This is an automated email from the ASF dual-hosted git repository. msingh pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ozone.git
commit 13204237b0b301d324e809519758836ad51d7334 Author: Sammi Chen <[email protected]> AuthorDate: Wed Mar 17 01:50:40 2021 +0800 HDDS-4916. No ACL check when uploading object through multi-upload. (#2009) --- .../ozone/client/rpc/TestOzoneRpcClient.java | 4 ++ .../client/rpc/TestOzoneRpcClientAbstract.java | 74 +++++++++++++++++++++- .../client/rpc/TestOzoneRpcClientWithRatis.java | 3 + .../ozone/client/rpc/TestSecureOzoneRpcClient.java | 4 ++ .../S3InitiateMultipartUploadRequest.java | 7 +- .../multipart/S3MultipartUploadAbortRequest.java | 7 +- .../S3MultipartUploadCommitPartRequest.java | 7 +- .../S3MultipartUploadCompleteRequest.java | 6 +- 8 files changed, 107 insertions(+), 5 deletions(-) diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClient.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClient.java index f10d5fc..3e7782d 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClient.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClient.java @@ -23,6 +23,7 @@ import java.io.IOException; import org.apache.hadoop.hdds.conf.OzoneConfiguration; import org.apache.hadoop.hdds.scm.ScmConfigKeys; +import org.apache.hadoop.ozone.OzoneConfigKeys; import org.junit.AfterClass; import org.junit.BeforeClass; import org.junit.Rule; @@ -51,6 +52,9 @@ public class TestOzoneRpcClient extends TestOzoneRpcClientAbstract { public static void init() throws Exception { OzoneConfiguration conf = new OzoneConfiguration(); conf.setInt(ScmConfigKeys.OZONE_SCM_PIPELINE_OWNER_CONTAINER_COUNT, 1); + conf.setBoolean(OzoneConfigKeys.OZONE_ACL_ENABLED, true); + conf.set(OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS, + OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS_NATIVE); startCluster(conf); } 
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClientAbstract.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClientAbstract.java index 5b0ff64..89b588f 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClientAbstract.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClientAbstract.java @@ -19,6 +19,7 @@ package org.apache.hadoop.ozone.client.rpc; import java.io.File; import java.io.IOException; +import java.security.PrivilegedExceptionAction; import java.time.Instant; import java.util.ArrayList; import java.util.Arrays; @@ -2243,7 +2244,7 @@ public abstract class TestOzoneRpcClientAbstract { } @Test - public void testMultipartUpload() throws Exception { + public void testMultipartUploadWithACL() throws Exception { String volumeName = UUID.randomUUID().toString(); String bucketName = UUID.randomUUID().toString(); String keyName = UUID.randomUUID().toString(); 
@@ -2281,6 +2282,77 @@ public abstract class TestOzoneRpcClientAbstract { acl -> acl.getName().equals(acl3.getName()))); Assert.assertFalse(aclList.stream().anyMatch( acl -> acl.getName().equals(acl4.getName()))); + + // User without permission should fail to upload the object + String userName = "test-user"; + UserGroupInformation remoteUser = + UserGroupInformation.createRemoteUser(userName); + OzoneClient client = + remoteUser.doAs((PrivilegedExceptionAction<OzoneClient>)() -> { + return OzoneClientFactory.getRpcClient(cluster.getConf()); + }); + OzoneAcl acl5 = new OzoneAcl(USER, userName, ACLType.READ, DEFAULT); + OzoneAcl acl6 = new OzoneAcl(USER, userName, ACLType.READ, ACCESS); + OzoneObj volumeObj = OzoneObjInfo.Builder.newBuilder() + .setVolumeName(volumeName).setStoreType(OzoneObj.StoreType.OZONE) + .setResType(OzoneObj.ResourceType.VOLUME).build(); + OzoneObj bucketObj = OzoneObjInfo.Builder.newBuilder() + .setVolumeName(volumeName).setBucketName(bucketName) + .setStoreType(OzoneObj.StoreType.OZONE) + .setResType(OzoneObj.ResourceType.BUCKET).build(); + store.addAcl(volumeObj, acl5); + store.addAcl(volumeObj, acl6); + store.addAcl(bucketObj, acl5); + store.addAcl(bucketObj, acl6); + + // User without permission cannot start multi-upload + String keyName2 = UUID.randomUUID().toString(); + OzoneBucket bucket2 = client.getObjectStore().getVolume(volumeName) + .getBucket(bucketName); + try { + initiateMultipartUpload(bucket2, keyName2, ReplicationType.RATIS, THREE); + fail("User without permission should fail"); + } catch (Exception e) { + assertTrue(e instanceof OMException); + assertEquals(ResultCodes.PERMISSION_DENIED, + ((OMException) e).getResult()); + } + + // Add create permission for user, and try multi-upload init again + OzoneAcl acl7 = new OzoneAcl(USER, userName, ACLType.CREATE, DEFAULT); + OzoneAcl acl8 = new OzoneAcl(USER, userName, ACLType.CREATE, ACCESS); + OzoneAcl acl9 = new OzoneAcl(USER, userName, WRITE, DEFAULT); + OzoneAcl acl10 = new 
OzoneAcl(USER, userName, WRITE, ACCESS); + store.addAcl(volumeObj, acl7); + store.addAcl(volumeObj, acl8); + store.addAcl(volumeObj, acl9); + store.addAcl(volumeObj, acl10); + + store.addAcl(bucketObj, acl7); + store.addAcl(bucketObj, acl8); + store.addAcl(bucketObj, acl9); + store.addAcl(bucketObj, acl10); + String uploadId = initiateMultipartUpload(bucket2, keyName2, + ReplicationType.RATIS, THREE); + + // Upload part + byte[] data = generateData(OzoneConsts.OM_MULTIPART_MIN_SIZE, (byte)1); + String partName = uploadPart(bucket, keyName2, uploadId, 1, data); + Map<Integer, String> partsMap = new TreeMap<>(); + partsMap.put(1, partName); + + // Complete multipart upload request + completeMultipartUpload(bucket2, keyName2, uploadId, partsMap); + + // User without permission cannot read multi-uploaded object + try { + OzoneInputStream inputStream = bucket2.readKey(keyName); + fail("User without permission should fail"); + } catch (Exception e) { + assertTrue(e instanceof OMException); + assertEquals(ResultCodes.PERMISSION_DENIED, + ((OMException) e).getResult()); + } } @Test diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClientWithRatis.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClientWithRatis.java index 466414a..d44c4d0 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClientWithRatis.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClientWithRatis.java 
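Review bot: The part upload in the added block goes through `bucket`, which is presumably the handle obtained earlier in the method through the default client, rather than `bucket2`. The `WRITE` check this commit adds to the commit-part request is therefore not exercised as `test-user`; the line should read `String partName = uploadPart(bucket2, keyName2, uploadId, 1, data);`. Denial is asserted only for initiate: there is no case where a user holding `CREATE` but not `WRITE` is refused on commit-part, complete or abort, which are three of the four checks the commit introduces. The final read assertion uses `keyName` rather than `keyName2`, so it does not read the object that was just multi-uploaded, contrary to its comment. The `OzoneClient` created for the remote user is also never closed, and the test method starts above this hunk.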
@@ -69,6 +69,9 @@ public class TestOzoneRpcClientWithRatis extends TestOzoneRpcClientAbstract { conf.setBoolean(OMConfigKeys.OZONE_OM_RATIS_ENABLE_KEY, true); conf.setBoolean(OzoneConfigKeys.OZONE_NETWORK_TOPOLOGY_AWARE_READ_KEY, true); + conf.setBoolean(OzoneConfigKeys.OZONE_ACL_ENABLED, true); + conf.set(OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS, + OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS_NATIVE); startCluster(conf); } diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestSecureOzoneRpcClient.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestSecureOzoneRpcClient.java index f3ff90a..f2e7b46 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestSecureOzoneRpcClient.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestSecureOzoneRpcClient.java @@ -31,6 +31,7 @@ import org.apache.hadoop.hdds.security.token.BlockTokenVerifier; import org.apache.hadoop.hdds.security.token.OzoneBlockTokenIdentifier; import org.apache.hadoop.hdds.security.x509.SecurityConfig; import org.apache.hadoop.ozone.MiniOzoneCluster; +import org.apache.hadoop.ozone.OzoneConfigKeys; import org.apache.hadoop.ozone.client.CertificateClientTestImpl; import org.apache.hadoop.ozone.client.ObjectStore; import org.apache.hadoop.ozone.client.OzoneBucket; @@ -99,6 +100,9 @@ public class TestSecureOzoneRpcClient extends TestOzoneRpcClient { conf.setInt(ScmConfigKeys.OZONE_SCM_PIPELINE_OWNER_CONTAINER_COUNT, 1); conf.setBoolean(HddsConfigKeys.HDDS_BLOCK_TOKEN_ENABLED, true); conf.set(OZONE_METADATA_DIRS, testDir.getAbsolutePath()); + conf.setBoolean(OzoneConfigKeys.OZONE_ACL_ENABLED, true); + conf.set(OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS, + OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS_NATIVE); CertificateClientTestImpl certificateClientTest = new CertificateClientTestImpl(conf); cluster = MiniOzoneCluster.newBuilder(conf) 
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3InitiateMultipartUploadRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3InitiateMultipartUploadRequest.java index f2df401..4a42f5f 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3InitiateMultipartUploadRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3InitiateMultipartUploadRequest.java @@ -38,6 +38,8 @@ import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.Multipa import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMRequest; import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMResponse; import org.apache.hadoop.ozone.protocolPB.OMPBHelper; +import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; +import org.apache.hadoop.ozone.security.acl.OzoneObj; import org.apache.hadoop.util.Time; import org.apache.hadoop.hdds.utils.UniqueId; import org.apache.hadoop.hdds.utils.db.cache.CacheKey; @@ -127,7 +129,10 @@ public class S3InitiateMultipartUploadRequest extends OMKeyRequest { volumeName = keyArgs.getVolumeName(); bucketName = keyArgs.getBucketName(); - // TODO to support S3 ACL later. + // check Acl + checkKeyAcls(ozoneManager, volumeName, bucketName, keyName, + IAccessAuthorizer.ACLType.CREATE, OzoneObj.ResourceType.KEY); + acquiredBucketLock = omMetadataManager.getLock().acquireWriteLock(BUCKET_LOCK, volumeName, bucketName); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadAbortRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadAbortRequest.java index e7773cf..650133b 100644 
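Review bot: The new `// check Acl` comment does not say why initiate requires `CREATE` while the abort, commit-part and complete requests in this commit require `WRITE`, and its casing differs across the four files (`// check Acl` / `// check acl`). If the rationale is what it appears to be, I would write `// Initiating an upload creates a new key entry, so the caller needs CREATE on the key.` here and `// Caller needs WRITE on the key to modify an in-progress upload.` in the other three. The enclosing method starts and ends outside the hunk, so it cannot be confirmed from these lines whether a denial thrown by `checkKeyAcls` is caught and recorded in the audit log like other failures.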
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadAbortRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadAbortRequest.java @@ -26,6 +26,8 @@ import com.google.common.base.Optional; import org.apache.hadoop.ozone.om.helpers.OmBucketInfo; import org.apache.hadoop.ozone.om.ratis.utils.OzoneManagerDoubleBufferHelper; import org.apache.hadoop.ozone.om.request.util.OmResponseUtil; +import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; +import org.apache.hadoop.ozone.security.acl.OzoneObj; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -111,7 +113,10 @@ public class S3MultipartUploadAbortRequest extends OMKeyRequest { volumeName = keyArgs.getVolumeName(); bucketName = keyArgs.getBucketName(); - // TODO to support S3 ACL later. + // check acl + checkKeyAcls(ozoneManager, volumeName, bucketName, keyName, + IAccessAuthorizer.ACLType.WRITE, OzoneObj.ResourceType.KEY); + acquiredLock = omMetadataManager.getLock().acquireWriteLock(BUCKET_LOCK, volumeName, bucketName); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadCommitPartRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadCommitPartRequest.java index d529f92..e00cff6 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadCommitPartRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadCommitPartRequest.java 
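Review bot: The added check authorises abort purely on `WRITE` for the volume/bucket/key triple; nothing in the visible lines ties the caller to the upload being aborted, so any principal with `WRITE` on that key name could presumably abort an upload that another user started. The same applies to the commit-part and complete hunks. If that is the intended model, say so next to the call, e.g. `// Any principal with WRITE on the key may abort; the initiator is not checked.`; otherwise an ownership comparison is needed further down, in code outside this hunk. A test that aborts as a user without `WRITE` and expects `PERMISSION_DENIED` would pin the behaviour.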
@@ -45,6 +45,8 @@ import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos .OMRequest; import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos .OMResponse; +import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; +import org.apache.hadoop.ozone.security.acl.OzoneObj; import org.apache.hadoop.util.Time; import org.apache.hadoop.hdds.utils.db.cache.CacheKey; import org.apache.hadoop.hdds.utils.db.cache.CacheValue; @@ -122,7 +124,10 @@ public class S3MultipartUploadCommitPartRequest extends OMKeyRequest { volumeName = keyArgs.getVolumeName(); bucketName = keyArgs.getBucketName(); - // TODO to support S3 ACL later. + // check acl + checkKeyAcls(ozoneManager, volumeName, bucketName, keyName, + IAccessAuthorizer.ACLType.WRITE, OzoneObj.ResourceType.KEY); + acquiredLock = omMetadataManager.getLock().acquireWriteLock(BUCKET_LOCK, volumeName, bucketName); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadCompleteRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadCompleteRequest.java index 62ba930..f1336fc 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadCompleteRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadCompleteRequest.java 
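Review bot: At commit-part time the upload has not been completed, so it is unclear from this hunk which ACL `checkKeyAcls(..., OzoneObj.ResourceType.KEY)` actually evaluates: an entry for the key itself, or a fallback to the bucket and volume ACLs. The accompanying test grants `CREATE`/`WRITE` only on the volume and bucket, which would pass either way. Please document the resolution next to the call, e.g. `// key is still an open multipart upload; ACL resolved from <confirm: key / bucket / volume>`. Please also add a test where the user has bucket-level access but lacks `WRITE` for this key. The enclosing method extends beyond the hunk.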
@@ -47,6 +47,8 @@ import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.Multipa import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMRequest; import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMResponse; import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.PartKeyInfo; +import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; +import org.apache.hadoop.ozone.security.acl.OzoneObj; import org.apache.hadoop.util.Time; import org.apache.hadoop.hdds.utils.db.cache.CacheKey; import org.apache.hadoop.hdds.utils.db.cache.CacheValue; @@ -126,7 +128,9 @@ public class S3MultipartUploadCompleteRequest extends OMKeyRequest { multipartKey = omMetadataManager.getMultipartKey(volumeName, bucketName, keyName, uploadID); - // TODO to support S3 ACL later. + // check Acl + checkKeyAcls(ozoneManager, volumeName, bucketName, keyName, + IAccessAuthorizer.ACLType.WRITE, OzoneObj.ResourceType.KEY); acquiredLock = omMetadataManager.getLock().acquireWriteLock(BUCKET_LOCK, volumeName, bucketName); --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
