[
https://issues.apache.org/jira/browse/HDDS-14861?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Fabian Morgan updated HDDS-14861:
---------------------------------
Status: Patch Available (was: In Progress)
> [STS] Fix Latent S3 API issue when ListBuckets Missing a Required Permission
> ----------------------------------------------------------------------------
>
> Key: HDDS-14861
> URL: https://issues.apache.org/jira/browse/HDDS-14861
> Project: Apache Ozone
> Issue Type: Sub-task
> Reporter: Fabian Morgan
> Assignee: Fabian Morgan
> Priority: Major
> Labels: pull-request-available
>
> Currently, in latent S3 API handling, if a user wants to make a list-buckets
> call and is missing either the READ or LIST permission on the volume, when
> using the AWS CLI, it gives an internal server error after 4 retries. Because
> this is a latent S3 API bug, the same thing happens with STS. This ticket
> fixes the underlying issue so a proper AccessDenied error is returned.
> Here is an explanation of the underlying issue:
> When the ListAllMyBuckets call is missing LIST permission on the volume (or
> READ permission), Ozone Manager correctly throws an OMException with code
> PERMISSION_DENIED. However, OzoneVolume$BucketIterator.getNextListOfBuckets()
> catches this OMException (which is an IOException) and wraps it in an
> unchecked RuntimeException.
> In the S3 Gateway, EndpointBase.iterateBuckets() has a catch (OMException e)
> block designed to translate PERMISSION_DENIED into an S3 AccessDenied (403)
> response. Because the exception is wrapped in a RuntimeException, it bypasses
> this catch block and propagates all the way up to the HTTP server, resulting
> in a generic 500 Internal Server Error.
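The failure mode described in the ticket, reduced to a self-contained Java program (an added example, not code from Apache Ozone or from the patch). `DeniedException`, `buckets()`, `listBefore()`, `listAfter()` and `serve()` are hypothetical stand-ins for the classes the ticket names, and the cause-chain unwrapping in `listAfter()` is an assumed handling, not necessarily the fix in the pull request.

```java
import java.io.IOException;
import java.util.Iterator;
import java.util.NoSuchElementException;
public class WrappedDenialDemo {
  // Hypothetical stand-in for OMException with code PERMISSION_DENIED.
  static class DeniedException extends IOException {
    DeniedException(String msg) { super(msg); }
  }
  // Iterator.hasNext() cannot declare a checked exception, so the denial
  // (constructed here) leaves the iterator wrapped in a RuntimeException.
  static Iterator<String> buckets() throws IOException {
    return new Iterator<String>() {
      @Override public boolean hasNext() {
        try { throw new DeniedException("missing LIST on volume"); }
        catch (IOException e) { throw new RuntimeException(e); }
      }
      @Override public String next() { throw new NoSuchElementException(); }
    };
  }
  // Before: the typed catch never sees the wrapped denial.
  static int listBefore() throws IOException {
    try {
      Iterator<String> it = buckets();
      while (it.hasNext()) { it.next(); }
      return 200;
    } catch (DeniedException e) {
      return 403;
    }
  }
  // After (assumed handling): walk the cause chain before giving up.
  static int listAfter() throws IOException {
    try {
      return listBefore();
    } catch (RuntimeException e) {
      for (Throwable t = e.getCause(); t != null; t = t.getCause()) {
        if (t instanceof DeniedException) { return 403; }
      }
      throw e; // unrelated runtime failures still surface as errors
    }
  }
  // Models the HTTP server: anything uncaught becomes a 500.
  static int serve(boolean unwrap) {
    try { return unwrap ? listAfter() : listBefore(); }
    catch (Exception e) { return 500; }
  }
  public static void main(String[] args) {
    System.out.println("before=" + serve(false) + " after=" + serve(true));
  }
}
```

Because the denial surfaces as a 500, clients treat an authorization failure as a transient server fault and retry it, and it is recorded as a server error rather than an access denial.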