Posted to issues@ozone.apache.org by GitBox <gi...@apache.org> on 2020/04/16 20:37:19 UTC

[GitHub] [hadoop-ozone] xiaoyuyao commented on a change in pull request #696: HDDS-3056. Allow users to list volumes they have access to, and optionally allow all users to list all volumes

xiaoyuyao commented on a change in pull request #696: HDDS-3056. Allow users to list volumes they have access to, and optionally allow all users to list all volumes
URL: https://github.com/apache/hadoop-ozone/pull/696#discussion_r409833261
 
 

 ##########
 File path: hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOzoneManagerListVolumes.java
 ##########
 @@ -0,0 +1,238 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.om;
+
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
+import java.util.UUID;
+
+import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+import org.apache.hadoop.ozone.MiniOzoneCluster;
+import org.apache.hadoop.ozone.OzoneAcl;
+import org.apache.hadoop.ozone.client.ObjectStore;
+import org.apache.hadoop.ozone.client.OzoneClient;
+import org.apache.hadoop.ozone.client.OzoneVolume;
+import org.apache.hadoop.ozone.client.protocol.ClientProtocol;
+import org.apache.hadoop.ozone.om.exceptions.OMException;
+import org.apache.hadoop.ozone.security.acl.OzoneObj;
+import org.apache.hadoop.ozone.security.acl.OzoneObjInfo;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import static org.apache.hadoop.hdds.scm.ScmConfigKeys.OZONE_SCM_RATIS_PIPELINE_LIMIT;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS_NATIVE;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_OPEN_KEY_EXPIRE_THRESHOLD_SECONDS;
+import static org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_VOLUME_LISTALL_ALLOWED;
+import static org.apache.hadoop.ozone.security.acl.OzoneObj.StoreType.OZONE;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.Timeout;
+
+/**
+ * Test OzoneManager list volume operation under combinations of configs.
+ */
+public class TestOzoneManagerListVolumes {
+
+  @Rule
+  public Timeout timeout = new Timeout(120_000);
+
+  private UserGroupInformation loginUser;
+  private UserGroupInformation user1 =
+      UserGroupInformation.createRemoteUser("user1");  // Admin user
+  private UserGroupInformation user2 =
+      UserGroupInformation.createRemoteUser("user2");  // Non-admin user
+
+  @Before
+  public void init() throws Exception {
+    loginUser = UserGroupInformation.getLoginUser();
+  }
+
+  /**
+   * Create a MiniDFSCluster for testing.
+   */
+  private MiniOzoneCluster startCluster(boolean aclEnabled,
+      boolean volListAllAllowed) throws Exception {
+
+    OzoneConfiguration conf = new OzoneConfiguration();
+    String clusterId = UUID.randomUUID().toString();
+    String scmId = UUID.randomUUID().toString();
+    String omId = UUID.randomUUID().toString();
+    conf.setInt(OZONE_OPEN_KEY_EXPIRE_THRESHOLD_SECONDS, 2);
+    conf.set(OZONE_ADMINISTRATORS, "user1");
+    conf.setInt(OZONE_SCM_RATIS_PIPELINE_LIMIT, 10);
+
+    // Use native impl here, default impl doesn't do actual checks
+    conf.set(OZONE_ACL_AUTHORIZER_CLASS, OZONE_ACL_AUTHORIZER_CLASS_NATIVE);
+    // Note: OM doesn't support live config reloading
+    conf.setBoolean(OZONE_ACL_ENABLED, aclEnabled);
+    conf.setBoolean(OZONE_OM_VOLUME_LISTALL_ALLOWED, volListAllAllowed);
+
+    MiniOzoneCluster cluster = MiniOzoneCluster.newBuilder(conf)
+        .setClusterId(clusterId).setScmId(scmId).setOmId(omId).build();
+    cluster.waitForClusterToBeReady();
+
+    // loginUser is the user running this test.
+    // Implication: loginUser is automatically added to the OM admin list.
+    UserGroupInformation.setLoginUser(loginUser);
+    // Create volumes with non-default owners and ACLs
+    OzoneClient client = cluster.getClient();
+    ObjectStore objectStore = client.getObjectStore();
+
+    /* r = READ, w = WRITE, c = CREATE, d = DELETE
+       l = LIST, a = ALL, n = NONE, x = READ_ACL, y = WRITE_ACL */
+    String aclUser1All = "user:user1:a";
+    String aclUser2All = "user:user2:a";
+    String aclWorldAll = "world::a";
+    createVolumeWithOwnerAndAcl(objectStore, "volume1", "user1", aclUser1All);
+    createVolumeWithOwnerAndAcl(objectStore, "volume2", "user2", aclUser2All);
+    createVolumeWithOwnerAndAcl(objectStore, "volume3", "user1", aclUser2All);
+    createVolumeWithOwnerAndAcl(objectStore, "volume4", "user2", aclUser1All);
+    createVolumeWithOwnerAndAcl(objectStore, "volume5", "user1", aclWorldAll);
+
+    return cluster;
+  }
+
+  private void stopCluster(MiniOzoneCluster cluster) {
+    if (cluster != null) {
+      cluster.shutdown();
+    }
+  }
+
+  private void createVolumeWithOwnerAndAcl(ObjectStore objectStore,
+      String volumeName, String ownerName, String aclString)
+      throws IOException {
+    ClientProtocol proxy = objectStore.getClientProxy();
+    objectStore.createVolume(volumeName);
+    proxy.setVolumeOwner(volumeName, ownerName);
+    setVolumeAcl(objectStore, volumeName, aclString);
+  }
+
+  /**
+   * Helper function to set volume ACL.
+   */
+  private void setVolumeAcl(ObjectStore objectStore, String volumeName,
+      String aclString) throws IOException {
+    OzoneObj obj = OzoneObjInfo.Builder.newBuilder().setVolumeName(volumeName)
+        .setResType(OzoneObj.ResourceType.VOLUME).setStoreType(OZONE).build();
+    Assert.assertTrue(objectStore.setAcl(obj, OzoneAcl.parseAcls(aclString)));
+  }
+
+  /**
+   * Helper function to reduce code redundancy for test checks with each user
+   * under different config combination.
+   */
+  private void checkUser(MiniOzoneCluster cluster, UserGroupInformation user,
+      List<String> expectVol, boolean expectListAllSuccess) throws IOException {
+
+    UserGroupInformation.setLoginUser(user);
+    OzoneClient client = cluster.getClient();
+    ObjectStore objectStore = client.getObjectStore();
+
+    // `ozone sh volume list` shall return volumes with LIST permission of user.
+    Iterator<? extends OzoneVolume> it = objectStore.listVolumesByUser(
+        null, "", "");
+    Set<String> accessibleVolumes = new HashSet<>();
+    while (it.hasNext()) {
+      OzoneVolume vol = it.next();
+      String volumeName = vol.getName();
+      accessibleVolumes.add(volumeName);
+    }
+    Assert.assertEquals(new HashSet<>(expectVol), accessibleVolumes);
+
+    // `ozone sh volume list --all` returns all volumes,
+    //  or throws exception (for non-admin if acl enabled & listall disallowed).
+    if (expectListAllSuccess) {
+      it = objectStore.listVolumes("volume");
+      int count = 0;
+      while (it.hasNext()) {
+        it.next();
+        count++;
+      }
+      Assert.assertEquals(5, count);
+    } else {
+      try {
+        objectStore.listVolumes("volume");
+        Assert.fail("listAllVolumes should fail for " + user.getUserName());
+      } catch (RuntimeException ex) {
+        // Current listAllVolumes throws RuntimeException
+        if (ex.getCause() instanceof OMException) {
+          // Expect PERMISSION_DENIED
+          if (((OMException) ex.getCause()).getResult() !=
+              OMException.ResultCodes.PERMISSION_DENIED) {
+            throw ex;
+          }
+        } else {
+          throw ex;
+        }
+      }
+    }
+  }
+
+  @Test
+  public void testAclEnabledListAllAllowed() throws Exception {
+    // ozone.acl.enabled = true, ozone.om.volume.listall.allowed = true
+    MiniOzoneCluster cluster = startCluster(true, true);
+    checkUser(cluster, user1, Arrays.asList("volume1", "volume4", "volume5"),
+        true);
+    checkUser(cluster, user2, Arrays.asList("volume2", "volume3", "volume5"),
+        true);
+    stopCluster(cluster);
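Review bot: The login user is captured in `init()` through the static `UserGroupInformation.getLoginUser()`, but `checkUser` switches it with the static `UserGroupInformation.setLoginUser(user)` and never switches it back, so a later test in the same JVM would capture `user2` as its `loginUser`, build the cluster as that user and — given the comment in `startCluster` that the login user is automatically added to the OM admin list — the "non-admin" principal might itself be an admin, which would undermine the PERMISSION_DENIED expectations rather than exercise them. Capturing the real login user once in a static `@BeforeClass` and restoring it in an `@After` (both `org.junit` annotations, next to the existing `Before`/`Rule`/`Test` imports) keeps the authorization checks bound to the intended principals regardless of test order; the sketch below replaces the `@Before init()`. Separately, the negative branch of `checkUser` could be flattened to one guard, `if (!(ex.getCause() instanceof OMException) || ((OMException) ex.getCause()).getResult() != OMException.ResultCodes.PERMISSION_DENIED) { throw ex; }`, so the single accepted failure mode is stated in one place. `testAclEnabledListAllAllowed` continues past the end of the quoted hunk.
```java
  private static UserGroupInformation loginUser;

  @BeforeClass
  public static void captureLoginUser() throws Exception {
    // Taken once, before any test calls setLoginUser(): getLoginUser() is
    // static JVM state and would otherwise return whatever the previous
    // test left behind.
    loginUser = UserGroupInformation.getLoginUser();
  }

  @After
  public void restoreLoginUser() {
    // Undo the setLoginUser(user) done in checkUser() so the next test
    // starts its cluster as the real login user.
    UserGroupInformation.setLoginUser(loginUser);
  }

  // … unchanged: startCluster, stopCluster, createVolumeWithOwnerAndAcl, setVolumeAcl, checkUser …
```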
 
 Review comment:
  Can we wrap stopCluster in a try/finally block, so that the cluster is stopped properly if a check fails?
