You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@ozone.apache.org by "Ethan Rose (Jira)" <ji...@apache.org> on 2023/10/17 19:48:00 UTC

[jira] [Commented] (HDDS-9388) OM Ratis Write: Move ACL check and Bucket resolution to preExecute

    [ https://issues.apache.org/jira/browse/HDDS-9388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17776368#comment-17776368 ] 

Ethan Rose commented on HDDS-9388:
----------------------------------

The ACL checks could be taking place in the Ranger plugin or rocksDB if native ACLs are being used. For Ranger, the plugin is already reading ACL information async from Ranger. For native ACLs, this would change the behavior slightly. Although we are only reading committed OM DB state, we could still have the following execution:
 # preExecute for ACL revoke request passes (request 1)
 # preExecute ACL check for a write request passes (request 2)
 # ACLs are revoked in applyTransaction for request 1, making them visible
 # applyTransaction of request 2 passes

So even though OM ordered the requests as 1 then 2, the ACL revoke does not fail request 2. I think this is only a minor problem that we can live with:
 * ACL change would still take effect almost instantly
 * The global request order is not exposed to the client. Reads also don't go through Ratis so there is no guarantee that ACL checks on read happen before or after apply, only that they see the consistent state.
 * There is no inconsistent state at the end of the executions
 * Ranger ACLs are async anyways which is closer to this model.

We should definitely implement this, but it is good to note the slight behavior change here.

> OM Ratis Write: Move ACL check and Bucket resolution to preExecute
> ------------------------------------------------------------------
>
>                 Key: HDDS-9388
>                 URL: https://issues.apache.org/jira/browse/HDDS-9388
>             Project: Apache Ozone
>          Issue Type: Improvement
>          Components: Ozone Manager
>            Reporter: Duong
>            Assignee: Duong
>            Priority: Major
>              Labels: performance
>




--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org