ChenSammi commented on code in PR #9507:
URL: https://github.com/apache/ozone/pull/9507#discussion_r2652336999


##########
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3RevokeSTSTokenRequest.java:
##########
@@ -64,27 +57,12 @@ public OMRequest preExecute(OzoneManager ozoneManager) 
throws IOException {
     final OzoneManagerProtocolProtos.RevokeSTSTokenRequest revokeReq =
         getOmRequest().getRevokeSTSTokenRequest();
 
-    // Get the original (long-lived) access key id from the session token
-    // and enforce the same permission model that is used for S3 secret
-    // operations (get/set/revoke). Only the owner of the original access
-    // key (or an S3 / tenant admin) is allowed to revoke its temporary
-    // STS credentials.
-    final String sessionToken = revokeReq.getSessionToken();
-    final String tempAccessKeyId = revokeReq.getAccessKeyId();
-    final STSTokenIdentifier stsTokenIdentifier = 
STSSecurityUtil.constructValidateAndDecryptSTSToken(
-        sessionToken, ozoneManager.getSecretKeyClient(), CLOCK);
-    originalAccessKeyId = stsTokenIdentifier.getOriginalAccessKeyId();
-
-    // Validate that the Access Key ID in the request matches the one in the 
token
-    // to prevent users from revoking arbitrary keys using a valid token.
-    if (!stsTokenIdentifier.getTempAccessKeyId().equals(tempAccessKeyId)) {
-      throw new OMException("Access Key ID in request does not match the 
session token",
-          OMException.ResultCodes.INVALID_REQUEST);
+    // Only S3/Ozone admins can revoke STS tokens by temporary access key ID.
+    final UserGroupInformation ugi = 
S3SecretRequestHelper.getOrCreateUgi(getUserInfo().getUserName());
+    if (!ozoneManager.isS3Admin(ugi)) {
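
Review bot: The admin-only gate at `if (!ozoneManager.isS3Admin(ugi))` drops the path described in the removed comment, where the owner of the original access key could revoke its own temporary STS credentials. A non-admin user who suspects that a temporary credential has leaked now depends on an admin to revoke it. If that narrowing is intended, state it in the class Javadoc and the user-facing docs. Otherwise, keep an optional session-token path that retains the removed `getTempAccessKeyId().equals(tempAccessKeyId)` match check so owners can still self-revoke. The new comment also says "S3/Ozone admins" while the visible check calls only `isS3Admin`, and the removed comment named tenant admins. The comment should list exactly the roles the check accepts.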

Review Comment:
   Despite the implementation consideration, on the feature level, ideally, we 
should allow the user who creates these tokens to revoke them.  I didn't 
realize that the previous discussion would lead to today's implementation 
difficulty. 
   Since the session token has both the temporary access key ID and the original 
user principal, how about having the session token as the only option?  But 
the temporary access key ID is a string, so it is easy for a user to call the CLI 
and pass in a temporary access key ID, while the session token is a combination of 
many strings and raw bytes. How can a user easily pass in a session token? 
Through an input file which holds the session token? 


