5555import org .apache .hadoop .ozone .om .helpers .OzoneFileStatusLight ;
5656import org .apache .hadoop .ozone .om .helpers .S3VolumeContext ;
5757import org .apache .hadoop .ozone .om .protocolPB .grpc .GrpcClientConstants ;
58+ import org .apache .hadoop .ozone .protocol .proto .OzoneManagerProtocolProtos .S3Authentication ;
5859import org .apache .hadoop .ozone .security .STSTokenIdentifier ;
5960import org .apache .hadoop .ozone .security .acl .IAccessAuthorizer ;
6061import org .apache .hadoop .ozone .security .acl .IAccessAuthorizer .ACLIdentityType ;
@@ -236,9 +237,7 @@ public List<OzoneFileStatus> listStatus(OmKeyArgs args, boolean recursive,
236237 try {
237238 if (isAclEnabled ) {
238239 if (isStsS3Request ()) {
239- // We need to be able to tell the difference between being able to download a file and merely seeing the file
240- // name in a list. Use READ for download ability and LIST (here) for listing.
241- // When listPrefix is set (original S3 ListObjects prefix), authorize LIST on that prefix for the whole
240+ // When listPrefix is set (original S3 ListObjects prefix), authorize READ on that prefix for the whole
242241 // listing, including FSO traversal where keyName is an internal directory (e.g. userA) under prefix user.
243242 final String listPrefix = args .getListPrefix ();
244243 final String keyName = args .getKeyName ();
@@ -258,7 +257,7 @@ public List<OzoneFileStatus> listStatus(OmKeyArgs args, boolean recursive,
258257 } else {
259258 aclKey = "*" ;
260259 }
261- checkAcls (ResourceType .KEY , StoreType .OZONE , ACLType .LIST , bucket .realVolume (), bucket .realBucket (), aclKey );
260+ checkAcls (ResourceType .KEY , StoreType .OZONE , ACLType .READ , bucket .realVolume (), bucket .realBucket (), aclKey );
262261 } else {
263262 checkAcls (getResourceType (args ), StoreType .OZONE , ACLType .READ ,
264263 bucket , args .getKeyName ());
@@ -304,12 +303,7 @@ public OzoneFileStatus getFileStatus(OmKeyArgs args) throws IOException {
304303
305304 try {
306305 if (isAclEnabled ) {
307- if (isStsS3Request ()) {
308- checkAcls (getResourceType (args ), StoreType .OZONE , ACLType .LIST , bucket , args .getKeyName ());
309- } else {
310- checkAcls (getResourceType (args ), StoreType .OZONE , ACLType .READ ,
311- bucket , args .getKeyName ());
312- }
306+ checkAcls (getResourceType (args ), StoreType .OZONE , ACLType .READ , bucket , args .getKeyName ());
313307 }
314308 metrics .incNumGetFileStatus ();
315309 return keyManager .getFileStatus (args , getClientAddress ());
@@ -384,7 +378,7 @@ public ListKeysResult listKeys(String volumeName, String bucketName,
384378 final String aclKey = (keyPrefix == null || keyPrefix .isEmpty ()) ? "*" : keyPrefix ;
385379 captureLatencyNs (
386380 perfMetrics .getListKeysAclCheckLatencyNs (), () -> checkAcls (
387- ResourceType .KEY , StoreType .OZONE , ACLType .LIST , bucket .realVolume (), bucket .realBucket (), aclKey ));
381+ ResourceType .KEY , StoreType .OZONE , ACLType .READ , bucket .realVolume (), bucket .realBucket (), aclKey ));
388382 } else {
389383 captureLatencyNs (perfMetrics .getListKeysAclCheckLatencyNs (), () ->
390384 checkAcls (ResourceType .BUCKET , StoreType .OZONE , ACLType .LIST ,
@@ -634,7 +628,8 @@ public boolean checkAcls(ResourceType resType, StoreType storeType,
634628 public boolean checkAcls (OzoneObj obj , RequestContext context ,
635629 boolean throwIfPermissionDenied ) throws OMException {
636630
637- final RequestContext normalizedRequestContext = maybeAttachSessionPolicyFromThreadLocal (context );
631+ final RequestContext normalizedRequestContext = maybeAttachS3ActionFromThreadLocal (
632+ maybeAttachSessionPolicyFromThreadLocal (context ));
638633
639634 if (!captureLatencyNs (perfMetrics ::setCheckAccessLatencyNs ,
640635 () -> accessAuthorizer .checkAccess (obj , normalizedRequestContext ))) {
@@ -692,6 +687,22 @@ private RequestContext maybeAttachSessionPolicyFromThreadLocal(RequestContext co
692687 .build ();
693688 }
694689
690+ /**
691+ * Attaches s3 action to RequestContext if an S3Authentication is found in the Ozone Manager thread local,
692+ * and it has an s3 action. Otherwise, returns the RequestContext as it was before.
693+ * @param context the original RequestContext
694+ * @return RequestContext as before or with s3 action embedded
695+ */
696+ private RequestContext maybeAttachS3ActionFromThreadLocal (RequestContext context ) {
697+ final S3Authentication s3Authentication = OzoneManager .getS3Auth ();
698+ if (s3Authentication == null || !s3Authentication .hasS3Action ()) {
699+ return context ;
700+ }
701+ return context .toBuilder ()
702+ .setS3Action (s3Authentication .getS3Action ())
703+ .build ();
704+ }
705+
695706 static String getClientAddress () {
696707 String clientMachine = Server .getRemoteAddress ();
697708 if (clientMachine == null ) { //not a RPC client
0 commit comments