Fabian Morgan created HDDS-14861:
------------------------------------
Summary: [STS] Fix Latent S3 API issue when ListBuckets Missing a Required Permission
Key: HDDS-14861
URL: https://issues.apache.org/jira/browse/HDDS-14861
Project: Apache Ozone
Issue Type: Sub-task
Reporter: Fabian Morgan
Assignee: Fabian Morgan
Currently, in the latent S3 API handling, if a user makes a list-buckets call
and is missing either the READ or LIST permission on the volume, the AWS CLI
reports an internal server error after 4 retries. Because this is a latent S3
API bug, the same thing happens with STS. This ticket fixes the underlying
issue so that a proper AccessDenied error is returned.
Here is an explanation of the underlying issue:
When the ListAllMyBuckets call is missing LIST permission on the volume (or
READ permission), Ozone Manager correctly throws an OMException with code
PERMISSION_DENIED. However, OzoneVolume$BucketIterator.getNextListOfBuckets()
catches this OMException (which is an IOException) and wraps it in an unchecked
RuntimeException.
In the S3 Gateway, EndpointBase.iterateBuckets() has a catch (OMException e)
block designed to translate PERMISSION_DENIED into an S3 AccessDenied (403)
response. Because the exception is wrapped in a RuntimeException, it bypasses
this catch block and propagates all the way up to the HTTP server, resulting in
a generic 500 Internal Server Error.
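The following Java sketch is an added illustration of the failure path described above and is not Ozone's own code: the class and method names (fetchFromOm, nextBucket, iterate, statusBefore, statusAfter) are stand-ins for the Ozone Manager call, OzoneVolume$BucketIterator and EndpointBase.iterateBuckets(), and the unwrapping shown in statusAfter is one assumed way to fix the issue, not necessarily the patch attached to this ticket.

```java
import java.io.IOException;
// Stand-in for Ozone's OMException: a checked IOException carrying a result code.
class OMException extends IOException {
    final String result; // "PERMISSION_DENIED" here; Ozone uses a ResultCodes enum
    OMException(String msg, String result) { super(msg); this.result = result; }
}
public class ListBucketsDemo {
    // Stand-in for the Ozone Manager call that rejects a caller lacking LIST/READ on the volume.
    static String fetchFromOm(boolean hasPermission) throws IOException {
        if (!hasPermission) {
            throw new OMException("no LIST on volume", "PERMISSION_DENIED");
        }
        return "bucket1";
    }
    // Models OzoneVolume$BucketIterator.getNextListOfBuckets(): Iterator.next() cannot
    // throw a checked exception, so the OMException is wrapped in a RuntimeException.
    static String nextBucket(boolean hasPermission) {
        try {
            return fetchFromOm(hasPermission);
        } catch (IOException e) {
            throw new RuntimeException(e); // the wrapping described in the ticket
        }
    }
    // Shape of EndpointBase.iterateBuckets(); the throws clause stands in for the other OM
    // calls in that try block, which is what lets catch (OMException) compile there.
    static String iterate(boolean hasPermission) throws IOException { return nextBucket(hasPermission); }
    // Before the fix: catch (OMException) never sees the wrapper, so the HTTP layer answers 500.
    static int statusBefore(boolean hasPermission) {
        try {
            iterate(hasPermission);
            return 200;
        } catch (OMException e) {
            return 403; // AccessDenied; unreachable while the wrapper is in place
        } catch (IOException | RuntimeException e) {
            return 500;
        }
    }
    // One possible fix (assumed here, not necessarily Ozone's patch): unwrap the cause and
    // map PERMISSION_DENIED to AccessDenied (403) exactly as a direct OMException would be.
    static int statusAfter(boolean hasPermission) {
        try {
            iterate(hasPermission);
            return 200;
        } catch (IOException | RuntimeException e) {
            Throwable t = (e instanceof RuntimeException && e.getCause() != null) ? e.getCause() : e;
            boolean denied = t instanceof OMException && "PERMISSION_DENIED".equals(((OMException) t).result);
            return denied ? 403 : 500;
        }
    }
}
```

Calling statusBefore(false) from a main or unit test follows the generic-500 path the ticket describes, while statusAfter(false) follows the AccessDenied path once the wrapped OMException is unwrapped.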
--
This message was sent by Atlassian Jira
(v8.20.10#820010)