HDDS-4763. Owner field of S3AUTHINFO type delegation token should be validated #1871
Conversation
| throw new InvalidToken( | ||
| "Owner is missing from the S3 auth token"); | ||
| } | ||
| if (!identifier.getOwner().toString().equals(identifier.getAwsAccessId())) { |
There was a problem hiding this comment.
Thanks @elek for working on this. I have one question about the awsaccessId from identifier or owner, they can all be modified by the attacker as well. What we need to check is compare awsaccessId from the identifier.stringtosign using s3 signatureparser (after verify the secret) with the one from the owner/awsid from the identifier.
There was a problem hiding this comment.
awsaccessId is used as a primary key to find the stored secret in the rockdb. If you use any wrong accessId the signature validation will be failed. If the string2sign contains reference to a different accessId, the validation will be failed as the signature won't be matched.
(At least this is my understanding, but let me know if I missed something...)
There was a problem hiding this comment.
Make sense to me. I further check the hadoop rpc code and the UGI of token user is taken from the owner field of the identifier. Because S3 token identifier is not protected with a token signature like Hadoop delegation token, the proposed check of owner against awsaccessid is the right fix.
…validated (apache#1871) Change-Id: I6085e579dec1a43471411f7ccd735e5a03bc93bd
What changes were proposed in this pull request?
Adding a check for S3AUTH token validation.
Please see the jira for the motivation.
What is the link to the Apache JIRA
https://issues.apache.org/jira/browse/HDDS-4763
How was this patch tested?
Test method is explained in the Jira (with the code to test it).