HDDS-4506. Support query parameter based v4 auth in S3g

hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/OzoneClientProducer.java

@@ -21,8 +21,10 @@
 import javax.enterprise.context.RequestScoped;
 import javax.enterprise.inject.Produces;
 import javax.inject.Inject;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.core.Context;
 import java.io.IOException;
-import java.net.URISyntaxException;
+import java.nio.charset.StandardCharsets;
 import java.security.PrivilegedExceptionAction;
 
 import org.apache.hadoop.hdds.conf.OzoneConfiguration;
@@ -31,16 +33,19 @@
 import org.apache.hadoop.ozone.client.OzoneClient;
 import org.apache.hadoop.ozone.client.OzoneClientFactory;
 import org.apache.hadoop.ozone.s3.exception.OS3Exception;
+import org.apache.hadoop.ozone.s3.signature.SignatureInfo;
+import org.apache.hadoop.ozone.s3.signature.SignatureInfo.Version;
+import org.apache.hadoop.ozone.s3.signature.SignatureProcessor;
+import org.apache.hadoop.ozone.s3.signature.StringToSignProducer;
 import org.apache.hadoop.ozone.security.OzoneTokenIdentifier;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.Token;
 
 import com.google.common.annotations.VisibleForTesting;
-import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMTokenProto.Type.S3AUTHINFO;
 import static org.apache.hadoop.ozone.s3.exception.S3ErrorTable.INTERNAL_ERROR;
 import static org.apache.hadoop.ozone.s3.exception.S3ErrorTable.MALFORMED_HEADER;
-import static org.apache.hadoop.ozone.s3.exception.S3ErrorTable.S3_AUTHINFO_CREATION_ERROR;
+import org.jetbrains.annotations.NotNull;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -52,10 +57,11 @@ public class OzoneClientProducer {
 
   private static final Logger LOG =
       LoggerFactory.getLogger(OzoneClientProducer.class);
+
   private OzoneClient client;
 
   @Inject
-  private SignatureProcessor signatureParser;
+  private SignatureProcessor signatureProcessor;
 
   @Inject
   private OzoneConfiguration ozoneConfiguration;
@@ -66,61 +72,63 @@ public class OzoneClientProducer {
   @Inject
   private String omServiceID;
 
+  @Context
+  private ContainerRequestContext context;
 
   @Produces
   public OzoneClient createClient() throws OS3Exception, IOException {
     client = getClient(ozoneConfiguration);
     return client;
   }
-  
+
   @PreDestroy
-  public void destory() throws IOException {
+  public void destroy() throws IOException {
     client.close();
   }
 
   private OzoneClient getClient(OzoneConfiguration config)
       throws OS3Exception {
     OzoneClient ozoneClient = null;
     try {
-      // Check if any error occurred during creation of signatureProcessor.
-      if (signatureParser.getException() != null) {
-        throw signatureParser.getException();
+      SignatureInfo signatureInfo = signatureProcessor.parseSignature();
+
+      String stringToSign = "";
+      if (signatureInfo.getVersion() == Version.V4) {
+        stringToSign =
+            StringToSignProducer.createSignatureBase(signatureInfo, context);
       }
-      String awsAccessId = signatureParser.getAwsAccessId();
+
+      String awsAccessId = signatureInfo.getAwsAccessId();
       validateAccessId(awsAccessId);
 
       UserGroupInformation remoteUser =
           UserGroupInformation.createRemoteUser(awsAccessId);
       if (OzoneSecurityUtil.isSecurityEnabled(config)) {
         LOG.debug("Creating s3 auth info for client.");
-        try {
-          OzoneTokenIdentifier identifier = new OzoneTokenIdentifier();
-          identifier.setTokenType(S3AUTHINFO);
-          identifier.setStrToSign(signatureParser.getStringToSign());
-          identifier.setSignature(signatureParser.getSignature());
-          identifier.setAwsAccessId(awsAccessId);
-          identifier.setOwner(new Text(awsAccessId));
-          if (LOG.isTraceEnabled()) {
-            LOG.trace("Adding token for service:{}", omService);
-          }
-          Token<OzoneTokenIdentifier> token = new Token(identifier.getBytes(),
-              identifier.getSignature().getBytes(UTF_8),
-              identifier.getKind(),
-              omService);
-          remoteUser.addToken(token);
-        } catch (OS3Exception | URISyntaxException ex) {
-          throw S3_AUTHINFO_CREATION_ERROR;
+
+        if (signatureInfo.getVersion() == Version.NONE) {
+          throw MALFORMED_HEADER;
+        }
+
+        OzoneTokenIdentifier identifier = new OzoneTokenIdentifier();
+        identifier.setTokenType(S3AUTHINFO);
+        identifier.setStrToSign(stringToSign);
+        identifier.setSignature(signatureInfo.getSignature());
+        identifier.setAwsAccessId(awsAccessId);
+        identifier.setOwner(new Text(awsAccessId));
+        if (LOG.isTraceEnabled()) {
+          LOG.trace("Adding token for service:{}", omService);
         }
+        Token<OzoneTokenIdentifier> token = new Token(identifier.getBytes(),
+            identifier.getSignature().getBytes(StandardCharsets.UTF_8),
+            identifier.getKind(),
+            omService);
+        remoteUser.addToken(token);
+
       }
       ozoneClient =
-          remoteUser.doAs((PrivilegedExceptionAction<OzoneClient>)() -> {
-            if (omServiceID == null) {
-              return OzoneClientFactory.getRpcClient(ozoneConfiguration);
-            } else {
-              // As in HA case, we need to pass om service ID.
-              return OzoneClientFactory.getRpcClient(omServiceID,
-                  ozoneConfiguration);
-            }
+          remoteUser.doAs((PrivilegedExceptionAction<OzoneClient>) () -> {
+            return createOzoneClient();
           });
     } catch (OS3Exception ex) {
       if (LOG.isDebugEnabled()) {
@@ -138,6 +146,18 @@ private OzoneClient getClient(OzoneConfiguration config)
     return ozoneClient;
   }
 
+  @NotNull
+  @VisibleForTesting
+  OzoneClient createOzoneClient() throws IOException {
+    if (omServiceID == null) {
+      return OzoneClientFactory.getRpcClient(ozoneConfiguration);
+    } else {
+      // As in HA case, we need to pass om service ID.
+      return OzoneClientFactory.getRpcClient(omServiceID,
+          ozoneConfiguration);
+    }
+  }
+
   // ONLY validate aws access id when needed.
   private void validateAccessId(String awsAccessId) throws Exception {
     if (awsAccessId == null || awsAccessId.equals("")) {
@@ -151,7 +171,7 @@ public void setOzoneConfiguration(OzoneConfiguration config) {
   }
 
   @VisibleForTesting
-  public void setSignatureParser(SignatureProcessor signatureParser) {
-    this.signatureParser = signatureParser;
+  public void setSignatureParser(SignatureProcessor awsSignatureProcessor) {
+    this.signatureProcessor = awsSignatureProcessor;
   }
 }

hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/endpoint/EndpointBase.java

@@ -29,7 +29,6 @@
 import org.apache.hadoop.ozone.client.OzoneVolume;
 import org.apache.hadoop.ozone.om.exceptions.OMException;
 import org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes;
-import org.apache.hadoop.ozone.s3.SignatureProcessor;
 import org.apache.hadoop.ozone.s3.exception.OS3Exception;
 import org.apache.hadoop.ozone.s3.exception.S3ErrorTable;
 
@@ -43,9 +42,6 @@ public class EndpointBase {
   @Inject
   private OzoneClient client;
 
-  @Inject
-  private SignatureProcessor signatureProcessor;
-
   protected OzoneBucket getBucket(OzoneVolume volume, String bucketName)
       throws OS3Exception, IOException {
     OzoneBucket bucket;
@@ -171,16 +167,6 @@ private Iterator<? extends OzoneBucket> iterateBuckets(
     }
   }
 
-  public SignatureProcessor getSignatureProcessor() {
-    return signatureProcessor;
-  }
-
-  @VisibleForTesting
-  public void setSignatureProcessor(
-      SignatureProcessor signatureProcessor) {
-    this.signatureProcessor = signatureProcessor;
-  }
-
   @VisibleForTesting
   public void setClient(OzoneClient ozoneClient) {
     this.client = ozoneClient;

hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/exception/OS3Exception.java

@@ -17,19 +17,19 @@
  */
 package org.apache.hadoop.ozone.s3.exception;
 
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlTransient;
+
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.SerializationFeature;
 import com.fasterxml.jackson.dataformat.xml.XmlMapper;
 import com.fasterxml.jackson.module.jaxb.JaxbAnnotationModule;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.xml.bind.annotation.XmlAccessType;
-import javax.xml.bind.annotation.XmlAccessorType;
-import javax.xml.bind.annotation.XmlElement;
-import javax.xml.bind.annotation.XmlTransient;
-import javax.xml.bind.annotation.XmlRootElement;
-
 
 /**
  * This class represents exceptions raised from Ozone S3 service.
@@ -38,7 +38,7 @@
  */
 @XmlRootElement(name = "Error")
 @XmlAccessorType(XmlAccessType.NONE)
-public class OS3Exception extends  Exception {
+public class OS3Exception extends Exception {
   private static final Logger LOG =
       LoggerFactory.getLogger(OS3Exception.class);
   private static ObjectMapper mapper;

hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/exception/S3ErrorTable.java

@@ -120,7 +120,7 @@ public static OS3Exception newError(OS3Exception e, String resource) {
     OS3Exception err =  new OS3Exception(e.getCode(), e.getErrorMessage(),
         e.getHttpCode());
     err.setResource(resource);
-    LOG.error(err.toXml());
+    LOG.error(err.toXml(), e);
     return err;
   }
 }