fmorg-git commented on code in PR #9507:
URL: https://github.com/apache/ozone/pull/9507#discussion_r2651670399
##########
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3RevokeSTSTokenRequest.java:
##########
@@ -64,27 +57,12 @@ public OMRequest preExecute(OzoneManager ozoneManager)
throws IOException {
final OzoneManagerProtocolProtos.RevokeSTSTokenRequest revokeReq =
getOmRequest().getRevokeSTSTokenRequest();
- // Get the original (long-lived) access key id from the session token
- // and enforce the same permission model that is used for S3 secret
- // operations (get/set/revoke). Only the owner of the original access
- // key (or an S3 / tenant admin) is allowed to revoke its temporary
- // STS credentials.
- final String sessionToken = revokeReq.getSessionToken();
- final String tempAccessKeyId = revokeReq.getAccessKeyId();
- final STSTokenIdentifier stsTokenIdentifier =
STSSecurityUtil.constructValidateAndDecryptSTSToken(
- sessionToken, ozoneManager.getSecretKeyClient(), CLOCK);
- originalAccessKeyId = stsTokenIdentifier.getOriginalAccessKeyId();
-
- // Validate that the Access Key ID in the request matches the one in the
token
- // to prevent users from revoking arbitrary keys using a valid token.
- if (!stsTokenIdentifier.getTempAccessKeyId().equals(tempAccessKeyId)) {
- throw new OMException("Access Key ID in request does not match the
session token",
- OMException.ResultCodes.INVALID_REQUEST);
+ // Only S3/Ozone admins can revoke STS tokens by temporary access key ID.
+ final UserGroupInformation ugi =
S3SecretRequestHelper.getOrCreateUgi(getUserInfo().getUserName());
+ if (!ozoneManager.isS3Admin(ugi)) {
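Review bot: the new comment says "Only S3/Ozone admins" but the only check in the hunk is `ozoneManager.isS3Admin(ugi)`; either confirm that isS3Admin already covers Ozone admins or reword the comment so the documented policy matches what is enforced. Two follow-ups from the removed lines: the assignment `originalAccessKeyId = stsTokenIdentifier.getOriginalAccessKeyId();` is gone, so that field is no longer set in preExecute and any later use of it (cache update, audit entry) needs another source; and because the request's access key ID is no longer cross-checked against a validated session token, the admin check is now the sole control preventing revocation of an arbitrary key, which is acceptable if that is the agreed design but should be stated in the method's Javadoc so the next reader does not reintroduce the token check by accident.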
Review Comment:
If we have the access key ID as the only input parameter to the CLI utility
that revokes STS tokens, we wouldn't know who the user was that created the
token. (The previous implementation that took both the access key ID and the
session token as parameters to the CLI utility had the capability to allow the
user who created the temporal access ID to revoke the token, but this was a
change to the design that was not agreed upon in Slack discussions, so this PR
modified that implementation). If we use the session token instead of access
key ID as the one input to the CLI utility, then we would know who created the
token, but this would again be a change to the design. Please let me know if
you prefer the design to be changed in this way to allow the user who created
the token to revoke the token.
--
This is an automated message from the Apache Git Service.