fmorg-git opened a new pull request, #10009: URL: https://github.com/apache/ozone/pull/10009
Please describe your PR in detail: * Currently, S3 APIs are not consistent in how ACL checks are applied. For example, `PutObject` (i.e. OMKeyCreateRequest, OMAllocateBlockRequest, OMKeyCommitRequest), `DeleteObject` (i.e. OMKeyDeleteRequest), `PutObjectTagging` (i.e. S3PutObjectTaggingRequest), etc. perform their ACL checks in `preExecute()` which is on the OM leader RPC thread. However, APIs like `DeleteBucket` (i.e. OMBucketDeleteRequest), `PutBucketAcl` (i.e. OMBucketAclRequest), etc. perform their ACL checks in `validateAndUpdateCache()` which is on the Ratis apply thread. This affects STS in that the STSTokenIdentifier ThreadLocal currently is not available on the Ratis apply thread, so if the STS token has an inline session policy, some ACL checks that should pass would fail. This ticket addresses the inconsistency by ensuring the ThreadLocal is always available on the Ratis apply thread via updates to `OzoneManagerStateMachine`. * This PR depends on https://github.com/apache/ozone/pull/9977 ## What is the link to the Apache JIRA https://issues.apache.org/jira/browse/HDDS-14935 ## How was this patch tested? unit tests, smoke tests -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
