fmorg-git commented on code in PR #9484:
URL: https://github.com/apache/ozone/pull/9484#discussion_r2631849141
##########
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3AssumeRoleRequest.java:
##########
@@ -201,18 +206,39 @@ private String generateSessionToken(String
targetRoleName, OMRequest omRequest,
return ozoneManager.getSTSTokenSecretManager().createSTSTokenString(
tempAccessKeyId, originalAccessKeyId, roleArn,
assumeRoleRequest.getDurationSeconds(), secretAccessKey,
- sessionPolicy, CLOCK);
+ sessionPolicy, clock);
}
/**
* Calls utility to convert IAM Policy to Ozone nomenclature and uses this
output as input
* to IAccessAuthorizer.generateAssumeRoleSessionPolicy() which is currently
only implemented
* by RangerOzoneAuthorizer.
*/
- private String getSessionPolicy(OzoneManager ozoneManager, String
originalAccessKeyId, String awsIamPolicy,
+ @VisibleForTesting
+ String getSessionPolicy(OzoneManager ozoneManager, String
originalAccessKeyId, String awsIamPolicy,
String hostName, InetAddress remoteIp, UserGroupInformation ugi, String
targetRoleName) throws IOException {
- // TODO sts - implement in a future PR
- return null;
+
+ final String volumeName;
+ if (ozoneManager.isS3MultiTenancyEnabled()) {
+ final Optional<String> tenantOpt = ozoneManager.getMultiTenantManager()
+ .getTenantForAccessID(originalAccessKeyId);
+ if (tenantOpt.isPresent()) {
+ volumeName = ozoneManager.getMultiTenantManager()
+ .getTenantVolumeName(tenantOpt.get());
+ } else {
+ volumeName =
HddsClientUtils.getDefaultS3VolumeName(ozoneManager.getConfiguration());
+ }
+ } else {
+ volumeName =
HddsClientUtils.getDefaultS3VolumeName(ozoneManager.getConfiguration());
+ }
+
+ final Set<OzoneGrant> grants = StringUtils.isBlank(awsIamPolicy) ?
+ null :
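Review bot: the `grants` ternary at the end of the hunk gives `null` and an empty set different authorization meanings (no session policy supplied versus a policy that grants nothing), but nothing at the declaration records that; add a comment there, or extend the Javadoc above `getSessionPolicy`, listing the three cases so a later cleanup does not "simplify" `null` into `Collections.emptySet()` and silently change the permissions a session token carries. Also, `StringUtils.isBlank` treats a whitespace-only `awsIamPolicy` the same as an absent one, which takes the full-role-permissions path; confirm that is intended rather than treating it as an unparseable policy. Minor: both branches of the `isS3MultiTenancyEnabled()` block fall back to `HddsClientUtils.getDefaultS3VolumeName(ozoneManager.getConfiguration())`; computing the default once and overriding it only when `tenantOpt.isPresent()` removes the duplicated call.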
Review Comment:
Good question - so `null` is different from `Collections.emptySet()`.
Please see the following for reference:
1. grants = `null` => no IAM session policy was supplied => user gets all
permissions of role
2. grants = `Collections.emptySet()` => Ozone determined IAM session policy
had mismatched action and resources, so it can't grant anything => user should
get no permissions and STS token would be useless
3. grants = `Set<OzoneGrant>` => valid IAM session policy was supplied =>
user gets intersection of role permissions and policy grants.
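The three grant states described in the comment above, as an added illustration that is not Ozone's code or the PR's: `Grant` is a stand-in enum for the project's `OzoneGrant`, and `effectivePermissions` is a hypothetical helper modelling how a session policy narrows a role; it does not reproduce RangerOzoneAuthorizer's `generateAssumeRoleSessionPolicy()`.

```java
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;

/**
 * Added illustration, not Ozone code: models the null / empty / non-empty
 * grant states from the review comment and shows why the first two must
 * not be conflated.
 */
public class SessionPolicyModel {

  /** Hypothetical stand-in for the project's OzoneGrant type. */
  enum Grant { READ, WRITE, LIST, DELETE }

  /**
   * Effective permissions of an assumed-role session.
   *
   * sessionGrants == null   -> no IAM session policy supplied: full role permissions
   * sessionGrants.isEmpty() -> policy supplied but nothing matched: no permissions (fail closed)
   * otherwise               -> intersection of role permissions and policy grants
   */
  static Set<Grant> effectivePermissions(Set<Grant> rolePermissions, Set<Grant> sessionGrants) {
    // EnumSet.copyOf(Collection) rejects an empty non-EnumSet, so build explicitly.
    EnumSet<Grant> effective = EnumSet.noneOf(Grant.class);
    effective.addAll(rolePermissions);

    if (sessionGrants == null) {
      // Case 1: no session policy, the role's own permissions apply unchanged.
      return effective;
    }
    if (sessionGrants.isEmpty()) {
      // Case 2: a policy was supplied but granted nothing; deny everything
      // rather than falling back to the role's permissions.
      return EnumSet.noneOf(Grant.class);
    }
    // Case 3: a session policy can only narrow the role, never widen it,
    // so grants outside the role's permissions are dropped by the intersection.
    effective.retainAll(sessionGrants);
    return effective;
  }

  public static void main(String[] args) {
    Set<Grant> role = EnumSet.of(Grant.READ, Grant.WRITE, Grant.LIST);

    // Case 1: no session policy
    System.out.println("no policy:      " + effectivePermissions(role, null));
    // Case 2: policy parsed but no action/resource matched
    System.out.println("empty grants:   " + effectivePermissions(role, Collections.emptySet()));
    // Case 3: policy grants READ and DELETE; DELETE is not in the role, so only READ survives
    System.out.println("narrowed:       "
        + effectivePermissions(role, EnumSet.of(Grant.READ, Grant.DELETE)));
  }
}
```

Run it with `javac SessionPolicyModel.java && java SessionPolicyModel`. The third case is the one worth watching in review: a grant the policy names but the role does not carry (`DELETE` here) is discarded by `retainAll`, which is what keeps a session policy from escalating beyond the role.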
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.