HDDS-15273. Add OIDC AssumeRoleWithWebIdentity support to Ozone STS#10266
HDDS-15273. Add OIDC AssumeRoleWithWebIdentity support to Ozone STS#10266paf91 wants to merge 7 commits into
Conversation
Includes: - STS-focused OIDC/JWKS validator - OIDC config keys - AssumeRoleWithWebIdentity authorizer request shape - fail-closed default authorizer hook - S3G STS bootstrap auth bypass only for Action=AssumeRoleWithWebIdentity - design doc - unit tests
Includes: - OM protocol/client path for AssumeRoleWithWebIdentity - OM-side JWT validation in preExecute() - sanitized Ratis request without raw WebIdentityToken - WebIdentity-backed STS token identity model - backward-compatible STSTokenIdentifier authType - reuse of existing STS validation path for subsequent S3 requests - S3G STS XML response/routing for WebIdentity - tests proving no raw JWT persistence and replay determinism
|
Thanks @paf91 for the patch. As quick initial feedback: there is a compile error that prevents further test runs. |
My bad, the earlier validation was focused on selected unit/E2E tests and did not run the exact PR compile lane from CI from a clean state |
|
Thanks for the update. Please make sure to check results, there are checkstyle/pmd errors. |
Thanks, reran the relevant checks locally and fixed it. Now CI looks green |
|
Do you plan to add smoke tests that use the new Docker Compose cluster, including Keycloak or another IdP container? |
Not in this PR. I kept this focused on STS runtime + Java integration coverage. There is already a Keycloak Testcontainers IT with a real Keycloak container and real JWT exchange. I agree a Docker Compose smoke test would be useful for packaged config/deployment coverage. If you think it is a blocker, I can add a small one here; otherwise I’d prefer a follow-up JIRA/PR. |
|
Or maybe you can split this into smaller prs and leave this for the discussion of design review and the reference of basic implementation/MVP btw personally I really like this proposal because this make ozone more usable for modern cloud environment. actually I was trying to design this this morning haha |
Thanks, that is exactly the motivation: make Ozone STS usable in OIDC/cloud-native environments while keeping Ranger/Ozone authorizer as the PDP. I can split it if you think that would make review easier.. The split would be like:
My preference is to keep this PR together for now (I am lazy haha), since the pieces are connected already and the current PR already shows the full MVP flow end-to-end. |
|
I can resolve conflicts here if needed @peterxcli |
|
Up to you, or we can just leave it as a discussion. |
adoroszlai
left a comment
adoroszlai
left a comment
There was a problem hiding this comment.
maybe you can split this into smaller prs and leave this for the discussion of design review and the reference of basic implementation/MVP
My preference is to keep this PR together for now (I am lazy haha),
I think the former approach is better, but we can experiment with reviewing as a whole. (I'm guessing it will increase number of review rounds, hope you can accept that.)
| </description> | ||
| </property> | ||
| <property> | ||
| <name>ozone.sts.web.identity.enabled</name> |
There was a problem hiding this comment.
Please add these new config properties as @Config annotations in OidcConfig instead of XML + constants split between two files.
| @SuppressWarnings("checkstyle:ParameterNumber") | ||
| public AssumeRoleWithWebIdentityRequest(String host, InetAddress ip, | ||
| String user, Set<String> groups, Set<String> roles, String roleArn, | ||
| String roleSessionName, String issuer, String subject, String audience, | ||
| String providerId, Set<AssumeRoleRequest.OzoneGrant> grants) { |
There was a problem hiding this comment.
Please add a Builder class, newBuilder method, change the constructor to accept only the Builder instead of all properties, and make the constructor private.
| import org.apache.commons.lang3.StringUtils; | ||
|
|
||
| /** | ||
| * Thread-safe JWKS cache with refresh-on-unknown-kid semantics. |
There was a problem hiding this comment.
common is for code shared between client and server components. These classes in org.apache.hadoop.ozone.security.oidc are not needed in clients, please move them to ozone-manager (along with additional dependency nimbus-jose-jwt).
| requireNonBlank(issuerUri, OZONE_STS_WEB_IDENTITY_ISSUER_URI); | ||
| requireNonBlank(audience, OZONE_STS_WEB_IDENTITY_AUDIENCE); | ||
|
|
||
| if (requireHttps && !allowInsecureHttpForTests) { |
There was a problem hiding this comment.
Why do we need two config properties/flags? allowInsecureHttpForTests seems to be the test-specific version of requireHttps (inverted).
| <swagger-annotations-version>1.5.4</swagger-annotations-version> | ||
| <test.build.data>${test.build.dir}</test.build.data> | ||
| <test.build.dir>${project.build.directory}/test-dir</test.build.dir> | ||
| <testcontainers.version>1.21.3</testcontainers.version> |
| private static byte[] readFully(InputStream stream) throws IOException { | ||
| ByteArrayOutputStream out = new ByteArrayOutputStream(); | ||
| byte[] buffer = new byte[4096]; | ||
| int read; | ||
| while ((read = stream.read(buffer)) != -1) { | ||
| out.write(buffer, 0, read); | ||
| } | ||
| return out.toByteArray(); | ||
| } |
There was a problem hiding this comment.
Can reuse org.apache.commons.io.IOUtils.readFully?
| private boolean isWebIdentityEnabled() { | ||
| OzoneConfiguration conf = ozoneConfiguration; | ||
| if (conf == null) { | ||
| conf = OzoneConfigurationHolder.configuration(); | ||
| } | ||
| return conf != null && conf.getBoolean(OZONE_STS_WEB_IDENTITY_ENABLED, | ||
| OZONE_STS_WEB_IDENTITY_ENABLED_DEFAULT); | ||
| } | ||
|
|
||
| @VisibleForTesting | ||
| void setOzoneConfiguration(OzoneConfiguration conf) { | ||
| this.ozoneConfiguration = conf; | ||
| } |
There was a problem hiding this comment.
I think field injection can be replaced with constructor injection, making test-specific mutator unnecessary.
| private static String read(InputStream stream) throws Exception { | ||
| ByteArrayOutputStream out = new ByteArrayOutputStream(); | ||
| byte[] buffer = new byte[256]; | ||
| int read; | ||
| while ((read = stream.read(buffer)) != -1) { | ||
| out.write(buffer, 0, read); | ||
| } | ||
| return new String(out.toByteArray(), StandardCharsets.UTF_8); | ||
| } |
| required string roleArn = 1; | ||
| required string roleSessionName = 2; |
There was a problem hiding this comment.
Please add all single-value fields as optional, not required.
https://protobuf.dev/programming-guides/style/#required
https://protobuf.dev/programming-guides/proto2/#required-deprecated
|
@ChenSammi @errose28 @fmorg-git @Tejaskriya cab you please review the design doc? |
Please split design doc to its own PR against
|
|
|
Following review feedback, I split the design document into a separate PR against I removed the design doc from this implementation PR to keep #10266 focused on runtime/code changes. The operator/runtime Keycloak/Ranger guide remains in this PR because it is tied to the configuration and behavior introduced here. |
What changes were proposed in this pull request?
This PR adds OIDC/WebIdentity support to Apache Ozone STS by implementing
AssumeRoleWithWebIdentityon top of the existing STS runtime.The feature is disabled by default through
ozone.sts.web.identity.enabled=false, so there is no behavior change on upgrade unless explicitly enabled.This change allows clients to exchange a Keycloak/OIDC JWT for temporary S3 credentials. The returned credentials can then be used with normal AWS SigV4 requests and
x-amz-security-token.Architecture
The change extends the existing Ozone STS temporary credential path instead of introducing a parallel S3 authentication model:
x-amz-security-token.Keycloak groups and roles are treated only as identity attributes. Ranger or the configured Ozone authorizer remains the policy decision point.
This PR does not replace Kerberos daemon authentication, does not add OFS OIDC login, does not add CLI device-code login, does not add daemon-to-daemon OIDC authentication, and does not use Keycloak Authorization Services as the Ozone policy engine.
Backward compatibility
AssumeRoleflow is unchanged.AssumeRoletokens remain valid.AuthTypedeserialize asASSUME_ROLE, preserving compatibility with previously-issued tokens.Main implementation points
ozone.sts.web.identity.*configuration keys.AssumeRoleWithWebIdentityrequest/response models and S3G STS XML response handling./stsAction=AssumeRoleWithWebIdentitywhen explicitly enabled.WebIdentityTokenin OMpreExecute()before the Ratis-applied request is created.STSTokenIdentifierwith a backward-compatible auth type for WebIdentity-backed credentials.AssumeRoletoken compatibility.IAccessAuthorizer.generateAssumeRoleWithWebIdentitySessionPolicy(...).Security notes
SecretAccessKeyand temporary credential material follow the existing STS credential handling model.alg=noneis rejected.exp,nbf, andiatare validated.NOT_SUPPORTED_OPERATION.Configuration keys
ozone.sts.web.identity.enabledozone.sts.web.identity.issuer.uriozone.sts.web.identity.jwks.uriozone.sts.web.identity.audienceozone.sts.web.identity.username.claimozone.sts.web.identity.subject.claimozone.sts.web.identity.groups.claimozone.sts.web.identity.roles.claimozone.sts.web.identity.clock.skewozone.sts.web.identity.jwks.refresh.intervalozone.sts.web.identity.jwks.connect.timeoutozone.sts.web.identity.jwks.read.timeoutozone.sts.web.identity.jwks.size.limitozone.sts.web.identity.require.httpsozone.sts.web.identity.allow.insecure.http.for.testsDependency
Design / user docs added
hadoop-hdds/docs/content/security/OzoneSTSWebIdentityKeycloakRanger.mdDesign document was split into a separate PR against
master:#10338
What is the link to the Apache JIRA
https://issues.apache.org/jira/browse/HDDS-15273
How was this patch tested?
The patch was tested with focused unit, S3 Gateway, OM, mini-cluster, and Keycloak Testcontainers coverage.
Unit and component tests
Result:
Result:
Result:
Mini-cluster E2E test
The mini-cluster E2E test verifies:
AssumeRoleWithWebIdentity;AccessKeyId,SecretAccessKey, andSessionToken;mvn -Dmaven.repo.local=/tmp/m2-ozone \ -pl hadoop-ozone/integration-test-s3 \ -am \ -DskipShade \ -Dtest=TestAssumeRoleWithWebIdentityEndToEnd \ testResult:
Keycloak Testcontainers integration test
The Keycloak IT starts a real Keycloak container, imports a test realm, obtains a real Keycloak JWT, exchanges it through Ozone STS, and uses the returned temporary credentials for S3 operations.
env DOCKER_HOST=unix:///var/run/docker.sock \ TESTCONTAINERS_DOCKER_SOCKET_OVERRIDE=/var/run/docker.sock \ mvn -Dapi.version=1.44 \ -Dmaven.repo.local=/tmp/m2-ozone \ -pl hadoop-ozone/integration-test-s3 \ -am \ -DskipShade \ -Dtest=TestAssumeRoleWithWebIdentityKeycloakIT \ testResult:
The
-Dapi.version=1.44parameter is used for Docker API compatibility in the local Docker environment.Static check
Result: