sodonnel commented on code in PR #8819: URL: https://github.com/apache/ozone/pull/8819#discussion_r2394193548
########## hadoop-hdds/docs/content/design/sts.md: ########## 
@@ -0,0 +1,245 @@ +--- +title: Security Token Service (STS) for Ozone +summary: Allows clients to generate temporary S3 credentials using a REST API. +date: 2025-07-16 +jira: HDDS-13323 +status: implementing +author: Ren Koike +--- +<!-- + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. See accompanying LICENSE file. +--> +# Introduction + +S3 credentials used to communicate with Ozone S3 APIs are based on the kerberos credential used to run the ozone CLI to generate the S3 credential. There is a configuration to specify a S3 Administrator (or default to OM administrators) who can generate S3 credentials for other kerberos principals. + +Historically the Ozone community has had an interest in having a REST API to be able to programmatically be able to generate S3 credentials. + +With Amazon AWS, there is a central service which has the ability to generate [Security Tokens that span resources across services](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html). + +This document covers a basic proposal that describes how Ozone can offer a stand alone STS service that can be used by users to use REST APIs to retrieve. This can be later extended to integrate with a centralized STS service. + +## Goals +1. Allow privileged users to generate temporary S3 credentials using a REST API. +2. Allow users to access S3 APIs using the temporary credentials generated by the REST API. + +## Requirements + +### Functional requirements + +1. 
Allow privileged users to generate temporary S3 credentials with: + * Limited duration + * Restricted to specific bucket/prefix paths + * Restricted to specific S3 operations + * Issuing credentials either to self or another identity +2. The Ozone STS API can be called through the AWS SDKs. +3. Support for service equivalent to AWS STS AssumeRole with Kerberos authentication. +4. Authenticate the AssumeRoleKerberos call using Kerberos +5. Should work with Ozone native ACLs without Ranger +6. Authorize the credential issuance via Ranger +7. Store temporary credentials securely in Ozone Manager

Review Comment:
What if we don't store the tokens in OM? The token could have all the elements encoded within it and signed / encrypted by a secret key shared by all the OMs so it cannot be modified. That way, we don't need to store them or expire them or replicate them across OMs for failover. This is just an idea that might simplify things.
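Review bot: Functional requirement 7 ("Store temporary credentials securely in Ozone Manager") fixes a mechanism without stating the properties the mechanism has to deliver; nothing in the hunk says how expiry is enforced, whether a credential can be revoked before it expires, or how stored credentials survive an OM failover. Whichever way the storage-versus-self-contained-token question above is settled, the requirement should be phrased as the property ("a temporary credential is rejected by every OM once its expiry has passed; issuance is logged/auditable") rather than "store in OM", and if the signed-token route is taken, distribution and rotation of the shared signing key, and the fact that a self-contained token cannot be revoked before expiry without some server-side state, need to appear as requirements too. Requirements 5 and 6 also read as contradictory as written ("Should work with Ozone native ACLs without Ranger" versus "Authorize the credential issuance via Ranger"); say which is mandatory and which is optional, for example "Authorize issuance through the configured authorizer (native ACLs or Ranger)". Items 3 and 4 overlap ("AssumeRole with Kerberos authentication" and "Authenticate the AssumeRoleKerberos call using Kerberos") and could be merged. In the Introduction, the sentence "that can be used by users to use REST APIs to retrieve." is unfinished, "kerberos" should be capitalised as "Kerberos", and "to be able to programmatically be able to generate" repeats "be able to".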
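As an added illustration of the stateless alternative raised in the comment above, written for this page and not taken from Ozone's STS implementation: the scope (principal, bucket, prefix, allowed operations, expiry) is encoded into the access key id together with an HMAC under a key shared by all OMs, and the matching secret key is derived from that access key id, so no OM has to store, expire or replicate anything. The claim names, the JSON encoding, the single shared key and the derivation scheme are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Example only: a self-contained temporary S3 credential pair, as a possible
# shape for the "don't store the tokens in OM" idea. Not Ozone code; the
# claim names, encoding and key-derivation scheme are assumptions.
SHARED_KEY = b"constructed-om-shared-secret-for-this-example-only"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key: bytes, *parts: bytes) -> bytes:
    # Domain-separated HMAC: the label keeps the scope tag and the derived
    # secret from ever being the same value.
    return hmac.new(key, b"\x00".join(parts), hashlib.sha256).digest()


def issue_credentials(key, principal, bucket, prefix, ops, ttl_seconds, now=None):
    """Issue (access_key_id, secret_key) with no server-side state.

    The access key id carries the scope plus an HMAC, so it cannot be altered
    without the shared key; the secret key is derived from the access key id,
    so any OM holding the shared key can recompute it while validating a request.
    """
    now = int(time.time()) if now is None else now
    claims = {
        "sub": principal,
        "bucket": bucket,
        "prefix": prefix,
        "ops": sorted(ops),
        "iat": now,
        "exp": now + ttl_seconds,
    }
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    access_key_id = _b64e(payload) + "." + _b64e(_mac(key, b"scope", payload))
    secret_key = _b64e(_mac(key, b"secret", access_key_id.encode()))
    return access_key_id, secret_key


def parse_and_verify(key, access_key_id, now=None):
    """Return the claims if the access key id is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = access_key_id.split(".")
        payload = _b64d(payload_b64)
        tag = _b64d(tag_b64)
    except (ValueError, TypeError):
        return None
    # Check the MAC before trusting the bytes enough to parse them as JSON.
    if not hmac.compare_digest(tag, _mac(key, b"scope", payload)):
        return None  # tampered, truncated, or signed under another key
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None  # expiry is enforced from the token itself, no lookup needed
    return claims


def authorize(key, access_key_id, presented_secret, op, bucket, object_key, now=None):
    """Decide whether a request made with these credentials may perform op.

    A real S3 gateway would use the derived secret to validate the request's
    SigV4 signature; here the client presents the secret directly for brevity.
    """
    claims = parse_and_verify(key, access_key_id, now)
    if claims is None:
        return False
    expected_secret = _b64e(_mac(key, b"secret", access_key_id.encode()))
    if not hmac.compare_digest(expected_secret, presented_secret):
        return False
    if bucket != claims["bucket"] or not object_key.startswith(claims["prefix"]):
        return False
    return op in claims["ops"]


if __name__ == "__main__":
    akid, sk = issue_credentials(SHARED_KEY, "alice@EXAMPLE.COM", "logs",
                                 "2025/", ["GetObject", "PutObject"], 3600)
    print(authorize(SHARED_KEY, akid, sk, "GetObject", "logs", "2025/07/a.log"))
    print(authorize(SHARED_KEY, akid, sk, "DeleteObject", "logs", "2025/07/a.log"))
```

Two things this shape does not give for free, and which the design doc would have to address if it goes this way: a credential cannot be revoked before `exp` without reintroducing server-side state (a denylist keyed on the access key id), and rotating the shared key invalidates every outstanding credential unless the token also carries a key identifier so that old and new keys can overlap for one TTL.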
