Posted to issues@ozone.apache.org by GitBox <gi...@apache.org> on 2022/02/24 09:00:43 UTC

[GitHub] [ozone] JyotinderSingh opened a new pull request #3134: HDDS-6337. [FSO] Disable recursive access check flag for directories with no children.

JyotinderSingh opened a new pull request #3134:
URL: https://github.com/apache/ozone/pull/3134


   ## What changes were proposed in this pull request?
   
   If a directory under an FSO bucket does not contain any subfiles/directories - set the recursive flag for Ranger#getAcl call to false.
   
   ### Scenario:
   **Ranger Policy 1:**
   Key Resource | Permission | User
   -- | -- | --
   dir1/dir11, dir1/dir11/ | Read, Write, Delete | user2
   
   **Ranger Policy 2:**
   Key Resource | Permission | User
   -- | -- | --
   dir* | Read, Write, Delete | user1
   
   
   
   **Case:**
   1. user2 has created a directory dir1/dir11. Since the explicit policy is defined for user2, it will successfully create the directories.
   2. user1 has recursive permission, he can create any dirs under "dir*". Say, user1 created a file under directory "dir1/dir11/file".
   3. user2 issues recursive delete on "dir1/dir11". **(Recursive flag is sent to Ranger from internal Ozone call)**.

   ```
   $ kinit user2
   $ ozone fs -rm -R -skipTrash o3fs://fso-buycket.vol1.fso-bucket/dir1/dir11
   ```

   **Expected Result:**

   Fail to delete directory.

   **Actual Result:**

   Permission denied by Ranger.

   **Comments:**

   - Since there is no permission for user2 with policy key resource dir*, Ranger is denying permission for users as access is not determined. Ranger has taken a conservative approach against all the defined policy paths irrespective of the given user who issues the recursive delete operation.
   - Since there is a file under "dir1/dir11", we shouldn't allow this directory to be deleted, otherwise, this will lead to data loss.

   **Impact:**

   user2 will never be able to delete "dir1/dir11" since Ozone is always sending the recursive flag to the Ranger plugin - **which is undesirable.**

   **Solution:**

   If no child exists under "dir1/dir11" then set the recursive flag to False and invoke Ranger#checkAcl.

   **Cost:**

   There will be an additional getChildren call on both DirectoryTable and FileTable at the Ozone side. Each of these would be a deterministic time call to RocksDB.
   
   ## What is the link to the Apache JIRA
   
   https://issues.apache.org/jira/browse/HDDS-6337
   
   ## How was this patch tested?
   
   Unit Test added.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org
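
The flag decision from the pull request description above, worked through on its two Ranger policies. This is an added example, not code from the Ozone patch or from Ranger: the class and method names are hypothetical, wildcard support is limited to a trailing `*`, and the "conservative" recursive rule is a simplified stand-in for the behaviour the description attributes to Ranger. It needs Java 16 or later for records.

```java
import java.util.List;
import java.util.Set;
public class RecursiveAclFlagDemo {
  // Simplified policy: resource patterns (exact, or prefix with trailing '*') and one user.
  record Policy(List<String> resources, String user) {}
  static final List<Policy> POLICIES = List.of(
      new Policy(List.of("dir1/dir11", "dir1/dir11/"), "user2"),  // Ranger Policy 1
      new Policy(List.of("dir*"), "user1"));                      // Ranger Policy 2

  static boolean matches(String pattern, String path) {
    return pattern.endsWith("*")
        ? path.startsWith(pattern.substring(0, pattern.length() - 1))
        : pattern.equals(path);
  }

  // A wildcard pattern reaches below 'dir' if it can match some path under dir + "/".
  static boolean coversDescendants(String pattern, String dir) {
    if (!pattern.endsWith("*")) return false;
    String prefix = pattern.substring(0, pattern.length() - 1);
    String below = dir + "/";
    return below.startsWith(prefix) || prefix.startsWith(below);
  }

  static boolean checkAcl(String user, String path, boolean recursive) {
    boolean allowed = POLICIES.stream().anyMatch(p -> p.user().equals(user)
        && p.resources().stream().anyMatch(r -> matches(r, path)));
    if (!allowed || !recursive) return allowed;
    // Conservative recursive check: every policy reaching below 'path' must grant this user.
    return POLICIES.stream()
        .filter(p -> p.resources().stream().anyMatch(r -> coversDescendants(r, path)))
        .allMatch(p -> p.user().equals(user));
  }

  static boolean hasChildren(Set<String> keys, String dir) {
    return keys.stream().anyMatch(k -> k.startsWith(dir + "/"));
  }
  // The change proposed in the PR: send recursive=true only when children exist.
  static boolean canDelete(Set<String> keys, String user, String dir) {
    return checkAcl(user, dir, hasChildren(keys, dir));
  }

  public static void main(String[] args) {
    Set<String> empty = Set.of("dir1", "dir1/dir11");            // constructed namespace
    Set<String> withFile = Set.of("dir1", "dir1/dir11", "dir1/dir11/file");
    System.out.println(checkAcl("user2", "dir1/dir11", true));   // flag always sent
    System.out.println(canDelete(empty, "user2", "dir1/dir11"));
    System.out.println(canDelete(withFile, "user2", "dir1/dir11"));
  }
}
```

In this model user2 is refused whenever the recursive flag is sent, is allowed to remove the empty directory once the flag follows `hasChildren`, and is still refused when user1's file exists under it.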


[GitHub] [ozone] rakeshadr commented on a change in pull request #3134: HDDS-6337. [FSO] Disable recursive access check flag for directories with no children.

Posted by GitBox <gi...@apache.org>.
rakeshadr commented on a change in pull request #3134:
URL: https://github.com/apache/ozone/pull/3134#discussion_r813808672



##########
File path: hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/key/TestOMKeyDeleteRequestWithFSO.java
##########
@@ -39,6 +39,10 @@
  * Tests OmKeyDelete request with prefix layout.
  */
 public class TestOMKeyDeleteRequestWithFSO extends TestOMKeyDeleteRequest {
+  private static final String PARTIAL_PARENT_DIR = "c/d/";
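
Review bot: The new constant `PARTIAL_PARENT_DIR = "c/d/"` at the top of the class has no comment saying which part of the test key's path it stands for or whether the trailing slash is significant. A one-line comment would help, since the test added to this class distinguishes empty from non-empty directories and a reader needs to know exactly which path is being checked.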

Review comment:
       Please rename var name: `PARTIAL_PARENT_DIR` -> `INTERMEDIATE_DIR`

##########
File path: hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/key/TestOMKeyDeleteRequestWithFSO.java
##########
@@ -132,4 +149,68 @@ private void verifyPath(OzonePrefixPath ozonePrefixPath, String pathName,
       // expected
     }
   }
+
+  @Test
+  public void testRecursiveAccessCheck() throws Exception {
+    // Add volume, bucket and key entries to OM DB.
+    OMRequestTestUtils.addVolumeAndBucketToDB(volumeName, bucketName,
+        omMetadataManager, getBucketLayout());
+
+    // Case 1:
+    // We create an empty directory structure.
+    String partialKey = "x/y/";
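
Review bot: In `testRecursiveAccessCheck`, the visible part of the hunk reaches only Case 1, the empty directory structure under `"x/y/"`. Make sure a later case asserts the opposite direction as well, that the recursive flag stays true once the directory has a child file or subdirectory, because that is the case that keeps a recursive delete from skipping the check on other users' data. Also, `"x/y/"` is a second directory literal beside the `"c/d/"` constant added at the top of the class; reuse the constant or note why a different path is needed.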

Review comment:
       Rename `partialKey` to either `intermediateDir` or `parentKey`. Also, please update the Java comments by replacing `partial`.






[GitHub] [ozone] JyotinderSingh commented on pull request #3134: HDDS-6337. [FSO] Disable recursive access check flag for directories with no children.

Posted by GitBox <gi...@apache.org>.
JyotinderSingh commented on pull request #3134:
URL: https://github.com/apache/ozone/pull/3134#issuecomment-1049797554


   Thank you for the feedback @rakeshadr, I have addressed your comments.




[GitHub] [ozone] mukul1987 merged pull request #3134: HDDS-6337. [FSO] Disable recursive access check flag for directories with no children.

Posted by GitBox <gi...@apache.org>.
mukul1987 merged pull request #3134:
URL: https://github.com/apache/ozone/pull/3134


   

