[jira] [Updated] (HDDS-15137) [STS] Ensure each S3 API has an associated S3 Action

Tue, 05 May 2026 16:55:08 -0700 


     [ 
https://issues.apache.org/jira/browse/HDDS-15137?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

ASF GitHub Bot updated HDDS-15137:
----------------------------------
    Labels: pull-request-available  (was: )

> [STS] Ensure each S3 API has an associated S3 Action
> ----------------------------------------------------
>
>                 Key: HDDS-15137
>                 URL: https://issues.apache.org/jira/browse/HDDS-15137
>             Project: Apache Ozone
>          Issue Type: Sub-task
>            Reporter: Fabian Morgan
>            Assignee: Fabian Morgan
>            Priority: Major
>              Labels: pull-request-available
>
> In order to restrict STS tokens on a fine-grained basis by action, each S3 
> api needs to be associated with an S3 action.  For example, both *HeadObject* 
> and *GetObject* S3 apis are associated with "s3:GetObject" action.  The 
> actions will not have the s3: prefix when used internally in Ozone and 
> Ranger.  
> Most apis have a 1-1 mapping with api and action like the *HeadObject* and 
> *GetObject* apis mentioned previously.  In order to avoid having to update 
> multiple call sites, an *S3GActionIamMapper* is introduced to leverage the 
> already existing api audit functionality and map api names to actions in a 
> thread local (*S3Authentication.getS3Action()*).  Then in 
> *OmMetadataReader.checkAcls()*, the *maybeAttachS3ActionFromThreadLocal* 
> function is used to read the thread local and set the s3Action in the 
> RequestContext if it exists.
> However, *CopyObject* and *UploadPartCopy* are special cases.  There is no 
> "s3:CopyObject" nor "s3:UploadPartCopy" action, but rather they both require 
> "s3:GetObject" action on the source object and "s3:PutObject" action on the 
> destination object.  For these special cases, a helper method 
> *runWithS3ActionString* is introduced in *EndpointBase.java* so the proper 
> permissions can be checked on the source and on the destination by 
> temporarily overriding the value in the thread local while the operation is 
> invoked, then setting it back to the previous value when done.
> Additionally, this ticket contains additional fixes found after testing with 
> these new changes.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to