@fmorg-git

Please describe your PR in detail:

  • To create STS tokens, the AssumeRole API must be called with a user that has permanent S3 credentials. If that user is revoked, then all session tokens created by that user must be rendered useless.

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-14364

How was this patch tested?

unit tests (and a prototype in a separate local branch)

@fmorg-git fmorg-git changed the base branch from master to HDDS-13323-sts January 7, 2026 20:03
@ChenSammi ChenSammi added the sts Changes for Ozone's S3 Security Token Service label Jan 12, 2026
@jojochuang jojochuang requested a review from sodonnel January 12, 2026 17:39
private static boolean isOriginalAccessKeyIdRevoked(STSTokenIdentifier stsTokenIdentifier, OzoneManager ozoneManager)
throws OMException {
final String originalAccessKeyId = stsTokenIdentifier.getOriginalAccessKeyId();
if (originalAccessKeyId == null) {
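Review bot: the `if (originalAccessKeyId == null)` branch in `isOriginalAccessKeyIdRevoked` decides what happens to a token that carries no original access key id, and neither the signature nor a comment says which way it goes. For a revocation check the safe outcome is to treat such a token as revoked, or to throw the declared `OMException`, rather than report it as not revoked; a short Javadoc on the method stating that would make the behaviour reviewable.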

@ChenSammi ChenSammi Jan 13, 2026

originalAccessKeyId is already checked in ensureEssentialFieldsArePresentInToken(). Rest looks good to me.

Contributor Author

updated

@fmorg-git fmorg-git requested a review from ChenSammi January 13, 2026 18:10

@ChenSammi ChenSammi left a comment

Thanks @fmorg-git. Wait for CI to pass.
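
The rule from the PR description (a session token becomes useless once the permanent credential that called AssumeRole is revoked), as an added Java example that is not part of the pull request or of Ozone's code. Every class, field and method name below is hypothetical, and the in-memory map and set stand in for whatever store holds the permanent S3 credentials and their revocation state.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Illustrative only: all names here are hypothetical, not Ozone classes. */
public class StsRevocationDemo {

  /** Session token that records which permanent key called AssumeRole. */
  record SessionToken(String tempAccessKeyId, String originalAccessKeyId, long expiryMillis) { }

  /** Stand-in for the store of permanent S3 credentials (assumption). */
  static final Map<String, String> PERMANENT_SECRETS = new ConcurrentHashMap<>();
  /** Stand-in for a revocation list of permanent access key ids (assumption). */
  static final Set<String> REVOKED = ConcurrentHashMap.newKeySet();

  /** Fail closed: a missing, revoked or deleted parent key invalidates the token. */
  static boolean parentKeyRevoked(SessionToken t) {
    String id = t.originalAccessKeyId();
    // The null/empty test runs first because ConcurrentHashMap rejects null keys.
    return id == null || id.isEmpty()
        || REVOKED.contains(id) || !PERMANENT_SECRETS.containsKey(id);
  }

  /** Evaluated on every request, so revocation takes effect before expiry. */
  static boolean isUsable(SessionToken t, long nowMillis) {
    return nowMillis < t.expiryMillis() && !parentKeyRevoked(t);
  }

  public static void main(String[] args) {
    long now = System.currentTimeMillis();
    long oneHour = 3_600_000L;
    PERMANENT_SECRETS.put("alice-perm", "constructed-secret"); // constructed sample data
    SessionToken a = new SessionToken("TEMP-1", "alice-perm", now + oneHour);
    SessionToken b = new SessionToken("TEMP-2", "alice-perm", now + oneHour);
    SessionToken orphan = new SessionToken("TEMP-3", null, now + oneHour);

    System.out.println("before revoke: a=" + isUsable(a, now) + " b=" + isUsable(b, now));
    REVOKED.add("alice-perm"); // revoking the parent user covers every token it issued
    System.out.println("after revoke:  a=" + isUsable(a, now) + " b=" + isUsable(b, now));
    System.out.println("no parent id:  " + isUsable(orphan, now));
  }
}
```

Because the parent key is looked up at validation time rather than at issuance, no per-token revocation list is needed: one change to the permanent credential disables all tokens derived from it.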