
HDDS-15194. [STS] Update IamSessionPolicyResolver to return S3 Actions #10204

Open

fmorg-git wants to merge 1 commit into apache:HDDS-13323-sts from fmorg-git:HDDS-15194

Conversation

fmorg-git (Contributor) commented May 6, 2026

Please describe your PR in detail:

  • In https://issues.apache.org/jira/browse/HDDS-15137, each S3 API was associated with one or more S3 actions. In order for the Ranger authorizer to authorize against those actions, the IamSessionPolicyResolver needs to be updated to return the S3 actions. This PR makes those updates.

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-15194

How was this patch tested?

unit tests, smoke tests

@fmorg-git fmorg-git marked this pull request as draft May 6, 2026 22:06
@fmorg-git fmorg-git force-pushed the HDDS-15194 branch 2 times, most recently from 161764a to 8e717e0 Compare May 6, 2026 23:24
@fmorg-git fmorg-git force-pushed the HDDS-15194 branch 2 times, most recently from db5ea93 to 5b69ecb Compare May 16, 2026 02:31
github-actions Bot commented Jun 7, 2026

This PR has been marked as stale due to 21 days of inactivity. Please comment or remove the stale label to keep it open. Otherwise, it will be automatically closed in 7 days.

@github-actions github-actions Bot added the stale label Jun 7, 2026
fmorg-git (Contributor, Author) commented

commenting to remove stale label

@github-actions github-actions Bot removed the stale label Jun 8, 2026
@fmorg-git fmorg-git marked this pull request as ready for review June 24, 2026 16:59
fmorg-git (Contributor, Author) commented

hi @ChenSammi - this PR has been rebased and is ready for review. Thanks!

Copilot AI (Contributor) left a comment

Pull request overview

Updates IAM session policy resolution so that resolved AssumeRoleRequest.OzoneGrant entries include the concrete S3 action names (without the s3: prefix), enabling Ranger authorization decisions to be made against the same action set mapped in HDDS-15137.

Changes:

  • Track and emit per-resource S3 action names alongside ACLs, and group grants by (ACLs, S3 actions) rather than ACLs alone.
  • Expand s3:* into the full set of supported concrete S3Action values (removing the ALL_S3 sentinel) and adjust condition filtering accordingly.
  • Update/extend unit tests to validate action propagation and the new grouping behavior across resource types and authorizers.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File: hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/iam/IamSessionPolicyResolver.java
Description: Adds S3-action tracking to resolved grants, updates wildcard handling, and groups grants by both ACLs and actions.

File: hadoop-ozone/common/src/test/java/org/apache/hadoop/ozone/security/acl/iam/TestIamSessionPolicyResolver.java
Description: Updates expectations to include S3 actions per grant and covers new grouping and s3:* expansion semantics.

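To make the resolution semantics described in the PR and the review overview concrete, here is an added illustrative model written for this page in Python. It is not Ozone's IamSessionPolicyResolver (which is Java) and it does not use the project's API; the supported-action set, the action-to-ACL mapping and the grant dict shape are assumptions. It shows s3:* expanding into concrete, prefix-free action names, unknown actions being dropped rather than granted, and grants grouped by the pair (ACLs, actions) so that two resources with the same coarse ACL but different actions land in different grants.

```python
"""Illustrative model of resolving an IAM session policy into grants that carry
concrete S3 action names next to the ACLs they imply.  Added for this page; it is
not Apache Ozone's IamSessionPolicyResolver.  SUPPORTED_S3_ACTIONS, ACTION_TO_ACL
and the grant dict shape are assumptions, not the project's definitions."""
import json
from collections import defaultdict
from typing import Dict, FrozenSet, List

S3_PREFIX = "s3:"

# Assumption: a small stand-in for the project's supported S3Action values.
SUPPORTED_S3_ACTIONS = frozenset({
    "ListBucket", "GetObject", "GetObjectTagging", "PutObject",
    "PutObjectTagging", "DeleteObject", "CreateBucket", "DeleteBucket",
})

# Assumption: the coarse ACL each concrete action implies.
ACTION_TO_ACL = {
    "ListBucket": "LIST", "GetObject": "READ", "GetObjectTagging": "READ",
    "PutObject": "WRITE", "PutObjectTagging": "WRITE", "DeleteObject": "DELETE",
    "CreateBucket": "CREATE", "DeleteBucket": "DELETE",
}


def expand_actions(actions) -> FrozenSet[str]:
    """Return concrete action names without the 's3:' prefix.

    's3:*' expands to every supported action.  Unknown or non-S3 actions are
    dropped rather than granted, so a typo in a policy can never widen access.
    """
    if isinstance(actions, str):
        actions = [actions]
    out = set()
    for action in actions:
        if not action.startswith(S3_PREFIX):
            continue
        name = action[len(S3_PREFIX):]
        if name == "*":
            out |= SUPPORTED_S3_ACTIONS
        elif name in SUPPORTED_S3_ACTIONS:
            out.add(name)
    return frozenset(out)


def resolve_grants(policy_json: str) -> List[Dict]:
    """Resolve Allow statements into grants grouped by (ACLs, actions).

    Resources share one grant only when both their ACL set and their action
    set are identical.  Deny statements are skipped here, not applied; a real
    resolver must apply them after the Allow grants are computed.
    """
    policy = json.loads(policy_json)
    per_resource = defaultdict(lambda: (set(), set()))  # arn -> (acls, actions)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = expand_actions(stmt.get("Action", []))
        if not actions:
            continue  # nothing recognised: emit no grant for these resources
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for arn in resources:
            acls, acts = per_resource[arn]
            acts.update(actions)
            acls.update(ACTION_TO_ACL[a] for a in actions)
    groups = defaultdict(list)
    for arn, (acls, acts) in per_resource.items():
        groups[(frozenset(acls), frozenset(acts))].append(arn)
    return [
        {"resources": sorted(arns), "acls": sorted(acls), "actions": sorted(acts)}
        for (acls, acts), arns in sorted(groups.items(), key=lambda kv: sorted(kv[1]))
    ]


SAMPLE_POLICY = json.dumps({  # constructed sample input, not a real policy
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::logs", "arn:aws:s3:::logs-archive",
                      "arn:aws:s3:::logs/*"]},
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::logs/*"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::events"},
        {"Effect": "Allow", "Action": "s3:GetObjectTagging",
         "Resource": "arn:aws:s3:::metrics"},
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::scratch/*"},
        # unknown action: dropped, must not become a grant
        {"Effect": "Allow", "Action": "s3:GetObjectMadeUp",
         "Resource": "arn:aws:s3:::secrets"},
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::logs/*"},
    ],
})

if __name__ == "__main__":
    print(json.dumps(resolve_grants(SAMPLE_POLICY), indent=2))
```

Grouping by ACL alone would merge events and metrics (both resolve to READ); grouping by the pair keeps them in separate grants, which is what lets an authorizer decide per concrete action. Two deliberate safety choices are visible in the sample: a misspelled action yields no grant at all rather than falling through to a wildcard, and the Deny statement is skipped rather than applied, so this model over-grants relative to the policy and a real resolver must apply Deny after Allow.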
