Posted to commits@ozone.apache.org by ra...@apache.org on 2021/01/20 13:06:44 UTC

[ozone] branch master updated: HDDS-4593. Refine IAccessAuthorizer interface to do recursive ACL check on a path (#1790)

This is an automated email from the ASF dual-hosted git repository.

rakeshr pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git


The following commit(s) were added to refs/heads/master by this push:
     new 026c625  HDDS-4593. Refine IAccessAuthorizer interface to do recursive ACL check on a path (#1790)
026c625 is described below

commit 026c625d48623b6b4879d70b963e3f008ee26f1e
Author: Rakesh Radhakrishnan <ra...@apache.org>
AuthorDate: Wed Jan 20 18:36:28 2021 +0530

    HDDS-4593. Refine IAccessAuthorizer interface to do recursive ACL check on a path (#1790)
---
 .../hadoop/ozone/security/acl/RequestContext.java  | 48 ++++++++++-
 .../ozone/security/acl/TestRequestContext.java     | 94 ++++++++++++++++++++++
 2 files changed, 140 insertions(+), 2 deletions(-)

diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/RequestContext.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/RequestContext.java
index 043cd55..5e11558 100644
--- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/RequestContext.java
+++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/RequestContext.java
@@ -35,11 +35,28 @@ public class RequestContext {
   private final ACLType aclRights;
   private final String ownerName;
 
+  /**
+   * Represents recursive access check required for all the sub-paths of the
+   * given path. If the given path is not a directory, there is no effect for
+   * this flag. A true value represents recursive check, false represents
+   * non-recursive check.
+   */
+  private final boolean recursiveAccessCheck;
+
   @SuppressWarnings("parameternumber")
   public RequestContext(String host, InetAddress ip,
       UserGroupInformation clientUgi, String serviceId,
       ACLIdentityType aclType, ACLType aclRights,
       String ownerName) {
+    this(host, ip, clientUgi, serviceId, aclType, aclRights, ownerName,
+            false);
+  }
+
+  @SuppressWarnings("parameternumber")
+  public RequestContext(String host, InetAddress ip,
+      UserGroupInformation clientUgi, String serviceId,
+      ACLIdentityType aclType, ACLType aclRights,
+      String ownerName, boolean recursiveAccessCheck) {
     this.host = host;
     this.ip = ip;
     this.clientUgi = clientUgi;
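Review bot: The Javadoc on `recursiveAccessCheck` (and the matching text on `isRecursiveAccessCheck()` in the last hunk of this file) says what the flag means but not who enforces it. In this commit RequestContext only carries the value, so an IAccessAuthorizer implementation that never reads it would presumably authorize on the top-level path alone while the caller assumes the sub-paths were checked. I would add a sentence to the field comment such as `Authorizer implementations must honour this flag; one that ignores it checks only the given path.` The seven-argument constructor now delegates with `false`, so a recursive operation that forgets to opt in silently gets the narrower check; the new eight-argument constructor has no Javadoc, and that default belongs there. The constructor body continues in the next hunk.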
@@ -47,6 +64,7 @@ public class RequestContext {
     this.aclType = aclType;
     this.aclRights = aclRights;
     this.ownerName = ownerName;
+    this.recursiveAccessCheck = recursiveAccessCheck;
   }
 
   /**
@@ -66,6 +84,8 @@ public class RequestContext {
      */
     private String ownerName;
 
+    private boolean recursiveAccessCheck;
+
     public Builder setHost(String bHost) {
       this.host = bHost;
       return this;
@@ -105,9 +125,14 @@ public class RequestContext {
       return this;
     }
 
+    public Builder setRecursiveAccessCheck(boolean recursiveAccessCheckFlag) {
+      this.recursiveAccessCheck = recursiveAccessCheckFlag;
+      return this;
+    }
+
     public RequestContext build() {
       return new RequestContext(host, ip, clientUgi, serviceId, aclType,
-          aclRights, ownerName);
+          aclRights, ownerName, recursiveAccessCheck);
     }
   }
 
@@ -115,16 +140,25 @@ public class RequestContext {
     return new Builder();
   }
 
+
   public static RequestContext.Builder getBuilder(
       UserGroupInformation ugi, InetAddress remoteAddress, String hostName,
       ACLType aclType, String ownerName) {
+    return getBuilder(ugi, remoteAddress, hostName, aclType, ownerName,
+            false);
+  }
+
+  public static RequestContext.Builder getBuilder(
+      UserGroupInformation ugi, InetAddress remoteAddress, String hostName,
+      ACLType aclType, String ownerName, boolean recursiveAccessCheck) {
     RequestContext.Builder contextBuilder = RequestContext.newBuilder()
         .setClientUgi(ugi)
         .setIp(remoteAddress)
         .setHost(hostName)
         .setAclType(ACLIdentityType.USER)
         .setAclRights(aclType)
-        .setOwnerName(ownerName);
+        .setOwnerName(ownerName)
+        .setRecursiveAccessCheck(recursiveAccessCheck);
     return contextBuilder;
   }
 
@@ -163,4 +197,14 @@ public class RequestContext {
   public String getOwnerName() {
     return ownerName;
   }
+
+  /**
+   * A true value represents recursive access check required for all the
+   * sub-paths of the given path, false represents non-recursive check.
+   * <p>
+   * If the given path is not a directory, there is no effect for this flag.
+   */
+  public boolean isRecursiveAccessCheck() {
+    return recursiveAccessCheck;
+  }
 }
diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/acl/TestRequestContext.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/acl/TestRequestContext.java
new file mode 100644
index 0000000..b8b0363
--- /dev/null
+++ b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/acl/TestRequestContext.java
@@ -0,0 +1,94 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership.  The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.hadoop.ozone.security.acl;
+
+import org.apache.hadoop.security.UserGroupInformation;
+import org.junit.Assert;
+import org.junit.Test;
+
+/**
+ * Test request context.
+ */
+public class TestRequestContext {
+
+  @Test
+  public void testRecursiveAccessFlag() {
+    RequestContext context = getUserRequestContext("om",
+            IAccessAuthorizer.ACLType.CREATE, false, "volume1",
+            true);
+    Assert.assertTrue("Wrongly sets recursiveAccessCheck flag value",
+            context.isRecursiveAccessCheck());
+
+    context = getUserRequestContext("om",
+            IAccessAuthorizer.ACLType.CREATE, false, "volume1",
+            false);
+    Assert.assertFalse("Wrongly sets recursiveAccessCheck flag value",
+            context.isRecursiveAccessCheck());
+
+    context = getUserRequestContext(
+            "user1", IAccessAuthorizer.ACLType.CREATE,
+            true, "volume1");
+    Assert.assertFalse("Wrongly sets recursiveAccessCheck flag value",
+            context.isRecursiveAccessCheck());
+
+    RequestContext.Builder builder = new RequestContext.Builder();
+
+    Assert.assertFalse("Wrongly sets recursive flag value",
+            builder.build().isRecursiveAccessCheck());
+
+    builder.setRecursiveAccessCheck(true);
+    Assert.assertTrue("Wrongly sets recursive flag value",
+            builder.build().isRecursiveAccessCheck());
+
+    context = new RequestContext("host", null,
+            null, "serviceId",
+            IAccessAuthorizer.ACLIdentityType.GROUP,
+            IAccessAuthorizer.ACLType.CREATE, "owner");
+    Assert.assertFalse("Wrongly sets recursive flag value",
+            context.isRecursiveAccessCheck());
+
+    context = new RequestContext("host", null,
+            null, "serviceId",
+            IAccessAuthorizer.ACLIdentityType.GROUP,
+            IAccessAuthorizer.ACLType.CREATE, "owner", false);
+    Assert.assertFalse("Wrongly sets recursive flag value",
+            context.isRecursiveAccessCheck());
+
+    context = new RequestContext("host", null,
+            null, "serviceId",
+            IAccessAuthorizer.ACLIdentityType.GROUP,
+            IAccessAuthorizer.ACLType.CREATE, "owner", true);
+    Assert.assertTrue("Wrongly sets recursive flag value",
+            context.isRecursiveAccessCheck());
+  }
+
+  private RequestContext getUserRequestContext(String username,
+      IAccessAuthorizer.ACLType type, boolean isOwner, String ownerName,
+      boolean recursiveAccessCheck) {
+    return RequestContext.getBuilder(
+            UserGroupInformation.createRemoteUser(username), null, null,
+            type, ownerName, recursiveAccessCheck).build();
+  }
+
+  private RequestContext getUserRequestContext(String username,
+      IAccessAuthorizer.ACLType type, boolean isOwner, String ownerName) {
+    return RequestContext.getBuilder(
+            UserGroupInformation.createRemoteUser(username), null, null,
+            type, ownerName).build();
+  }
+}
+
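Review bot: Both `getUserRequestContext` helpers take an `isOwner` parameter that is never read, so the `false`/`true` values passed for it in `testRecursiveAccessFlag` have no effect on the context being built; dropping the parameter would avoid suggesting that owner status is under test. The test verifies only that the flag round-trips through the constructors, `getBuilder` and `Builder`; nothing here exercises an authorizer's decision when the flag is true, so enforcement is presumably covered elsewhere or not yet covered. The class comment `Test request context.` could say as much, for example `Tests that RequestContext carries the recursiveAccessCheck flag through its constructors and Builder.`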

