[GitHub] [ozone] smengcl commented on a change in pull request #1801: HDDS-4704. Add permission check in OMDBCheckpointServlet

[GitBox <gi...@apache.org>]

smengcl commented on a change in pull request #1801:
URL: https://github.com/apache/ozone/pull/1801#discussion_r565252149



##########
File path: hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMDBCheckpointServlet.java
##########
@@ -106,6 +132,37 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) {
       return;
     }
 
+    // Check ACL for dbCheckpoint only when global Ozone ACL is enable
+    if (om.getAclsEnabled()) {
+      final String remoteUser = request.getRemoteUser();
+      final java.security.Principal userPrincipal = request.getUserPrincipal();
+      if (userPrincipal == null) {
+        // Fallback to checking login user if userPrincipal is null.
+        // Note: In prod, a secure cluster would deploy Kerberos so this case

Review comment:
       Hmm, when Kerberos is enabled, if `request.getUserPrincipal()` is null, I don't see a way to get the principal name (`request.getUserPrincipal().getName()`) to that I can check against. Therefore, I assumed when Kerberos is enabled, `request.getUserPrincipal()` should not be null. And when I test this chunk of code manually locally (unsecured), `request.getUserPrincipal()` is indeed null.
   
   When Kerberos is not in use, the code just check with `request.getRemoteUser()`.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org