You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ozone.apache.org by GitBox <gi...@apache.org> on 2021/05/12 16:15:10 UTC
[GitHub] [ozone] errose28 commented on a change in pull request #2217: HDDS-5138. Upgrade related RPC calls should be allowed only for admins.
errose28 commented on a change in pull request #2217:
URL: https://github.com/apache/ozone/pull/2217#discussion_r631195733
##########
File path: hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMClientProtocolServer.java
##########
@@ -663,13 +663,33 @@ public boolean getReplicationManagerStatus() {
@Override
public StatusAndMessages finalizeScmUpgrade(String upgradeClientID) throws
IOException {
+ // check admin authorization
+ String remoteUser = getRpcRemoteUsername();
+ try {
+ getScm().checkAdminAccess(remoteUser);
+ } catch (IOException e) {
+ LOG.error("Authorisation failed for finalize scm upgrade", e);
+ throw e;
+ }
return scm.finalizeUpgrade(upgradeClientID);
}
@Override
public StatusAndMessages queryUpgradeFinalizationProgress(
String upgradeClientID, boolean force, boolean readonly)
- throws IOException {
+ throws IOException {
+ if (!readonly) {
Review comment:
When readonly=true, the caller gets the status of the upgrade only. When readonly=false, the caller gets the status of the upgrade as well as any queued messages about the upgrade progress (see `StorageContainerManager#queryUpgradeFinalizationProgress`). These messages are only delivered once, since we don't keep track of which client has received which messages. Anyone should be able to query the status of the upgrade, but we do not want to allow regular users to steal upgrade messages intended for admins.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org