Re: [PR] HDDS-14011. [STS] Ranger interactions for STS tokens (assumeRole and S3 api calls) [ozone]

Thu, 18 Dec 2025 06:57:16 -0800 


sodonnel commented on code in PR #9484:
URL: https://github.com/apache/ozone/pull/9484#discussion_r2631423815


##########
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmMetadataReader.java:
##########
@@ -613,6 +617,34 @@ public boolean checkAcls(OzoneObj obj, RequestContext 
context,
     }
   }
 
+  /**
+   * Attaches session policy to RequestContext if an STSTokenIdentifier is 
found in the Ozone Manager thread local
+   * (meaning this is an STS request), and the STSTokenIdentifier has a 
session policy.  Otherwise, returns the
+   * RequestContext as it was before.
+   * @param context the original RequestContext
+   * @return RequestContext as before or with sessionPolicy embedded
+   */
+  private RequestContext 
maybeAttachSessionPolicyFromThreadLocal(RequestContext context) {
+    final STSTokenIdentifier stsTokenIdentifier = 
OzoneManager.getStsTokenIdentifier();
+    if (stsTokenIdentifier == null) {
+      return context;
+    }
+
+    final String sessionPolicy = stsTokenIdentifier.getSessionPolicy();
+
+    return RequestContext.newBuilder()

Review Comment:
   I worry that in the future someone will add a new field to context, and they 
will never know to change this code to add it.
   
   A pattern I've seen @adoroszlai use is to create a `toBuilder` method on the 
`requestContext` instance that returns a builder for the current object. That 
way, the creation of that builder is at least centralized in its own class so 
there is a natural place to add any new fields to it.
   
   Then you would just have:
   
   ```
   Builder b = context.toBuilder
     .setSessionPolicy(sessionPolicy)
     .build
   ```
   
   And the rest of the code would be inside the RequestContext.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to