Skip to content

HDDS-15771. [STS] Add s3Action for expected bucket owner condition checks#10688

Merged
smengcl merged 1 commit into
apache:HDDS-13323-stsfrom
fmorg-git:HDDS-15771
Jul 8, 2026
Merged

HDDS-15771. [STS] Add s3Action for expected bucket owner condition checks#10688
smengcl merged 1 commit into
apache:HDDS-13323-stsfrom
fmorg-git:HDDS-15771

Conversation

@fmorg-git

Copy link
Copy Markdown
Contributor

Please describe your PR in detail:

  • RANGER-5667 makes a fix such that if a role has an action-matches condition with a value (such as PutObject), and in the incoming RequestContext.s3Action is null/empty, then the request is denied. Most of the S3 requests have an action associated, however, there are two edge cases currently where the RequestContext.s3Action is null: 1) in CopyObject with expected-bucket-owner/expected-source-bucket-owner headers 2) in UploadPartCopy with expected-bucket-owner/expected-source-bucket-owner headers.

This PR ensures that the bucket owner verification condition checks are have s3 action associated with them so that the Ranger authorization checks will pass.

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-15771

How was this patch tested?

unit tests and smoke tests

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses an STS/Ranger authorization edge case for S3 copy-style operations (CopyObject and UploadPartCopy) when x-amz-expected-bucket-owner / x-amz-expected-source-bucket-owner headers are present. It ensures the internal bucket-owner verification lookups execute with a non-empty IAM-style s3Action (specifically GetObject) so Ranger “action-matches” conditions don’t incorrectly deny the request.

Changes:

  • Wrap source-bucket owner lookup in CopyObject and UploadPartCopy paths with runWithS3ActionString("GetObject", ...).
  • Add a focused unit test validating the S3Auth.s3Action value at the time of the source-bucket owner lookup for both CopyObject and UploadPartCopy.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/endpoint/ObjectEndpoint.java Ensures source bucket owner lookup for copy-style operations runs under GetObject action string via runWithS3ActionString.
hadoop-ozone/s3gateway/src/test/java/org/apache/hadoop/ozone/s3/endpoint/TestS3ActionOverrideForOwnerVerification.java Adds unit coverage to assert GetObject is set during source-bucket owner lookup in CopyObject and UploadPartCopy flows.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@smengcl smengcl left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm pending CI

@smengcl smengcl merged commit ef10673 into apache:HDDS-13323-sts Jul 8, 2026
89 of 91 checks passed
@smengcl

smengcl commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Merged. Thanks @fmorg-git

@fmorg-git

Copy link
Copy Markdown
Contributor Author

Thanks for the review and merge.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants