Posted to commits@ozone.apache.org by si...@apache.org on 2022/07/08 23:18:48 UTC

[ozone] branch master updated: HDDS-6968. Addendum: [Multi-Tenant] Fix USER_MISMATCH error even on correct user. (#3578)

This is an automated email from the ASF dual-hosted git repository.

siyao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git


The following commit(s) were added to refs/heads/master by this push:
     new c48a7b09ae HDDS-6968. Addendum: [Multi-Tenant] Fix USER_MISMATCH error even on correct user. (#3578)
c48a7b09ae is described below

commit c48a7b09ae2f8c0cd75270853de368b479277d40
Author: Aswin Shakil Balasubramanian <as...@gmail.com>
AuthorDate: Fri Jul 8 16:18:42 2022 -0700

    HDDS-6968. Addendum: [Multi-Tenant] Fix USER_MISMATCH error even on correct user. (#3578)
---
 .../om/request/s3/security/S3SecretRequestHelper.java      | 14 ++++++++------
 .../om/request/s3/security/TestS3GetSecretRequest.java     | 11 +++++------
 2 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3SecretRequestHelper.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3SecretRequestHelper.java
index dec9cf1c12..385c057b67 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3SecretRequestHelper.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3SecretRequestHelper.java
@@ -49,8 +49,6 @@ public final class S3SecretRequestHelper {
       OzoneManager ozoneManager, UserGroupInformation ugi, String accessId)
       throws IOException {
 
-    final String username = ugi.getShortUserName();
-
     // Flag indicating whether the accessId is assigned to a tenant
     // (under S3 Multi-Tenancy feature) or not.
     boolean isAccessIdAssignedToTenant = false;
@@ -74,12 +72,15 @@ public final class S3SecretRequestHelper {
             multiTenantManager.getUserNameGivenAccessId(accessId);
         final String tenantId = optionalTenantId.get();
 
+        // Access ID owner is short name
+        final String shortName = ugi.getShortUserName();
+
         // HDDS-6691: ugi should either own the access ID, or be an Ozone/tenant
         // admin to pass the check.
-        if (!username.equals(accessIdOwnerUsername) &&
+        if (!shortName.equals(accessIdOwnerUsername) &&
             !multiTenantManager.isTenantAdmin(ugi, tenantId, false)) {
           throw new OMException("Requested accessId '" + accessId + "' doesn't"
-              + " belong to current user '" + username + "', nor does"
+              + " belong to current user '" + shortName + "', nor does"
               + " current user have Ozone or tenant administrator privilege",
               ResultCodes.USER_MISMATCH);
           // Note: A more fitting result code could be PERMISSION_DENIED,
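Review bot: The ownership check on the new `shortName` line compares an auth_to_local-mapped short user name, so every principal whose mapping yields the same short name as the recorded owner is accepted as the owner (for example two `alice` principals from different realms, if the cluster's rules strip the realm); this assumes Hadoop's getShortUserName applies the configured auth_to_local rules, which is my understanding but is not visible in the hunk. That is only sound as long as access-ID assignment records the owner in the same mapped form, which the added comment implies but does not state. I would make the comment explicit: `// Access ID owner is recorded as the short (auth_to_local-mapped) user name; compare the caller's short name so both sides use the same form.` The enclosing method starts and ends outside this hunk.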
@@ -95,11 +96,12 @@ public final class S3SecretRequestHelper {
 
     // 2. If S3 multi-tenancy is disabled (or the access ID is not assigned
     // to a tenant), fall back to the old permission check.
+    final String fullPrincipal = ugi.getUserName();
     if (!isAccessIdAssignedToTenant &&
-        !username.equals(accessId) && !ozoneManager.isAdmin(ugi)) {
+        !fullPrincipal.equals(accessId) && !ozoneManager.isAdmin(ugi)) {
 
       throw new OMException("Requested accessId '" + accessId +
-          "' doesn't match current user '" + username +
+          "' doesn't match current user '" + fullPrincipal +
           "', nor does current user has administrator privilege.",
           OMException.ResultCodes.USER_MISMATCH);
     }
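Review bot: The fallback check now compares `fullPrincipal` (ugi.getUserName()) with the access ID while the tenant branch earlier in the method compares the short name, and nothing in the hunk says why the two paths use different identity forms. The accompanying test change (USER_ALICE = "alice@EXAMPLE.COM" passed as the access ID and expected back as the kerberosID) suggests legacy, non-tenant access IDs are the caller's full principal, so that should be written down next to the new line, e.g. `// Legacy (non-tenant) access IDs are the caller's full principal, so compare ugi.getUserName() here; tenant access IDs are matched by short name above.` Under simple authentication the full and short names coincide, so this only changes behaviour for Kerberos deployments (inferred from UGI, not from the hunk). The enclosing method starts and ends outside this hunk.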
diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3GetSecretRequest.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3GetSecretRequest.java
index 969f046e36..ad80c3b7da 100644
--- a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3GetSecretRequest.java
+++ b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3GetSecretRequest.java
@@ -90,7 +90,6 @@ public class TestS3GetSecretRequest {
 
   // Multi-tenant related vars
   private static final String USER_ALICE = "alice@EXAMPLE.COM";
-  private static final String USER_ALICE_SHORT = "alice";
   private static final String TENANT_ID = "finance";
   private static final String USER_BOB_SHORT = "bob";
   private static final String ACCESS_ID_BOB =
@@ -247,7 +246,7 @@ public class TestS3GetSecretRequest {
     S3GetSecretRequest s3GetSecretRequest1 =
         new S3GetSecretRequest(
             new S3GetSecretRequest(
-                s3GetSecretRequest(USER_ALICE_SHORT)
+                s3GetSecretRequest(USER_ALICE)
             ).preExecute(ozoneManager)
         );
 
@@ -263,7 +262,7 @@ public class TestS3GetSecretRequest {
 
     // Check response
     final S3SecretValue s3SecretValue = s3GetSecretResponse.getS3SecretValue();
-    Assert.assertEquals(USER_ALICE_SHORT, s3SecretValue.getKerberosID());
+    Assert.assertEquals(USER_ALICE, s3SecretValue.getKerberosID());
     final String awsSecret1 = s3SecretValue.getAwsSecret();
     Assert.assertNotNull(awsSecret1);
 
@@ -271,7 +270,7 @@ public class TestS3GetSecretRequest {
         s3GetSecretResponse.getOMResponse().getGetS3SecretResponse();
     // The secret inside should be the same.
     final S3Secret s3Secret1 = getS3SecretResponse.getS3Secret();
-    Assert.assertEquals(USER_ALICE_SHORT, s3Secret1.getKerberosID());
+    Assert.assertEquals(USER_ALICE, s3Secret1.getKerberosID());
     Assert.assertEquals(awsSecret1, s3Secret1.getAwsSecret());
 
 
@@ -282,7 +281,7 @@ public class TestS3GetSecretRequest {
     S3GetSecretRequest s3GetSecretRequest2 =
         new S3GetSecretRequest(
             new S3GetSecretRequest(
-                s3GetSecretRequest(USER_ALICE_SHORT)
+                s3GetSecretRequest(USER_ALICE)
             ).preExecute(ozoneManager)
         );
 
@@ -303,7 +302,7 @@ public class TestS3GetSecretRequest {
         s3GetSecretResponse2.getOMResponse().getGetS3SecretResponse();
     // The secret inside should be the same.
     final S3Secret s3Secret2 = getS3SecretResponse2.getS3Secret();
-    Assert.assertEquals(USER_ALICE_SHORT, s3Secret2.getKerberosID());
+    Assert.assertEquals(USER_ALICE, s3Secret2.getKerberosID());
 
     // Should get the same secret as the first request's.
     Assert.assertEquals(awsSecret1, s3Secret2.getAwsSecret());

