len548 commented on code in PR #9343: URL: https://github.com/apache/ozone/pull/9343#discussion_r2687330914
########## hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3sts/S3STSEndpoint.java: ########## 
@@ -0,0 +1,298 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.s3sts;
+
+import java.io.IOException;
+import java.time.Instant;
+import java.time.format.DateTimeFormatter;
+import java.util.Base64;
+import java.util.Random;
+import java.util.UUID;
+import javax.ws.rs.FormParam;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+import org.apache.hadoop.ozone.s3.exception.OS3Exception;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * AWS STS (Security Token Service) compatible endpoint for Ozone S3 Gateway.
+ * <p>
+ * This endpoint provides temporary security credentials compatible with
+ * AWS STS API, exposed on the webadmin port (19878) at /sts endpoint.
+ * <p>
+ * Currently supports only AssumeRole operation. Other STS operations will
+ * return appropriate error responses.
+ *
+ * @see <a href="https://docs.aws.amazon.com/STS/latest/APIReference/">AWS STS API Reference</a>
+ */
+@Path("/")
+@S3STSEnabled
+public class S3STSEndpoint extends S3STSEndpointBase {
+
+ private static final Logger LOG = LoggerFactory.getLogger(S3STSEndpoint.class);
+
+ // STS API constants
+ private static final String STS_ACTION_PARAM = "Action";
+ private static final String ASSUME_ROLE_ACTION = "AssumeRole";
+ private static final String ROLE_ARN_PARAM = "RoleArn";
+ private static final String ROLE_DURATION_SECONDS_PARAM = "DurationSeconds";
+ private static final String GET_SESSION_TOKEN_ACTION = "GetSessionToken";
+ private static final String ASSUME_ROLE_WITH_SAML_ACTION = "AssumeRoleWithSAML";
+ private static final String ASSUME_ROLE_WITH_WEB_IDENTITY_ACTION = "AssumeRoleWithWebIdentity";
+ private static final String GET_CALLER_IDENTITY_ACTION = "GetCallerIdentity";
+ private static final String DECODE_AUTHORIZATION_MESSAGE_ACTION = "DecodeAuthorizationMessage";
+ private static final String GET_ACCESS_KEY_INFO_ACTION = "GetAccessKeyInfo";
+
+ // Default token duration (in seconds) - AWS default is 3600 (1 hour)
+ private static final int DEFAULT_DURATION_SECONDS = 3600;
+ private static final int MAX_DURATION_SECONDS = 43200; // 12 hours
+ private static final int MIN_DURATION_SECONDS = 900; // 15 minutes
+
+ /**
+ * STS endpoint that handles GET requests with query parameters.
+ * AWS STS supports both GET and POST requests.
+ *
+ * @param action The STS action to perform (AssumeRole, GetSessionToken, etc.)
+ * @param roleArn The ARN of the role to assume (for AssumeRole)
+ * @param roleSessionName Session name for the role (for AssumeRole)
+ * @param durationSeconds Duration of the token validity in seconds
+ * @param version AWS STS API version (should be "2011-06-15")
Review Comment: Updated.
########## hadoop-hdds/common/src/main/resources/ozone-default.xml: ##########
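Review bot: `java.util.Random` is imported into a file whose stated purpose is issuing temporary security credentials; any session token, access key or secret material produced here must come from `java.security.SecureRandom`, so if the `Random` instance is used for that (its use lies outside the quoted lines) the import should be replaced and the generator held as a `private static final` field. The `@param durationSeconds` Javadoc also omits the bounds implied by `MIN_DURATION_SECONDS`, `MAX_DURATION_SECONDS` and `DEFAULT_DURATION_SECONDS`; assuming those constants are enforced, `@param durationSeconds Duration of the token validity in seconds; expected within MIN_DURATION_SECONDS..MAX_DURATION_SECONDS, DEFAULT_DURATION_SECONDS when omitted` tells callers what to expect. The class Javadoc hard-codes "webadmin port (19878)" although this PR makes the STS listener configurable through the new `ozone.s3g.sts.http-bind-host` property, so naming the configuration keys rather than a fixed port would keep that sentence accurate. The method whose Javadoc closes the quoted lines has its signature and body outside the hunk.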
@@ -2022,6 +2022,50 @@ will be used for http authentication. </description> </property>
+
+ <property>
+ <name>ozone.s3g.sts.http.enabled</name>
+ <value>false</value>
+ <tag>OZONE, S3GATEWAY</tag>
+ <description>
+ The boolean which enables the Ozone S3Gateway STS endpoint.
+ </description>
+ </property>
+ <property>
+ <name>ozone.s3g.sts.http-bind-host</name>
+ <value>0.0.0.0</value>
+ <tag>OZONE, S3GATEWAY</tag>
+ <description>
+ The bind host for the S3 Gateway STS HTTP server.
+ If not set, the value of ozone.s3g.http-bind-host is used.
Review Comment: Agreed and updated.
-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
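Review bot: The `ozone.s3g.sts.http-bind-host` entry ships with `<value>0.0.0.0</value>` while its description says `ozone.s3g.http-bind-host` is used when the key is not set; with a non-empty default in ozone-default.xml the key is always set, so the documented fallback can never apply unless the loading code treats `0.0.0.0` specially, which is not visible here. Either make the fallback real with `<value></value>` and keep the current sentence, or keep `0.0.0.0` and replace the sentence with `By default the STS server listens on all interfaces.` so the description matches what ships. Because this is the listener of a credential-issuing service, the effective bind address should be stated explicitly either way. The property block continues past the quoted lines.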
