You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: hadoop-hdds/docs/content/design/ozone-sts.md
+16-6Lines changed: 16 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -81,7 +81,7 @@ subset of its capabilities. The restrictions are outlined below:
81
81
82
82
- The only supported prefix in ResourceArn is `arn:aws:s3:::` - all others will be rejected. **Note**: a ResourceArn
83
83
of `*` is supported as well.
84
-
- The only supported Condition operator is`StringEquals` - all others will be rejected.
84
+
- The only supported Condition operators are`StringEquals` and `StringLike` - all others will be rejected.
85
85
- The only supported Condition key is `s3:prefix` - all others will be rejected.
86
86
- Only one Condition operator per Statement is supported - a Statement with more than one Condition will be rejected.
87
87
- The only supported Effect is `Allow` - all others will be rejected.
@@ -135,9 +135,9 @@ to make S3 API calls
135
135
- sessionPolicy - when using the RangerOzoneAuthorizer, if Ranger successfully authorizes the AssumeRole call,
136
136
it will return a String representing the role the token was authorized for. Furthermore, if an AWS IAM Session Policy
137
137
was included with the AssumeRole request, the String return value will also include resources (i.e. buckets, keys, etc.)
138
-
and permissions (i.e. ACLType) corresponding to the AWS IAM Session Policy. These resourcesand permissions, if present,
139
-
would further limit the scope of the permissionsand resources granted by the role in Ranger, such that the temporary
140
-
credential will have the permissions comprising the intersection of the role permissions and the sessionPolicy permissions.
138
+
, permissions (i.e. ACLType - for legacy purposes), and actions (i.e. GetObject, GetObjectTagging, etc.) corresponding to the AWS IAM Session Policy. These resources, permissions and actions, if present,
139
+
would further limit the scope of the permissions, resources and actions granted by the role in Ranger, such that the temporary
140
+
credential will have the permissions and actions comprising the intersection of the role permissions and actions and the sessionPolicy permissions and actions.
141
141
- HMAC-SHA256 signature - used to ensure the sessionToken was created by Ozone and was not altered since it was created.
142
142
- expiration time of the token (via `ShortLivedTokenIdentifier#getExpiry()`)
143
143
- UUID of the OzoneManager secret key used to sign the sessionToken and encrypt the secretAccessKey (via `ShortLivedTokenIdentifier#getSecretKeyId()`)
@@ -189,14 +189,24 @@ components:
189
189
The grants parameter is optional, and would only be present if the AssumeRole API call had an IAM session policy JSON
190
190
parameter supplied. A conversion utility, `IamSessionPolicyResolver` will process the IAM policy and convert it to a
191
191
`Set<AssumeRoleRequest.OzoneGrant>`, in effect translating from S3 nomenclature for resources and actions to Ozone nomenclature of
192
-
`IOzoneObj` and `ACLType`. Ranger would use all of this information to determine if the AssumeRole call should be
192
+
`IOzoneObj`, `ACLType` and actions without the s3: prefix (such as GetObject or PutObject). Ranger would use all of this information to determine if the AssumeRole call should be
193
193
successfully authorized, and if so, it will return a String representation of the granted permissions and paths.
194
194
195
195
The format of this String is entirely up to the Ranger team. What is required from the Ozone side is to supply this String to Ranger when any
196
196
subsequent S3 API calls are made that use STS tokens. In order to achieve this, the sessionPolicy String from Ranger will
197
197
be included in the sessionToken response to the AssumeRole API call (as mentioned above), and Ozone will supply this String
198
198
to Ranger whenever STS tokens are used on S3 API calls via a new `RequestContext.sessionPolicy` field in the
`IAccessAuthorizer#checkAccess(IOzoneObj, RequestContext)` call. Another requirement from the Ozone side is to pass the action (without the s3: prefix) corresponding to the S3 api call into the `RequestContext.s3Action` field.
200
+
201
+
### 3.6.2 Additional Context on Permissions and Actions
202
+
203
+
In a prior iteration of this design, only permissions corresponding to Ozone `ACLType` (i.e. read, write, create, read_acl, etc.) were included in Ranger roles and session policies.
204
+
However, after testing against AWS, it was found that ACLs used by Ozone and Ranger are not granular enough. For example, read on volume, read on bucket, and write on key can be used by either the S3 PutObjectTagging api (requiring `s3:PutObjectTagging` action) or the S3 DeleteObjectTagging api (requiring `s3:DeleteObjectTagging` action).
205
+
Similarly, because the S3 PutObject api (`s3:PutObject` action) requires read on volume, read on bucket, and create and write on key, someone with `s3:PutObject` access could previously also call the S3 PutObjectTagging api, even though they did not have access to the `s3:PutObjectTagging` action (as an example).
206
+
AWS does not allow an STS token that is restricted for one action to issue calls to an api that is associated with a different action. To prevent having more access than requested (or different access than requested), ACL permissions can be constrained further by S3 actions.
207
+
208
+
To do this constraining, the `RequestContext.s3Action` field is introduced so that if populated, the RangerOzoneAuthorizer would further restrict the permissions according to the action.
209
+
Additionally, the OzoneGrant would contain a Set<String> representing the S3 actions that are allowed for an inline policy. If all actions are allowed, then the Set<String> would be empty or null.
0 commit comments