HDDS-14066. [STS] Database updates for revoked STS tokens (#9420)

Author: fmorg-git

hadoop-ozone/interface-storage/src/main/java/org/apache/hadoop/ozone/om/OMMetadataManager.java

@@ -484,6 +484,14 @@ String getMultipartKeyFSO(String volume, String bucket, String key, String
    */
   Table<String, String> getMetaTable();
 
+  /**
+   * Gets the S3RevokedStsTokenTable.
+   *
+   * @return Table.
+   */
+  Table<String, String> getS3RevokedStsTokenTable();
+
+
   /**
    * Returns number of rows in a table.  This should not be used for very
    * large tables.

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmMetadataManagerImpl.java

@@ -181,6 +181,8 @@ public class OmMetadataManagerImpl implements OMMetadataManager,
   private TypedTable<String, String> snapshotRenamedTable;
   private TypedTable<String, CompactionLogEntry> compactionLogTable;
 
+  private TypedTable<String, String> s3RevokedStsTokenTable;
+
   private OzoneManager ozoneManager;
 
   // Epoch is used to generate the objectIDs. The most significant 2 bits of
@@ -486,6 +488,9 @@ protected void initializeOmTables(CacheType cacheType,
     // TODO: [SNAPSHOT] Initialize table lock for snapshotRenamedTable.
 
     compactionLogTable = initializer.get(OMDBDefinition.COMPACTION_LOG_TABLE_DEF);
+
+    // temporaryAccessKeyId -> sessionToken
+    s3RevokedStsTokenTable = initializer.get(OMDBDefinition.S3_REVOKED_STS_TOKEN_TABLE_DEF);
   }
 
   /**
@@ -1683,6 +1688,11 @@ public Table<String, CompactionLogEntry> getCompactionLogTable() {
     return compactionLogTable;
   }
 
+  @Override
+  public Table<String, String> getS3RevokedStsTokenTable() {
+    return s3RevokedStsTokenTable;
+  }
+
   /**
    * Get Snapshot Chain Manager.
    *

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/codec/OMDBDefinition.java

@@ -49,13 +49,14 @@
  * OM database definitions.
  * <pre>
  * {@code
- * User, Token and Secret Tables:
+ * User, Token, Secret and Revoked STS Token Tables:
  * |------------------------------------------------------------------------|
- * |        Column Family |                 Mapping                         |
+ * |          Column Family |                 Mapping                       |
  * |------------------------------------------------------------------------|
- * |            userTable |             /user :- UserVolumeInfo             |
- * |          dTokenTable |      OzoneTokenID :- renew_time                 |
- * |        s3SecretTable | s3g_access_key_id :- s3Secret                   |
+ * |              userTable |             /user :- UserVolumeInfo           |
+ * |            dTokenTable |      OzoneTokenID :- renew_time               |
+ * |          s3SecretTable | s3g_access_key_id :- s3Secret                 |
+ * | s3RevokedStsTokenTable | sts_access_key_id :- sessionToken             |
  * |------------------------------------------------------------------------|
  * }
  * </pre>
@@ -139,7 +140,7 @@
 public final class OMDBDefinition extends DBDefinition.WithMap {
 
   //---------------------------------------------------------------------------
-  // User, Token and Secret Tables:
+  // User, Token, Secret and Revoked STS Token Tables:
   public static final String USER_TABLE = "userTable";
   /** userTable: /user :- UserVolumeInfo. */
   public static final DBColumnFamilyDefinition<String, PersistedUserVolumeInfo> USER_TABLE_DEF
@@ -161,6 +162,13 @@ public final class OMDBDefinition extends DBDefinition.WithMap {
           StringCodec.get(),
           S3SecretValue.getCodec());
 
+  public static final String S3_REVOKED_STS_TOKEN_TABLE = "s3RevokedStsTokenTable";
+  /** s3RevokedStsTokenTable: sts_access_key_id :- sessionToken.*/
+  public static final DBColumnFamilyDefinition<String, String> S3_REVOKED_STS_TOKEN_TABLE_DEF
+      = new DBColumnFamilyDefinition<>(S3_REVOKED_STS_TOKEN_TABLE,
+          StringCodec.get(),
+          StringCodec.get());
+
   //---------------------------------------------------------------------------
   // Volume, Bucket, Prefix and Transaction Tables:
   public static final String VOLUME_TABLE = "volumeTable";
@@ -339,7 +347,8 @@ public final class OMDBDefinition extends DBDefinition.WithMap {
           TENANT_STATE_TABLE_DEF,
           TRANSACTION_INFO_TABLE_DEF,
           USER_TABLE_DEF,
-          VOLUME_TABLE_DEF);
+          VOLUME_TABLE_DEF,
+          S3_REVOKED_STS_TOKEN_TABLE_DEF);
 
   private static final OMDBDefinition INSTANCE = new OMDBDefinition();
 

hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/TestOmMetadataManager.java

@@ -38,6 +38,7 @@
 import static org.apache.hadoop.ozone.om.codec.OMDBDefinition.OPEN_KEY_TABLE;
 import static org.apache.hadoop.ozone.om.codec.OMDBDefinition.PREFIX_TABLE;
 import static org.apache.hadoop.ozone.om.codec.OMDBDefinition.PRINCIPAL_TO_ACCESS_IDS_TABLE;
+import static org.apache.hadoop.ozone.om.codec.OMDBDefinition.S3_REVOKED_STS_TOKEN_TABLE;
 import static org.apache.hadoop.ozone.om.codec.OMDBDefinition.S3_SECRET_TABLE;
 import static org.apache.hadoop.ozone.om.codec.OMDBDefinition.SNAPSHOT_INFO_TABLE;
 import static org.apache.hadoop.ozone.om.codec.OMDBDefinition.SNAPSHOT_RENAMED_TABLE;
@@ -52,6 +53,7 @@
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -137,7 +139,8 @@ public class TestOmMetadataManager {
       TENANT_STATE_TABLE,
       SNAPSHOT_INFO_TABLE,
       SNAPSHOT_RENAMED_TABLE,
-      COMPACTION_LOG_TABLE
+      COMPACTION_LOG_TABLE,
+      S3_REVOKED_STS_TOKEN_TABLE
   };
 
   private OMMetadataManager omMetadataManager;
@@ -1289,4 +1292,29 @@ public void testGetMultipartUploadKeys() throws Exception {
 
     assertEquals(25, noPagination.size());
   }
+
+  @Test
+  public void testS3RevokedStsTokenTablePutAndGet() throws Exception {
+    // Ensure the table is initialized
+    assertNotNull(omMetadataManager.getS3RevokedStsTokenTable(), "s3RevokedStsTokenTable should be initialized");
+
+    final String tempAccessKeyId1 = "ASIA7VUS1EOBCW8RRJVR";
+    final String sessionToken1 = "test-session-token-1";
+    final String tempAccessKeyId2 = "ASIA904E65QIGL9ON305";
+    final String sessionToken2 = "test-session-token-2";
+
+    omMetadataManager.getS3RevokedStsTokenTable()
+        .put(tempAccessKeyId1, sessionToken1);
+    omMetadataManager.getS3RevokedStsTokenTable()
+        .put(tempAccessKeyId2, sessionToken2);
+
+    // Verify get and getIfExist return the stored value
+    assertEquals(sessionToken1, omMetadataManager.getS3RevokedStsTokenTable().get(tempAccessKeyId1));
+    assertEquals(sessionToken1, omMetadataManager.getS3RevokedStsTokenTable().getIfExist(tempAccessKeyId1));
+    assertEquals(sessionToken2, omMetadataManager.getS3RevokedStsTokenTable().get(tempAccessKeyId2));
+    assertEquals(sessionToken2, omMetadataManager.getS3RevokedStsTokenTable().getIfExist(tempAccessKeyId2));
+
+    // Unknown key should return null for getIfExist
+    assertNull(omMetadataManager.getS3RevokedStsTokenTable().getIfExist("ASIA_UNKNOWN_ACCESS_KEY"));
+  }
 }