Posted to commits@ozone.apache.org by si...@apache.org on 2022/07/08 23:18:48 UTC
[ozone] branch master updated: HDDS-6968. Addendum: [Multi-Tenant] Fix USER_MISMATCH error even on correct user. (#3578)
This is an automated email from the ASF dual-hosted git repository.
siyao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/master by this push:
new c48a7b09ae HDDS-6968. Addendum: [Multi-Tenant] Fix USER_MISMATCH error even on correct user. (#3578)
c48a7b09ae is described below
commit c48a7b09ae2f8c0cd75270853de368b479277d40
Author: Aswin Shakil Balasubramanian <as...@gmail.com>
AuthorDate: Fri Jul 8 16:18:42 2022 -0700
HDDS-6968. Addendum: [Multi-Tenant] Fix USER_MISMATCH error even on correct user. (#3578)
---
.../om/request/s3/security/S3SecretRequestHelper.java | 14 ++++++++------
.../om/request/s3/security/TestS3GetSecretRequest.java | 11 +++++------
2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3SecretRequestHelper.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3SecretRequestHelper.java
index dec9cf1c12..385c057b67 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3SecretRequestHelper.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3SecretRequestHelper.java
@@ -49,8 +49,6 @@ public final class S3SecretRequestHelper {
OzoneManager ozoneManager, UserGroupInformation ugi, String accessId)
throws IOException {
- final String username = ugi.getShortUserName();
-
// Flag indicating whether the accessId is assigned to a tenant
// (under S3 Multi-Tenancy feature) or not.
boolean isAccessIdAssignedToTenant = false;
@@ -74,12 +72,15 @@ public final class S3SecretRequestHelper {
multiTenantManager.getUserNameGivenAccessId(accessId);
final String tenantId = optionalTenantId.get();
+ // Access ID owner is short name
+ final String shortName = ugi.getShortUserName();
+
// HDDS-6691: ugi should either own the access ID, or be an Ozone/tenant
// admin to pass the check.
- if (!username.equals(accessIdOwnerUsername) &&
+ if (!shortName.equals(accessIdOwnerUsername) &&
!multiTenantManager.isTenantAdmin(ugi, tenantId, false)) {
throw new OMException("Requested accessId '" + accessId + "' doesn't"
- + " belong to current user '" + username + "', nor does"
+ + " belong to current user '" + shortName + "', nor does"
+ " current user have Ozone or tenant administrator privilege",
ResultCodes.USER_MISMATCH);
// Note: A more fitting result code could be PERMISSION_DENIED,
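Review bot: The new `shortName` at the top of the tenant branch needs a comment explaining why it must remain the short name while the fallback check in the next hunk (`fullPrincipal`) compares the full Kerberos principal: per the commit's own remark, the tenant access-ID owner is recorded as a short name, so the two checks deliberately use different identity representations, and a later "cleanup" that unifies them would reintroduce the USER_MISMATCH regression this addendum fixes. Suggested replacement for `// Access ID owner is short name`: `// Tenant access-ID owners are stored as the short (auth_to_local-mapped) user name, so compare ugi.getShortUserName() here; the non-tenant fallback below compares the full principal instead.` Since this ownership test is short-name equality, any auth_to_local rule that maps several principals onto the same short name lets each of them pass as the owner, so the check's strength rests on those mapping rules — worth stating in the comment so operators know what to review. The enclosing method starts before this hunk.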
@@ -95,11 +96,12 @@ public final class S3SecretRequestHelper {
// 2. If S3 multi-tenancy is disabled (or the access ID is not assigned
// to a tenant), fall back to the old permission check.
+ final String fullPrincipal = ugi.getUserName();
if (!isAccessIdAssignedToTenant &&
- !username.equals(accessId) && !ozoneManager.isAdmin(ugi)) {
+ !fullPrincipal.equals(accessId) && !ozoneManager.isAdmin(ugi)) {
throw new OMException("Requested accessId '" + accessId +
- "' doesn't match current user '" + username +
+ "' doesn't match current user '" + fullPrincipal +
"', nor does current user has administrator privilege.",
OMException.ResultCodes.USER_MISMATCH);
}
diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3GetSecretRequest.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3GetSecretRequest.java
index 969f046e36..ad80c3b7da 100644
--- a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3GetSecretRequest.java
+++ b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3GetSecretRequest.java
@@ -90,7 +90,6 @@ public class TestS3GetSecretRequest {
// Multi-tenant related vars
private static final String USER_ALICE = "alice@EXAMPLE.COM";
- private static final String USER_ALICE_SHORT = "alice";
private static final String TENANT_ID = "finance";
private static final String USER_BOB_SHORT = "bob";
private static final String ACCESS_ID_BOB =
@@ -247,7 +246,7 @@ public class TestS3GetSecretRequest {
S3GetSecretRequest s3GetSecretRequest1 =
new S3GetSecretRequest(
new S3GetSecretRequest(
- s3GetSecretRequest(USER_ALICE_SHORT)
+ s3GetSecretRequest(USER_ALICE)
).preExecute(ozoneManager)
);
@@ -263,7 +262,7 @@ public class TestS3GetSecretRequest {
// Check response
final S3SecretValue s3SecretValue = s3GetSecretResponse.getS3SecretValue();
- Assert.assertEquals(USER_ALICE_SHORT, s3SecretValue.getKerberosID());
+ Assert.assertEquals(USER_ALICE, s3SecretValue.getKerberosID());
final String awsSecret1 = s3SecretValue.getAwsSecret();
Assert.assertNotNull(awsSecret1);
@@ -271,7 +270,7 @@ public class TestS3GetSecretRequest {
s3GetSecretResponse.getOMResponse().getGetS3SecretResponse();
// The secret inside should be the same.
final S3Secret s3Secret1 = getS3SecretResponse.getS3Secret();
- Assert.assertEquals(USER_ALICE_SHORT, s3Secret1.getKerberosID());
+ Assert.assertEquals(USER_ALICE, s3Secret1.getKerberosID());
Assert.assertEquals(awsSecret1, s3Secret1.getAwsSecret());
@@ -282,7 +281,7 @@ public class TestS3GetSecretRequest {
S3GetSecretRequest s3GetSecretRequest2 =
new S3GetSecretRequest(
new S3GetSecretRequest(
- s3GetSecretRequest(USER_ALICE_SHORT)
+ s3GetSecretRequest(USER_ALICE)
).preExecute(ozoneManager)
);
@@ -303,7 +302,7 @@ public class TestS3GetSecretRequest {
s3GetSecretResponse2.getOMResponse().getGetS3SecretResponse();
// The secret inside should be the same.
final S3Secret s3Secret2 = getS3SecretResponse2.getS3Secret();
- Assert.assertEquals(USER_ALICE_SHORT, s3Secret2.getKerberosID());
+ Assert.assertEquals(USER_ALICE, s3Secret2.getKerberosID());
// Should get the same secret as the first request's.
Assert.assertEquals(awsSecret1, s3Secret2.getAwsSecret());
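Review bot: After removing `USER_ALICE_SHORT`, every request in these hunks is issued as the full principal `USER_ALICE` against a non-tenant access ID, so the short-name ownership path in `S3SecretRequestHelper` (access ID assigned to a tenant, caller identified by `ugi.getShortUserName()`) and the negative case where a different user is rejected with `USER_MISMATCH` appear uncovered here. If the rest of the class does not already exercise them, a test for each would pin the behaviour this addendum fixes — for example a tenant-assigned access ID requested by its short-name owner succeeding, and the same access ID requested by a non-admin `USER_ALICE` failing with `USER_MISMATCH`. The enclosing test methods start and end outside these hunks.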