Re: [PR] HDDS-14150. [STS] Connect STS Endpoint to Backend Processing [ozone]

Fri, 23 Jan 2026 01:14:47 -0800 


ChenSammi commented on code in PR #9654:
URL: https://github.com/apache/ozone/pull/9654#discussion_r2720360102


##########
hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/signature/AWSSignatureProcessor.java:
##########
@@ -103,13 +103,47 @@ public SignatureInfo parseSignature() throws 
OS3Exception, IOException, NoSuchAl
     if (signatureInfo == null) {
       signatureInfo = new 
SignatureInfo.Builder(Version.NONE).setService("s3").build();
     }
+
+    // Capture STS session token if present (header-based or query-based).
+    // - Header-based SigV4: x-amz-security-token
+    // - Query-based (for presigned URLs): X-Amz-Security-Token
+    final String sessionToken = extractSessionToken(headers);
+    if (sessionToken != null && !sessionToken.isEmpty()) {
+      signatureInfo.setSessionToken(sessionToken);
+    }
+
     String payloadHash = getPayloadHash(headers, signatureInfo);
     signatureInfo.setPayloadHash(payloadHash);
     signatureInfo.setUnfilteredURI(
         context.getUriInfo().getRequestUri().getPath());
     return signatureInfo;
   }
 
+  private String extractSessionToken(LowerCaseKeyStringMap headers) {
+    // Header-based token
+    final String headerToken = headers.get("x-amz-security-token");
+    if (headerToken != null && !headerToken.isEmpty()) {
+      return headerToken;
+    }
+
+    // Query-based token - this would be used for presigned URLs
+    final MultivaluedMap<String, String> queryParams = 
context.getUriInfo().getQueryParameters();
+    if (queryParams == null) {
+      return null;
+    }
+    final String stsQueryParam = queryParams.getFirst("X-Amz-Security-Token");

Review Comment:
   Since "X-Amz-Security-Token" is case insensitive, it's better to loop the 
queryParams, and use the compareToIgnoreCase to compare the parameter name. 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to