Posted to issues@ozone.apache.org by "Siyao Meng (Jira)" <ji...@apache.org> on 2022/05/24 08:51:00 UTC

[jira] [Comment Edited] (HDDS-6600) [MultiTenancy] No user validation on assignUser API

    [ https://issues.apache.org/jira/browse/HDDS-6600?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17536841#comment-17536841 ] 

Siyao Meng edited comment on HDDS-6600 at 5/24/22 8:50 AM:
-----------------------------------------------------------

We do not have user name validation for the tenant user assign operation *by OM itself. But once connected to a real Ranger, the "add user to Ranger role" will fail in request preExecute if the user doesn't exist in Ranger.*

--- OUTDATED RESPONSE BELOW ---

We could also check user existence using this REST call to Ranger during the user assign operation (in OM request preExecute):

{code:title=Example of checking user existence}
$ curl -k 'https://ranger:6182/service/xusers/users?name=hive' \
  -H 'Accept: application/json' -H 'Cookie: -' 2> /dev/null | jq
{
  "startIndex": 0,
  "pageSize": 200,
  "totalCount": 1,
  "resultSize": 1,
  "sortType": "asc",
  "sortBy": "name",
  "queryTimeMS": 1652468048033,
  "vXUsers": [
    {
      "id": 8,
      "createDate": "2022-04-07T13:46:00Z",
      "updateDate": "2022-04-07T13:46:00Z",
      "owner": "rangerusersync",
      "updatedBy": "rangerusersync",
      "name": "hive",
      "password": "*****",
      "description": "hive - add from Unix box",
      "groupIdList": [
        41
      ],
      "groupNameList": [
        "hive"
      ],
      "status": 0,
      "isVisible": 1,
      "userSource": 1,
      "userRoleList": [
        "ROLE_USER"
      ],
      "otherAttributes": "{\"sync_source\":\"Unix\",\"full_name\":\"hive\",\"original_name\":\"hive\"}"
    }
  ]
}
{code}

{code:title=Non-existent user}
$ curl -k 'https://ranger:6182/service/xusers/users?name=nonexistentuser' \
  -H 'Accept: application/json' -H 'Cookie: -' 2> /dev/null | jq
{
  "startIndex": 0,
  "pageSize": 0,
  "totalCount": 0,
  "resultSize": 0,
  "queryTimeMS": 1652468102735,
  "vXUsers": []
}
{code}


was (Author: smeng):
Correct. We do not have user name validation for tenant user assign operation.

I tried to add the validation back then in an earlier PR quite a while back.

Now as I think again, we could check user existence using the REST call to Ranger shown above during the user assign operation (in OM request preExecute).

> [MultiTenancy] No user validation on assignUser API
> ---------------------------------------------------
>
>                 Key: HDDS-6600
>                 URL: https://issues.apache.org/jira/browse/HDDS-6600
>             Project: Apache Ozone
>          Issue Type: Bug
>          Components: Ozone Manager
>    Affects Versions: 1.3.0
>            Reporter: Soumitra Sulav
>            Priority: Major
>              Labels: ozone-multitenancy
>
> No validation of user while running assignUser API under tenant.
> Non-existent User
> {code:java}
> bash-4.2$ ozone tenant user assign user -t tenantone
> Assigned 'user' to 'tenantone' with accessId 'tenantone$user'.
> export AWS_ACCESS_KEY_ID='tenantone$user'
> export AWS_SECRET_ACCESS_KEY='b58a64f66e6091cd22cdd1666e226c82e8138ba7a86804a3086d108ef6036961'
> {code}
> Invalid user (tried regex)
> {code:java}
> bash-4.2$ ozone tenant user assign "*" -t tenantone
> Assigned '*' to 'tenantone' with accessId 'tenantone$*'.
> export AWS_ACCESS_KEY_ID='tenantone$*'
> export AWS_SECRET_ACCESS_KEY='27f9420833b1433774660654a8cc054e76d630e0d5d2ee3d0e3a1c327ecc5ac8'
> bash-4.2$ ozone tenant user assign "user*" -t tenantone
> Assigned 'user*' to 'tenantone' with accessId 'tenantone$user*'.
> export AWS_ACCESS_KEY_ID='tenantone$user*'
> export AWS_SECRET_ACCESS_KEY='99c4652cc90a4f5b46396432b00c3422f0ba481528cdc968b91ee6cedaa2f649'
> {code}
> User of length greater than 100
> {code:java}
> bash-4.2$ ozone tenant user assign --tenant=tenantone 'testuser-f27b137a62cd8b021239527c725d6a9d56e0cdce8ca7db6a4b923c941452df00sfdadfdadfsddfaddsajjdakfisfiaidhikakdkjdkasjkdas'
> Assigned 'testuser-f27b137a62cd8b021239527c725d6a9d56e0cdce8ca7db6a4b923c941452df00sfdadfdadfsddfaddsajjdakfisfiaidhikakdkjdkasjkdas' to 'tenantone' with accessId 'tenantone$testuser-f27b137a62cd8b021239527c725d6a9d56e0cdce8ca7db6a4b923c941452df00sfdadfdadfsddfaddsajjdakfisfiaidhikakdkjdkasjkdas'.
> export AWS_ACCESS_KEY_ID='tenantone$testuser-f27b137a62cd8b021239527c725d6a9d56e0cdce8ca7db6a4b923c941452df00sfdadfdadfsddfaddsajjdakfisfiaidhikakdkjdkasjkdas'
> export AWS_SECRET_ACCESS_KEY='b9e5ad69c39561446b571419dba3e39b0b90936040c63b2a70ba5b94a7fb9f85'
> {code}
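As an added example (Python, not the Ozone Manager's Java code), this models the preExecute check proposed in the comment together with the three cases from the issue description: syntactic validation of the user name, building the xusers lookup URL with the name percent-encoded, and deciding existence from the Ranger response. The account-name regex, the 100-character cap and the assumption that Ranger's name filter may return similar names (so the returned `name` field is compared exactly) are all assumptions, and the JSON responses are constructed from the curl output above.

```python
import json
import re
from typing import Optional, Tuple
from urllib.parse import quote

# Assumed policy (not from the issue): Unix-style account names, at most
# 100 characters. The issue shows '*', 'user*' and a >100-char name passing.
MAX_USER_LEN = 100
USER_NAME_RE = re.compile(r"[a-z_][a-z0-9_.-]*")


def validate_user_name(name: str) -> Optional[str]:
    """Return None if the name is acceptable, else the rejection reason."""
    if not name:
        return "empty user name"
    if len(name) > MAX_USER_LEN:
        return f"user name longer than {MAX_USER_LEN} characters"
    if not USER_NAME_RE.fullmatch(name):
        return "user name contains characters outside [a-z0-9_.-]"
    return None


def ranger_user_lookup_url(ranger_base: str, name: str) -> str:
    """Build the xusers lookup URL; quote() keeps the name inside the query."""
    return f"{ranger_base}/service/xusers/users?name={quote(name, safe='')}"


def ranger_user_exists(payload: str, name: str) -> bool:
    """Parse the xusers JSON body and require an exact 'name' match.
    Assumption: the name filter may return similar names, so totalCount alone
    is not trusted."""
    body = json.loads(payload)
    return any(u.get("name") == name for u in body.get("vXUsers", []))


def pre_execute_check(name: str, payload: str) -> Tuple[bool, str]:
    """Order modelled on OM request preExecute: syntax first, then Ranger."""
    reason = validate_user_name(name)
    if reason:
        return False, reason
    if not ranger_user_exists(payload, name):
        return False, f"user '{name}' does not exist in Ranger"
    return True, "ok"


# Constructed sample responses, trimmed from the curl output in the comment.
FOUND = '{"totalCount": 1, "vXUsers": [{"id": 8, "name": "hive"}]}'
NOT_FOUND = '{"totalCount": 0, "vXUsers": []}'
SIMILAR = '{"totalCount": 1, "vXUsers": [{"id": 9, "name": "hive2"}]}'
```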



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
