Re: [PR] HDDS-15137. [STS] Ensure each S3 API has an associated S3 Action [ozone]

Thu, 11 Jun 2026 15:09:02 -0700 


fmorg-git commented on code in PR #10197:
URL: https://github.com/apache/ozone/pull/10197#discussion_r3399470162


##########
hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/endpoint/EndpointBase.java:
##########
@@ -225,6 +228,39 @@ protected void init() {
     // hook method
   }
 
+  /**
+   * Sets the IAM S3 action on thread-local {@link S3Auth} for fine-grained 
STS authorization.
+   * Called when the handler resolves the {@link S3GAction}.
+   */
+  protected void applyS3Action(S3GAction action) {
+    if (s3Auth != null) {
+      s3Auth.setS3Action(S3GActionIamMapper.toS3ActionString(action));
+    }
+  }
+
+  /**
+   * Temporarily override the S3 action string set on {@link S3Auth} for 
authorization.
+   * <p>
+   * This does not change S3G auditing (which is based on {@link S3GAction}).
+   * The action string is the IAM-style S3 action name without the {@code s3:} 
prefix (for example
+   * {@code GetObject}, {@code PutObject}, {@code GetObjectTagging}).
+   * This is used for special case APIs like CopyObject that don't have a 1-1 
s3 action mapping, but
+   * requires GetObject on the source file and PutObject on the destination 
file.
+   */
+  protected <T, E extends Exception> T runWithS3ActionString(String s3Action, 
CheckedSupplier<T, E> checkedSupplier)
+      throws E {
+    if (s3Auth == null) {
+      return checkedSupplier.get();
+    }
+    final String originalS3Action = s3Auth.getS3Action();
+    s3Auth.setS3Action(s3Action);
+    try {
+      return checkedSupplier.get();
+    } finally {
+      s3Auth.setS3Action(originalS3Action);
+    }
+  }
+  
   protected OzoneVolume getVolume() throws IOException {

Review Comment:
   updated - 58686144442c8cade64263055957e729e621e765



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to