updates per design change

Author: Fabian Morgan

hadoop-ozone/interface-client/src/main/proto/OmClientProtocol.proto

@@ -2397,11 +2397,11 @@ message RevokeSTSTokenResponse {
 }
 
 /**
- This will contain a list of revoked STS temporary access key IDs whose entries should be removed from
+ This will contain a list of revoked STS session tokens whose entries should be removed from
  the s3RevokedStsTokenTable.
 */
 message CleanupRevokedSTSTokensRequest {
-  repeated string accessKeyId = 1;
+  repeated string sessionToken = 1;
 }
 
 message CleanupRevokedSTSTokensResponse {

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3CleanupRevokedSTSTokensRequest.java

@@ -43,8 +43,8 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut
     final CleanupRevokedSTSTokensRequest request = getOmRequest().getCleanupRevokedSTSTokensRequest();
     final OMResponse.Builder omResponse = OmResponseUtil.getOMResponseBuilder(getOmRequest());
 
-    final List<String> accessKeyIds = request.getAccessKeyIdList();
-    return new S3CleanupRevokedSTSTokensResponse(accessKeyIds, omResponse.build());
+    final List<String> sessionTokens = request.getSessionTokenList();
+    return new S3CleanupRevokedSTSTokensResponse(sessionTokens, omResponse.build());
   }
 }
 

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/s3/security/S3CleanupRevokedSTSTokensResponse.java

@@ -36,16 +36,16 @@
 @CleanupTableInfo(cleanupTables = {S3_REVOKED_STS_TOKEN_TABLE})
 public class S3CleanupRevokedSTSTokensResponse extends OMClientResponse {
 
-  private final List<String> accessKeyIds;
+  private final List<String> sessionTokens;
 
-  public S3CleanupRevokedSTSTokensResponse(List<String> accessKeyIds, @Nonnull OMResponse omResponse) {
+  public S3CleanupRevokedSTSTokensResponse(List<String> sessionTokens, @Nonnull OMResponse omResponse) {
     super(omResponse);
-    this.accessKeyIds = accessKeyIds;
+    this.sessionTokens = sessionTokens;
   }
 
   @Override
   public void addToDBBatch(OMMetadataManager omMetadataManager, BatchOperation batchOperation) throws IOException {
-    if (accessKeyIds == null || accessKeyIds.isEmpty()) {
+    if (sessionTokens == null || sessionTokens.isEmpty()) {
       return;
     }
     if (!getOMResponse().hasStatus() || getOMResponse().getStatus() != OK) {
@@ -57,8 +57,8 @@ public void addToDBBatch(OMMetadataManager omMetadataManager, BatchOperation bat
       return;
     }
 
-    for (String accessKeyId : accessKeyIds) {
-      table.deleteWithBatch(batchOperation, accessKeyId);
+    for (String sessionToken : sessionTokens) {
+      table.deleteWithBatch(batchOperation, sessionToken);
     }
   }
 }

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/service/RevokedSTSTokenCleanupService.java

@@ -47,7 +47,7 @@
 
 /**
  * Background service that periodically scans the revoked STS token table and submits OM requests to
- * remove entries whose session token has expired.
+ * remove entries have been present past the cleanup threshold.
  */
 public class RevokedSTSTokenCleanupService extends BackgroundService {
   private static final Logger LOG = LoggerFactory.getLogger(RevokedSTSTokenCleanupService.class);
@@ -127,19 +127,19 @@ public BackgroundTaskResult call() throws Exception {
       final Table<String, Long> revokedStsTokenTable = metadataManager.getS3RevokedStsTokenTable();
 
       // Collect entries that have existed for over 12 hours during the scan
-      final List<String> accessKeyIdsToCleanup = new ArrayList<>();
+      final List<String> sessionTokensToCleanup = new ArrayList<>();
 
       // Iterate over all entries in the revoked STS token table and remove
       // those whose initialCreationTimeMillis is more than 12 hours
       try (Table.KeyValueIterator<String, Long> iterator = revokedStsTokenTable.iterator()) {
         iterator.seekToFirst();
         while (iterator.hasNext()) {
           final Table.KeyValue<String, Long> entry = iterator.next();
-          final String accessKeyId = entry.getKey();
+          final String sessionToken = entry.getKey();
           final Long initialCreationTimeMillis = entry.getValue();
 
           if (shouldCleanup(initialCreationTimeMillis)) {
-            accessKeyIdsToCleanup.add(accessKeyId);
+            sessionTokensToCleanup.add(sessionToken);
           }
         }
       } catch (IOException e) {
@@ -149,11 +149,11 @@ public BackgroundTaskResult call() throws Exception {
       }
 
       final long deletedInRun;
-      if (!accessKeyIdsToCleanup.isEmpty()) {
-        LOG.info("Found {} revoked STS token entries to clean up.", accessKeyIdsToCleanup.size());
-        final boolean success = submitCleanupRequest(accessKeyIdsToCleanup);
+      if (!sessionTokensToCleanup.isEmpty()) {
+        LOG.info("Found {} revoked STS token entries to clean up.", sessionTokensToCleanup.size());
+        final boolean success = submitCleanupRequest(sessionTokensToCleanup);
         if (success) {
-          deletedInRun = accessKeyIdsToCleanup.size();
+          deletedInRun = sessionTokensToCleanup.size();
         } else {
           deletedInRun = 0;
           LOG.warn(
@@ -178,7 +178,7 @@ public BackgroundTaskResult call() throws Exception {
     }
 
     /**
-     * Returns true if the given STS session token has expired.
+     * Returns true if the given STS session token has been in the table past the cleanup threshold.
      */
     private boolean shouldCleanup(long initialCreationTimeMillis) {
       final long now = CLOCK.millis();
@@ -197,9 +197,9 @@ private boolean shouldCleanup(long initialCreationTimeMillis) {
     /**
      * Builds and submits an OMRequest to delete the provided revoked STS token(s).
      */
-    private boolean submitCleanupRequest(List<String> expiredAccessKeyIds) {
+    private boolean submitCleanupRequest(List<String> sessionTokens) {
       final CleanupRevokedSTSTokensRequest request = CleanupRevokedSTSTokensRequest.newBuilder()
-          .addAllAccessKeyId(expiredAccessKeyIds)
+          .addAllSessionToken(sessionTokens)
           .build();
 
       final OMRequest omRequest = OMRequest.newBuilder()

hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/service/TestRevokedSTSTokenCleanupService.java

@@ -66,13 +66,13 @@ public void setUp() {
 
   @Test
   public void submitsCleanupRequestForOnlyExpiredTokens() throws Exception {
-    // If there are two revoked entries, one expired and one not expired, only the expired access key id should be
+    // If there are two revoked entries, one expired and one not expired, only the expired session token should be
     // submitted for cleanup.
     final long nowMillis = testClock.millis();
     final long expiredCreationTimeMillis = nowMillis - TimeUnit.HOURS.toMillis(13); // older than 12h threshold
     final long validCreationTimeMillis = nowMillis - TimeUnit.HOURS.toMillis(1);
-    revokedStsTokenTable.put("ASIA1234567890", expiredCreationTimeMillis);
-    revokedStsTokenTable.put("ASIA4567890123", validCreationTimeMillis);
+    revokedStsTokenTable.put("session-token-a", expiredCreationTimeMillis);
+    revokedStsTokenTable.put("session-token-b", validCreationTimeMillis);
 
     final AtomicReference<OMRequest> capturedRequest = new AtomicReference<>();
 
@@ -91,7 +91,7 @@ public void submitsCleanupRequestForOnlyExpiredTokens() throws Exception {
 
       final CleanupRevokedSTSTokensRequest cleanupRevokedSTSTokensRequest =
           omRequest.getCleanupRevokedSTSTokensRequest();
-      assertThat(cleanupRevokedSTSTokensRequest.getAccessKeyIdList()).containsExactly("ASIA1234567890");
+      assertThat(cleanupRevokedSTSTokensRequest.getSessionTokenList()).containsExactly("session-token-a");
     }
   }
 
@@ -100,8 +100,8 @@ public void doesNotSubmitRequestWhenThereAreNoExpiredTokens() throws Exception {
     // If only non-expired entries exist in the revoked sts token table, no cleanup request should be submitted and
     // no metrics should be updated.
     final long nowMillis = testClock.millis();
-    revokedStsTokenTable.put("ASIA1234567890", nowMillis - TimeUnit.HOURS.toMillis(1));
-    revokedStsTokenTable.put("ASIA0123456789", nowMillis - TimeUnit.HOURS.toMillis(2));
+    revokedStsTokenTable.put("session-token-c", nowMillis - TimeUnit.HOURS.toMillis(1));
+    revokedStsTokenTable.put("session-token-d", nowMillis - TimeUnit.HOURS.toMillis(2));
 
     final AtomicReference<OMRequest> capturedRequest = new AtomicReference<>();
 
@@ -140,8 +140,8 @@ public void doesNotUpdateMetricsOnRatisSubmissionServiceExceptionFailure() throw
     // If there are expired tokens in the table but the OM request submission to clean up the entries fails with a
     // service exception, the metrics should not be updated
     final long nowMillis = testClock.millis();
-    revokedStsTokenTable.put("ASIA1234567890", nowMillis - TimeUnit.HOURS.toMillis(13));
-    revokedStsTokenTable.put("ASIA0987654321", nowMillis - TimeUnit.HOURS.toMillis(14));
+    revokedStsTokenTable.put("session-token-e", nowMillis - TimeUnit.HOURS.toMillis(13));
+    revokedStsTokenTable.put("session-token-f", nowMillis - TimeUnit.HOURS.toMillis(14));
 
     final AtomicInteger submitAttempts = new AtomicInteger(0);
 
@@ -163,7 +163,7 @@ public void doesNotUpdateMetricsOnNonSuccessfulResponse() throws Exception {
     // If there is an expired token in the table but the OM request submission to clean up the entries gets a
     // non-successful response, the metrics should not be updated
     final long nowMillis = testClock.millis();
-    revokedStsTokenTable.put("ASIA1234567890", nowMillis - TimeUnit.HOURS.toMillis(20));
+    revokedStsTokenTable.put("session-token-f", nowMillis - TimeUnit.HOURS.toMillis(20));
 
     try (MockedStatic<OzoneManagerRatisUtils> ozoneManagerRatisUtilsMock = mockStatic(OzoneManagerRatisUtils.class)) {
       // Return a non-successful response
@@ -181,9 +181,9 @@ public void doesNotUpdateMetricsOnNonSuccessfulResponse() throws Exception {
   public void handlesAllExpiredTokens() throws Exception {
     // If all the tokens in the table are expired on a particular run, ensure the metrics are updated appropriately
     final long nowMillis = testClock.millis();
-    revokedStsTokenTable.put("ASIA1234567890", nowMillis - TimeUnit.HOURS.toMillis(13));
-    revokedStsTokenTable.put("ASIA0123456789", nowMillis - TimeUnit.HOURS.toMillis(14));
-    revokedStsTokenTable.put("ASIA9876543210", nowMillis - TimeUnit.HOURS.toMillis(15));
+    revokedStsTokenTable.put("session-token-g", nowMillis - TimeUnit.HOURS.toMillis(13));
+    revokedStsTokenTable.put("session-token-h", nowMillis - TimeUnit.HOURS.toMillis(14));
+    revokedStsTokenTable.put("session-token-i", nowMillis - TimeUnit.HOURS.toMillis(15));
 
     final AtomicReference<OMRequest> capturedRequest = new AtomicReference<>();
 
@@ -202,8 +202,8 @@ public void handlesAllExpiredTokens() throws Exception {
 
       final CleanupRevokedSTSTokensRequest cleanupRevokedSTSTokensRequest =
           omRequest.getCleanupRevokedSTSTokensRequest();
-      assertThat(cleanupRevokedSTSTokensRequest.getAccessKeyIdList())
-          .containsExactlyInAnyOrder("ASIA1234567890", "ASIA0123456789", "ASIA9876543210");
+      assertThat(cleanupRevokedSTSTokensRequest.getSessionTokenList())
+          .containsExactlyInAnyOrder("session-token-g", "session-token-h", "session-token-i");
     }
   }