Skip to content

HDDS-14804. [STS] Part 3 - IAM Session Policy and ListBucket improvements#9896

Draft
fmorg-git wants to merge 3 commits intoapache:HDDS-13323-stsfrom
fmorg-git:HDDS-14804
Draft

HDDS-14804. [STS] Part 3 - IAM Session Policy and ListBucket improvements#9896
fmorg-git wants to merge 3 commits intoapache:HDDS-13323-stsfrom
fmorg-git:HDDS-14804

Conversation

@fmorg-git
Copy link
Contributor

@fmorg-git fmorg-git commented Mar 10, 2026

Please describe your PR in detail:
We need to be able to tell whether an S3 STS call is authorized for listing files in a bucket only vs being able to download a file, because those are different actions in S3 (ListBucket vs GetObject). To differentiate, use LIST at key/object level for listing permission and use READ at key/object level for downloading permission. Currently, the OmMetadataReader authorizes only READ at key level for the listing operations. In order to not break existing functionality, have STS-specific checks that authorize against LIST permission instead. Further, because of how shallow listing works, in some cases (ex. root listing with a delimiter), it loses the context of what the original prefix was on the S3 request. For STS authorization, we need this original prefix, so introduce an optional listPrefix in the protocol to support this.



Here are a quick summary of the total requisite changes:

  1. Support passing list prefix on root listing so STS can authorize against it.
  2. Filter out non-ListBucket actions (ex GetObject, PutObject, ListBucketMultipartUploads, etc) when Conditions are present since we only support s3:prefix Condition and s3:prefix is only applicable for ListBucket and ListBucketVersions (we don't support this).
  3. Keep track of the operator (i.e. StringEquals or StringLike) when using Conditions. If the operator is StringEquals and a wildcard (* or ?) is used, ignore that condition since Ranger can’t authorize against literal asterisk or question mark.
  4. Change ListBucket to validate LIST permission on the object instead of READ so we can determine if we should allow listing the object or downloading the object (READ would be for downloading).

This part 3 PR is to change the IAM Session Policy Resolver to validate LIST permission on the key for ListBucket action instead of READ.
This PR depends on #9895.

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-14804

How was this patch tested?

unit tests, smoke tests

@fmorg-git fmorg-git changed the title Hdds 14804 HDDS-14804. [STS] Part 2 - IAM Session Policy and ListBucket improvements Mar 10, 2026
@fmorg-git fmorg-git changed the title HDDS-14804. [STS] Part 2 - IAM Session Policy and ListBucket improvements HDDS-14804. [STS] Part 3 - IAM Session Policy and ListBucket improvements Mar 10, 2026
@fmorg-git fmorg-git marked this pull request as draft March 10, 2026 20:46
@fmorg-git fmorg-git marked this pull request as ready for review March 10, 2026 21:08
@fmorg-git fmorg-git mentioned this pull request Mar 10, 2026
Draft
@fmorg-git fmorg-git marked this pull request as draft March 10, 2026 22:48
Fabian Morgan added 3 commits March 13, 2026 09:49
support passing original listPrefix on root listing so STS can author…
5b443c2 
…ize against it

Conflicts:
	hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmKeyArgs.java
authorize against LIST instead of READ for STS requests
a91adf8 
Conflicts:
	hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/TestOMMetadataReader.java
validate LIST permission on the key for ListBucket action instead of …
ae3d3d0 
…READ.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@fmorg-git