HDDS-14094. [STS] Background service to remove revoked tokens that are past expiration from DB

hadoop-hdds/common/src/main/resources/ozone-default.xml

@@ -4858,4 +4858,25 @@
     <value>5m</value>
     <description>Interval for cleaning up orphan snapshot local data versions corresponding to snapshots</description>
   </property>
+
+  <property>
+    <name>ozone.om.revoked.sts.token.cleanup.service.interval</name>
+    <value>3h</value>
+    <tag>OZONE, OM, PERFORMANCE, SECURITY</tag>
+    <description>
+      A background job that periodically checks revoked STS token entries and
+      deletes ones that have existed for 12 hours. This entry controls the interval of this
+      cleanup check. Unit could be defined with postfix (ns,ms,s,m,h,d).
+    </description>
+  </property>
+  <property>
+    <name>ozone.om.revoked.sts.token.cleanup.service.timeout</name>
+    <value>15m</value>
+    <tag>OZONE, OM, PERFORMANCE, SECURITY</tag>
+    <description>
+      A timeout value for the revoked STS token cleanup service. If this is set
+      greater than 0, the service will stop waiting for the deletion
+      completion after this time. Unit could be defined with postfix (ns,ms,s,m,h,d).
+    </description>
+  </property>
 </configuration>

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/OmUtils.java

@@ -344,6 +344,7 @@ public static boolean isReadOnly(
     case QuotaRepair:
     case PutObjectTagging:
     case DeleteObjectTagging:
+    case CleanupRevokedSTSTokens:
     case UnknownCommand:
       return false;
     case EchoRPC:

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/OMConfigKeys.java

@@ -682,6 +682,16 @@ public final class OMConfigKeys {
       "ozone.om.snapshot.local.data.manager.service.interval";
   public static final String OZONE_OM_SNAPSHOT_LOCAL_DATA_MANAGER_SERVICE_INTERVAL_DEFAULT = "5m";
 
+  public static final String OZONE_OM_REVOKED_STS_TOKEN_CLEANUP_SERVICE_INTERVAL
+      = "ozone.om.revoked.sts.token.cleanup.service.interval";
+  public static final String OZONE_OM_REVOKED_STS_TOKEN_CLEANUP_SERVICE_INTERVAL_DEFAULT
+      = "3h";
+
+  public static final String OZONE_OM_REVOKED_STS_TOKEN_CLEANUP_SERVICE_TIMEOUT
+      = "ozone.om.revoked.sts.token.cleanup.service.timeout";
+  public static final String OZONE_OM_REVOKED_STS_TOKEN_CLEANUP_SERVICE_TIMEOUT_DEFAULT
+      = "15m";
+
   /**
    * Never constructed.
    */

hadoop-ozone/interface-client/src/main/proto/OmClientProtocol.proto

@@ -158,6 +158,7 @@ enum Type {
   DeleteObjectTagging = 142;
   AssumeRole = 143;
   RevokeSTSToken = 144;
+  CleanupRevokedSTSTokens = 145;
 }
 
 enum SafeMode {
@@ -308,6 +309,7 @@ message OMRequest {
   repeated SetSnapshotPropertyRequest       SetSnapshotPropertyRequests    = 143;
   optional AssumeRoleRequest                assumeRoleRequest              = 144;
   optional RevokeSTSTokenRequest            revokeSTSTokenRequest          = 145;
+  optional CleanupRevokedSTSTokensRequest   cleanupRevokedSTSTokensRequest = 146;
 }
 
 message OMResponse {
@@ -443,6 +445,7 @@ message OMResponse {
   optional DeleteObjectTaggingResponse       deleteObjectTaggingResponse   = 142;
   optional AssumeRoleResponse                assumeRoleResponse            = 143;
   optional RevokeSTSTokenResponse            revokeSTSTokenResponse        = 144;
+  optional CleanupRevokedSTSTokensResponse   cleanupRevokedSTSTokensResponse = 145;
 }
 
 enum Status {
@@ -2394,6 +2397,17 @@ message RevokeSTSTokenRequest {
 message RevokeSTSTokenResponse {
 }
 
+/**
+ This will contain a list of revoked STS temporary access key IDs whose entries should be removed from
+ the s3RevokedStsTokenTable.
+*/
+message CleanupRevokedSTSTokensRequest {
+  repeated string accessKeyId = 1;
+}
+
+message CleanupRevokedSTSTokensResponse {
+}
+
 /**
  The OM service that takes care of Ozone namespace.
 */

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java

@@ -287,6 +287,7 @@
 import org.apache.hadoop.ozone.om.service.DirectoryDeletingService;
 import org.apache.hadoop.ozone.om.service.OMRangerBGSyncService;
 import org.apache.hadoop.ozone.om.service.QuotaRepairTask;
+import org.apache.hadoop.ozone.om.service.RevokedSTSTokenCleanupService;
 import org.apache.hadoop.ozone.om.snapshot.OmSnapshotUtils;
 import org.apache.hadoop.ozone.om.upgrade.OMLayoutFeature;
 import org.apache.hadoop.ozone.om.upgrade.OMLayoutVersionManager;
@@ -438,6 +439,7 @@ public final class OzoneManager extends ServiceRuntimeInfoImpl
   private final boolean isSpnegoEnabled;
   private final SecurityConfig secConfig;
   private S3SecretManager s3SecretManager;
+  private RevokedSTSTokenCleanupService revokedSTSTokenCleanupService;
   private final boolean isOmGrpcServerEnabled;
   private volatile boolean isOmRpcServerRunning = false;
   private volatile boolean isOmGrpcServerRunning = false;
@@ -1946,6 +1948,18 @@ public void start() throws IOException {
 
     keyManager.start(configuration);
 
+    final long revokedSTSTokenCleanupInterval = configuration.getTimeDuration(
+        OMConfigKeys.OZONE_OM_REVOKED_STS_TOKEN_CLEANUP_SERVICE_INTERVAL,
+        OMConfigKeys.OZONE_OM_REVOKED_STS_TOKEN_CLEANUP_SERVICE_INTERVAL_DEFAULT,
+        TimeUnit.MILLISECONDS);
+    final long revokedSTSTokenCleanupTimeout = configuration.getTimeDuration(
+        OMConfigKeys.OZONE_OM_REVOKED_STS_TOKEN_CLEANUP_SERVICE_TIMEOUT,
+        OMConfigKeys.OZONE_OM_REVOKED_STS_TOKEN_CLEANUP_SERVICE_TIMEOUT_DEFAULT,
+        TimeUnit.MILLISECONDS);
+    revokedSTSTokenCleanupService = new RevokedSTSTokenCleanupService(
+        revokedSTSTokenCleanupInterval, TimeUnit.MILLISECONDS, revokedSTSTokenCleanupTimeout, this);
+    revokedSTSTokenCleanupService.start();
+
     try {
       httpServer = new OzoneManagerHttpServer(configuration, this);
       httpServer.start();
@@ -2524,6 +2538,9 @@ public boolean stop() {
       if (edekCacheLoader != null) {
         edekCacheLoader.shutdown();
       }
+      if (revokedSTSTokenCleanupService != null) {
+        revokedSTSTokenCleanupService.shutdown();
+      }
       return true;
     } catch (Exception e) {
       LOG.error("OzoneManager stop failed.", e);

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/utils/OzoneManagerRatisUtils.java

@@ -68,6 +68,7 @@
 import org.apache.hadoop.ozone.om.request.key.acl.prefix.OMPrefixSetAclRequest;
 import org.apache.hadoop.ozone.om.request.s3.multipart.S3ExpiredMultipartUploadsAbortRequest;
 import org.apache.hadoop.ozone.om.request.s3.security.OMSetSecretRequest;
+import org.apache.hadoop.ozone.om.request.s3.security.S3CleanupRevokedSTSTokensRequest;
 import org.apache.hadoop.ozone.om.request.s3.security.S3GetSecretRequest;
 import org.apache.hadoop.ozone.om.request.s3.security.S3RevokeSTSTokenRequest;
 import org.apache.hadoop.ozone.om.request.s3.security.S3RevokeSecretRequest;
@@ -199,6 +200,8 @@ public static OMClientRequest createClientRequest(OMRequest omRequest,
       return new S3RevokeSecretRequest(omRequest);
     case RevokeSTSToken:
       return new S3RevokeSTSTokenRequest(omRequest);
+    case CleanupRevokedSTSTokens:
+      return new S3CleanupRevokedSTSTokensRequest(omRequest);
     case PurgeKeys:
       return new OMKeyPurgeRequest(omRequest);
     case PurgeDirectories:

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3CleanupRevokedSTSTokensRequest.java

@@ -0,0 +1,51 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.om.request.s3.security;
+
+import java.util.List;
+import org.apache.hadoop.ozone.om.OzoneManager;
+import org.apache.hadoop.ozone.om.execution.flowcontrol.ExecutionContext;
+import org.apache.hadoop.ozone.om.request.OMClientRequest;
+import org.apache.hadoop.ozone.om.request.util.OmResponseUtil;
+import org.apache.hadoop.ozone.om.response.OMClientResponse;
+import org.apache.hadoop.ozone.om.response.s3.security.S3CleanupRevokedSTSTokensResponse;
+import org.apache.hadoop.ozone.om.service.RevokedSTSTokenCleanupService;
+import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.CleanupRevokedSTSTokensRequest;
+import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMRequest;
+import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMResponse;
+
+/**
+ * Handles CleanupRevokedSTSTokens requests submitted by {@link RevokedSTSTokenCleanupService}.
+ */
+public class S3CleanupRevokedSTSTokensRequest extends OMClientRequest {
+
+  public S3CleanupRevokedSTSTokensRequest(OMRequest omRequest) {
+    super(omRequest);
+  }
+
+  @Override
+  public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, ExecutionContext context) {
+    final CleanupRevokedSTSTokensRequest request = getOmRequest().getCleanupRevokedSTSTokensRequest();
+    final OMResponse.Builder omResponse = OmResponseUtil.getOMResponseBuilder(getOmRequest());
+
+    final List<String> accessKeyIds = request.getAccessKeyIdList();
+    return new S3CleanupRevokedSTSTokensResponse(accessKeyIds, omResponse.build());
+  }
+}
+
+

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/s3/security/S3CleanupRevokedSTSTokensResponse.java

@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.om.response.s3.security;
+
+import static org.apache.hadoop.ozone.om.codec.OMDBDefinition.S3_REVOKED_STS_TOKEN_TABLE;
+import static org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.Status.OK;
+
+import jakarta.annotation.Nonnull;
+import java.io.IOException;
+import java.util.List;
+import org.apache.hadoop.hdds.utils.db.BatchOperation;
+import org.apache.hadoop.hdds.utils.db.Table;
+import org.apache.hadoop.ozone.om.OMMetadataManager;
+import org.apache.hadoop.ozone.om.response.CleanupTableInfo;
+import org.apache.hadoop.ozone.om.response.OMClientResponse;
+import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMResponse;
+
+/**
+ * Response for CleanupRevokedSTSTokens request.
+ */
+@CleanupTableInfo(cleanupTables = {S3_REVOKED_STS_TOKEN_TABLE})
+public class S3CleanupRevokedSTSTokensResponse extends OMClientResponse {
+
+  private final List<String> accessKeyIds;
+
+  public S3CleanupRevokedSTSTokensResponse(List<String> accessKeyIds, @Nonnull OMResponse omResponse) {
+    super(omResponse);
+    this.accessKeyIds = accessKeyIds;
+  }
+
+  @Override
+  public void addToDBBatch(OMMetadataManager omMetadataManager, BatchOperation batchOperation) throws IOException {
+    if (accessKeyIds == null || accessKeyIds.isEmpty()) {
+      return;
+    }
+    if (!getOMResponse().hasStatus() || getOMResponse().getStatus() != OK) {
+      return;
+    }
+
+    final Table<String, Long> table = omMetadataManager.getS3RevokedStsTokenTable();
+    if (table == null) {
+      return;
+    }
+
+    for (String accessKeyId : accessKeyIds) {
+      table.deleteWithBatch(batchOperation, accessKeyId);
+    }
+  }
+}
+
+