fmorg-git · fmorg-git · Oct 28, 2025 · Oct 28, 2025
diff --git a/...op-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/AssumeRoleRequest.java b/...op-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/AssumeRoleRequest.java
@@ -0,0 +1,95 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.security.acl;
+
+import java.net.InetAddress;
+import java.util.AbstractMap;
+import java.util.Objects;
+import java.util.Set;
+import net.jcip.annotations.Immutable;
+import org.apache.hadoop.ozone.security.acl.iam.IamSessionPolicyResolver;
+import org.apache.hadoop.security.UserGroupInformation;
+
+/**
+ * Represents an S3 AssumeRole request that needs to be authorized by an IAccessAuthorizer.
+ * The grants parameter can be obtained via a call to
+ * {@link IamSessionPolicyResolver#resolve(String, String, IamSessionPolicyResolver.AuthorizerType)},
+ * or it can be null if the access must not be limited beyond the role.
+ */
+@Immutable
+public class AssumeRoleRequest {
+  private final String host;
+  private final InetAddress ip;
+  private final UserGroupInformation clientUgi;
+  private final String targetRoleName;
+  private final Set<AbstractMap.SimpleImmutableEntry<Set<IOzoneObj>, Set<IAccessAuthorizer.ACLType>>> grants;
+
+  public AssumeRoleRequest(
+      String host,
+      InetAddress ip,
+      UserGroupInformation clientUgi,
+      String targetRoleName,
+      Set<AbstractMap.SimpleImmutableEntry<Set<IOzoneObj>, Set<IAccessAuthorizer.ACLType>>> grants
+  ) {
+
+    this.host = host;
+    this.ip = ip;
+    this.clientUgi = clientUgi;
+    this.targetRoleName = targetRoleName;
+    this.grants = grants;
+  }
+
+  public String getHost() {
+    return host;
+  }
+
+  public InetAddress getIp() {
+    return ip;
+  }
+
+  public UserGroupInformation getClientUgi() {
+    return clientUgi;
+  }
+
+  public String getTargetRoleName() {
+    return targetRoleName;
+  }
+
+  public Set<AbstractMap.SimpleImmutableEntry<Set<IOzoneObj>, Set<IAccessAuthorizer.ACLType>>> getGrants() {
+    return grants;
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (o == null || getClass() != o.getClass()) {
+      return false;
+    }
+
+    final AssumeRoleRequest that = (AssumeRoleRequest) o;
+    return Objects.equals(host, that.host) &&
+        Objects.equals(ip, that.ip) &&
+        Objects.equals(clientUgi, that.clientUgi) &&
+        Objects.equals(targetRoleName, that.targetRoleName) &&
+        Objects.equals(grants, that.grants);
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hash(host, ip, clientUgi, targetRoleName, grants);
+  }
+}
diff --git a/...op-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/IAccessAuthorizer.java b/...op-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/IAccessAuthorizer.java
@@ -48,6 +48,25 @@ public interface IAccessAuthorizer {
   boolean checkAccess(IOzoneObj ozoneObject, RequestContext context)
       throws OMException;
 
+  /**
+   * Attempts to authorize an STS AssumeRole request. If authorized, returns a String
+   * representation of the authorized session policy. This return value must be supplied on the subsequent
+   * {@link IAccessAuthorizer#checkAccess(IOzoneObj, RequestContext)} call, using the
+   * {@link RequestContext.Builder#setSessionPolicy(String)} parameter, and the authorizer will
+   * use the Role permissions and the session policy permissions to determine if
+   * the attempted action should be allowed for the given STS token.
+   * <p>
+   * The user making this call must have the {@link ACLType#GEN_ACCESS_TOKEN} permission.
+   *
+   * @param assumeRoleRequest   the AssumeRole request containing role and optional limited scope policy grants
+   * @return                    a String representing the permissions granted according to the authorizer.
+   * @throws OMException        if the caller is not authorized, either for the role and/or policy or for the
+   *                            {@link ACLType#GEN_ACCESS_TOKEN} permission
+   */
+  default String generateAssumeRoleSessionPolicy(AssumeRoleRequest assumeRoleRequest) throws OMException {
+    return null;
+  }
+
   /**
    * @return true for Ozone-native authorizer
    */
@@ -67,7 +86,9 @@ enum ACLType {
     READ_ACL,
     WRITE_ACL,
     ALL,
-    NONE;
+    NONE,
+    GEN_ACCESS_TOKEN;   // ability to create STS tokens
+
     private static int length = ACLType.values().length;
     static {
       if (length > 16) {

diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/RequestContext.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/RequestContext.java
@@ -43,20 +43,41 @@ public class RequestContext {
    */
   private final boolean recursiveAccessCheck;
 
+  /**
+   * Represents optional session policy JSON for Ranger to use when authorizing
+   * an STS token.  This value would have come as a result of a previous
+   * {@link IAccessAuthorizer#generateAssumeRoleSessionPolicy(AssumeRoleRequest)} call.
+   */
+  private final String sessionPolicy;
+
   @SuppressWarnings("parameternumber")
   public RequestContext(String host, InetAddress ip,
       UserGroupInformation clientUgi, String serviceId,
       ACLIdentityType aclType, ACLType aclRights,
       String ownerName) {
     this(host, ip, clientUgi, serviceId, aclType, aclRights, ownerName,
-            false);
+        false, null);
   }
 
   @SuppressWarnings("parameternumber")
   public RequestContext(String host, InetAddress ip,
       UserGroupInformation clientUgi, String serviceId,
       ACLIdentityType aclType, ACLType aclRights,
       String ownerName, boolean recursiveAccessCheck) {
+    this(host, ip, clientUgi, serviceId, aclType, aclRights, ownerName,
+        recursiveAccessCheck, null);
+  }
+
+  @SuppressWarnings("parameternumber")
+  public RequestContext(String host,
+                        InetAddress ip,
+                        UserGroupInformation clientUgi,
+                        String serviceId,
+                        ACLIdentityType aclType,
+                        ACLType aclRights,
+                        String ownerName,
+                        boolean recursiveAccessCheck,
+                        String sessionPolicy) {
     this.host = host;
     this.ip = ip;
     this.clientUgi = clientUgi;
@@ -65,6 +86,7 @@ public RequestContext(String host, InetAddress ip,
     this.aclRights = aclRights;
     this.ownerName = ownerName;
     this.recursiveAccessCheck = recursiveAccessCheck;
+    this.sessionPolicy = sessionPolicy;
   }
 
   /**
@@ -85,6 +107,7 @@ public static class Builder {
     private String ownerName;
 
     private boolean recursiveAccessCheck;
+    private String sessionPolicy;
 
     public Builder setHost(String bHost) {
       this.host = bHost;
@@ -130,9 +153,14 @@ public Builder setRecursiveAccessCheck(boolean recursiveAccessCheckFlag) {
       return this;
     }
 
+    public Builder setSessionPolicy(String sessionPolicy) {
+      this.sessionPolicy = sessionPolicy;
+      return this;
+    }
+
     public RequestContext build() {
       return new RequestContext(host, ip, clientUgi, serviceId, aclType,
-          aclRights, ownerName, recursiveAccessCheck);
+          aclRights, ownerName, recursiveAccessCheck, sessionPolicy);
     }
   }
 
@@ -144,21 +172,31 @@ public static RequestContext.Builder getBuilder(
       UserGroupInformation ugi, InetAddress remoteAddress, String hostName,
       ACLType aclType, String ownerName) {
     return getBuilder(ugi, remoteAddress, hostName, aclType, ownerName,
-            false);
+        false);
   }
 
   public static RequestContext.Builder getBuilder(
       UserGroupInformation ugi, InetAddress remoteAddress, String hostName,
       ACLType aclType, String ownerName, boolean recursiveAccessCheck) {
-    RequestContext.Builder contextBuilder = RequestContext.newBuilder()
+    return getBuilder(ugi, remoteAddress, hostName, aclType, ownerName, recursiveAccessCheck, null);
+  }
+
+  public static RequestContext.Builder getBuilder(UserGroupInformation ugi,
+                                                  InetAddress remoteAddress,
+                                                  String hostName,
+                                                  ACLType aclType,
+                                                  String ownerName,
+                                                  boolean recursiveAccessCheck,
+                                                  String sessionPolicy) {
+    return RequestContext.newBuilder()
         .setClientUgi(ugi)
         .setIp(remoteAddress)
         .setHost(hostName)
         .setAclType(ACLIdentityType.USER)
         .setAclRights(aclType)
         .setOwnerName(ownerName)
-        .setRecursiveAccessCheck(recursiveAccessCheck);
-    return contextBuilder;
+        .setRecursiveAccessCheck(recursiveAccessCheck)
+        .setSessionPolicy(sessionPolicy);
   }
 
   public static RequestContext.Builder getBuilder(UserGroupInformation ugi,
@@ -206,4 +244,8 @@ public String getOwnerName() {
   public boolean isRecursiveAccessCheck() {
     return recursiveAccessCheck;
   }
+
+  public String getSessionPolicy() {
+    return sessionPolicy;
+  }
 }
diff --git a/...zone/common/src/test/java/org/apache/hadoop/ozone/security/acl/TestAssumeRoleRequest.java b/...zone/common/src/test/java/org/apache/hadoop/ozone/security/acl/TestAssumeRoleRequest.java
@@ -0,0 +1,70 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.security.acl;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertSame;
+
+import java.util.Collections;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.junit.jupiter.api.Test;
+
+/**
+ * Tests for {@link AssumeRoleRequest}.
+ */
+public class TestAssumeRoleRequest {
+
+  @Test
+  public void testConstructorAndGetters() {
+    final UserGroupInformation ugi = UserGroupInformation.createRemoteUser("om");
+
+    final AssumeRoleRequest assumeRoleRequest1 = new AssumeRoleRequest("host",
+        null,
+        ugi,
+        "roleA",
+        Collections.emptySet()
+    );
+    final AssumeRoleRequest assumeRoleRequest2 = new AssumeRoleRequest("host",
+        null,
+        ugi,
+        "roleA",
+        Collections.emptySet()
+    );
+
+    assertEquals("host", assumeRoleRequest1.getHost());
+    assertNull(assumeRoleRequest1.getIp());
+    assertSame(ugi, assumeRoleRequest1.getClientUgi());
+    assertEquals("roleA", assumeRoleRequest1.getTargetRoleName());
+    assertEquals(Collections.emptySet(), assumeRoleRequest1.getGrants());
+
+    assertEquals(assumeRoleRequest1, assumeRoleRequest2);
+    assertEquals(assumeRoleRequest1.hashCode(), assumeRoleRequest2.hashCode());
+
+    final AssumeRoleRequest assumeRoleRequest3 = new AssumeRoleRequest("host",
+        null,
+        ugi,
+        "roleB",
+        null
+    );
+    assertNotEquals(assumeRoleRequest1, assumeRoleRequest3);
+  }
+}
+
+