Skip to content

Commit e7c5a70

Browse files
authored
HDDS-13857. [STS] Update verbiage for enhancing security and StringLike condition support (#10282)
1 parent 8322282 commit e7c5a70

1 file changed

Lines changed: 16 additions & 6 deletions

File tree

hadoop-hdds/docs/content/design/ozone-sts.md

Lines changed: 16 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -81,7 +81,7 @@ subset of its capabilities. The restrictions are outlined below:
8181

8282
- The only supported prefix in ResourceArn is `arn:aws:s3:::` - all others will be rejected. **Note**: a ResourceArn
8383
of `*` is supported as well.
84-
- The only supported Condition operator is `StringEquals` - all others will be rejected.
84+
- The only supported Condition operators are `StringEquals` and `StringLike` - all others will be rejected.
8585
- The only supported Condition key is `s3:prefix` - all others will be rejected.
8686
- Only one Condition operator per Statement is supported - a Statement with more than one Condition will be rejected.
8787
- The only supported Effect is `Allow` - all others will be rejected.
@@ -135,9 +135,9 @@ to make S3 API calls
135135
- sessionPolicy - when using the RangerOzoneAuthorizer, if Ranger successfully authorizes the AssumeRole call,
136136
it will return a String representing the role the token was authorized for. Furthermore, if an AWS IAM Session Policy
137137
was included with the AssumeRole request, the String return value will also include resources (i.e. buckets, keys, etc.)
138-
and permissions (i.e. ACLType) corresponding to the AWS IAM Session Policy. These resources and permissions, if present,
139-
would further limit the scope of the permissions and resources granted by the role in Ranger, such that the temporary
140-
credential will have the permissions comprising the intersection of the role permissions and the sessionPolicy permissions.
138+
, permissions (i.e. ACLType - for legacy purposes), and actions (i.e. GetObject, GetObjectTagging, etc.) corresponding to the AWS IAM Session Policy. These resources, permissions and actions, if present,
139+
would further limit the scope of the permissions, resources and actions granted by the role in Ranger, such that the temporary
140+
credential will have the permissions and actions comprising the intersection of the role permissions and actions and the sessionPolicy permissions and actions.
141141
- HMAC-SHA256 signature - used to ensure the sessionToken was created by Ozone and was not altered since it was created.
142142
- expiration time of the token (via `ShortLivedTokenIdentifier#getExpiry()`)
143143
- UUID of the OzoneManager secret key used to sign the sessionToken and encrypt the secretAccessKey (via `ShortLivedTokenIdentifier#getSecretKeyId()`)
@@ -189,14 +189,24 @@ components:
189189
The grants parameter is optional, and would only be present if the AssumeRole API call had an IAM session policy JSON
190190
parameter supplied. A conversion utility, `IamSessionPolicyResolver` will process the IAM policy and convert it to a
191191
`Set<AssumeRoleRequest.OzoneGrant>`, in effect translating from S3 nomenclature for resources and actions to Ozone nomenclature of
192-
`IOzoneObj` and `ACLType`. Ranger would use all of this information to determine if the AssumeRole call should be
192+
`IOzoneObj`, `ACLType` and actions without the s3: prefix (such as GetObject or PutObject). Ranger would use all of this information to determine if the AssumeRole call should be
193193
successfully authorized, and if so, it will return a String representation of the granted permissions and paths.
194194

195195
The format of this String is entirely up to the Ranger team. What is required from the Ozone side is to supply this String to Ranger when any
196196
subsequent S3 API calls are made that use STS tokens. In order to achieve this, the sessionPolicy String from Ranger will
197197
be included in the sessionToken response to the AssumeRole API call (as mentioned above), and Ozone will supply this String
198198
to Ranger whenever STS tokens are used on S3 API calls via a new `RequestContext.sessionPolicy` field in the
199-
`IAccessAuthorizer#checkAccess(IOzoneObj, RequestContext)` call.
199+
`IAccessAuthorizer#checkAccess(IOzoneObj, RequestContext)` call. Another requirement from the Ozone side is to pass the action (without the s3: prefix) corresponding to the S3 api call into the `RequestContext.s3Action` field.
200+
201+
### 3.6.2 Additional Context on Permissions and Actions
202+
203+
In a prior iteration of this design, only permissions corresponding to Ozone `ACLType` (i.e. read, write, create, read_acl, etc.) were included in Ranger roles and session policies.
204+
However, after testing against AWS, it was found that ACLs used by Ozone and Ranger are not granular enough. For example, read on volume, read on bucket, and write on key can be used by either the S3 PutObjectTagging api (requiring `s3:PutObjectTagging` action) or the S3 DeleteObjectTagging api (requiring `s3:DeleteObjectTagging` action).
205+
Similarly, because the S3 PutObject api (`s3:PutObject` action) requires read on volume, read on bucket, and create and write on key, someone with `s3:PutObject` access could previously also call the S3 PutObjectTagging api, even though they did not have access to the `s3:PutObjectTagging` action (as an example).
206+
AWS does not allow an STS token that is restricted for one action to issue calls to an api that is associated with a different action. To prevent having more access than requested (or different access than requested), ACL permissions can be constrained further by S3 actions.
207+
208+
To do this constraining, the `RequestContext.s3Action` field is introduced so that if populated, the RangerOzoneAuthorizer would further restrict the permissions according to the action.
209+
Additionally, the OzoneGrant would contain a Set<String> representing the S3 actions that are allowed for an inline policy. If all actions are allowed, then the Set<String> would be empty or null.
200210

201211
## 3.7 Overall Flow
202212

0 commit comments

Comments
 (0)