Skip to content

HDDS-14898. [STS] Fix Latent S3 API Issue having No Acl Check for ListParts#9976

Draft
fmorg-git wants to merge 10 commits intoapache:HDDS-13323-stsfrom
fmorg-git:HDDS-14898
Draft

HDDS-14898. [STS] Fix Latent S3 API Issue having No Acl Check for ListParts#9976
fmorg-git wants to merge 10 commits intoapache:HDDS-13323-stsfrom
fmorg-git:HDDS-14898

Conversation

@fmorg-git
Copy link
Contributor

@fmorg-git fmorg-git commented Mar 25, 2026
edited
Loading

Please describe your PR in detail:

  • Currently, there are no acl checks in the S3 ListParts implementation. This affects STS because, for example, if a token is scoped to have only PutObject access, the token can also call ListParts because there are no acl checks. This ticket adds the acl checks for STS requests because it is unclear how many users would be affected if acl checks were added to the base S3 apis.
  • This PR depends on HDDS-14894. [STS] Fix Latent S3 API Issue having No Acl Check for ListMultipartUploads #9971

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-14898

How was this patch tested?

unit tests, smoke tests

Fabian Morgan added 10 commits March 13, 2026 09:49
support passing original listPrefix on root listing so STS can author…
5b443c2 
…ize against it

Conflicts:
	hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmKeyArgs.java
authorize against LIST instead of READ for STS requests
a91adf8 
Conflicts:
	hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/TestOMMetadataReader.java
validate LIST permission on the key for ListBucket action instead of …
ae3d3d0 
…READ.
ignore wildcards in Condition for StringEquals operator
14437c3
filter out non-ListBucket actions where Conditions are present
a95980c
expose expiredToken error
efe87cb
better handling for PayloadTooLarge and small perf fix
aca2489
fix latent S3 API issue when ListBuckets missing a required permission
bfa4996
add acl checks to ListMultipartUploads for sts
13c2f2f
add acl checks to ListParts for sts
aa09066
@fmorg-git fmorg-git marked this pull request as draft March 25, 2026 19:02
@fmorg-git fmorg-git mentioned this pull request Mar 25, 2026
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@fmorg-git