HDDS-14420. [STS] Add audit logging to endpoint and OzoneManager for STS

hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/ObjectStore.java

@@ -758,12 +758,13 @@ public Iterator<OzoneSnapshotDiff> listSnapshotDiffJobs(
    * @param roleSessionName         The session name (should be unique) for this operation
    * @param durationSeconds         The duration in seconds for the token validity
    * @param awsIamSessionPolicy     The AWS IAM JSON session policy
+   * @param requestId               The requestId from the STS endpoint
    * @return AssumeRoleResponseInfo The AssumeRole response information containing temporary credentials
    * @throws IOException            if an error occurs during the AssumeRole operation
    */
   public AssumeRoleResponseInfo assumeRole(String roleArn, String roleSessionName, int durationSeconds,
-      String awsIamSessionPolicy) throws IOException {
-    return proxy.assumeRole(roleArn, roleSessionName, durationSeconds, awsIamSessionPolicy);
+      String awsIamSessionPolicy, String requestId) throws IOException {
+    return proxy.assumeRole(roleArn, roleSessionName, durationSeconds, awsIamSessionPolicy, requestId);
   }
 
   /**

hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/protocol/ClientProtocol.java

@@ -1367,11 +1367,12 @@ void deleteObjectTagging(String volumeName, String bucketName, String keyName)
    * @param roleSessionName         The session name (should be unique) for this operation
    * @param durationSeconds         The duration in seconds for the token validity
    * @param awsIamSessionPolicy     The AWS IAM JSON session policy
+   * @param requestId               The requestId from the STS endpoint
    * @return AssumeRoleResponseInfo The AssumeRole response information containing temporary credentials
    * @throws IOException            if an error occurs during the AssumeRole operation
    */
   AssumeRoleResponseInfo assumeRole(String roleArn, String roleSessionName, int durationSeconds,
-      String awsIamSessionPolicy) throws IOException;
+      String awsIamSessionPolicy, String requestId) throws IOException;
 
   /**
    * Revokes an STS token.

hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java

@@ -2793,8 +2793,8 @@ public void deleteObjectTagging(String volumeName, String bucketName,
 
   @Override
   public AssumeRoleResponseInfo assumeRole(String roleArn, String roleSessionName, int durationSeconds,
-      String awsIamSessionPolicy) throws IOException {
-    return ozoneManagerClient.assumeRole(roleArn, roleSessionName, durationSeconds, awsIamSessionPolicy);
+      String awsIamSessionPolicy, String requestId) throws IOException {
+    return ozoneManagerClient.assumeRole(roleArn, roleSessionName, durationSeconds, awsIamSessionPolicy, requestId);
   }
 
   @Override

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/S3STSUtils.java

@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.om.helpers;
+
+import com.google.common.base.Strings;
+import java.util.Map;
+
+/**
+ * Utility class containing constants and validation methods shared by STS endpoint and OzoneManager processing.
+ */
+public final class S3STSUtils {
+
+  private S3STSUtils() {
+  }
+
+  /**
+   * Adds standard AssumeRole audit params.
+   */
+  public static void addAssumeRoleAuditParams(Map<String, String> auditParams, String roleArn, String roleSessionName,
+      String awsIamSessionPolicy, int duration, String requestId) {
+
+    auditParams.put("action", "AssumeRole");
+    auditParams.put("roleArn", roleArn);
+    auditParams.put("roleSessionName", roleSessionName);
+    auditParams.put("duration", String.valueOf(duration));
+    auditParams.put("isPolicyIncluded", Strings.isNullOrEmpty(awsIamSessionPolicy) ? "N" : "Y");
+    auditParams.put("requestId", requestId);
+  }
+}

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocol/OzoneManagerProtocol.java

@@ -1184,11 +1184,12 @@ default void deleteObjectTagging(OmKeyArgs args) throws IOException {
    * @param roleSessionName         The session name (should be unique) for this operation
    * @param durationSeconds         The duration in seconds for the token validity
    * @param awsIamSessionPolicy     The AWS IAM JSON session policy
+   * @param requestId               The requestId from the STS endpoint
    * @return AssumeRoleResponseInfo The AssumeRole response information containing temporary credentials
    * @throws IOException            if an error occurs during the AssumeRole operation
    */
   default AssumeRoleResponseInfo assumeRole(String roleArn, String roleSessionName, int durationSeconds,
-      String awsIamSessionPolicy) throws IOException {
+      String awsIamSessionPolicy, String requestId) throws IOException {
     throw new UnsupportedOperationException("OzoneManager does not require this to be implemented");
   }
 

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocolPB/OzoneManagerProtocolClientSideTranslatorPB.java

@@ -2659,13 +2659,14 @@ public void deleteObjectTagging(OmKeyArgs args) throws IOException {
 
   @Override
   public AssumeRoleResponseInfo assumeRole(String roleArn, String roleSessionName, int durationSeconds,
-      String awsIamSessionPolicy) throws IOException {
+      String awsIamSessionPolicy, String requestId) throws IOException {
     final OzoneManagerProtocolProtos.AssumeRoleRequest.Builder request =
         OzoneManagerProtocolProtos.AssumeRoleRequest.newBuilder()
             .setRoleArn(roleArn)
             .setRoleSessionName(roleSessionName)
             .setDurationSeconds(durationSeconds)
-            .setAwsIamSessionPolicy(awsIamSessionPolicy != null ? awsIamSessionPolicy : "");
+            .setAwsIamSessionPolicy(awsIamSessionPolicy != null ? awsIamSessionPolicy : "")
+            .setRequestId(requestId);
 
     final OMRequest omRequest = createOMRequest(Type.AssumeRole)
         .setAssumeRoleRequest(request)

hadoop-ozone/interface-client/src/main/proto/OmClientProtocol.proto

@@ -2379,6 +2379,7 @@ message AssumeRoleRequest {
   required string roleSessionName         = 2;
   optional int32 durationSeconds          = 3 [default = 3600];
   optional string awsIamSessionPolicy     = 4;
+  required string requestId               = 5;
 }
 
 message AssumeRoleResponse {

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/helpers/OMAuditLogger.java

@@ -95,6 +95,8 @@ private static void init() {
     CMD_AUDIT_ACTION_MAP.put(Type.GetObjectTagging, OMAction.GET_OBJECT_TAGGING);
     CMD_AUDIT_ACTION_MAP.put(Type.PutObjectTagging, OMAction.PUT_OBJECT_TAGGING);
     CMD_AUDIT_ACTION_MAP.put(Type.DeleteObjectTagging, OMAction.DELETE_OBJECT_TAGGING);
+    CMD_AUDIT_ACTION_MAP.put(Type.AssumeRole, OMAction.S3_ASSUME_ROLE);
+    CMD_AUDIT_ACTION_MAP.put(Type.RevokeSTSToken, OMAction.REVOKE_STS_TOKEN);
   }
 
   private static OMAction getAction(OzoneManagerProtocolProtos.OMRequest request) {

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3AssumeRoleRequest.java

@@ -24,19 +24,25 @@
 import java.net.InetAddress;
 import java.security.SecureRandom;
 import java.time.Clock;
+import java.util.HashMap;
+import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.hadoop.hdds.scm.client.HddsClientUtils;
 import org.apache.hadoop.ipc.ProtobufRpcEngine;
+import org.apache.hadoop.ozone.audit.AuditLogger;
+import org.apache.hadoop.ozone.audit.OMAction;
 import org.apache.hadoop.ozone.om.OzoneAclUtils;
 import org.apache.hadoop.ozone.om.OzoneManager;
 import org.apache.hadoop.ozone.om.exceptions.OMException;
 import org.apache.hadoop.ozone.om.execution.flowcontrol.ExecutionContext;
+import org.apache.hadoop.ozone.om.helpers.S3STSUtils;
 import org.apache.hadoop.ozone.om.request.OMClientRequest;
 import org.apache.hadoop.ozone.om.request.util.OmResponseUtil;
 import org.apache.hadoop.ozone.om.response.OMClientResponse;
 import org.apache.hadoop.ozone.om.response.s3.security.S3AssumeRoleResponse;
+import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos;
 import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.AssumeRoleRequest;
 import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.AssumeRoleResponse;
 import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMRequest;
@@ -89,33 +95,39 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut
     final OMRequest omRequest = getOmRequest();
     final AssumeRoleRequest assumeRoleRequest = omRequest.getAssumeRoleRequest();
     final int durationSeconds = assumeRoleRequest.getDurationSeconds();
-
-    // Validate duration
-    if (durationSeconds < MIN_TOKEN_EXPIRATION_SECONDS || durationSeconds > MAX_TOKEN_EXPIRATION_SECONDS) {
-      final OMException omException = new OMException(
-          "Duration must be between " + MIN_TOKEN_EXPIRATION_SECONDS + " and " + MAX_TOKEN_EXPIRATION_SECONDS,
-          OMException.ResultCodes.INVALID_REQUEST);
-      return new S3AssumeRoleResponse(
-          createErrorOMResponse(OmResponseUtil.getOMResponseBuilder(omRequest), omException));
-    }
-
-    // Validate role session name
     final String roleSessionName = assumeRoleRequest.getRoleSessionName();
-    final S3AssumeRoleResponse roleSessionNameErrorResponse = validateRoleSessionName(roleSessionName, omRequest);
-    if (roleSessionNameErrorResponse != null) {
-      return roleSessionNameErrorResponse;
-    }
-
     final String roleArn = assumeRoleRequest.getRoleArn();
+    final String awsIamSessionPolicy = assumeRoleRequest.getAwsIamSessionPolicy();
+    final String requestId = assumeRoleRequest.getRequestId();
+
+    final Map<String, String> auditMap = new HashMap<>();
+    // In HA environments, only the tempAccessKeyId on the leader is used by S3G, so it could be helpful to
+    // have the leader information
+    auditMap.put("omRole", ozoneManager.isLeaderReady() ? "LEADER" : "FOLLOWER");
+    final AuditLogger auditLogger = ozoneManager.getAuditLogger();
+    final OzoneManagerProtocolProtos.UserInfo userInfo = omRequest.getUserInfo();
+    S3STSUtils.addAssumeRoleAuditParams(
+        auditMap, roleArn, roleSessionName, awsIamSessionPolicy, durationSeconds, requestId);
+
+    Exception exception = null;
+    OMClientResponse omClientResponse;
     try {
+      // Validate duration
+      if (durationSeconds < MIN_TOKEN_EXPIRATION_SECONDS || durationSeconds > MAX_TOKEN_EXPIRATION_SECONDS) {
+        throw new OMException(
+            "Duration must be between " + MIN_TOKEN_EXPIRATION_SECONDS + " and " + MAX_TOKEN_EXPIRATION_SECONDS,
+            OMException.ResultCodes.INVALID_REQUEST);
+      }
+
+      // Validate role session name
+      validateRoleSessionName(roleSessionName);
+
       // Validate role ARN and extract role
       final String targetRoleName = AwsRoleArnValidator.validateAndExtractRoleNameFromArn(roleArn);
 
       if (!omRequest.hasS3Authentication()) {
-        final String msg = "S3AssumeRoleRequest does not have S3 authentication";
-        final OMException omException = new OMException(msg, OMException.ResultCodes.INVALID_REQUEST);
-        return new S3AssumeRoleResponse(
-            createErrorOMResponse(OmResponseUtil.getOMResponseBuilder(omRequest), omException));
+        throw new OMException(
+            "S3AssumeRoleRequest does not have S3 authentication", OMException.ResultCodes.INVALID_REQUEST);
       }
 
       // Generate temporary AWS credentials using cryptographically strong SecureRandom
@@ -134,46 +146,51 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut
       // Calculate expiration of session token
       final long expirationEpochSeconds = clock.instant().plusSeconds(durationSeconds).getEpochSecond();
 
+      // Add tempAccessKeyId to the log so it can be determined which permanent user created the tempAccessKeyId
+      auditMap.put("tempAccessKeyId", tempAccessKeyId);
+
       final AssumeRoleResponse.Builder responseBuilder = AssumeRoleResponse.newBuilder()
           .setAccessKeyId(tempAccessKeyId)
           .setSecretAccessKey(secretAccessKey)
           .setSessionToken(sessionToken)
           .setExpirationEpochSeconds(expirationEpochSeconds)
           .setAssumedRoleId(assumedRoleId);
 
-      return new S3AssumeRoleResponse(
+      omClientResponse = new S3AssumeRoleResponse(
           OmResponseUtil.getOMResponseBuilder(omRequest)
               .setAssumeRoleResponse(responseBuilder.build())
               .build());
     } catch (OMException e) {
-      return new S3AssumeRoleResponse(createErrorOMResponse(OmResponseUtil.getOMResponseBuilder(omRequest), e));
+      exception = e;
+      omClientResponse = new S3AssumeRoleResponse(
+          createErrorOMResponse(OmResponseUtil.getOMResponseBuilder(omRequest), e));
     } catch (IOException e) {
       final OMException omException = new OMException(
           "Failed to generate STS token for role: " + roleArn, e, OMException.ResultCodes.INTERNAL_ERROR);
-      return new S3AssumeRoleResponse(
+      exception = omException;
+      omClientResponse = new S3AssumeRoleResponse(
           createErrorOMResponse(OmResponseUtil.getOMResponseBuilder(omRequest), omException));
     }
+
+    // Audit log
+    markForAudit(auditLogger, buildAuditMessage(OMAction.S3_ASSUME_ROLE, auditMap, exception, userInfo));
+
+    return omClientResponse;
   }
 
   /**
    * Ensures RoleSessionName is valid.
    */
-  private S3AssumeRoleResponse validateRoleSessionName(String roleSessionName, OMRequest omRequest) {
+  private void validateRoleSessionName(String roleSessionName) throws OMException {
     if (StringUtils.isBlank(roleSessionName)) {
-      final OMException omException = new OMException(
-          "RoleSessionName is required", OMException.ResultCodes.INVALID_REQUEST);
-      return new S3AssumeRoleResponse(
-          createErrorOMResponse(OmResponseUtil.getOMResponseBuilder(omRequest), omException));
+      throw new OMException("RoleSessionName is required", OMException.ResultCodes.INVALID_REQUEST);
     }
     if (roleSessionName.length() < ASSUME_ROLE_SESSION_NAME_MIN_LENGTH ||
         roleSessionName.length() > ASSUME_ROLE_SESSION_NAME_MAX_LENGTH) {
-      final OMException omException = new OMException(
+      throw new OMException(
           "RoleSessionName length must be between " + ASSUME_ROLE_SESSION_NAME_MIN_LENGTH + " and " +
           ASSUME_ROLE_SESSION_NAME_MAX_LENGTH, OMException.ResultCodes.INVALID_REQUEST);
-      return new S3AssumeRoleResponse(
-          createErrorOMResponse(OmResponseUtil.getOMResponseBuilder(omRequest), omException));
     }
-    return null;
   }
 
   /**