Conversation

@fmorg-git
Contributor

Please describe your PR in detail:

  • Connect S3 Gateway STS Endpoint to Backend OzoneManager Processing
  • Add configuration flag check in OzoneManager so STS assume role call is disallowed if configuration flag is not true. Also ensure non-native authorizer is being used as well.
  • A future PR will move duplicate constants and STS validation methods from the endpoint and backend OzoneManager to a shared location.

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-14150

How was this patch tested?

unit tests and smoke testing

@fmorg-git fmorg-git changed the base branch from master to HDDS-13323-sts January 21, 2026 04:35
@ChenSammi ChenSammi added the sts Changes for Ozone's S3 Security Token Service label Jan 21, 2026
}

@Test
public void testAssumeRoleRejectedWhenStsEnabledAndNativeAuthorizerNotUsed() {
Contributor

testAssumeRoleRejectedWhenStsEnabledAndNativeAuthorizerNotUsed ->

testAssumeRoleAllowedWhenStsEnabledAndNativeAuthorizerNotUsed

Contributor Author

updated 21381a9

if (queryParams == null) {
return null;
}
final String stsQueryParam = queryParams.getFirst("X-Amz-Security-Token");
Contributor

Since "X-Amz-Security-Token" is case insensitive, it's better to loop over the queryParams and use compareToIgnoreCase to compare the parameter name.

Contributor Author

updated 21381a9

Random random = new Random();
for (int i = 0; i < length; i++) {
sb.append(chars.charAt(random.nextInt(chars.length())));
final String requestId = UUID.randomUUID().toString();
Contributor

Shall we return the requestId from OM, and add the requestId in assumeRole audit log?

.build();
}

final AssumeRoleResponseInfo responseInfo = getClient()
Contributor

It's better we catch the exception from assumeRole() and generateAssumeRoleResponse(), wrap it as OS3Exception to return.

Contributor

It looks like audit log is not supported in S3AssumeRoleRequest currently.

Contributor

I believe in case of signature mismatch, we should catch OMException too

Contributor Author (@fmorg-git, Jan 27, 2026)

updated - per internal communication, I identified that the endpoint was returning plain text instead of XML, so I revamped the error handling to use a new OSTSException that conforms to AWS XML structure. It distinguishes between signature mismatch and access denied similar to AWS bdb33a4

Contributor Author

> It looks like audit log is not supported in S3AssumeRoleRequest currently.

updated - per internal communication, I mentioned with @len548 that I'll add the audit log here 85c38d0

final String accountId = parts[4];
final String resource = parts[5]; // role/<name>

if (accountId == null || accountId.isEmpty() || resource == null || !resource.startsWith("role/") ||
Contributor

You can leverage Strings.isNullOrEmpty() for the string null/empty check. Strings.isNullOrEmpty is widely used in Ozone.

Contributor Author

updated 21381a9
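
The two review points in the threads above (a case-insensitive lookup of the X-Amz-Security-Token query parameter, and a null/empty-safe role-ARN check), as an added Java example that is not code from this PR or from Ozone. The class name `StsParamChecks`, a plain `Map<String, List<String>>` standing in for the JAX-RS query-parameter map, `equalsIgnoreCase` in place of `compareToIgnoreCase`, and a local `isNullOrEmpty` in place of Guava's `Strings.isNullOrEmpty` are all assumptions made for this example.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Added example, not Ozone project code: case-insensitive lookup of the
// X-Amz-Security-Token query parameter and a strict role-ARN check.
// Strings.isNullOrEmpty (Guava) is replaced by a local helper to stay dependency-free.
public final class StsParamChecks {
  private static final String SECURITY_TOKEN_PARAM = "X-Amz-Security-Token";

  private static boolean isNullOrEmpty(String s) {
    return s == null || s.isEmpty();
  }

  /** First value whose parameter name matches ignoring case, or empty. */
  public static Optional<String> findSecurityToken(Map<String, List<String>> queryParams) {
    if (queryParams == null) {
      return Optional.empty();
    }
    for (Map.Entry<String, List<String>> e : queryParams.entrySet()) {
      if (e.getKey() != null && e.getKey().equalsIgnoreCase(SECURITY_TOKEN_PARAM)
          && e.getValue() != null && !e.getValue().isEmpty()) {
        return Optional.ofNullable(e.getValue().get(0));
      }
    }
    return Optional.empty();
  }

  /** Role name from arn:<partition>:iam::<account>:role/<name>, or empty if malformed. */
  public static Optional<String> parseRoleName(String roleArn) {
    if (isNullOrEmpty(roleArn)) {
      return Optional.empty();
    }
    String[] parts = roleArn.split(":", -1); // -1 keeps the empty region field
    if (parts.length != 6 || !"arn".equals(parts[0]) || !"iam".equals(parts[2])) {
      return Optional.empty();
    }
    String accountId = parts[4];
    String resource = parts[5]; // role/<name>
    if (isNullOrEmpty(accountId) || !resource.startsWith("role/")) {
      return Optional.empty();
    }
    String roleName = resource.substring("role/".length());
    return isNullOrEmpty(roleName) ? Optional.empty() : Optional.of(roleName);
  }

  public static void main(String[] args) {
    // Constructed sample input; the token value is a placeholder, not a real credential.
    Map<String, List<String>> params = Map.of("x-amz-security-token", List.of("EXAMPLE-TOKEN"));
    System.out.println(findSecurityToken(params).orElse("<none>"));
    System.out.println(parseRoleName("arn:aws:iam::123456789012:role/s3reader").orElse("<invalid>"));
    System.out.println(parseRoleName("arn:aws:iam::123456789012:user/bob").orElse("<invalid>"));
  }
}
```

The ARN check rejects any value whose account field is empty or whose resource is not a `role/` resource, so a `user/` ARN or a truncated ARN never reaches the assume-role path.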

@len548
Contributor

len548 commented Jan 26, 2026

I think we can remove all the appearance of OS3Exception in S3STSEndpoint class. While developing in the previous PR, I added them to handle errors in endpoint. Later I replaced the way to handle errors with XML format instead of OS3Exception and I forgot to remove them. Can you remove them please?

@fmorg-git
Contributor Author

> I think we can remove all the appearance of OS3Exception in S3STSEndpoint class. While developing in the previous PR, I added them to handle errors in endpoint. Later I replaced the way to handle errors with XML format instead of OS3Exception and I forgot to remove them. Can you remove them please?

Per internal communication, I noticed recently the endpoint was returning plain text for errors when it should have been returning XML. The OS3Exception has an error XML format, but testing against AWS STS shows the error response XML structure for STS errors is slightly different than for S3 errors, so I revamped the error handling in this commit bdb33a4

@fmorg-git
Contributor Author

This PR is getting a little big and unwieldy - I will close this and break it up into multiple PRs.

  1. Just connect the endpoint and Ozone manager and a few small PR comment updates (i.e. ce3e85c and 21381a9)
  2. Revamp the error handling in the endpoint to conform to the AWS XML (i.e. bdb33a4)
  3. Add audit log to S3G and OM and correlate requestID between them (i.e. 85c38d0 and future work to correlate requestID)
