You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ozone.apache.org by "Zita Dombi (Jira)" <ji...@apache.org> on 2022/09/20 15:44:00 UTC
[jira] [Assigned] (HDDS-7240) List all volume operation should go through ACL check as well in order to trigger audit logging
[ https://issues.apache.org/jira/browse/HDDS-7240?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Zita Dombi reassigned HDDS-7240:
--------------------------------
Assignee: Zita Dombi
> List all volume operation should go through ACL check as well in order to trigger audit logging
> -----------------------------------------------------------------------------------------------
>
> Key: HDDS-7240
> URL: https://issues.apache.org/jira/browse/HDDS-7240
> Project: Apache Ozone
> Issue Type: Bug
> Reporter: Zita Dombi
> Assignee: Zita Dombi
> Priority: Major
>
> The list all volume operation at the moment only goes through the ACL check if the list all volume is not enabled ({{{}ozone.om.volume.listall.allowed{}}}).
> {code:java}
> if (!allowListAllVolumes) {
> // Only admin can list all volumes when disallowed in config
> if (isAclEnabled) {
> checkAcls(ResourceType.VOLUME, StoreType.OZONE, ACLType.LIST,
> OzoneConsts.OZONE_ROOT, null, null);
> }
> }
> return volumeManager.listVolumes(null, prefix, prevKey, maxKeys);{code}
> With this the audit logging is not triggered if the list all volumes is enabled. We can remove the [if condition|https://github.com/apache/ozone/blob/master/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java#L2712], so the ACL check gets called in every case and the audit logging will happen.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org