[ https://issues.apache.org/jira/browse/HDDS-14681?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
ASF GitHub Bot updated HDDS-14681:
----------------------------------
Labels: pull-request-available (was: )
> [STS] Support StringLike Condition operator in IAM session policy and handle
> certain errors more gracefully
> -----------------------------------------------------------------------------------------------------------
>
> Key: HDDS-14681
> URL: https://issues.apache.org/jira/browse/HDDS-14681
> Project: Apache Ozone
> Issue Type: Sub-task
> Reporter: Fabian Morgan
> Assignee: Fabian Morgan
> Priority: Major
> Labels: pull-request-available
>
> When testing Polaris with the feature branch, it was discovered that Polaris
> is sending StringLike as a condition in the IAM session policy, which
> previously was being rejected as not supported per the design. This ticket
> adds that support.
> Furthermore, throughout the troubleshooting process, it was noticed that
> certain errors weren't being handled gracefully:
> 1) Unsupported Condition operator in IAM session policy was returning 500
> Internal Server Error (instead of 501 Not Implemented)
> 2) Malformed JSON in IAM session policy was returning 500 Internal Server
> Error (instead of 400 Bad Request)
> 3) If the STS enabled flag was true, but the OzoneNativeAuthorizer was used
> instead of Ranger, this returned 500 Internal Server Error (instead of 501
> Not Implemented)
> 4) When using STS Token for S3 API calls, if the assumed role in Ranger
> didn't have a requisite permission for the S3 API call, an AccessDenied (403)
> error was returned, which is fine. However, the OM log had a warn message
> that the user associated with originalAccessKeyId did not have the
> permission, which was confusing when the user did actually have that
> permission and it was the assumed role that did not have the permission.
> These additional 4 issues are also addressed.
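As an added illustration (not code from Apache Ozone or from the pull request), the sketch below validates a session policy with the status mapping from items 1 and 2 of the ticket and evaluates `StringLike` with AWS IAM semantics. All function names, the `SUPPORTED_OPERATORS` set and the sample policy are assumptions made for this example.

```python
import json
import operator
import re

# Assumption: StringEquals is listed for illustration; the ticket confirms only StringLike.
SUPPORTED_OPERATORS = {"StringEquals", "StringLike"}

class PolicyError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status  # HTTP status the caller should see

def _as_list(value):
    return value if isinstance(value, list) else [value]

def string_like(pattern, value):
    """IAM StringLike: case-sensitive; '*' matches any run, '?' any single character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def parse_session_policy(text):
    """Return the statements, or raise PolicyError carrying a client-facing status."""
    try:
        statements = _as_list(json.loads(text)["Statement"])
    except (ValueError, KeyError, TypeError) as exc:
        raise PolicyError(400, f"malformed session policy: {exc}") from exc
    for stmt in statements:
        if not isinstance(stmt, dict) or not isinstance(stmt.get("Condition", {}), dict):
            raise PolicyError(400, "malformed session policy statement")
        for op in stmt.get("Condition", {}):
            if op not in SUPPORTED_OPERATORS:
                raise PolicyError(501, f"condition operator {op} is not implemented")
    return statements

def conditions_match(stmt, context):
    """Operators and keys are ANDed; the values listed for one key are ORed."""
    for op, block in stmt.get("Condition", {}).items():
        test = string_like if op == "StringLike" else operator.eq
        for key, patterns in block.items():
            actual = context.get(key)  # a missing context key never matches
            if actual is None or not any(test(p, actual) for p in _as_list(patterns)):
                return False
    return True

def validation_status(text):
    """200 for an acceptable policy, otherwise the status carried by PolicyError."""
    try:
        parse_session_policy(text)
        return 200
    except PolicyError as exc:
        return exc.status

# Constructed sample policy, not taken from Polaris or Ozone.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::warehouse",
    "Condition": {"StringLike": {"s3:prefix": ["tables/ns1/*", "metadata/?.json"]}}}]})
```
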