[
https://issues.apache.org/jira/browse/HDDS-15617?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sreeja reassigned HDDS-15617:
-----------------------------
Assignee: Sreeja (was: Gargi Jaiswal)
> Fix missing S3 ListBuckets auth validation on non-secure OM clusters
> --------------------------------------------------------------------
>
> Key: HDDS-15617
> URL: https://issues.apache.org/jira/browse/HDDS-15617
> Project: Apache Ozone
> Issue Type: Sub-task
> Components: S3
> Reporter: Gargi Jaiswal
> Assignee: Sreeja
> Priority: Major
>
> {{s3-tests}} {{test_list_buckets_invalid_auth}} and
> {{test_list_buckets_bad_auth}} fail against Ozone S3
> Gateway. Requests with *unknown access keys* or *wrong secrets* should return
> *403 AccessDenied*, but Ozone is accepting them and listing buckets in
> a non-secure cluster.
> *Root cause*
> OM validates S3 SigV4 signatures in
> *{{S3SecurityUtil.validateS3Credential()}}* only when cluster-wide security
> (Kerberos/TLS) is enabled. On *non-secure* clusters, {{delegationTokenMgr}}
> is not created, so S3 credential checks were skipped even though S3 Gateway
> always sends {{S3Authentication}}.
> SigV4 validation is separate from cluster transport security and should
> always run for S3 requests.
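The gating defect described in the issue, as a minimal Python model added here for illustration; it is not Ozone code. The function names, the secret store and the sample values are hypothetical, and it assumes the server-side check receives the access id, the SigV4 string-to-sign and the client's signature.

```python
import hashlib
import hmac

# Constructed secret store: access key id -> secret (not real credentials).
SECRETS = {"testuser": "constructed-secret-1"}

def sigv4_signature(secret, string_to_sign):
    """Derive the SigV4 signing key from the credential scope, then sign."""
    # Third line of the string-to-sign is the scope: date/region/service/aws4_request
    scope = string_to_sign.split("\n")[2].split("/")
    key = ("AWS4" + secret).encode()
    for part in scope:
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def validate_s3_credential(access_id, string_to_sign, signature):
    """Reject unknown access keys and signatures made with the wrong secret."""
    secret = SECRETS.get(access_id)
    if secret is None:
        return False
    expected = sigv4_signature(secret, string_to_sign)
    return hmac.compare_digest(expected, signature)  # constant-time compare

def list_buckets_gated(auth, security_enabled):
    """Behaviour reported in the issue: the check only runs on secure clusters."""
    if security_enabled and not validate_s3_credential(*auth):
        return 403
    return 200

def list_buckets_always(auth, security_enabled):
    """Expected behaviour: SigV4 is validated regardless of cluster security."""
    if not validate_s3_credential(*auth):
        return 403
    return 200

# Constructed sample request data.
STS = ("AWS4-HMAC-SHA256\n20240101T000000Z\n20240101/us-east-1/s3/aws4_request\n"
       + hashlib.sha256(b"constructed canonical request").hexdigest())
GOOD = ("testuser", STS, sigv4_signature("constructed-secret-1", STS))
BAD_KEY = ("nosuchuser", STS, GOOD[2])                          # unknown access key
BAD_SECRET = ("testuser", STS, sigv4_signature("wrong-secret", STS))

if __name__ == "__main__":
    for name, auth in (("good", GOOD), ("bad key", BAD_KEY), ("bad secret", BAD_SECRET)):
        print(name, list_buckets_gated(auth, False), list_buckets_always(auth, False))
```

Run with the security flag off, the gated variant returns 200 for all three requests, which is the condition the two failing s3-tests detect.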