sodonnel commented on code in PR #9484:
URL: https://github.com/apache/ozone/pull/9484#discussion_r2631390014


##########
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3AssumeRoleRequest.java:
##########
@@ -201,18 +206,39 @@ private String generateSessionToken(String 
targetRoleName, OMRequest omRequest,
 
     return ozoneManager.getSTSTokenSecretManager().createSTSTokenString(
         tempAccessKeyId, originalAccessKeyId, roleArn, 
assumeRoleRequest.getDurationSeconds(), secretAccessKey,
-        sessionPolicy, CLOCK);
+        sessionPolicy, clock);
   }
 
   /**
    * Calls utility to convert IAM Policy to Ozone nomenclature and uses this 
output as input
    * to IAccessAuthorizer.generateAssumeRoleSessionPolicy() which is currently 
only implemented
    * by RangerOzoneAuthorizer.
    */
-  private String getSessionPolicy(OzoneManager ozoneManager, String 
originalAccessKeyId, String awsIamPolicy,
+  @VisibleForTesting
+  String getSessionPolicy(OzoneManager ozoneManager, String 
originalAccessKeyId, String awsIamPolicy,
       String hostName, InetAddress remoteIp, UserGroupInformation ugi, String 
targetRoleName) throws IOException {
-    // TODO sts - implement in a future PR
-    return null;
+
+    final String volumeName;
+    if (ozoneManager.isS3MultiTenancyEnabled()) {
+      final Optional<String> tenantOpt = ozoneManager.getMultiTenantManager()
+          .getTenantForAccessID(originalAccessKeyId);
+      if (tenantOpt.isPresent()) {
+        volumeName = ozoneManager.getMultiTenantManager()
+            .getTenantVolumeName(tenantOpt.get());
+      } else {
+        volumeName = 
HddsClientUtils.getDefaultS3VolumeName(ozoneManager.getConfiguration());
+      }
+    } else {
+      volumeName = 
HddsClientUtils.getDefaultS3VolumeName(ozoneManager.getConfiguration());
+    }
+
+    final Set<OzoneGrant> grants = StringUtils.isBlank(awsIamPolicy) ?
+        null :
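Review bot: both `else` branches in the new `getSessionPolicy` body resolve `volumeName` to `HddsClientUtils.getDefaultS3VolumeName(ozoneManager.getConfiguration())`; initializing `volumeName` to that default once and overriding it only inside `if (tenantOpt.isPresent())` removes the duplicated lookup and makes the fallback explicit. That fallback also deserves a comment: when multi-tenancy is enabled but `getTenantForAccessID(originalAccessKeyId)` returns an empty Optional, the session policy is scoped to the default S3 volume instead of the request being rejected, and a reader cannot tell from the code whether that is intended. The hunk ends mid-expression at `null :`, so the second arm of the ternary and how `grants` feeds the authorizer described in the Javadoc are not visible here.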

Review Comment:
   Would it make it easier for other classes to use this if it returns 
Collections.emptySet rather than null if there are no grants? Have a think and 
see if it would make sense, and if not it's ok as null.


