Skip to content

HDDS-14801. [STS] Part 2 - IAM Session Policy and ListBucket improvements#9895

Draft
fmorg-git wants to merge 2 commits intoapache:HDDS-13323-stsfrom
fmorg-git:HDDS-14801
Draft

HDDS-14801. [STS] Part 2 - IAM Session Policy and ListBucket improvements#9895
fmorg-git wants to merge 2 commits intoapache:HDDS-13323-stsfrom
fmorg-git:HDDS-14801

Conversation

@fmorg-git
Copy link
Contributor

@fmorg-git fmorg-git commented Mar 10, 2026

Please describe your PR in detail:
We need to be able to tell whether an S3 STS call is authorized for listing files in a bucket only vs being able to download a file, because those are different actions in S3 (ListBucket vs GetObject). To differentiate, use LIST at key/object level for listing permission and use READ at key/object level for downloading permission. Currently, the OmMetadataReader authorizes only READ at key level for the listing operations. In order to not break existing functionality, have STS-specific checks that authorize against LIST permission instead. Further, because of how shallow listing works, in some cases (ex. root listing with a delimiter), it loses the context of what the original prefix was on the S3 request. For STS authorization, we need this original prefix, so introduce an optional listPrefix in the protocol to support this.



Here are a quick summary of the total requisite changes:

  1. Support passing list prefix on root listing so STS can authorize against it.
  2. Filter out non-ListBucket actions (ex GetObject, PutObject, ListBucketMultipartUploads, etc) when Conditions are present since we only support s3:prefix Condition and s3:prefix is only applicable for ListBucket and ListBucketVersions (we don't support this).
  3. Keep track of the operator (i.e. StringEquals or StringLike) when using Conditions. If the operator is StringEquals and a wildcard (* or ?) is used, ignore that condition since Ranger can’t authorize against literal asterisk or question mark.
  4. Change ListBucket to validate LIST permission on the object instead of READ so we can determine if we should allow listing the object or downloading the object (READ would be for downloading).

This part 2 PR is to change the OmMetadataReader to validate the LIST permission instead of READ, but only for STS requests.
This PR depends on #9894.

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-14801

How was this patch tested?

unit tests, smoke tests

@fmorg-git fmorg-git changed the base branch from master to HDDS-13323-sts March 10, 2026 16:16
@fmorg-git fmorg-git marked this pull request as draft March 10, 2026 16:16
@fmorg-git fmorg-git mentioned this pull request Mar 10, 2026
Draft
@fmorg-git fmorg-git marked this pull request as ready for review March 10, 2026 21:08
@fmorg-git fmorg-git marked this pull request as draft March 10, 2026 22:48
support passing original listPrefix on root listing so STS can author…
5b443c2 
…ize against it

Conflicts:
	hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmKeyArgs.java
authorize against LIST instead of READ for STS requests
a91adf8 
Conflicts:
	hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/TestOMMetadataReader.java
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@fmorg-git