Posted to commits@ozone.apache.org by er...@apache.org on 2022/06/15 22:09:54 UTC
[ozone] branch master updated: HDDS-6870 Clean up isTenantAdmin to use UGI (#3503)
This is an automated email from the ASF dual-hosted git repository.
erose pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/master by this push:
new 17d3301a90 HDDS-6870 Clean up isTenantAdmin to use UGI (#3503)
17d3301a90 is described below
commit 17d3301a908af2df7683a0c61b8ee3ae8dd41d6a
Author: Ritesh H Shukla <ke...@gmail.com>
AuthorDate: Wed Jun 15 15:09:49 2022 -0700
HDDS-6870 Clean up isTenantAdmin to use UGI (#3503)
---
.../apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java | 3 +--
.../main/java/org/apache/hadoop/ozone/om/OzoneManager.java | 3 ++-
.../hadoop/ozone/om/ratis/OzoneManagerStateMachine.java | 13 +++++++++----
.../ozone/om/request/upgrade/OMFinalizeUpgradeRequest.java | 14 ++++++++------
.../ozone/om/ratis/TestOzoneManagerStateMachine.java | 13 +++++++++++--
.../hadoop/ozone/om/request/key/TestOMKeyRequest.java | 1 -
6 files changed, 31 insertions(+), 16 deletions(-)
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java
index 520c2041bc..faa998e4c3 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java
@@ -672,8 +672,7 @@ public class OMMultiTenantManagerImpl implements OMMultiTenantManager {
} else {
return isTenantAdmin(callerUgi.getShortUserName(), tenantId, delegated)
|| isTenantAdmin(callerUgi.getUserName(), tenantId, delegated)
- || ozoneManager.isAdmin(callerUgi.getShortUserName())
- || ozoneManager.isAdmin(callerUgi.getUserName());
+ || ozoneManager.isAdmin(callerUgi);
}
}
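Review bot: The retained line delegates the OM-admin check to `ozoneManager.isAdmin(callerUgi)`, but the two removed lines checked both `getShortUserName()` and `getUserName()`, and this diff does not show the body of the UGI overload, so it cannot be confirmed here that it still covers both forms; if it checks only one, an admin listed under the other form silently loses tenant-admin rights. Once that is confirmed, a comment on the retained line would stop the next reader from asking the same question: `// isAdmin(UGI) checks both the short and the full user name, so the two String checks that used to follow are redundant.` The enclosing method begins outside the hunk.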
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
index a277c2d67b..408d2e67f4 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
@@ -4039,7 +4039,8 @@ public final class OzoneManager extends ServiceRuntimeInfoImpl
}
}
- public boolean isAdmin(String username) {
+ @VisibleForTesting
+ private boolean isAdmin(String username) {
if (omAdminUsernames == null) {
return false;
} else {
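Review bot: `@VisibleForTesting` on a method that the same line makes `private` is contradictory: the annotation documents that visibility was widened for tests, but a private method is not reachable from tests at all, and the two test hunks in this commit in fact delete their `isAdmin(any(String.class))` stubs. Either drop the annotation, `private boolean isAdmin(String username) {`, or keep it and use package-private visibility if a test still needs the String form. The method body continues past the hunk, so the `else` branch that reads `omAdminUsernames` is not reviewable here.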
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/OzoneManagerStateMachine.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/OzoneManagerStateMachine.java
index c8c69d4f6d..69b5e56415 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/OzoneManagerStateMachine.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/OzoneManagerStateMachine.java
@@ -48,6 +48,7 @@ import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos
.OMResponse;
import org.apache.hadoop.ozone.protocolPB.OzoneManagerRequestHandler;
import org.apache.hadoop.ozone.protocolPB.RequestHandler;
+import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.util.concurrent.HadoopExecutors;
import org.apache.ratis.proto.RaftProtos;
import org.apache.ratis.proto.RaftProtos.StateMachineLogEntryProto;
@@ -241,10 +242,14 @@ public class OzoneManagerStateMachine extends BaseStateMachine {
// Must authenticate prepare requests here, since we must determine
// whether or not to apply the prepare gate before proceeding with the
// prepare request.
- String username = request.getUserInfo().getUserName();
- if (ozoneManager.getAclsEnabled() && !ozoneManager.isAdmin(username)) {
- String message = "Access denied for user " + username + ". " +
- "Superuser privilege is required to prepare ozone managers.";
+ UserGroupInformation userGroupInformation =
+ UserGroupInformation.createRemoteUser(
+ request.getUserInfo().getUserName());
+ if (ozoneManager.getAclsEnabled()
+ && !ozoneManager.isAdmin(userGroupInformation)) {
+ String message = "Access denied for user " + userGroupInformation
+ + ". "
+ + "Superuser privilege is required to prepare ozone managers.";
OMException cause =
new OMException(message, OMException.ResultCodes.ACCESS_DENIED);
// Leader should not step down because of this failure.
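Review bot: `UserGroupInformation.createRemoteUser` is now called unconditionally on `request.getUserInfo().getUserName()`, before the ACL check; when a request carries no UserInfo that name is the protobuf default empty string, and as far as I recall createRemoteUser rejects an empty name with an IllegalArgumentException, so a malformed prepare request would surface as an uncaught runtime exception in the state machine instead of the ACCESS_DENIED OMException the following lines build — which matters given the comment that the leader must not step down on this failure. The test hunks in TestOzoneManagerStateMachine adding `setUserInfo` to both requests are consistent with this behaviour change. Keeping the name as a String, short-circuiting on an empty name and only then creating the UGI under the ACL check fails closed with the intended error; it also keeps the message printing the bare user name rather than the UGI's toString(), which I believe appends the authentication method, a message change that also appears in the OMFinalizeUpgradeRequest hunk. The enclosing method starts and ends outside the hunk.
```java
      String username = request.getUserInfo().getUserName();
      // An absent or empty user name can never be an admin; deny it here
      // rather than let createRemoteUser() throw on it.
      if (ozoneManager.getAclsEnabled()
          && (username.isEmpty()
              || !ozoneManager.isAdmin(
                  UserGroupInformation.createRemoteUser(username)))) {
        String message = "Access denied for user " + username + ". "
            + "Superuser privilege is required to prepare ozone managers.";
        // … unchanged: OMException / StateMachineException construction …
```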
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/upgrade/OMFinalizeUpgradeRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/upgrade/OMFinalizeUpgradeRequest.java
index 39ec6162c0..ad3c05de7c 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/upgrade/OMFinalizeUpgradeRequest.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/upgrade/OMFinalizeUpgradeRequest.java
@@ -37,6 +37,7 @@ import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.Finaliz
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMRequest;
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMResponse;
import org.apache.hadoop.ozone.upgrade.UpgradeFinalizer.StatusAndMessages;
+import org.apache.hadoop.security.UserGroupInformation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -66,12 +67,13 @@ public class OMFinalizeUpgradeRequest extends OMClientRequest {
OMClientResponse response = null;
try {
- if (ozoneManager.getAclsEnabled()
- && !ozoneManager.isAdmin(createUGI())) {
- throw new OMException("Access denied for user "
- + createUGI() + ". "
- + "Superuser privilege is required to finalize upgrade.",
- OMException.ResultCodes.ACCESS_DENIED);
+ if (ozoneManager.getAclsEnabled()) {
+ final UserGroupInformation ugi = createUGI();
+ if (!ozoneManager.isAdmin(ugi)) {
+ throw new OMException("Access denied for user " + ugi + ". "
+ + "Superuser privilege is required to finalize upgrade.",
+ OMException.ResultCodes.ACCESS_DENIED);
+ }
}
FinalizeUpgradeRequest request =
diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/ratis/TestOzoneManagerStateMachine.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/ratis/TestOzoneManagerStateMachine.java
index 48dca13046..db63fadf30 100644
--- a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/ratis/TestOzoneManagerStateMachine.java
+++ b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/ratis/TestOzoneManagerStateMachine.java
@@ -32,6 +32,7 @@ import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.KeyArgs
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.PrepareStatusResponse.PrepareStatus;
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMRequest;
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.PrepareRequest;
+import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.UserInfo;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ratis.proto.RaftProtos;
import org.apache.ratis.protocol.exceptions.StateMachineException;
@@ -66,7 +67,6 @@ public class TestOzoneManagerStateMachine {
Mockito.mock(OzoneManagerRatisServer.class);
OzoneManager ozoneManager = Mockito.mock(OzoneManager.class);
// Allow testing of prepare pre-append gate.
- when(ozoneManager.isAdmin(any(String.class))).thenReturn(true);
when(ozoneManager.isAdmin(any(UserGroupInformation.class)))
.thenReturn(true);
@@ -270,8 +270,12 @@ public class TestOzoneManagerStateMachine {
.setCreateKeyRequest(CreateKeyRequest.newBuilder().setKeyArgs(args))
.setCmdType(Type.CreateKey)
.setClientId("123")
+ .setUserInfo(UserInfo
+ .newBuilder()
+ .setUserName("user")
+ .setHostName("localhost")
+ .setRemoteAddress("127.0.0.1"))
.build();
-
// Without prepare enabled, the txn should be returned unaltered.
TransactionContext submittedTrx = mockTransactionContext(createKeyRequest);
TransactionContext returnedTrx =
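Review bot: The `UserInfo` builder added here is duplicated verbatim in the next hunk of this file; a small helper such as `private static UserInfo.Builder testUserInfo()` returning the same `user`/`localhost`/`127.0.0.1` builder would keep both requests in step when the required fields change again. Both requests still rely on the `isAdmin(any(UserGroupInformation.class))` stub returning true, so the prepare gate's deny path — a non-admin name, and a request with no UserInfo at all — is not exercised; a case asserting the ACCESS_DENIED outcome would pin the behaviour this commit changes. The test method continues outside the hunk.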
@@ -288,6 +292,11 @@ public class TestOzoneManagerStateMachine {
.setArgs(PrepareRequestArgs.getDefaultInstance()))
.setCmdType(Type.Prepare)
.setClientId("123")
+ .setUserInfo(UserInfo
+ .newBuilder()
+ .setUserName("user")
+ .setHostName("localhost")
+ .setRemoteAddress("127.0.0.1"))
.build();
submittedTrx = mockTransactionContext(prepareRequest);
diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/key/TestOMKeyRequest.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/key/TestOMKeyRequest.java
index d538f208cd..26068664ff 100644
--- a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/key/TestOMKeyRequest.java
+++ b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/key/TestOMKeyRequest.java
@@ -134,7 +134,6 @@ public class TestOMKeyRequest {
when(ozoneManager.isRatisEnabled()).thenReturn(true);
auditLogger = Mockito.mock(AuditLogger.class);
when(ozoneManager.getAuditLogger()).thenReturn(auditLogger);
- when(ozoneManager.isAdmin(any(String.class))).thenReturn(true);
when(ozoneManager.isAdmin(any(UserGroupInformation.class)))
.thenReturn(true);
when(ozoneManager.getBucketInfo(anyString(), anyString())).thenReturn(