Fabian Morgan created HDDS-14681:
------------------------------------
Summary: Support StringLike Condition and handle certain errors more gracefully
Key: HDDS-14681
URL: https://issues.apache.org/jira/browse/HDDS-14681
Project: Apache Ozone
Issue Type: Sub-task
Reporter: Fabian Morgan
Assignee: Fabian Morgan

When testing Polaris with the feature branch, it was discovered that Polaris is
sending StringLike as a condition in the IAM session policy, which previously
was being rejected as not supported per the design. This ticket adds that
support.

Furthermore, throughout the troubleshooting process, it was noticed that
certain errors weren't being handled gracefully:

1) Unsupported Condition operator in IAM session policy was returning 500
Internal Server Error (instead of 501 Not Implemented)
2) Malformed JSON in IAM session policy was returning 500 Internal Server
Error (instead of 400 Bad Request)
3) If the STS enabled flag was true, but the OzoneNativeAuthorizer was used
instead of Ranger, this returned 500 Internal Server Error (instead of 501 Not
Implemented)
4) When using STS Token for S3 API calls, if the assumed role in Ranger didn't
have a requisite permission for the S3 API call, an AccessDenied (403) error
was returned, which is fine. However, the OM log had a warn message that the
user associated with originalAccessKeyId did not have the permission, which was
confusing when the user did actually have that permission and it was the
assumed role that did not have the permission.

These additional 4 issues are also addressed.
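
An added sketch, not Ozone's code, of the behaviour items 1 and 2 ask for plus StringLike matching with IAM wildcard semantics. The operator set, function names and the sample policy are assumptions made for illustration.

```python
import json
import re

# Assumption: illustrative operator set, not Ozone's actual supported list.
SUPPORTED_OPERATORS = {"StringEquals", "StringLike"}

class PolicyError(Exception):
    """Carries the HTTP status the S3/STS gateway should return."""
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status

def string_like(pattern, value):
    """IAM StringLike: case-sensitive; '*' is any run, '?' is one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def parse_session_policy(text):
    """Return the Statement list, or raise PolicyError with 400 or 501."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise PolicyError(400, f"malformed policy JSON: {exc}") from exc
    if not isinstance(doc, dict):
        raise PolicyError(400, "policy must be a JSON object")
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    if not isinstance(stmts, list):
        raise PolicyError(400, "Statement must be an object or a list")
    for stmt in stmts:
        if not isinstance(stmt, dict) or not isinstance(stmt.get("Condition", {}), dict):
            raise PolicyError(400, "malformed Statement or Condition")
        for op in stmt.get("Condition", {}):
            if op not in SUPPORTED_OPERATORS:  # client asked for something unbuilt
                raise PolicyError(501, f"Condition operator {op} not implemented")
    return stmts

def condition_matches(stmt, context):
    """True when every condition key in stmt is satisfied by the request context."""
    for op, keys in stmt.get("Condition", {}).items():
        test = string_like if op == "StringLike" else (lambda p, v: p == v)
        for key, expected in keys.items():
            patterns = expected if isinstance(expected, list) else [expected]
            actual = context.get(key)
            if actual is None or not any(test(p, actual) for p in patterns):
                return False
    return True

# Constructed sample session policy (bucket name and prefix are made up).
SAMPLE = ('{"Statement": [{"Effect": "Allow", "Action": "s3:ListBucket", '
          '"Resource": "arn:aws:s3:::bucket1", '
          '"Condition": {"StringLike": {"s3:prefix": ["warehouse/*"]}}}]}')
```

Escaping every literal character before compiling the pattern keeps regex metacharacters in a policy value from widening the match.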