
HDDS-14935. [STS] Handle Latent Inconsistencies in S3 API Acl Checks #10009

Draft
fmorg-git wants to merge 13 commits into apache:HDDS-13323-sts from fmorg-git:HDDS-14935


@fmorg-git fmorg-git commented Mar 31, 2026

Please describe your PR in detail:

  • Currently, S3 APIs are not consistent in how ACL checks are applied. For example, PutObject (i.e. OMKeyCreateRequest, OMAllocateBlockRequest, OMKeyCommitRequest), DeleteObject (i.e. OMKeyDeleteRequest), PutObjectTagging (i.e. S3PutObjectTaggingRequest), etc. perform their ACL checks in preExecute(), which is on the OM leader RPC thread.

However, APIs like DeleteBucket (i.e. OMBucketDeleteRequest), PutBucketAcl (i.e. OMBucketSetAclRequest), etc. perform their ACL checks in validateAndUpdateCache(), which is on the Ratis apply thread. This affects STS in that the STSTokenIdentifier ThreadLocal currently is not available on the Ratis apply thread, so if the STS token has an inline session policy, some ACL checks that should pass would fail. This ticket addresses the inconsistency by ensuring the ThreadLocal is always available on the Ratis apply thread via updates to OzoneManagerStateMachine.

A separate PR is already open to move the checks to the correct place (#9653 and https://issues.apache.org/jira/browse/HDDS-13855), but this ticket is a fallback in case any future API has the check in the incorrect place, so it won't break STS.

What is the link to the Apache JIRA?

https://issues.apache.org/jira/browse/HDDS-14935

How was this patch tested?

unit tests, smoke tests

@fmorg-git fmorg-git marked this pull request as draft March 31, 2026 01:07
@kerneltime kerneltime requested a review from sumitagrawl March 31, 2026 05:00
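
The failure mode described in the PR, as an added example that is not code from this PR or from Ozone: an ACL check that reads a ThreadLocal passes on the thread that set it, is denied on a worker thread that never received it, and passes again once the value is installed around the task and cleared afterwards. All names (`SessionToken`, `CURRENT`, `checkAcl`, `withToken`) are hypothetical, and the closure handoff is a simplification of how a request reaches an apply thread.

```java
import java.util.Set;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Added illustration; all names here are hypothetical, not Ozone classes.
public class ThreadLocalAclDemo {
  // Stand-in for an STS token carrying an inline session policy.
  record SessionToken(String user, Set<String> allowedActions) { }

  // Per-thread request identity, set by the thread that receives the request.
  static final ThreadLocal<SessionToken> CURRENT = new ThreadLocal<>();

  // ACL check that depends on the calling thread's identity (assumed deny when absent).
  static boolean checkAcl(String action) {
    SessionToken t = CURRENT.get();
    return t != null && t.allowedActions().contains(action);
  }

  // Capture the identity on the submitting thread, install it on the worker
  // for the duration of the task, and always clear it afterwards so a pooled
  // thread never carries one request's identity into the next.
  static Runnable withToken(Runnable task) {
    SessionToken captured = CURRENT.get();
    return () -> {
      CURRENT.set(captured);
      try {
        task.run();
      } finally {
        CURRENT.remove();
      }
    };
  }

  public static void main(String[] args) throws Exception {
    ExecutorService applyThread = Executors.newSingleThreadExecutor();
    try {
      CURRENT.set(new SessionToken("alice", Set.of("DeleteBucket")));
      System.out.println("rpc thread:        " + checkAcl("DeleteBucket"));
      applyThread.submit(() -> System.out.println("apply, no handoff: " + checkAcl("DeleteBucket"))).get();
      applyThread.submit(withToken(() -> System.out.println("apply, handoff:    " + checkAcl("DeleteBucket")))).get();
      applyThread.submit(() -> System.out.println("apply, next task:  " + checkAcl("DeleteBucket"))).get();
    } finally {
      CURRENT.remove();
      applyThread.shutdown();
    }
  }
}
```

The last task checks that the worker thread holds no identity after the handoff completes, which is the property to test for whenever a credential is propagated onto a reused thread.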