diff --git a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/OzoneClientProducer.java b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/OzoneClientProducer.java
index 9b186e8b9ba2..0cd5b4a455c8 100644
--- a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/OzoneClientProducer.java
+++ b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/OzoneClientProducer.java
@@ -44,7 +44,7 @@
 import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_OM_CLIENT_PROTOCOL_VERSION;
 import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_OM_CLIENT_PROTOCOL_VERSION_KEY;
 import static org.apache.hadoop.ozone.s3.exception.S3ErrorTable.INTERNAL_ERROR;
-import static org.apache.hadoop.ozone.s3.exception.S3ErrorTable.MALFORMED_HEADER;
+import static org.apache.hadoop.ozone.s3.exception.S3ErrorTable.ACCESS_DENIED;
 /**
 * This class creates the OzoneClient for the Rest endpoints.
@@ -90,7 +90,12 @@ public S3Auth getSignature() {
 }
 String awsAccessId = signatureInfo.getAwsAccessId();
- validateAccessId(awsAccessId);
+ // ONLY validate aws access id when needed.
+ if (awsAccessId == null || awsAccessId.equals("")) {
+ LOG.debug("Malformed s3 header. awsAccessID: ", awsAccessId);
+ throw ACCESS_DENIED;
+ }
+
 return new S3Auth(stringToSign, signatureInfo.getSignature(), awsAccessId);
@@ -123,14 +128,6 @@ OzoneClient createOzoneClient() throws IOException {
 }
 }
- // ONLY validate aws access id when needed.
- private void validateAccessId(String awsAccessId) throws Exception {
- if (awsAccessId == null || awsAccessId.equals("")) {
- LOG.error("Malformed s3 header. awsAccessID: ", awsAccessId);
- throw wrapOS3Exception(MALFORMED_HEADER);
- }
- }
-
 public void setOzoneConfiguration(OzoneConfiguration config) {
 this.ozoneConfiguration = config;
 }
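Review bot: The added `LOG.debug("Malformed s3 header. awsAccessID: ", awsAccessId);` in the `@@ -90,7 +90,12 @@` hunk has no `{}` placeholder, so (assuming LOG is an SLF4J-style logger) the argument is never rendered, and in this branch the value is null or empty anyway. Because the rejection is now an authentication failure (`ACCESS_DENIED`) recorded only at debug, a deployment logging at info level keeps no trace of requests that arrive without an access id; consider `LOG.warn("Rejecting S3 request: no AWS access id in Authorization header");`, or a counter or audit entry if a per-request warning would be too noisy. The carried-over comment `// ONLY validate aws access id when needed.` no longer matches the code, which checks unconditionally; `// Reject requests that carry no AWS access id.` would describe it. `getSignature()` starts and ends outside the hunk, so how the thrown exception is wrapped for the client is not visible here.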
diff --git a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/exception/S3ErrorTable.java b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/exception/S3ErrorTable.java
index 86d9fc049cd8..7ef681ea3873 100644
--- a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/exception/S3ErrorTable.java
+++ b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/exception/S3ErrorTable.java
@@ -26,7 +26,7 @@
 import static java.net.HttpURLConnection.HTTP_NOT_FOUND;
 import static java.net.HttpURLConnection.HTTP_PRECON_FAILED;
 import static java.net.HttpURLConnection.HTTP_NOT_IMPLEMENTED;
-import static java.net.HttpURLConnection.HTTP_SERVER_ERROR;
+import static java.net.HttpURLConnection.HTTP_INTERNAL_ERROR;
 import static org.apache.hadoop.ozone.s3.util.S3Consts.RANGE_NOT_SATISFIABLE;
 /**
@@ -65,7 +65,7 @@ private S3ErrorTable() {
 public static final OS3Exception MALFORMED_HEADER = new OS3Exception( "AuthorizationHeaderMalformed", "The authorization header you provided " +
- "is invalid.", HTTP_NOT_FOUND);
+ "is invalid.", HTTP_BAD_REQUEST);
 public static final OS3Exception NO_SUCH_KEY = new OS3Exception( "NoSuchKey", "The specified key does not exist", HTTP_NOT_FOUND);
@@ -106,7 +106,7 @@ private S3ErrorTable() {
 public static final OS3Exception INTERNAL_ERROR = new OS3Exception( "InternalError", "We encountered an internal error. Please try again.",
- HTTP_SERVER_ERROR);
+ HTTP_INTERNAL_ERROR);
 public static final OS3Exception ACCESS_DENIED = new OS3Exception( "AccessDenied", "User doesn't have the right to access this " +
diff --git a/hadoop-ozone/s3gateway/src/test/java/org/apache/hadoop/ozone/s3/TestOzoneClientProducer.java b/hadoop-ozone/s3gateway/src/test/java/org/apache/hadoop/ozone/s3/TestOzoneClientProducer.java
index 83305f029461..d02c3ccde8b4 100644
--- a/hadoop-ozone/s3gateway/src/test/java/org/apache/hadoop/ozone/s3/TestOzoneClientProducer.java
+++ b/hadoop-ozone/s3gateway/src/test/java/org/apache/hadoop/ozone/s3/TestOzoneClientProducer.java
@@ -17,6 +17,7 @@
 */
 package org.apache.hadoop.ozone.s3;
+import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.core.MultivaluedHashMap;
 import javax.ws.rs.core.MultivaluedMap;
@@ -31,6 +32,9 @@
 import org.apache.hadoop.ozone.om.OMConfigKeys;
 import org.apache.hadoop.ozone.s3.signature.AWSSignatureProcessor;
+import static java.net.HttpURLConnection.HTTP_BAD_REQUEST;
+import static java.net.HttpURLConnection.HTTP_FORBIDDEN;
+
 import static org.apache.hadoop.ozone.s3.signature.SignatureParser.AUTHORIZATION_HEADER;
 import static org.apache.hadoop.ozone.s3.signature.SignatureProcessor.CONTENT_MD5;
 import static org.apache.hadoop.ozone.s3.signature.SignatureProcessor.CONTENT_TYPE;
@@ -118,7 +122,10 @@ public static Collection data() {
 },
 {
 null, null, null, null, null, null
- }
+ },
+ {
+ "", null, null, null, null, null
+ },
 });
 }
@@ -132,6 +139,36 @@ public void testGetClientFailure() {
 }
 }
+ @Test
+ public void testGetSignature() {
+ try {
+ System.err.println("Testing: " + authHeader);
+ OzoneConfiguration configuration = new OzoneConfiguration();
+ configuration.set(OMConfigKeys.OZONE_OM_SERVICE_IDS_KEY, "ozone1");
+ configuration.set(OMConfigKeys.OZONE_OM_ADDRESS_KEY, "ozone1addr:9399");
+ producer.setOzoneConfiguration(configuration);
+ producer.getSignature();
+ if ("".equals(authHeader)) {
+ fail("Empty AuthHeader must fail");
+ }
+ } catch (WebApplicationException ex) {
+ if (authHeader == null || authHeader.equals("")) {
+ // Empty auth header should be 403
+ Assert.assertEquals(HTTP_FORBIDDEN, ex.getResponse().getStatus());
+ // TODO: Should return XML in body like this (bot not for now):
+ //
+ // AccessDeniedAccess Denied
+ // ......
+ //
+ } else {
+ // Other requests have stale timestamp and thus should fail
+ Assert.assertEquals(HTTP_BAD_REQUEST, ex.getResponse().getStatus());
+ }
+ } catch (Exception ex) {
+ fail("Unexpected exception: " + ex);
+ }
+ }
+
 @Test
 public void testGetClientFailureWithMultipleServiceIds() {
 try {
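Review bot: The try body of `testGetSignature` calls `fail` only when `authHeader` is `""`, so for a `null` header and for the stale-timestamp headers the test passes without asserting anything if `getSignature()` returns normally. The catch block already expects 403 for `null` and 400 for the rest, which suggests every parameterized case is meant to be rejected; if so, replace the conditional with an unconditional `fail("getSignature() must reject header: " + authHeader);` right after the call, so that accidentally accepting an unauthenticated request breaks the build. The `System.err.println("Testing: " + authHeader);` line can be dropped, and the TODO has a typo (`bot` for `but`).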