Merged
4 changes: 4 additions & 0 deletions hadoop-hdds/docs/content/design/ozone-sts.md
Expand Up @@ -150,6 +150,10 @@ will be created to run every 3 hours to delete revoked tokens that have been in
input parameter for the command-line utility will be the sessionToken - this value is returned in plain text as a result
of the AssumeRole call (mentioned above). In this way, specific STS tokens can be revoked as opposed to all tokens. Furthermore,
AWS doesn't have a standard API to revoke tokens therefore we are creating our own system.

Additionally, if the Kerberos identity of the user that created the STS token is revoked via the `ozone s3 revokesecret`
command, then all the existing and unexpired STS tokens that user created will be revoked.

Note: STS token revocation checks are strictly enforced and will fail-closed if there are internal errors such as not
being able to communicate with the revocation database table, etc.
Note: The creator of the STS token or an S3/tenant admin are the only ones allowed to revoke a token.
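Review bot: The added paragraph conflates the Kerberos identity with the S3 secret; `ozone s3 revokesecret` revokes the user's S3 secret, so the sentence should say the cascade is triggered when that secret is revoked, and it should state whether the cascade is immediate and synchronous with the `revokesecret` call or only takes effect at the next revocation check. It would also help to document whether the cascaded revocations are written to the same revocation table as single-token revocations (so the 3-hour cleanup job and the fail-closed check described in the following note cover them), and whether the "creator or S3/tenant admin" restriction in the last note applies to this path as well, since an admin revoking another user's secret now implicitly revokes tokens that admin did not create. Suggested wording for the first sentence: "Additionally, if the S3 secret of the user that created the STS token is revoked via the `ozone s3 revokesecret` command, then all existing, unexpired STS tokens created by that user are revoked as well."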