fmorg-git commented on code in PR #9507:
URL: https://github.com/apache/ozone/pull/9507#discussion_r2654068432
##########
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3RevokeSTSTokenRequest.java:
##########
@@ -64,27 +57,12 @@ public OMRequest preExecute(OzoneManager ozoneManager)
throws IOException {
final OzoneManagerProtocolProtos.RevokeSTSTokenRequest revokeReq =
getOmRequest().getRevokeSTSTokenRequest();
- // Get the original (long-lived) access key id from the session token
- // and enforce the same permission model that is used for S3 secret
- // operations (get/set/revoke). Only the owner of the original access
- // key (or an S3 / tenant admin) is allowed to revoke its temporary
- // STS credentials.
- final String sessionToken = revokeReq.getSessionToken();
- final String tempAccessKeyId = revokeReq.getAccessKeyId();
- final STSTokenIdentifier stsTokenIdentifier =
STSSecurityUtil.constructValidateAndDecryptSTSToken(
- sessionToken, ozoneManager.getSecretKeyClient(), CLOCK);
- originalAccessKeyId = stsTokenIdentifier.getOriginalAccessKeyId();
-
- // Validate that the Access Key ID in the request matches the one in the
token
- // to prevent users from revoking arbitrary keys using a valid token.
- if (!stsTokenIdentifier.getTempAccessKeyId().equals(tempAccessKeyId)) {
- throw new OMException("Access Key ID in request does not match the
session token",
- OMException.ResultCodes.INVALID_REQUEST);
+ // Only S3/Ozone admins can revoke STS tokens by temporary access key ID.
+ final UserGroupInformation ugi =
S3SecretRequestHelper.getOrCreateUgi(getUserInfo().getUserName());
+ if (!ozoneManager.isS3Admin(ugi)) {
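Review bot: The added comment above the `isS3Admin(ugi)` check says "S3/Ozone admins", but the condition visible here calls only `ozoneManager.isS3Admin(ugi)`; if Ozone admins are meant to pass, say in the comment that `isS3Admin` covers them, otherwise reword it to "S3 admins". With the session-token decryption and the access-key-ID match removed, the owner of the original access key and tenant admins, whom the deleted comment listed as allowed, can no longer revoke these credentials, so that narrowing belongs in the method's Javadoc. Also check that nothing still reads the `originalAccessKeyId` field that the removed lines used to assign.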
Review Comment:
I also updated the design accordingly with this commit:
https://github.com/apache/ozone/pull/9223/commits/16a6bce64f2512ae156deabe44a5569a9599bf82
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]