diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java index 7390fcc18a0..542d636373f 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java @@ -472,6 +472,19 @@ public boolean verifySignature(OzoneTokenIdentifier identifier, private byte[] validateS3AuthInfo(OzoneTokenIdentifier identifier) throws InvalidToken { LOG.trace("Validating S3AuthInfo for identifier:{}", identifier); + if (identifier.getOwner() == null) { + throw new InvalidToken( + "Owner is missing from the S3 auth token"); + } + if (!identifier.getOwner().toString().equals(identifier.getAwsAccessId())) { + LOG.error( + "Owner and AWSAccessId is different in the S3 token. Possible " + + " security attack: {}", + identifier); + throw new InvalidToken( + "Invalid S3 identifier: owner=" + identifier.getOwner() + + ", awsAccessId=" + identifier.getAwsAccessId()); + } String awsSecret; try { awsSecret = s3SecretManager.getS3UserSecretString(identifier diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneDelegationTokenSecretManager.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneDelegationTokenSecretManager.java index 215497430c4..7f17e0c70ca 100644 --- a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneDelegationTokenSecretManager.java +++ b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneDelegationTokenSecretManager.java @@ -18,6 +18,16 @@ package org.apache.hadoop.ozone.security; +import java.io.File; +import java.io.IOException; +import java.security.KeyPair; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.Signature; +import java.security.cert.X509Certificate; +import java.util.HashMap; +import java.util.Map; + import org.apache.hadoop.hdds.conf.OzoneConfiguration; import org.apache.hadoop.hdds.security.x509.SecurityConfig; import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient; @@ -36,6 +46,9 @@ import org.apache.hadoop.security.token.Token; import org.apache.hadoop.test.LambdaTestUtils; import org.apache.hadoop.util.Time; + +import static org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_RATIS_ENABLE_KEY; +import static org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMTokenProto.Type.S3AUTHINFO; import org.junit.After; import org.junit.Assert; import org.junit.Before; @@ -43,19 +56,6 @@ import org.junit.Test; import org.junit.rules.TemporaryFolder; -import java.io.File; -import java.io.IOException; -import java.security.KeyPair; -import java.security.PrivateKey; -import java.security.PublicKey; -import java.security.Signature; -import java.security.cert.X509Certificate; -import java.util.HashMap; -import java.util.Map; - -import static org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_RATIS_ENABLE_KEY; -import static org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMTokenProto.Type.S3AUTHINFO; - /** * Test class for {@link OzoneDelegationTokenSecretManager}. */ @@ -342,6 +342,7 @@ public void testValidateS3AUTHINFOSuccess() throws Exception { "20190221/us-west-1/s3/aws4_request\n" + "c297c080cce4e0927779823d3fd1f5cae71481a8f7dfc7e18d91851294efc47d"); identifier.setAwsAccessId("testuser1"); + identifier.setOwner(new Text("testuser1")); secretManager.retrievePassword(identifier); } @@ -360,6 +361,7 @@ public void testValidateS3AUTHINFOFailure() throws Exception { "20190221/us-west-1/s3/aws4_request\n" + "c297c080cce4e0927779823d3fd1f5cae71481a8f7dfc7e18d91851294efc47d"); identifier.setAwsAccessId("testuser2"); + identifier.setOwner(new Text("testuser2")); // Case 1: User don't have aws secret set. LambdaTestUtils.intercept(SecretManager.InvalidToken.class, " No S3 " + "secret found for S3 identifier",