HDDS-13848. [STS] Artifacts for Ranger to authorize STS token (#9214)

(cherry picked from commit 281a5b3)

Author: fmorg-git

hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConsts.java

@@ -65,6 +65,7 @@ public final class OzoneConsts {
   public static final String OZONE_ACL_CREATE = "c";
   public static final String OZONE_ACL_READ_ACL = "x";
   public static final String OZONE_ACL_WRITE_ACL = "y";
+  public static final String OZONE_ACL_ASSUME_ROLE = "m";
 
   public static final String OZONE_DATE_FORMAT =
       "EEE, dd MMM yyyy HH:mm:ss zzz";

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/AssumeRoleRequest.java

@@ -0,0 +1,127 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.security.acl;
+
+import java.net.InetAddress;
+import java.util.Objects;
+import java.util.Set;
+import net.jcip.annotations.Immutable;
+import org.apache.hadoop.security.UserGroupInformation;
+
+/**
+ * Represents an S3 AssumeRole request that needs to be authorized by an IAccessAuthorizer.
+ * The grants parameter can be null if the access must not be limited beyond the role.
+ * Note that if the grants parameter is the empty set, this means the access should
+ * be the intersection of the role and the empty set, meaning no access will be granted.
+ */
+@Immutable
+public class AssumeRoleRequest {
+  private final String host;
+  private final InetAddress ip;
+  private final UserGroupInformation clientUgi;
+  private final String targetRoleName;
+  private final Set<OzoneGrant> grants;
+
+  public AssumeRoleRequest(String host, InetAddress ip, UserGroupInformation clientUgi, String targetRoleName,
+      Set<OzoneGrant> grants) {
+
+    this.host = host;
+    this.ip = ip;
+    this.clientUgi = clientUgi;
+    this.targetRoleName = targetRoleName;
+    this.grants = grants;
+  }
+
+  public String getHost() {
+    return host;
+  }
+
+  public InetAddress getIp() {
+    return ip;
+  }
+
+  public UserGroupInformation getClientUgi() {
+    return clientUgi;
+  }
+
+  public String getTargetRoleName() {
+    return targetRoleName;
+  }
+
+  public Set<OzoneGrant> getGrants() {
+    return grants;
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) {
+      return true;
+    } else if (o == null || getClass() != o.getClass()) {
+      return false;
+    }
+
+    final AssumeRoleRequest that = (AssumeRoleRequest) o;
+    return Objects.equals(host, that.host) && Objects.equals(ip, that.ip) &&
+        Objects.equals(clientUgi, that.clientUgi) && Objects.equals(targetRoleName, that.targetRoleName) &&
+        Objects.equals(grants, that.grants);
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hash(host, ip, clientUgi, targetRoleName, grants);
+  }
+
+  /**
+   * Encapsulates the IOzoneObj and associated permissions.
+   */
+  @Immutable
+  public static class OzoneGrant {
+    private final Set<IOzoneObj> objects;
+    private final Set<IAccessAuthorizer.ACLType> permissions;
+
+    public OzoneGrant(Set<IOzoneObj> objects, Set<IAccessAuthorizer.ACLType> permissions) {
+      this.objects = objects;
+      this.permissions = permissions;
+    }
+
+    public Set<IOzoneObj> getObjects() {
+      return objects;
+    }
+
+    public Set<IAccessAuthorizer.ACLType> getPermissions() {
+      return permissions;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+      if (this == o) {
+        return true;
+      } else if (o == null || getClass() != o.getClass()) {
+        return false;
+      }
+
+      final OzoneGrant that = (OzoneGrant) o;
+      return Objects.equals(objects, that.objects) && Objects.equals(permissions, that.permissions);
+    }
+
+    @Override
+    public int hashCode() {
+      return Objects.hash(objects, permissions);
+    }
+  }
+}

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/IAccessAuthorizer.java

@@ -17,6 +17,8 @@
 
 package org.apache.hadoop.ozone.security.acl;
 
+import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.NOT_SUPPORTED_OPERATION;
+
 import java.util.Arrays;
 import java.util.BitSet;
 import java.util.Collections;
@@ -48,6 +50,25 @@ public interface IAccessAuthorizer {
   boolean checkAccess(IOzoneObj ozoneObject, RequestContext context)
       throws OMException;
 
+  /**
+   * Attempts to authorize an STS AssumeRole request. If authorized, returns a String
+   * representation of the authorized session policy. This return value must be supplied on the subsequent
+   * {@link IAccessAuthorizer#checkAccess(IOzoneObj, RequestContext)} call, using the
+   * {@link RequestContext.Builder#setSessionPolicy(String)} parameter, and the authorizer will
+   * use the Role permissions and the session policy permissions to determine if
+   * the attempted action should be allowed for the given STS token.
+   * <p>
+   * The user making this call must have the {@link ACLType#ASSUME_ROLE} permission.
+   *
+   * @param assumeRoleRequest   the AssumeRole request containing role and optional limited scope policy grants
+   * @return                    a String representing the permissions granted according to the authorizer.
+   * @throws OMException        if the caller is not authorized, either for the role and/or policy or for the
+   *                            {@link ACLType#ASSUME_ROLE} permission
+   */
+  default String generateAssumeRoleSessionPolicy(AssumeRoleRequest assumeRoleRequest) throws OMException {
+    throw new OMException("The generateAssumeRoleSessionPolicy call is not supported", NOT_SUPPORTED_OPERATION);
+  }
+
   /**
    * @return true for Ozone-native authorizer
    */
@@ -67,7 +88,9 @@ enum ACLType {
     READ_ACL,
     WRITE_ACL,
     ALL,
-    NONE;
+    NONE,
+    ASSUME_ROLE;   // ability to create STS tokens
+
     private static int length = ACLType.values().length;
     static {
       if (length > 16) {
@@ -121,6 +144,8 @@ public static ACLType getACLRight(String type) {
         return ACLType.ALL;
       case OzoneConsts.OZONE_ACL_NONE:
         return ACLType.NONE;
+      case OzoneConsts.OZONE_ACL_ASSUME_ROLE:
+        return ACLType.ASSUME_ROLE;
       default:
         throw new IllegalArgumentException("[" + type + "] ACL right is not " +
             "recognized");
@@ -161,6 +186,8 @@ public static String getAclString(ACLType acl) {
         return OzoneConsts.OZONE_ACL_ALL;
       case NONE:
         return OzoneConsts.OZONE_ACL_NONE;
+      case ASSUME_ROLE:
+        return OzoneConsts.OZONE_ACL_ASSUME_ROLE;
       default:
         throw new IllegalArgumentException("ACL right is not recognized");
       }

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneObj.java

@@ -22,6 +22,7 @@
 import com.google.common.base.Preconditions;
 import java.util.LinkedHashMap;
 import java.util.Map;
+import java.util.Objects;
 import org.apache.hadoop.ozone.OzoneConsts;
 import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos;
 import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OzoneObj.ObjectType;
@@ -146,4 +147,20 @@ public Map<String, String> toAuditMap() {
     return auditMap;
   }
 
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) {
+      return true;
+    } else if (o == null || getClass() != o.getClass()) {
+      return false;
+    }
+
+    final OzoneObj that = (OzoneObj) o;
+    return resType == that.resType && storeType == that.storeType;
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hash(resType, storeType);
+  }
 }

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneObjInfo.java

@@ -19,6 +19,7 @@
 
 import static org.apache.hadoop.ozone.OzoneConsts.OZONE_URI_DELIMITER;
 
+import java.util.Objects;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.hadoop.ozone.om.helpers.OmKeyArgs;
 import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos;
@@ -237,4 +238,22 @@ public OzoneObjInfo build() {
           name, ozonePrefixPath);
     }
   }
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) {
+      return true;
+    } else if (!super.equals(o)) {
+      return false;
+    }
+
+    final OzoneObjInfo that = (OzoneObjInfo) o;
+    return Objects.equals(volumeName, that.volumeName) && Objects.equals(bucketName, that.bucketName) &&
+        Objects.equals(name, that.name) && Objects.equals(ozonePrefixPath, that.ozonePrefixPath);
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hash(super.hashCode(), volumeName, bucketName, name, ozonePrefixPath);
+  }
 }

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/RequestContext.java

@@ -43,20 +43,36 @@ public class RequestContext {
    */
   private final boolean recursiveAccessCheck;
 
+  /**
+   * Represents optional session policy JSON for Ranger to use when authorizing
+   * an STS token.  This value would have come as a result of a previous
+   * {@link IAccessAuthorizer#generateAssumeRoleSessionPolicy(AssumeRoleRequest)} call.
+   * The sessionPolicy includes the roleName.
+   */
+  private final String sessionPolicy;
+
   @SuppressWarnings("parameternumber")
   public RequestContext(String host, InetAddress ip,
       UserGroupInformation clientUgi, String serviceId,
       ACLIdentityType aclType, ACLType aclRights,
       String ownerName) {
     this(host, ip, clientUgi, serviceId, aclType, aclRights, ownerName,
-            false);
+        false, null);
   }
 
   @SuppressWarnings("parameternumber")
   public RequestContext(String host, InetAddress ip,
       UserGroupInformation clientUgi, String serviceId,
       ACLIdentityType aclType, ACLType aclRights,
       String ownerName, boolean recursiveAccessCheck) {
+    this(host, ip, clientUgi, serviceId, aclType, aclRights, ownerName,
+        recursiveAccessCheck, null);
+  }
+
+  @SuppressWarnings("parameternumber")
+  public RequestContext(String host, InetAddress ip, UserGroupInformation clientUgi, String serviceId,
+      ACLIdentityType aclType, ACLType aclRights, String ownerName, boolean recursiveAccessCheck,
+      String sessionPolicy) {
     this.host = host;
     this.ip = ip;
     this.clientUgi = clientUgi;
@@ -65,6 +81,7 @@ public RequestContext(String host, InetAddress ip,
     this.aclRights = aclRights;
     this.ownerName = ownerName;
     this.recursiveAccessCheck = recursiveAccessCheck;
+    this.sessionPolicy = sessionPolicy;
   }
 
   /**
@@ -85,6 +102,7 @@ public static class Builder {
     private String ownerName;
 
     private boolean recursiveAccessCheck;
+    private String sessionPolicy;
 
     public Builder setHost(String bHost) {
       this.host = bHost;
@@ -130,9 +148,14 @@ public Builder setRecursiveAccessCheck(boolean recursiveAccessCheckFlag) {
       return this;
     }
 
+    public Builder setSessionPolicy(String sessionPolicy) {
+      this.sessionPolicy = sessionPolicy;
+      return this;
+    }
+
     public RequestContext build() {
       return new RequestContext(host, ip, clientUgi, serviceId, aclType,
-          aclRights, ownerName, recursiveAccessCheck);
+          aclRights, ownerName, recursiveAccessCheck, sessionPolicy);
     }
   }
 
@@ -144,21 +167,26 @@ public static RequestContext.Builder getBuilder(
       UserGroupInformation ugi, InetAddress remoteAddress, String hostName,
       ACLType aclType, String ownerName) {
     return getBuilder(ugi, remoteAddress, hostName, aclType, ownerName,
-            false);
+        false);
   }
 
   public static RequestContext.Builder getBuilder(
       UserGroupInformation ugi, InetAddress remoteAddress, String hostName,
       ACLType aclType, String ownerName, boolean recursiveAccessCheck) {
-    RequestContext.Builder contextBuilder = RequestContext.newBuilder()
+    return getBuilder(ugi, remoteAddress, hostName, aclType, ownerName, recursiveAccessCheck, null);
+  }
+
+  public static RequestContext.Builder getBuilder(UserGroupInformation ugi, InetAddress remoteAddress, String hostName,
+      ACLType aclType, String ownerName, boolean recursiveAccessCheck, String sessionPolicy) {
+    return RequestContext.newBuilder()
         .setClientUgi(ugi)
         .setIp(remoteAddress)
         .setHost(hostName)
         .setAclType(ACLIdentityType.USER)
         .setAclRights(aclType)
         .setOwnerName(ownerName)
-        .setRecursiveAccessCheck(recursiveAccessCheck);
-    return contextBuilder;
+        .setRecursiveAccessCheck(recursiveAccessCheck)
+        .setSessionPolicy(sessionPolicy);
   }
 
   public static RequestContext.Builder getBuilder(UserGroupInformation ugi,
@@ -206,4 +234,8 @@ public String getOwnerName() {
   public boolean isRecursiveAccessCheck() {
     return recursiveAccessCheck;
   }
+
+  public String getSessionPolicy() {
+    return sessionPolicy;
+  }
 }