Posted to commits@ozone.apache.org by ra...@apache.org on 2021/01/20 13:06:44 UTC
[ozone] branch master updated: HDDS-4593. Refine IAccessAuthorizer
interface to do recursive ACL check on a path (#1790)
This is an automated email from the ASF dual-hosted git repository.
rakeshr pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/master by this push:
new 026c625 HDDS-4593. Refine IAccessAuthorizer interface to do recursive ACL check on a path (#1790)
026c625 is described below
commit 026c625d48623b6b4879d70b963e3f008ee26f1e
Author: Rakesh Radhakrishnan <ra...@apache.org>
AuthorDate: Wed Jan 20 18:36:28 2021 +0530
HDDS-4593. Refine IAccessAuthorizer interface to do recursive ACL check on a path (#1790)
---
.../hadoop/ozone/security/acl/RequestContext.java | 48 ++++++++++-
.../ozone/security/acl/TestRequestContext.java | 94 ++++++++++++++++++++++
2 files changed, 140 insertions(+), 2 deletions(-)
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/RequestContext.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/RequestContext.java
index 043cd55..5e11558 100644
--- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/RequestContext.java
+++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/RequestContext.java
@@ -35,11 +35,28 @@ public class RequestContext {
private final ACLType aclRights;
private final String ownerName;
+ /**
+ * Represents recursive access check required for all the sub-paths of the
+ * given path. If the given path is not a directory, there is no effect for
+ * this flag. A true value represents recursive check, false represents
+ * non-recursive check.
+ */
+ private final boolean recursiveAccessCheck;
+
@SuppressWarnings("parameternumber")
public RequestContext(String host, InetAddress ip,
UserGroupInformation clientUgi, String serviceId,
ACLIdentityType aclType, ACLType aclRights,
String ownerName) {
+ this(host, ip, clientUgi, serviceId, aclType, aclRights, ownerName,
+ false);
+ }
+
+ @SuppressWarnings("parameternumber")
+ public RequestContext(String host, InetAddress ip,
+ UserGroupInformation clientUgi, String serviceId,
+ ACLIdentityType aclType, ACLType aclRights,
+ String ownerName, boolean recursiveAccessCheck) {
this.host = host;
this.ip = ip;
this.clientUgi = clientUgi;
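Review bot: The new eight-argument constructor starting at `public RequestContext(String host, InetAddress ip,` adds `recursiveAccessCheck` with no Javadoc, and the only description of the flag is the field comment, which says the flag has no effect "if the given path is not a directory" even though RequestContext carries no path at all; whether the target is a directory and whether the flag is honoured is decided by whichever IAccessAuthorizer implementation receives the context. Suggest a constructor Javadoc along the lines of `@param recursiveAccessCheck true to request that ACLs are also checked on every sub-path of the target; the authorizer consuming this context, not the context itself, decides how a non-directory target is treated`, and rewording the field comment (and the getter comment in the last hunk of this file, which repeats it) the same way. Because the seven-argument constructor and the existing `getBuilder` overload both pass `false`, existing callers keep the non-recursive check, so operations that affect sub-paths only get the wider check when the caller opts in explicitly; that is worth stating in the Javadoc so future callers do not assume it is automatic. The constructor body continues past the end of this hunk.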
@@ -47,6 +64,7 @@ public class RequestContext {
this.aclType = aclType;
this.aclRights = aclRights;
this.ownerName = ownerName;
+ this.recursiveAccessCheck = recursiveAccessCheck;
}
/**
@@ -66,6 +84,8 @@ public class RequestContext {
*/
private String ownerName;
+ private boolean recursiveAccessCheck;
+
public Builder setHost(String bHost) {
this.host = bHost;
return this;
@@ -105,9 +125,14 @@ public class RequestContext {
return this;
}
+ public Builder setRecursiveAccessCheck(boolean recursiveAccessCheckFlag) {
+ this.recursiveAccessCheck = recursiveAccessCheckFlag;
+ return this;
+ }
+
public RequestContext build() {
return new RequestContext(host, ip, clientUgi, serviceId, aclType,
- aclRights, ownerName);
+ aclRights, ownerName, recursiveAccessCheck);
}
}
@@ -115,16 +140,25 @@ public class RequestContext {
return new Builder();
}
+
public static RequestContext.Builder getBuilder(
UserGroupInformation ugi, InetAddress remoteAddress, String hostName,
ACLType aclType, String ownerName) {
+ return getBuilder(ugi, remoteAddress, hostName, aclType, ownerName,
+ false);
+ }
+
+ public static RequestContext.Builder getBuilder(
+ UserGroupInformation ugi, InetAddress remoteAddress, String hostName,
+ ACLType aclType, String ownerName, boolean recursiveAccessCheck) {
RequestContext.Builder contextBuilder = RequestContext.newBuilder()
.setClientUgi(ugi)
.setIp(remoteAddress)
.setHost(hostName)
.setAclType(ACLIdentityType.USER)
.setAclRights(aclType)
- .setOwnerName(ownerName);
+ .setOwnerName(ownerName)
+ .setRecursiveAccessCheck(recursiveAccessCheck);
return contextBuilder;
}
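Review bot: The new six-argument `getBuilder` overload has no Javadoc, and the `contextBuilder` local it inherits from the old body is now the only statement before `return`, so the chain can simply be returned: `return RequestContext.newBuilder()` … `.setRecursiveAccessCheck(recursiveAccessCheck);` with the `RequestContext.Builder contextBuilder =` line and the trailing `return contextBuilder;` dropped. A short Javadoc stating that `aclType` is always paired with `ACLIdentityType.USER` here (visible in the unchanged `.setAclType(ACLIdentityType.USER)` line) and what `recursiveAccessCheck` requests would make the overload self-describing.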
@@ -163,4 +197,14 @@ public class RequestContext {
public String getOwnerName() {
return ownerName;
}
+
+ /**
+ * A true value represents recursive access check required for all the
+ * sub-paths of the given path, false represents non-recursive check.
+ * <p>
+ * If the given path is not a directory, there is no effect for this flag.
+ */
+ public boolean isRecursiveAccessCheck() {
+ return recursiveAccessCheck;
+ }
}
diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/acl/TestRequestContext.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/acl/TestRequestContext.java
new file mode 100644
index 0000000..b8b0363
--- /dev/null
+++ b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/acl/TestRequestContext.java
@@ -0,0 +1,94 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.hadoop.ozone.security.acl;
+
+import org.apache.hadoop.security.UserGroupInformation;
+import org.junit.Assert;
+import org.junit.Test;
+
+/**
+ * Test request context.
+ */
+public class TestRequestContext {
+
+ @Test
+ public void testRecursiveAccessFlag() {
+ RequestContext context = getUserRequestContext("om",
+ IAccessAuthorizer.ACLType.CREATE, false, "volume1",
+ true);
+ Assert.assertTrue("Wrongly sets recursiveAccessCheck flag value",
+ context.isRecursiveAccessCheck());
+
+ context = getUserRequestContext("om",
+ IAccessAuthorizer.ACLType.CREATE, false, "volume1",
+ false);
+ Assert.assertFalse("Wrongly sets recursiveAccessCheck flag value",
+ context.isRecursiveAccessCheck());
+
+ context = getUserRequestContext(
+ "user1", IAccessAuthorizer.ACLType.CREATE,
+ true, "volume1");
+ Assert.assertFalse("Wrongly sets recursiveAccessCheck flag value",
+ context.isRecursiveAccessCheck());
+
+ RequestContext.Builder builder = new RequestContext.Builder();
+
+ Assert.assertFalse("Wrongly sets recursive flag value",
+ builder.build().isRecursiveAccessCheck());
+
+ builder.setRecursiveAccessCheck(true);
+ Assert.assertTrue("Wrongly sets recursive flag value",
+ builder.build().isRecursiveAccessCheck());
+
+ context = new RequestContext("host", null,
+ null, "serviceId",
+ IAccessAuthorizer.ACLIdentityType.GROUP,
+ IAccessAuthorizer.ACLType.CREATE, "owner");
+ Assert.assertFalse("Wrongly sets recursive flag value",
+ context.isRecursiveAccessCheck());
+
+ context = new RequestContext("host", null,
+ null, "serviceId",
+ IAccessAuthorizer.ACLIdentityType.GROUP,
+ IAccessAuthorizer.ACLType.CREATE, "owner", false);
+ Assert.assertFalse("Wrongly sets recursive flag value",
+ context.isRecursiveAccessCheck());
+
+ context = new RequestContext("host", null,
+ null, "serviceId",
+ IAccessAuthorizer.ACLIdentityType.GROUP,
+ IAccessAuthorizer.ACLType.CREATE, "owner", true);
+ Assert.assertTrue("Wrongly sets recursive flag value",
+ context.isRecursiveAccessCheck());
+ }
+
+ private RequestContext getUserRequestContext(String username,
+ IAccessAuthorizer.ACLType type, boolean isOwner, String ownerName,
+ boolean recursiveAccessCheck) {
+ return RequestContext.getBuilder(
+ UserGroupInformation.createRemoteUser(username), null, null,
+ type, ownerName, recursiveAccessCheck).build();
+ }
+
+ private RequestContext getUserRequestContext(String username,
+ IAccessAuthorizer.ACLType type, boolean isOwner, String ownerName) {
+ return RequestContext.getBuilder(
+ UserGroupInformation.createRemoteUser(username), null, null,
+ type, ownerName).build();
+ }
+}
+
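Review bot: Both `getUserRequestContext` helpers declare an `isOwner` parameter that is never read, so the `true`/`false` values passed at the call sites in `testRecursiveAccessFlag` have no effect on what is asserted; either drop the parameter from both signatures and the three call sites, or use it to choose the `ownerName` so the argument means something. The test also constructs the builder with `new RequestContext.Builder()` while `RequestContext.newBuilder()` is the factory the class exposes and uses internally; going through `newBuilder()` keeps the test on the public path. The test lives under `hadoop-ozone/ozone-manager/src/test` (see the file header) while `RequestContext` is in `hadoop-ozone/common`, so it will only run with the ozone-manager module's tests rather than alongside the class it covers — presumably deliberate, but worth a comment if so.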