private static final String ASSUME_ROLE_ACTION = "AssumeRole";
+ private static final String ROLE_ARN_PARAM = "RoleArn";
+ private static final String ROLE_DURATION_SECONDS_PARAM = "DurationSeconds";
+ private static final String GET_SESSION_TOKEN_ACTION = "GetSessionToken";
+ private static final String ASSUME_ROLE_WITH_SAML_ACTION = "AssumeRoleWithSAML";
+ private static final String ASSUME_ROLE_WITH_WEB_IDENTITY_ACTION = "AssumeRoleWithWebIdentity";
+ private static final String GET_CALLER_IDENTITY_ACTION = "GetCallerIdentity";
+ private static final String DECODE_AUTHORIZATION_MESSAGE_ACTION = "DecodeAuthorizationMessage";
+ private static final String GET_ACCESS_KEY_INFO_ACTION = "GetAccessKeyInfo";
+
+ // Default token duration (in seconds) - AWS default is 3600 (1 hour)
+ private static final int DEFAULT_DURATION_SECONDS = 3600;
+ private static final int MAX_DURATION_SECONDS = 43200; // 12 hours
+ private static final int MIN_DURATION_SECONDS = 900; // 15 minutes
Review Comment: I originally thought the backend would only be doing the validations, so I have constants in `S3AssumeRoleRequest`. Since the endpoint will be doing some validations as well (per earlier discussion above), perhaps those constants in `S3AssumeRoleRequest` can be made `public` instead of `private` and be reused in the endpoint.
-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
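Review bot: `import java.util.Random;` in the import block is the line I would question first in a class whose Javadoc says it hands out temporary security credentials; the call sites are outside this excerpt, but if Random contributes to the access key id, secret key or session token it should be `java.security.SecureRandom`, because java.util.Random's sequence is recoverable from a few observed outputs, and the same review applies wherever `Base64`/`UUID` are used to encode that material. If Random is only used for something non-secret, a comment at the field saying so would stop the next reader from asking again. Separately, the Javadoc line `exposed on the port 9880 or 9881` bakes deployment ports into a class comment that will drift from configuration; I would reword it to refer to the configured S3 STS port instead. The class body continues past the last line shown here.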
