plumbing and cli utility to revoke STS token

Author: Fabian Morgan

hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConsts.java

@@ -301,6 +301,7 @@ public final class OzoneConsts {
   public static final String S3_GETSECRET_USER = "S3GetSecretUser";
   public static final String S3_SETSECRET_USER = "S3SetSecretUser";
   public static final String S3_REVOKESECRET_USER = "S3RevokeSecretUser";
+  public static final String S3_REVOKESTSTOKEN_USER = "S3RevokeSTSTokenUser";
   public static final String RENAMED_KEYS_MAP = "renamedKeysMap";
   public static final String UNRENAMED_KEYS_MAP = "unRenamedKeysMap";
   public static final String MULTIPART_UPLOAD_PART_NUMBER = "partNumber";

hadoop-ozone/cli-shell/src/main/java/org/apache/hadoop/ozone/shell/s3/RevokeSTSTokenHandler.java

@@ -0,0 +1,79 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.shell.s3;
+
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.nio.charset.StandardCharsets;
+import java.util.Scanner;
+import org.apache.hadoop.ozone.client.OzoneClient;
+import org.apache.hadoop.ozone.shell.OzoneAddress;
+import picocli.CommandLine.Command;
+import picocli.CommandLine.Option;
+
+/**
+ * Executes revocation of STS tokens.
+ *
+ * <p>This command marks the specified STS temporary access key id as revoked
+ * by adding it to the OM's revoked STS token table. Subsequent S3 requests
+ * using the same temporary access key id will be rejected once the revocation
+ * state has propagated.</p>
+ */
+@Command(name = "revokeststoken",
+    description = "Revoke S3 STS token for the given access key id")
+public class RevokeSTSTokenHandler extends S3Handler {
+
+  @Option(names = "-k",
+      required = true,
+      description = "STS temporary access key id (for example, ASIA...)")
+  private String accessKeyId;
+
+  @Option(names = "-t",
+      required = true,
+      description = "STS session token")
+  private String sessionToken;
+
+  @Option(names = "-y",
+      description = "Continue without interactive user confirmation")
+  private boolean yes;
+
+  @Override
+  protected boolean isApplicable() {
+    return securityEnabled();
+  }
+
+  @Override
+  protected void execute(OzoneClient client, OzoneAddress address)
+      throws IOException {
+
+    if (!yes) {
+      out().print("Enter 'y' to confirm STS token revocation for accessKeyId '" +
+          accessKeyId + "': ");
+      out().flush();
+      final Scanner scanner = new Scanner(new InputStreamReader(System.in, StandardCharsets.UTF_8));
+      final String confirmation = scanner.next().trim().toLowerCase();
+      if (!"y".equals(confirmation)) {
+        out().println("Revoke STS token operation cancelled.");
+        return;
+      }
+    }
+
+    client.getObjectStore().revokeSTSToken(accessKeyId, sessionToken);
+    out().println("STS token revoked for accessKeyId '" + accessKeyId + "'.");
+  }
+}

hadoop-ozone/cli-shell/src/main/java/org/apache/hadoop/ozone/shell/s3/S3Shell.java

@@ -28,7 +28,8 @@
     subcommands = {
         GetS3SecretHandler.class,
         SetS3SecretHandler.class,
-        RevokeS3SecretHandler.class
+        RevokeS3SecretHandler.class,
+        RevokeSTSTokenHandler.class
     })
 public class S3Shell extends Shell {
 

hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/ObjectStore.java

@@ -766,6 +766,16 @@ public AssumeRoleResponseInfo assumeRole(String roleArn, String roleSessionName,
     return proxy.assumeRole(roleArn, roleSessionName, durationSeconds, awsIamSessionPolicy);
   }
 
+  /**
+   * Revokes an STS token.
+   * @param accessKeyId             The STS accessKeyId (starting with ASIA...)
+   * @param sessionToken            The STS session token
+   * @throws IOException            if an error occurs while revoking the STS token
+   */
+  public void revokeSTSToken(String accessKeyId, String sessionToken) throws IOException  {
+    proxy.revokeSTSToken(accessKeyId, sessionToken);
+  }
+
   /**
    * An Iterator to iterate over {@link SnapshotDiffJobIterator} list.
    */

hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/protocol/ClientProtocol.java

@@ -1372,4 +1372,12 @@ void deleteObjectTagging(String volumeName, String bucketName, String keyName)
    */
   AssumeRoleResponseInfo assumeRole(String roleArn, String roleSessionName, int durationSeconds,
       String awsIamSessionPolicy) throws IOException;
+
+  /**
+   * Revokes an STS token.
+   * @param accessKeyId             The STS accessKeyId (starting with ASIA...)
+   * @param sessionToken            The STS session token
+   * @throws IOException            if an error occurs while revoking the STS token
+   */
+  void revokeSTSToken(String accessKeyId, String sessionToken) throws IOException;
 }

hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java

@@ -2797,6 +2797,11 @@ public AssumeRoleResponseInfo assumeRole(String roleArn, String roleSessionName,
     return ozoneManagerClient.assumeRole(roleArn, roleSessionName, durationSeconds, awsIamSessionPolicy);
   }
 
+  @Override
+  public void revokeSTSToken(String accessKeyId, String sessionToken) throws IOException {
+    ozoneManagerClient.revokeSTSToken(accessKeyId, sessionToken);
+  }
+
   private static ExecutorService createThreadPoolExecutor(
        int corePoolSize, int maximumPoolSize, String threadNameFormat) {
     return new ThreadPoolExecutor(corePoolSize, maximumPoolSize,

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/OmUtils.java

@@ -321,6 +321,7 @@ public static boolean isReadOnly(
     case DeleteOpenKeys:
     case SetS3Secret:
     case RevokeS3Secret:
+    case RevokeSTSToken:
     case PurgeDirectories:
     case PurgePaths:
     case CreateTenant:

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocol/OzoneManagerProtocol.java

@@ -1191,4 +1191,14 @@ default AssumeRoleResponseInfo assumeRole(String roleArn, String roleSessionName
       String awsIamSessionPolicy) throws IOException {
     throw new UnsupportedOperationException("OzoneManager does not require this to be implemented");
   }
+
+  /**
+   * Revokes an STS token.
+   * @param accessKeyId             The STS accessKeyId (starting with ASIA...)
+   * @param sessionToken            The STS session token
+   * @throws IOException            if an error occurs while revoking the STS token
+   */
+  default void revokeSTSToken(String accessKeyId, String sessionToken) throws IOException  {
+    throw new UnsupportedOperationException("OzoneManager does not require this to be implemented");
+  }
 }

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocolPB/OzoneManagerProtocolClientSideTranslatorPB.java

@@ -2675,6 +2675,21 @@ public AssumeRoleResponseInfo assumeRole(String roleArn, String roleSessionName,
         handleError(submitRequest(omRequest)).getAssumeRoleResponse());
   }
 
+  @Override
+  public void revokeSTSToken(String accessKeyId, String sessionToken) throws IOException {
+    final OzoneManagerProtocolProtos.RevokeSTSTokenRequest request =
+        OzoneManagerProtocolProtos.RevokeSTSTokenRequest.newBuilder()
+            .setAccessKeyId(accessKeyId)
+            .setSessionToken(sessionToken)
+            .build();
+
+    final OMRequest omRequest = createOMRequest(Type.RevokeSTSToken)
+        .setRevokeSTSTokenRequest(request)
+        .build();
+
+    handleError(submitRequest(omRequest));
+  }
+
   private SafeMode toProtoBuf(SafeModeAction action) {
     switch (action) {
     case ENTER:

hadoop-ozone/interface-client/src/main/proto/OmClientProtocol.proto

@@ -157,6 +157,7 @@ enum Type {
   GetObjectTagging = 141;
   DeleteObjectTagging = 142;
   AssumeRole = 143;
+  RevokeSTSToken = 144;
 }
 
 enum SafeMode {
@@ -306,6 +307,7 @@ message OMRequest {
   optional DeleteObjectTaggingRequest       deleteObjectTaggingRequest     = 142;
   repeated SetSnapshotPropertyRequest       SetSnapshotPropertyRequests    = 143;
   optional AssumeRoleRequest                assumeRoleRequest              = 144;
+  optional RevokeSTSTokenRequest            revokeSTSTokenRequest          = 145;
 }
 
 message OMResponse {
@@ -440,6 +442,7 @@ message OMResponse {
   optional PutObjectTaggingResponse          putObjectTaggingResponse      = 141;
   optional DeleteObjectTaggingResponse       deleteObjectTaggingResponse   = 142;
   optional AssumeRoleResponse                assumeRoleResponse            = 143;
+  optional RevokeSTSTokenResponse            revokeSTSTokenResponse        = 144;
 }
 
 enum Status {
@@ -2381,6 +2384,14 @@ message AssumeRoleResponse {
   required string assumedRoleId           = 5;
 }
 
+message RevokeSTSTokenRequest {
+    required string accessKeyId = 1;
+    required string sessionToken = 2;
+}
+
+message RevokeSTSTokenResponse {
+}
+
 /**
  The OM service that takes care of Ozone namespace.
 */