elek commented on a change in pull request #1871:
URL: https://github.com/apache/ozone/pull/1871#discussion_r568416516
##########
File path: hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java
##########
@@ -472,6 +472,19 @@ public boolean verifySignature(OzoneTokenIdentifier
identifier,
private byte[] validateS3AuthInfo(OzoneTokenIdentifier identifier)
throws InvalidToken {
LOG.trace("Validating S3AuthInfo for identifier:{}", identifier);
+ if (identifier.getOwner() == null) {
+ throw new InvalidToken(
+ "Owner is missing from the S3 auth token");
+ }
+ if (!identifier.getOwner().toString().equals(identifier.getAwsAccessId()))
{
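Review bot: the visible part of the hunk null-checks `identifier.getOwner()` but not `identifier.getAwsAccessId()` before the comparison `identifier.getOwner().toString().equals(identifier.getAwsAccessId())`; since `String.equals(null)` returns false, a token with no access id would be rejected through the mismatch branch rather than with a clear "access id missing" reason. Consider a dedicated check ahead of the comparison, e.g. `if (identifier.getAwsAccessId() == null) { throw new InvalidToken("AWS access id is missing from the S3 auth token"); }`, and a one-line comment stating why the owner must equal the access id, since the rest of the added block (the body of the second `if`) is not visible in this excerpt and the rationale is otherwise only recoverable from the review discussion.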
Review comment:
_awsaccessId_ is used as a primary key to find the stored secret in
RocksDB. If you use any wrong accessId, the signature validation will fail.
If the string2sign contains a reference to a different accessId, the validation
will fail as the signature won't match.
(At least this is my understanding, but let me know if I missed something...)
----------------------------------------------------------------
This is an automated message from the Apache Git Service.