This is an automated email from the ASF dual-hosted git repository.
siyao pushed a commit to branch HDDS-4944
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/HDDS-4944 by this push:
new 43deaa8 HDDS-6366. [Multi-Tenant] Disallow specifying custom accessId
in OzoneManager (#3166)
43deaa8 is described below
commit 43deaa84243a5b28c256b0a7938729560d58145c
Author: Siyao Meng <[email protected]>
AuthorDate: Tue Mar 8 05:25:09 2022 -0800
HDDS-6366. [Multi-Tenant] Disallow specifying custom accessId in
OzoneManager (#3166)
---
.../ozone/om/multitenant/TestMultiTenantVolume.java | 2 +-
.../hadoop/ozone/shell/TestOzoneTenantShell.java | 18 ++++++++++++++++--
.../apache/hadoop/ozone/om/OMMultiTenantManager.java | 8 ++++++++
.../hadoop/ozone/om/OMMultiTenantManagerImpl.java | 5 +++++
.../s3/tenant/OMTenantAssignUserAccessIdRequest.java | 10 ++++++++++
.../om/request/s3/security/TestS3GetSecretRequest.java | 6 ++++++
6 files changed, 46 insertions(+), 3 deletions(-)
diff --git
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/multitenant/TestMultiTenantVolume.java
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/multitenant/TestMultiTenantVolume.java
index 0a068c8..a8aabc0 100644
---
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/multitenant/TestMultiTenantVolume.java
+++
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/multitenant/TestMultiTenantVolume.java
@@ -58,7 +58,7 @@ public class TestMultiTenantVolume {
private static final String TENANT_ID = "tenant";
private static final String USER_PRINCIPAL = "username";
private static final String BUCKET_NAME = "bucket";
- private static final String ACCESS_ID = UUID.randomUUID().toString();
+ private static final String ACCESS_ID = "tenant$username";
@BeforeClass
public static void initClusterProvider() throws Exception {
diff --git
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/shell/TestOzoneTenantShell.java
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/shell/TestOzoneTenantShell.java
index 6aa868f..f3aa9f4 100644
---
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/shell/TestOzoneTenantShell.java
+++
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/shell/TestOzoneTenantShell.java
@@ -556,16 +556,30 @@ public class TestOzoneTenantShell {
checkOutput(err, "Assigned 'bob' to 'research' with accessId"
+ " 'research$bob'.\n", true);
- // Attempt to assign the user to the same tenant under another accessId,
- // should fail.
+ // Attempt to assign the user to the tenant again
+ executeHA(tenantShell, new String[] {
+ "user", "assign", "bob", "--tenant=research",
+ "--accessId=research$bob"});
+ checkOutput(out, "", false);
+ checkOutput(err, "Failed to assign 'bob' to 'research': "
+ + "accessId 'research$bob' already exists!\n", true);
+
+ // Attempt to assign the user to the tenant with a custom accessId
executeHA(tenantShell, new String[] {
"user", "assign", "bob", "--tenant=research",
"--accessId=research$bob42"});
checkOutput(out, "", false);
+ // HDDS-6366: Disallow specifying custom accessId.
+ checkOutput(err, "Failed to assign 'bob' to 'research': "
+ + "Invalid accessId 'research$bob42'. "
+ + "Specifying a custom access ID disallowed. "
+ + "Expected accessId to be assigned is 'research$bob'\n", true);
+ /* Once HDDS-6366 is lifted, the following check should be used instead
checkOutput(err, "Failed to assign 'bob' to 'research': "
+ "The same user is not allowed to be assigned to the same tenant "
+ "more than once. User 'bob' is already assigned to tenant 'research'
"
+ "with accessId 'research$bob'.\n", true);
+ */
executeHA(tenantShell, new String[] {"list"});
checkOutput(out, "dev\nfinance\nresearch\n", true);
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManager.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManager.java
index bdd8ab7..5cade68 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManager.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManager.java
@@ -145,6 +145,14 @@ public interface OMMultiTenantManager {
String getUserNameGivenAccessId(String accessId);
/**
+ * Get the default Access ID string given tenant name and user name.
+ * @param tenantId tenant name
+ * @param userPrincipal user name
+ * @return access ID in the form of tenantName$username
+ */
+ String getDefaultAccessId(String tenantId, String userPrincipal);
+
+ /**
* Given a user, return their S3-Secret Key.
* @param accessID
* @return S3 secret Key
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java
index fd2045e..e7ff438 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java
@@ -17,6 +17,7 @@
*/
package org.apache.hadoop.ozone.om;
+import static org.apache.hadoop.ozone.OzoneConsts.TENANT_ID_USERNAME_DELIMITER;
import static
org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.INVALID_ACCESS_ID;
import static
org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.TENANT_AUTHORIZER_ERROR;
import static
org.apache.hadoop.ozone.om.multitenant.AccessPolicy.AccessGrantType.ALLOW;
@@ -355,6 +356,10 @@ public class OMMultiTenantManagerImpl implements
OMMultiTenantManager {
return null;
}
+ public String getDefaultAccessId(String tenantId, String userPrincipal) {
+ return tenantId + TENANT_ID_USERNAME_DELIMITER + userPrincipal;
+ }
+
@Override
public String getUserSecret(String accessID) throws IOException {
return "";
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantAssignUserAccessIdRequest.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantAssignUserAccessIdRequest.java
index 69c77ef..c96eedc 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantAssignUserAccessIdRequest.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantAssignUserAccessIdRequest.java
@@ -138,6 +138,16 @@ public class OMTenantAssignUserAccessIdRequest extends
OMClientRequest {
OMException.ResultCodes.INVALID_TENANT_ID);
}
+ // HDDS-6366: Disallow specifying custom accessId.
+ final String expectedAccessId = ozoneManager.getMultiTenantManager()
+ .getDefaultAccessId(tenantId, userPrincipal);
+ if (!accessId.equals(expectedAccessId)) {
+ throw new OMException("Invalid accessId '" + accessId + "'. "
+ + "Specifying a custom access ID disallowed. "
+ + "Expected accessId to be assigned is '" + expectedAccessId + "'",
+ OMException.ResultCodes.INVALID_ACCESS_ID);
+ }
+
// Check accessId validity.
if (accessId.contains(SERIALIZATION_SPLIT_KEY)) {
throw new OMException("Invalid accessId '" + accessId +
diff --git
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3GetSecretRequest.java
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3GetSecretRequest.java
index c4f638f..4813254 100644
---
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3GetSecretRequest.java
+++
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3GetSecretRequest.java
@@ -359,6 +359,12 @@ public class TestS3GetSecretRequest {
// 2. AssignUserToTenantRequest: Assign "[email protected]" to "finance".
++txLogIndex;
+
+ // Additional mock setup needed for pass accessId check
+
when(ozoneManager.getMultiTenantManager()).thenReturn(omMultiTenantManager);
+ when(omMultiTenantManager.getDefaultAccessId(TENANT_ID, USER_BOB))
+ .thenReturn(ACCESS_ID_BOB);
+
// Run preExecute
OMTenantAssignUserAccessIdRequest omTenantAssignUserAccessIdRequest =
new OMTenantAssignUserAccessIdRequest(
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
