HDDS-13997. [STS] Plumbing for passing STS token through S3 api processing (#9372)

Author: fmorg-git

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocol/S3Auth.java

@@ -27,6 +27,8 @@ public class S3Auth {
   public static final String S3_AUTH_CHECK = "ozone.s3.auth.check";
   // User principal to be used for KMS encryption and decryption
   private String userPrincipal;
+  // Optional STS session token when using temporary credentials
+  private String sessionToken;
 
   public S3Auth(final String stringToSign,
                 final String signature,
@@ -57,4 +59,12 @@ public String getUserPrincipal() {
   public void setUserPrincipal(String userPrincipal) {
     this.userPrincipal = userPrincipal;
   }
+
+  public String getSessionToken() {
+    return sessionToken;
+  }
+
+  public void setSessionToken(String sessionToken) {
+    this.sessionToken = sessionToken;
+  }
 }

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocolPB/OzoneManagerProtocolClientSideTranslatorPB.java

@@ -314,15 +314,21 @@ private OMResponse submitRequest(OMRequest omRequest)
     OMRequest.Builder  builder = OMRequest.newBuilder(omRequest);
     // Insert S3 Authentication information for each request.
     if (getThreadLocalS3Auth() != null) {
-      builder.setS3Authentication(
+      final S3Authentication.Builder s3AuthBuilder =
           S3Authentication.newBuilder()
               .setSignature(
                   threadLocalS3Auth.get().getSignature())
               .setStringToSign(
                   threadLocalS3Auth.get().getStringTosSign())
               .setAccessId(
-                  threadLocalS3Auth.get().getAccessID())
-              .build());
+                  threadLocalS3Auth.get().getAccessID());
+
+      // Include STS session token if present so OM can validate it
+      if (threadLocalS3Auth.get().getSessionToken() != null) {
+        s3AuthBuilder.setSessionToken(threadLocalS3Auth.get().getSessionToken());
+      }
+
+      builder.setS3Authentication(s3AuthBuilder.build());
     }
     if (s3AuthCheck && getThreadLocalS3Auth() == null) {
       throw new IllegalArgumentException("S3 Auth expected to " +

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmMetadataReader.java

@@ -488,8 +488,9 @@ void checkAcls(ResourceType resType, StoreType store,
       throws IOException {
     UserGroupInformation user;
     if (getS3Auth() != null) {
+      final String effectiveAccessId = OzoneManager.getS3AuthEffectiveAccessId();
       String principal =
-          OzoneAclUtils.accessIdToUserPrincipal(getS3Auth().getAccessId());
+          OzoneAclUtils.accessIdToUserPrincipal(effectiveAccessId);
       user = UserGroupInformation.createRemoteUser(principal);
     } else {
       user = ProtobufRpcEngine.Server.getRemoteUser();
@@ -523,8 +524,9 @@ void checkAcls(ResourceType resType, StoreType store,
       throws IOException {
     UserGroupInformation user;
     if (getS3Auth() != null) {
+      final String effectiveAccessId = OzoneManager.getS3AuthEffectiveAccessId();
       String principal =
-          OzoneAclUtils.accessIdToUserPrincipal(getS3Auth().getAccessId());
+          OzoneAclUtils.accessIdToUserPrincipal(effectiveAccessId);
       user = UserGroupInformation.createRemoteUser(principal);
     } else {
       user = ProtobufRpcEngine.Server.getRemoteUser();

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java

@@ -307,6 +307,7 @@
 import org.apache.hadoop.ozone.security.OMCertificateClient;
 import org.apache.hadoop.ozone.security.OzoneDelegationTokenSecretManager;
 import org.apache.hadoop.ozone.security.OzoneTokenIdentifier;
+import org.apache.hadoop.ozone.security.STSTokenIdentifier;
 import org.apache.hadoop.ozone.security.STSTokenSecretManager;
 import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer;
 import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType;
@@ -378,6 +379,9 @@ public final class OzoneManager extends ServiceRuntimeInfoImpl
   private static final ThreadLocal<S3Authentication> S3_AUTH =
       new ThreadLocal<>();
 
+  // STS token (if present)
+  private static final ThreadLocal<STSTokenIdentifier> STS_TOKEN = new ThreadLocal<>();
+
   private static boolean securityEnabled = false;
 
   private final ReconfigurationHandler reconfigurationHandler;
@@ -858,6 +862,47 @@ public static S3Authentication getS3Auth() {
     return S3_AUTH.get();
   }
 
+  /**
+   * Set the STS token identifier for the current RPC handler thread.
+   */
+  public static void setStsTokenIdentifier(STSTokenIdentifier val) {
+    STS_TOKEN.set(val);
+  }
+
+  /**
+   * Get the STS token identifier for the current RPC handler thread.
+   */
+  public static STSTokenIdentifier getStsTokenIdentifier() {
+    return STS_TOKEN.get();
+  }
+
+  /**
+   * Returns the effective accessId for the current request.  If STS temporary credentials are being used,
+   * the access key id will be the original access key id (i.e. the creator of the token).
+   */
+  public static String getS3AuthEffectiveAccessId() throws OMException {
+    final S3Authentication s3Auth = getS3Auth();
+    if (s3Auth == null) {
+      return null;
+    }
+
+    // If session token is present, try to resolve originalAccessKeyId from token
+    if (s3Auth.hasSessionToken() && !s3Auth.getSessionToken().isEmpty()) {
+      final STSTokenIdentifier stsTokenIdentifier = getStsTokenIdentifier();
+      if (stsTokenIdentifier == null) {
+        throw new OMException(
+            "OMClientRequest has session token but no token identifier in OzoneManager", INVALID_REQUEST);
+      }
+      final String originalAccessKeyId = stsTokenIdentifier.getOriginalAccessKeyId();
+      if (originalAccessKeyId != null && !originalAccessKeyId.isEmpty()) {
+        return originalAccessKeyId;
+      } else {
+        throw new OMException("Invalid STS Token format - could not find originalAccessKeyId", INVALID_REQUEST);
+      }
+    }
+    return s3Auth.getAccessId();
+  }
+
   /** Returns the ThreadName prefix for the current OM. */
   public String getThreadNamePrefix() {
     return threadPrefix;
@@ -1269,6 +1314,15 @@ private void stopSecretManager() {
     }
   }
 
+  /**
+   * Get the secret key client for this OzoneManager.
+   *
+   * @return the secret key client
+   */
+  public SecretKeyClient getSecretKeyClient() {
+    return secretKeyClient;
+  }
+
   @Override
   public UUID refetchSecretKey() {
     secretKeyClient.refetchSecretKey();
@@ -3836,7 +3890,12 @@ S3VolumeContext getS3VolumeContext(boolean skipChecks) throws IOException {
             s3Volume);
       }
     } else {
-      String accessId = s3Auth.getAccessId();
+      // If this S3 request is authenticated with an STS session token, map
+      // the request to the *original* long-lived access ID so that the
+      // temporary credentials inherit that user's ACLs. Otherwise, fall back
+      // to the accessId included directly in the S3Authentication.
+      final String accessId = getS3AuthEffectiveAccessId();
+
       // If S3 Multi-Tenancy is not enabled, all S3 requests will be redirected
       // to the default s3v for compatibility
       final Optional<String> optionalTenantId = isS3MultiTenancyEnabled() ?
@@ -4621,8 +4680,8 @@ public ResolvedBucket resolveBucketLink(Pair<String, String> requested,
     if (aclEnabled) {
       UserGroupInformation ugi = getRemoteUser();
       if (getS3Auth() != null) {
-        ugi = UserGroupInformation.createRemoteUser(
-            OzoneAclUtils.accessIdToUserPrincipal(getS3Auth().getAccessId()));
+        final String principal = OzoneAclUtils.accessIdToUserPrincipal(getS3AuthEffectiveAccessId());
+        ugi = UserGroupInformation.createRemoteUser(principal);
       }
       InetAddress remoteIp = Server.getRemoteIp();
       resolved = resolveBucketLink(requested, new HashSet<>(),

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/OMClientRequest.java

@@ -48,6 +48,7 @@
 import org.apache.hadoop.ozone.om.lock.OMLockDetails;
 import org.apache.hadoop.ozone.om.protocolPB.grpc.GrpcClientConstants;
 import org.apache.hadoop.ozone.om.ratis.utils.OzoneManagerRatisUtils;
+import org.apache.hadoop.ozone.om.request.s3.security.S3AssumeRoleRequest;
 import org.apache.hadoop.ozone.om.response.OMClientResponse;
 import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos;
 import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.LayoutVersion;
@@ -168,11 +169,33 @@ public OzoneManagerProtocolProtos.UserInfo getUserInfo() throws IOException {
     OzoneManagerProtocolProtos.UserInfo.Builder userInfo =
         OzoneManagerProtocolProtos.UserInfo.newBuilder();
 
-    // If S3 Authentication is set, determine user based on access ID.
+    // If S3 Authentication is set, determine user based on STS token first,
+    // falling back to accessId if session token not present.
     if (omRequest.hasS3Authentication()) {
-      String principal = OzoneAclUtils.accessIdToUserPrincipal(
-          omRequest.getS3Authentication().getAccessId());
-      userInfo.setUserName(principal);
+      final String accessKeyId = omRequest.getS3Authentication().getAccessId();
+      if (accessKeyId.startsWith(S3AssumeRoleRequest.STS_TOKEN_PREFIX) &&
+          !omRequest.getS3Authentication().hasSessionToken()) {
+        throw new IOException("Error with STS token", new AuthenticationException(
+            "Missing session token for accessKeyId: " + accessKeyId));
+      }
+      if (omRequest.getS3Authentication().hasSessionToken()) {
+        try {
+          final String originalAccessKeyId = OzoneManager.getS3AuthEffectiveAccessId();
+          if (originalAccessKeyId != null && !originalAccessKeyId.isEmpty()) {
+            final String principal = OzoneAclUtils.accessIdToUserPrincipal(originalAccessKeyId);
+            userInfo.setUserName(principal);
+          } else {
+            throw new AuthenticationException(
+                "Invalid STS Token - originalAccessKeyId was null or empty: " + originalAccessKeyId);
+          }
+        } catch (Exception e) {
+          throw new IOException("Error with STS Token", e);
+        }
+      } else {
+        String principal = OzoneAclUtils.accessIdToUserPrincipal(
+            omRequest.getS3Authentication().getAccessId());
+        userInfo.setUserName(principal);
+      }
     } else if (user != null) {
       // Added not null checks, as in UT's these values might be null.
       userInfo.setUserName(user.getUserName());

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3AssumeRoleRequest.java

@@ -21,7 +21,9 @@
 import java.io.IOException;
 import java.net.InetAddress;
 import java.security.SecureRandom;
+import java.time.Clock;
 import java.time.Instant;
+import java.time.ZoneOffset;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.hadoop.ipc.ProtobufRpcEngine;
 import org.apache.hadoop.ozone.om.OzoneAclUtils;
@@ -58,7 +60,6 @@ public class S3AssumeRoleRequest extends OMClientRequest {
 
   private static final int MIN_TOKEN_EXPIRATION_SECONDS = 900;    // 15 minutes in seconds
   private static final int MAX_TOKEN_EXPIRATION_SECONDS = 43200;  // 12 hours in seconds
-  private static final String STS_TOKEN_PREFIX = "ASIA";
   private static final int STS_ACCESS_KEY_ID_LENGTH = 20;
   private static final int STS_SECRET_ACCESS_KEY_LENGTH = 40;
   private static final int STS_ROLE_ID_LENGTH = 16;
@@ -70,6 +71,9 @@ public class S3AssumeRoleRequest extends OMClientRequest {
   private static final String CHARS_FOR_SECRET_ACCESS_KEYS = CHARS_FOR_ACCESS_KEY_IDS +
       "abcdefghijklmnopqrstuvwxyz/+";
   private static final int CHARS_FOR_SECRET_ACCESS_KEYS_LENGTH = CHARS_FOR_SECRET_ACCESS_KEYS.length();
+  private static final Clock CLOCK = Clock.system(ZoneOffset.UTC);
+
+  public static final String STS_TOKEN_PREFIX = "ASIA";
 
   public S3AssumeRoleRequest(OMRequest omRequest) {
     super(omRequest);
@@ -197,7 +201,7 @@ private String generateSessionToken(String targetRoleName, OMRequest omRequest,
 
     return ozoneManager.getSTSTokenSecretManager().createSTSTokenString(
         tempAccessKeyId, originalAccessKeyId, roleArn, assumeRoleRequest.getDurationSeconds(), secretAccessKey,
-        sessionPolicy);
+        sessionPolicy, CLOCK);
   }
 
   /**

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/protocolPB/OzoneManagerProtocolServerSideTranslatorPB.java

@@ -174,6 +174,7 @@ private OMResponse internalProcessRequest(OMRequest request) throws ServiceExcep
       return ozoneManager.getOmExecutionFlow().submit(request);
     } finally {
       OzoneManager.setS3Auth(null);
+      OzoneManager.setStsTokenIdentifier(null);
     }
   }
 

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/S3SecurityUtil.java

@@ -21,6 +21,8 @@
 import static org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMTokenProto.Type.S3AUTHINFO;
 
 import com.google.protobuf.ServiceException;
+import java.time.Clock;
+import java.time.ZoneOffset;
 import org.apache.hadoop.hdds.annotation.InterfaceAudience;
 import org.apache.hadoop.hdds.annotation.InterfaceStability;
 import org.apache.hadoop.io.Text;
@@ -41,6 +43,8 @@
 @InterfaceStability.Evolving
 public final class S3SecurityUtil {
 
+  private static final Clock CLOCK = Clock.system(ZoneOffset.UTC);
+
   private S3SecurityUtil() {
   }
 
@@ -54,6 +58,19 @@ private S3SecurityUtil() {
   public static void validateS3Credential(OMRequest omRequest,
       OzoneManager ozoneManager) throws ServiceException, OMException {
     if (ozoneManager.isSecurityEnabled()) {
+      // If STS session token is present, decode, decrypt and validate it once and save in thread-local
+      if (omRequest.getS3Authentication().hasSessionToken()) {
+        final String token = omRequest.getS3Authentication().getSessionToken();
+        if (!token.isEmpty()) {
+          final STSTokenIdentifier stsTokenIdentifier = STSSecurityUtil.constructValidateAndDecryptSTSToken(
+              token, ozoneManager.getSecretKeyClient(), CLOCK);
+          // HMAC signature and expiration were validated above.  Now validate AWS signature.
+          validateSTSTokenAwsSignature(stsTokenIdentifier, omRequest);
+          OzoneManager.setStsTokenIdentifier(stsTokenIdentifier);
+          return;
+        }
+      }
+
       OzoneTokenIdentifier s3Token = constructS3Token(omRequest);
       try {
         // authenticate user with signature verification through
@@ -89,4 +106,22 @@ private static OzoneTokenIdentifier constructS3Token(OMRequest omRequest) {
     s3Token.setOwner(new Text(auth.getAccessId()));
     return s3Token;
   }
+
+  /**
+   * Validates the AWS signature of an STSTokenIdentifier that has already been decrypted.
+   * @param stsTokenIdentifier      the decrypted STS token
+   * @param omRequest               the OMRequest containing STS token
+   * @throws OMException            if the AWS signature validation fails
+   */
+  private static void validateSTSTokenAwsSignature(STSTokenIdentifier stsTokenIdentifier, OMRequest omRequest)
+      throws OMException {
+    final String secretAccessKey = stsTokenIdentifier.getSecretAccessKey();
+    final S3Authentication s3Authentication = omRequest.getS3Authentication();
+    if (AWSV4AuthValidator.validateRequest(
+        s3Authentication.getStringToSign(), s3Authentication.getSignature(), secretAccessKey)) {
+      return;
+    }
+    throw new OMException(
+        "STS token validation failed for token: " + omRequest.getS3Authentication().getSessionToken(), INVALID_TOKEN);
+  }
 }