Posted to issues@ozone.apache.org by "Siyao Meng (Jira)" <ji...@apache.org> on 2020/03/24 08:47:00 UTC

[jira] [Created] (HDDS-3255) Any user can delete volumes when ACL is disabled

Siyao Meng created HDDS-3255:
--------------------------------

             Summary: Any user can delete volumes when ACL is disabled
                 Key: HDDS-3255
                 URL: https://issues.apache.org/jira/browse/HDDS-3255
             Project: Hadoop Distributed Data Store
          Issue Type: Bug
            Reporter: Siyao Meng
            Assignee: Siyao Meng


I just discovered that when ACL is disabled (ozone.acl.enabled=false), any non-admin user can delete volumes even when that user is not the owner of the volume.

Base branch: c0b18c338
{code:Environment}
mvn clean install -Pdist -DskipTests -e -Dmaven.javadoc.skip=true -DskipShade -DskipRecon -pl \!:hadoop-ozone-integration-test
cd hadoop-ozone/dist/target/ozone-0.5.0-SNAPSHOT/compose/ozonesecure
vim docker-config
# Search for OZONE-SITE.XML_ozone.acl.enabled=true
# Change it to OZONE-SITE.XML_ozone.acl.enabled=false
# Save and quit vim
docc up -d --scale datanode=3
docc exec scm /bin/bash
# Wait for ~20s for the cluster to start up
{code}

Proof:
{code:title=Prep with admin testuser}
bash-4.2$ kinit -kt /etc/security/keytabs/testuser.keytab testuser/scm@EXAMPLE.COM
bash-4.2$ ozone sh volume create vol1
bash-4.2$ ozone sh volume create vol2
bash-4.2$ ozone sh volume setacl vol1 -al world::a
ACL(s) set successfully.
bash-4.2$ ozone sh volume removeacl vol2 -a GROUP:root:a
ACL removed successfully.
bash-4.2$ ozone sh volume list
{
  "metadata" : { },
  "name" : "vol1",
  "admin" : "root",
  "owner" : "testuser/scm@EXAMPLE.COM",
  "creationTime" : "2020-03-24T08:29:32.167Z",
  "acls" : [ {
    "type" : "WORLD",
    "name" : "WORLD",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
{
  "metadata" : { },
  "name" : "vol2",
  "admin" : "root",
  "owner" : "testuser/scm@EXAMPLE.COM",
  "creationTime" : "2020-03-24T08:29:37.727Z",
  "acls" : [ {
    "type" : "USER",
    "name" : "testuser/scm@EXAMPLE.COM",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
bash-4.2$ kdestroy
{code}

Note: the below uses an uncommitted feature {{ozone sh volume list --all}} in HDDS-3056. It lists all volumes on OM.

{code:title=Delete volume with non-admin user testuser2}
bash-4.2$ kinit -kt /etc/security/keytabs/testuser2.keytab testuser2/scm@EXAMPLE.COM
bash-4.2$ ozone sh volume list --all
{
  "metadata" : { },
  "name" : "vol1",
  "admin" : "root",
  "owner" : "testuser/scm@EXAMPLE.COM",
  "creationTime" : "2020-03-24T08:29:32.167Z",
  "acls" : [ {
    "type" : "WORLD",
    "name" : "WORLD",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
{
  "metadata" : { },
  "name" : "vol2",
  "admin" : "root",
  "owner" : "testuser/scm@EXAMPLE.COM",
  "creationTime" : "2020-03-24T08:29:37.727Z",
  "acls" : [ {
    "type" : "USER",
    "name" : "testuser/scm@EXAMPLE.COM",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
bash-4.2$ ozone sh volume list
bash-4.2$ ozone sh volume delete vol2
Volume vol2 is deleted
bash-4.2$ ozone sh volume list
bash-4.2$ ozone sh volume list --all
{
  "metadata" : { },
  "name" : "vol1",
  "admin" : "root",
  "owner" : "testuser/scm@EXAMPLE.COM",
  "creationTime" : "2020-03-24T08:29:32.167Z",
  "acls" : [ {
    "type" : "WORLD",
    "name" : "WORLD",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
{code}

Question:
1. Is this because "admin" : "root", therefore the delete command can be issued? From the [code|https://github.com/apache/hadoop-ozone/blob/56def9f0b8c89588a8008e21e299047e3cbeb37a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java#L1765-L1779] it seems it doesn't really have any owner/admin checks when ACL is disabled.
2. Is this by design?

CC [~xyao]



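Added example, not part of the original report or of the Ozone code base: an audit helper that reads a volume listing in the shape shown above (back-to-back JSON objects, not a JSON array) and reports the volumes whose ACLs do not grant a given principal a right, which are the volumes that nothing protects from that principal once ozone.acl.enabled=false. The function names, the trimmed sample listing, the "DELETE" right name and the simplified evaluation (owner match plus ACCESS-scope USER/WORLD entries, no groups or admins) are assumptions made for illustration.

```python
import json

# Constructed sample: the two volume records from the report, trimmed to the
# fields used here, in the same concatenated-object layout the CLI prints.
SAMPLE_LISTING = """
{
  "name" : "vol1",
  "owner" : "testuser/scm@EXAMPLE.COM",
  "acls" : [ { "type" : "WORLD", "name" : "WORLD", "aclScope" : "ACCESS", "aclList" : [ "ALL" ] } ]
}
{
  "name" : "vol2",
  "owner" : "testuser/scm@EXAMPLE.COM",
  "acls" : [ { "type" : "USER", "name" : "testuser/scm@EXAMPLE.COM", "aclScope" : "ACCESS", "aclList" : [ "ALL" ] } ]
}
"""

def parse_volumes(text):
    """Decode a stream of concatenated JSON objects into a list of dicts."""
    decoder, pos, volumes = json.JSONDecoder(), 0, []
    while pos < len(text):
        if text[pos].isspace():      # raw_decode rejects leading whitespace
            pos += 1
            continue
        obj, pos = decoder.raw_decode(text, pos)
        volumes.append(obj)
    return volumes

def acl_grants(volume, principal, right="DELETE"):
    """Simplified model (assumption): owner, or a matching USER/WORLD entry with the right or ALL."""
    if volume.get("owner") == principal:
        return True
    for acl in volume.get("acls", []):
        if acl.get("aclScope") != "ACCESS":
            continue
        applies = acl.get("type") == "WORLD" or (
            acl.get("type") == "USER" and acl.get("name") == principal)
        if applies and {right, "ALL"} & set(acl.get("aclList", [])):
            return True
    return False

def unprotected_when_acl_disabled(text, principal, right="DELETE"):
    """Names of volumes where only ACL enforcement stands between the principal and `right`."""
    return [v["name"] for v in parse_volumes(text) if not acl_grants(v, principal, right)]

if __name__ == "__main__":
    print(unprotected_when_acl_disabled(SAMPLE_LISTING, "testuser2/scm@EXAMPLE.COM"))
```

For the data in the report, testuser2 is granted access to vol1 through the WORLD entry but has no grant on vol2, the volume the report shows being deleted.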