You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ozone.apache.org by GitBox <gi...@apache.org> on 2021/06/16 07:24:00 UTC
[GitHub] [ozone] pakapoj-tul opened a new pull request #2343: HDDS-5193. change to use getShortUserName instead of getUsername
pakapoj-tul opened a new pull request #2343:
URL: https://github.com/apache/ozone/pull/2343
HDDS-5193. change to use getShortUserName instead of getUsername
## What changes were proposed in this pull request?
IMHO, in kerberized cluster identity `pakapoj_tul@DEV.TAP` and `pakapoj_tul` are equal so I propose to use `getShortUsername()` instead of `getShortUsername()` from UGI interface when assign and/or compare any ACLs. To leverage **auth_to_local** property to translate any identity from `auth:KERBEROS` to plain username which should be consistent with identity from `auth:TOKEN`
## What is the link to the Apache JIRA
https://issues.apache.org/jira/browse/HDDS-5193
Please replace this section with the link to the Apache JIRA)
## How was this patch tested?
I manually tested on my ozone cluster, bare metal deployment. there are following tests
```
ozone sh vol create /vol1
ozone sh bucket create /vol1/bucket1
ozone fs -put sample_seq_data.snappy.orc /vol1/bucket1
ozone sh vol addacl --acl=user:pakapoj_tul:a /vol1
ozone sh bucket addacl --acl=user:pakapoj_tul:a /vol1/bucket1
ozone sh key addacl --acl=user:pakapoj_tul:a /vol1/bucket1/sample_seq_data.snappy.orc
ozone sh token get -t ozone.token
ozone s3 getsecret --om-service-id=dev-ozone
aws configure
aws s3 ls --endpoint http://mtg8-devozonem-01.dev.tap:9878 s3://common-bucket
aws s3api --endpoint http://mtg8-devozonem-01.dev.tap:9878 create-bucket --bucket buckettest
aws s3api --endpoint http://mtg8-devozonem-01.dev.tap:9878 delete-bucket --bucket buckettest
aws s3 cp --endpoint http://mtg8-devozonem-01.dev.tap:9878 README.md s3://common-bucket
aws s3 rm --endpoint http://mtg8-devozonem-01.dev.tap:9878 s3://common-bucket/README.md
```
also test by running spark application in cluster mode
```
val data = spark.read.format("orc").load(src)
data.write.format("orc").save(des)
```
given
```
src = "ofs://dev-ozone/vol1/bucket1/sample_seq_data.snappy.orc"
des = "ofs://dev-ozone/vol1/bucket1/mykey"
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org
[GitHub] [ozone] pakapoj-tul commented on a change in pull request #2343: HDDS-5193. change to use getShortUserName instead of getUsername
Posted by GitBox <gi...@apache.org>.
pakapoj-tul commented on a change in pull request #2343:
URL: https://github.com/apache/ozone/pull/2343#discussion_r659482657
##########
File path: hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java
##########
@@ -541,7 +541,7 @@ private static void verifySpaceQuota(long quota) throws OMException {
* @return listOfAcls
* */
private List<OzoneAcl> getAclList() {
- return OzoneAclUtil.getAclList(ugi.getUserName(), ugi.getGroupNames(),
+ return OzoneAclUtil.getAclList(ugi.getShortUserName(), ugi.getGroupNames(),
Review comment:
Hi @xiaoyuyao , thank for the reply, I was unable to response earlier due to the current workload.
yeah, I think the id should be from the server side also. donno the process earlier :) let me check then.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org
[GitHub] [ozone] pakapoj-tul commented on a change in pull request #2343: HDDS-5193. change to use getShortUserName instead of getUsername
Posted by GitBox <gi...@apache.org>.
pakapoj-tul commented on a change in pull request #2343:
URL: https://github.com/apache/ozone/pull/2343#discussion_r659482657
##########
File path: hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java
##########
@@ -541,7 +541,7 @@ private static void verifySpaceQuota(long quota) throws OMException {
* @return listOfAcls
* */
private List<OzoneAcl> getAclList() {
- return OzoneAclUtil.getAclList(ugi.getUserName(), ugi.getGroupNames(),
+ return OzoneAclUtil.getAclList(ugi.getShortUserName(), ugi.getGroupNames(),
Review comment:
Hi @xiaoyuyao , thank for the reply, I was unable to response earlier due to the workload.
yeah, I think the id should be from the server side also. donno the process earlier :) let me check then.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org
[GitHub] [ozone] pakapoj-tul commented on a change in pull request #2343: HDDS-5193. change to use getShortUserName instead of getUsername
Posted by GitBox <gi...@apache.org>.
pakapoj-tul commented on a change in pull request #2343:
URL: https://github.com/apache/ozone/pull/2343#discussion_r665911628
##########
File path: hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java
##########
@@ -541,7 +541,7 @@ private static void verifySpaceQuota(long quota) throws OMException {
* @return listOfAcls
* */
private List<OzoneAcl> getAclList() {
- return OzoneAclUtil.getAclList(ugi.getUserName(), ugi.getGroupNames(),
+ return OzoneAclUtil.getAclList(ugi.getShortUserName(), ugi.getGroupNames(),
Review comment:
Hi @xiaoyuyao as i checked the ACLs assignment was happened [here](https://github.com/apache/ozone/blob/master/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java#L249) and where ACLs was given from the client side so just wanna confirm with you first that we ignore this and build a new one from `userInfo`?
[Request payload.txt](https://github.com/apache/ozone/files/6782127/Request.payload.txt)
Another question is where should I call the `getRemoteUser()`?, I try to called it in [here](https://github.com/apache/ozone/blob/master/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java#L249) but it failed tho.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org
[GitHub] [ozone] pakapoj-tul commented on a change in pull request #2343: HDDS-5193. change to use getShortUserName instead of getUsername
Posted by GitBox <gi...@apache.org>.
pakapoj-tul commented on a change in pull request #2343:
URL: https://github.com/apache/ozone/pull/2343#discussion_r666684427
##########
File path: hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java
##########
@@ -541,7 +541,7 @@ private static void verifySpaceQuota(long quota) throws OMException {
* @return listOfAcls
* */
private List<OzoneAcl> getAclList() {
- return OzoneAclUtil.getAclList(ugi.getUserName(), ugi.getGroupNames(),
+ return OzoneAclUtil.getAclList(ugi.getShortUserName(), ugi.getGroupNames(),
Review comment:
Hi, seem to be very odd if the ACL was set using authenticated user ugi.
<img width="1550" alt="Screen Shot 2564-07-09 at 11 21 00" src="https://user-images.githubusercontent.com/71322162/125028591-84198e80-e0b2-11eb-996b-4685c6835b66.png">
My thoughts was if we have `data_pipeline` user as a writer who write data to `/vol1/bucket1/mykey` and `data_sci` as a reader who read data at `/vol1/bucket1/mykey` , we have to reassign `/vol1/bucket1/mykey` acl = `/vol1/bucket1/` anyway…
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org
[GitHub] [ozone] pakapoj-tul commented on a change in pull request #2343: HDDS-5193. change to use getShortUserName instead of getUsername
Posted by GitBox <gi...@apache.org>.
pakapoj-tul commented on a change in pull request #2343:
URL: https://github.com/apache/ozone/pull/2343#discussion_r666694784
##########
File path: hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java
##########
@@ -541,7 +541,7 @@ private static void verifySpaceQuota(long quota) throws OMException {
* @return listOfAcls
* */
private List<OzoneAcl> getAclList() {
- return OzoneAclUtil.getAclList(ugi.getUserName(), ugi.getGroupNames(),
+ return OzoneAclUtil.getAclList(ugi.getShortUserName(), ugi.getGroupNames(),
Review comment:
Ref to the case above, user can't to inherit the acl to the children so I think we should inherit the acl
What’s the meaning of `aclscope` `ACCESS` and `DEFAULT` tho?
```
enum OzoneAclScope {
ACCESS = 0;
DEFAULT = 1;
}
```
b/c it filter only `DEFAULT` acl from what I see [here](https://github.com/apache/ozone/blob/master/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OzoneAclUtil.java#L171)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org
[GitHub] [ozone] pakapoj-tul commented on a change in pull request #2343: HDDS-5193. change to use getShortUserName instead of getUsername
Posted by GitBox <gi...@apache.org>.
pakapoj-tul commented on a change in pull request #2343:
URL: https://github.com/apache/ozone/pull/2343#discussion_r659483268
##########
File path: hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OzoneAclUtil.java
##########
@@ -126,7 +126,7 @@ private static boolean checkAccessInAcl(OzoneAcl a, String[] groups,
public static boolean checkAclRights(List<OzoneAcl> acls,
RequestContext context) throws OMException {
String[] userGroups = context.getClientUgi().getGroupNames();
- String userName = context.getClientUgi().getUserName();
+ String userName = context.getClientUgi().getShortUserName();
Review comment:
note for reproduce the test case
```
cd compose/ozonesecure
docker-compose up -d
docker-compose --scale datanode=3
docker-compose exec scm bash
robot smoketest/basic/links.robot
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org