Gargi Jaiswal created HDDS-15617:
------------------------------------
Summary: Fix missing S3 ListBuckets auth validation on non-secure
OM clusters
Key: HDDS-15617
URL: https://issues.apache.org/jira/browse/HDDS-15617
Project: Apache Ozone
Issue Type: Sub-task
Components: S3
Reporter: Gargi Jaiswal
Assignee: Gargi Jaiswal
{{s3-tests}} {{test_list_buckets_invalid_auth}} and
{{test_list_buckets_bad_auth}} fail against Ozone S3
Gateway. Requests with *unknown access keys* or *wrong secrets* should return
*403 AccessDenied*, but Ozone is accepting them and listing buckets in
a non-secure cluster.
*Root cause*
OM validates S3 SigV4 signatures in *{{S3SecurityUtil.validateS3Credential()}}*
only when cluster-wide security (Kerberos/TLS) is enabled. On *non-secure*
clusters, {{delegationTokenMgr}} is not created, so S3 credential checks were
skipped even though S3 Gateway always sends {{S3Authentication}}.
SigV4 validation is separate from cluster transport security and should always
run for S3 requests.
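A small Python model of the gating described under "Root cause", added here as an illustration and not Ozone's own (Java) code: the same SigV4 check is called once behind a cluster-security flag and once unconditionally, so the difference for a wrong secret or unknown access key is visible. The function names, the `security_enabled` flag, the credential store and the request values are assumptions constructed for the example.

```python
import hashlib
import hmac

# Constructed credential store: one known access key and its secret.
SECRETS = {"testuser": "constructed-secret"}
DATE, REGION, SERVICE = "20240101", "us-east-1", "s3"
# Constructed string-to-sign; a real one hashes the canonical request.
STRING_TO_SIGN = "\n".join([
    "AWS4-HMAC-SHA256", DATE + "T000000Z",
    f"{DATE}/{REGION}/{SERVICE}/aws4_request",
    hashlib.sha256(b"GET\n/\n(constructed canonical request)").hexdigest(),
])

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_signature(secret: str) -> str:
    """Derive the SigV4 signing key from the secret and sign the request."""
    key = ("AWS4" + secret).encode()
    for part in (DATE, REGION, SERVICE, "aws4_request"):
        key = _hmac(key, part)
    return _hmac(key, STRING_TO_SIGN).hex()

def validate_s3_credential(access_key: str, signature: str) -> int:
    """Return 200 when the signature matches the stored secret, else 403."""
    secret = SECRETS.get(access_key)
    if secret is None:
        return 403  # unknown access key -> AccessDenied
    expected = sigv4_signature(secret)
    return 200 if hmac.compare_digest(expected, signature) else 403

def list_buckets_gated(access_key, signature, security_enabled):
    """Reported behaviour: the check runs only on secure clusters."""
    if security_enabled:
        return validate_s3_credential(access_key, signature)
    return 200  # non-secure cluster: credentials never checked

def list_buckets_always(access_key, signature, security_enabled):
    """Expected behaviour: the check runs for every S3 request."""
    return validate_s3_credential(access_key, signature)

if __name__ == "__main__":
    cases = {"valid": ("testuser", sigv4_signature("constructed-secret")),
             "wrong secret": ("testuser", sigv4_signature("guess")),
             "unknown key": ("nobody", sigv4_signature("constructed-secret"))}
    for name, (ak, sig) in cases.items():
        print(name, list_buckets_gated(ak, sig, False),
              list_buckets_always(ak, sig, False))
```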