Can any user retrieve the s3 secret of another user before him ?

[azro352]

Hi

I was reading some parts of the code and found an undocumented endpoint PUT /secret/{username} that allows to retrieve a specific user credentials

As I don't see any validation or else, does that mean that a any user A can ask for the credentials of a user B, and

• if user B never asked for his credentials, the A get them, and B won't be able to retrieve, he'd need to revoke and generate
• if user B already asked for his credentials, then A gets an error ?

Does that means that this endpoint shouldn't be directly accessible by users ? Like endpoint DELETE /secret/{username}, if you can revoke another user credential, that could cause trouble

Thanks

[kerneltime]

@azro352 you can find more details for the change here https://issues.apache.org/jira/browse/HDDS-8050
This is protected by kerberos and is a way for users to get their own S3 credentials.
Did you encounter a problem with this feature?
The relevant tests/sample usage
hadoop-ozone/dist/src/main/smoketest/s3/secretgenerate.robot
and
hadoop-ozone/dist/src/main/smoketest/s3/secretrevoke.robot

[kerneltime]

An administrator can invalidate or delete credentials. A random user cannot step on another user.

[kerneltime]

If you would like feel free to contribute a robot test for the scenarios you have in mind.

[azro352]

I don't see any mention of admin in the 2 links you gave, neither the test nor the documentation

Also I don't see any difference of validation between

• PUT /secret each user retrieve its secret
• PUT /secret/<username> rerieve secret of other user

[ChenSammi]

The ozone administrator or same user validation is checked at server side(OM), not client side(s3 gateway)
https://github.com/apache/ozone/blob/master/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3SecretRequestHelper.java#L68

[errose28]

@ChenSammi is correct, validation is present within the OM, not on the S3 gateway. I'm currently closing this discussion since security should be discussed on [email protected] per this repository (and the ASF's) security policy.