Posted to issues@ozone.apache.org by "Mukul Kumar Singh (Jira)" <ji...@apache.org> on 2021/05/11 01:46:00 UTC
[jira] [Commented] (HDDS-5205) Make admin check work for SCM HA cluster
[ https://issues.apache.org/jira/browse/HDDS-5205?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17342239#comment-17342239 ]
Mukul Kumar Singh commented on HDDS-5205:
-----------------------------------------
[~bharat], should we use shortUserName even here?
> Make admin check work for SCM HA cluster
> ----------------------------------------
>
> Key: HDDS-5205
> URL: https://issues.apache.org/jira/browse/HDDS-5205
> Project: Apache Ozone
> Issue Type: Task
> Components: SCM HA, Security
> Reporter: Bharat Viswanadham
> Assignee: Bharat Viswanadham
> Priority: Major
>
> By default, the user started principal is added to scmAdminUsernames.
> {code:java}
> String scmUsername = UserGroupInformation.getCurrentUser().getUserName();
> if (!scmAdminUsernames.contains(scmUsername)) {
>   scmAdminUsernames.add(scmUsername);
> }
> {code}
> In an HA cluster, when we kinit with the scm2 principal while scm1 is leader, we get access denied, as we check getUserName() and also use getUserName() when adding to the admin list.
> In OM we don't have this kind of issue, as getShortUserName() is used.
> {code:java}
> String omSPN = UserGroupInformation.getCurrentUser().getShortUserName();
> if (!ozAdmins.contains(omSPN)) {
>   ozAdmins.add(omSPN);
> }
> {code}
> And during admin check it compares with both userName and shortUserName.
> {code:java}
> if (ozAdmins.contains(callerUgi.getShortUserName()) ||
> ozAdmins.contains(callerUgi.getUserName()) ||
> {code}
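The mismatch described in the issue, as an added example that is not part of the original message or of Ozone's code. The principals are constructed, and `shortName()` is a hypothetical, simplified stand-in for `UserGroupInformation.getShortUserName()`, which in Hadoop applies the configured auth_to_local rules.

```java
import java.util.HashSet;
import java.util.Set;

// Added illustration; not Ozone source. Principals below are constructed.
public class ScmAdminCheckDemo {

  // Hypothetical simplification of getShortUserName(): keep the first
  // component of "primary/instance@REALM". Real Hadoop uses auth_to_local.
  static String shortName(String principal) {
    int end = principal.length();
    int at = principal.indexOf('@');
    if (at >= 0) {
      end = at;
    }
    int slash = principal.indexOf('/');
    if (slash >= 0 && slash < end) {
      end = slash;
    }
    return principal.substring(0, end);
  }

  // Check as the issue describes it for SCM: full principal name only.
  static boolean isAdminFullNameOnly(Set<String> admins, String caller) {
    return admins.contains(caller);
  }

  // Check as the issue describes it for OM: short name or full name.
  static boolean isAdminShortOrFull(Set<String> admins, String caller) {
    return admins.contains(shortName(caller)) || admins.contains(caller);
  }

  public static void main(String[] args) {
    String scm1 = "scm/scm1.example.com@EXAMPLE.COM"; // leader's principal
    String scm2 = "scm/scm2.example.com@EXAMPLE.COM"; // caller after kinit

    // SCM behaviour: the leader adds its own full, host-specific name,
    // so a caller holding the scm2 principal is not found in the list.
    Set<String> scmAdmins = new HashSet<>();
    scmAdmins.add(scm1);
    System.out.println("full-name list admits scm2: "
        + isAdminFullNameOnly(scmAdmins, scm2));

    // OM-style behaviour: the short name is added and compared, so the
    // host part of the principal no longer affects the decision.
    Set<String> omStyleAdmins = new HashSet<>();
    omStyleAdmins.add(shortName(scm1));
    System.out.println("short-name list admits scm2: "
        + isAdminShortOrFull(omStyleAdmins, scm2));
  }
}
```

With short-name matching, every principal that maps to an admin short name passes the check, so the auth_to_local mapping becomes part of the admin boundary.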