This is an automated email from the ASF dual-hosted git repository.

adoroszlai pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git


The following commit(s) were added to refs/heads/master by this push:
     new ea296fe  HDDS-6468. Set correct resource type for ACL checks in 
BucketAcl and KeyAcl requests (#3209)
ea296fe is described below

commit ea296fe7f82062cc115196be167ade9d24c6d232
Author: Symious <[email protected]>
AuthorDate: Sun Mar 20 22:11:12 2022 +0800

    HDDS-6468. Set correct resource type for ACL checks in BucketAcl and KeyAcl 
requests (#3209)
---
 .../org/apache/hadoop/ozone/om/TestOmAcls.java     | 75 ++++++++++++++++++----
 .../om/request/bucket/acl/OMBucketAclRequest.java  |  4 +-
 .../ozone/om/request/key/acl/OMKeyAclRequest.java  |  2 +-
 .../om/request/key/acl/OMKeyAclRequestWithFSO.java |  2 +-
 4 files changed, 68 insertions(+), 15 deletions(-)

diff --git 
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOmAcls.java
 
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOmAcls.java
index 5a96d68..3cac66a 100644
--- 
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOmAcls.java
+++ 
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOmAcls.java
@@ -16,18 +16,21 @@
  */
 package org.apache.hadoop.ozone.om;
 
+import java.util.ArrayList;
 import java.util.UUID;
 
 import org.apache.hadoop.hdds.conf.OzoneConfiguration;
 import org.apache.hadoop.ozone.MiniOzoneCluster;
 import org.apache.hadoop.ozone.OzoneTestUtils;
 import org.apache.hadoop.ozone.TestDataUtil;
+import org.apache.hadoop.ozone.client.BucketArgs;
 import org.apache.hadoop.ozone.client.OzoneBucket;
 import org.apache.hadoop.ozone.client.OzoneVolume;
 import org.apache.hadoop.ozone.client.VolumeArgs;
 import org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes;
 import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer;
 import org.apache.hadoop.ozone.security.acl.IOzoneObj;
+import org.apache.hadoop.ozone.security.acl.OzoneObjInfo;
 import org.apache.hadoop.ozone.security.acl.RequestContext;
 import org.apache.ozone.test.GenericTestUtils;
 
@@ -39,6 +42,8 @@ import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS_WILDC
 import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_OPEN_KEY_EXPIRE_THRESHOLD_SECONDS;
 import org.junit.AfterClass;
 import static org.junit.Assert.assertTrue;
+
+import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Rule;
 import org.junit.Test;
@@ -56,7 +61,10 @@ public class TestOmAcls {
   @Rule
   public Timeout timeout = Timeout.seconds(300);
 
-  private static boolean aclAllow = true;
+  private static boolean volumeAclAllow = true;
+  private static boolean bucketAclAllow = true;
+  private static boolean keyAclAllow = true;
+  private static boolean prefixAclAllow = true;
   private static MiniOzoneCluster cluster = null;
   private static OMMetrics omMetrics;
   private static OzoneConfiguration conf;
@@ -106,14 +114,19 @@ public class TestOmAcls {
   }
 
   /**
-   * Tests the OM Initialization.
+   * Reset ACL.
    */
+  @Before
+  public void resetAcl() {
+    TestOmAcls.volumeAclAllow = true;
+    TestOmAcls.bucketAclAllow = true;
+    TestOmAcls.keyAclAllow = true;
+    TestOmAcls.prefixAclAllow = true;
+  }
 
   @Test
   public void testBucketCreationPermissionDenied() throws Exception {
 
-    TestOmAcls.aclAllow = true;
-
     String volumeName = RandomStringUtils.randomAlphabetic(5).toLowerCase();
     String bucketName = RandomStringUtils.randomAlphabetic(5).toLowerCase();
 
@@ -127,28 +140,57 @@ public class TestOmAcls {
     OzoneVolume volume =
         cluster.getClient().getObjectStore().getVolume(volumeName);
 
-    TestOmAcls.aclAllow = false;
+    TestOmAcls.bucketAclAllow = false;
     OzoneTestUtils.expectOmException(ResultCodes.PERMISSION_DENIED,
         () -> volume.createBucket(bucketName));
 
     assertTrue(logCapturer.getOutput()
-        .contains("doesn't have READ permission to access volume"));
+        .contains("doesn't have CREATE permission to access bucket"));
   }
 
   @Test
   public void testFailureInKeyOp() throws Exception {
     final VolumeArgs createVolumeArgs;
 
-    TestOmAcls.aclAllow = true;
     OzoneBucket bucket = TestDataUtil.createVolumeAndBucket(cluster);
     logCapturer.clearOutput();
 
-    TestOmAcls.aclAllow = false;
+    TestOmAcls.keyAclAllow = false;
 
     OzoneTestUtils.expectOmException(ResultCodes.PERMISSION_DENIED,
         () -> TestDataUtil.createKey(bucket, "testKey", "testcontent"));
-    assertTrue(logCapturer.getOutput().contains("doesn't have READ " +
-        "permission to access volume"));
+    assertTrue(logCapturer.getOutput().contains("doesn't have CREATE " +
+        "permission to access key"));
+  }
+
+  @Test
+  public void testSetACLPermissionDenied() throws Exception {
+
+    String volumeName = RandomStringUtils.randomAlphabetic(5).toLowerCase();
+    String bucketName = RandomStringUtils.randomAlphabetic(5).toLowerCase();
+
+    VolumeArgs createVolumeArgs = VolumeArgs.newBuilder()
+        .setOwner("user" + RandomStringUtils.randomNumeric(5))
+        .setAdmin("admin" + RandomStringUtils.randomNumeric(5))
+        .build();
+    BucketArgs createBucketArgs = BucketArgs.newBuilder()
+        .setOwner("user" + RandomStringUtils.randomNumeric(5))
+        .build();
+
+    cluster.getClient().getObjectStore().createVolume(volumeName,
+        createVolumeArgs);
+    OzoneVolume volume =
+        cluster.getClient().getObjectStore().getVolume(volumeName);
+    volume.createBucket(bucketName, createBucketArgs);
+
+    OzoneBucket bucket = volume.getBucket(bucketName);
+
+    TestOmAcls.bucketAclAllow = false;
+    OzoneTestUtils.expectOmException(ResultCodes.PERMISSION_DENIED,
+        () -> bucket.setAcl(new ArrayList<>()));
+
+    assertTrue(logCapturer.getOutput()
+        .contains("doesn't have WRITE_ACL permission to access bucket"));
   }
 
   /**
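Review bot: testSetACLPermissionDenied asserts on `logCapturer.getOutput()` without first clearing it, unlike testFailureInKeyOp, so a "WRITE_ACL permission to access bucket" line left over from an earlier test in the same JVM could satisfy the assertion even if the denied setAcl produced no log line; add `logCapturer.clearOutput();` immediately before `TestOmAcls.bucketAclAllow = false;`. The new test also exercises only the bucket branch, while the commit changes the resource type in OMKeyAclRequest and OMKeyAclRequestWithFSO as well; a sibling test that sets `TestOmAcls.keyAclAllow = false` and expects `PERMISSION_DENIED` from a key-level setAcl would pin those two fixes too. Finally, passing `new ArrayList<>()` to setAcl is presumably deliberate so that the call fails on the ACL check before any ACL is applied; a short comment saying so would keep a future reader from treating it as a placeholder.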
@@ -158,7 +200,18 @@ public class TestOmAcls {
 
     @Override
     public boolean checkAccess(IOzoneObj ozoneObject, RequestContext context) {
-      return TestOmAcls.aclAllow;
+      switch (((OzoneObjInfo) ozoneObject).getResourceType()) {
+      case VOLUME:
+        return TestOmAcls.volumeAclAllow;
+      case BUCKET:
+        return TestOmAcls.bucketAclAllow;
+      case KEY:
+        return TestOmAcls.keyAclAllow;
+      case PREFIX:
+        return TestOmAcls.prefixAclAllow;
+      default:
+        return false;
+      }
     }
   }
 }
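Review bot: The unchecked cast `(OzoneObjInfo) ozoneObject` in checkAccess will throw ClassCastException for any other IOzoneObj implementation the OM might hand to the authorizer, which would surface as an unrelated test failure rather than a denied access; either guard it, `if (!(ozoneObject instanceof OzoneObjInfo)) { return false; }` before the switch, or, if IOzoneObj itself exposes getResourceType() (I cannot confirm that from this hunk), drop the cast entirely. The `default: return false;` arm is a sensible deny-by-default and is worth a one-line comment, e.g. `// unknown resource types are denied so a new type cannot silently bypass the test authorizer`. The enclosing authorizer class starts outside the hunk.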
diff --git 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/acl/OMBucketAclRequest.java
 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/acl/OMBucketAclRequest.java
index 167d012..19c3ffb 100644
--- 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/acl/OMBucketAclRequest.java
+++ 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/acl/OMBucketAclRequest.java
@@ -95,9 +95,9 @@ public abstract class OMBucketAclRequest extends 
OMClientRequest {
 
       // check Acl
       if (ozoneManager.getAclsEnabled()) {
-        checkAcls(ozoneManager, OzoneObj.ResourceType.VOLUME,
+        checkAcls(ozoneManager, OzoneObj.ResourceType.BUCKET,
             OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE_ACL,
-            volume, null, null);
+            volume, bucket, null);
       }
       lockAcquired =
           omMetadataManager.getLock().acquireWriteLock(BUCKET_LOCK, volume,
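Review bot: The `// check Acl` comment no longer says which resource the check applies to, which was the whole point of this fix; on the new side I would write `// check WRITE_ACL on the bucket itself (previously checked on the parent volume, see HDDS-6468)` here, and the analogous `// check WRITE_ACL on the key itself` in the matching hunks of OMKeyAclRequest and OMKeyAclRequestWithFSO. Whether a caller still needs any permission on the parent volume now depends entirely on the configured authorizer's handling of ResourceType.BUCKET and ResourceType.KEY, so it is worth confirming that the native authorizer walks the parent hierarchy for these types before relying on this check alone. Note also that the check runs before the bucket write lock on the following lines is acquired, so the ACL consulted is the one visible before the lock; this predates the commit but is the kind of ordering a reader of this block will ask about. The enclosing method starts and ends outside the hunk in all three files.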
diff --git 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAclRequest.java
 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAclRequest.java
index 0fe8925..bdefbb9 100644
--- 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAclRequest.java
+++ 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAclRequest.java
@@ -88,7 +88,7 @@ public abstract class OMKeyAclRequest extends OMClientRequest 
{
 
       // check Acl
       if (ozoneManager.getAclsEnabled()) {
-        checkAcls(ozoneManager, OzoneObj.ResourceType.VOLUME,
+        checkAcls(ozoneManager, OzoneObj.ResourceType.KEY,
             OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE_ACL,
             volume, bucket, key);
       }
diff --git 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAclRequestWithFSO.java
 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAclRequestWithFSO.java
index 5068f89..8bcfc98 100644
--- 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAclRequestWithFSO.java
+++ 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAclRequestWithFSO.java
@@ -81,7 +81,7 @@ public abstract class OMKeyAclRequestWithFSO extends 
OMKeyAclRequest {
 
       // check Acl
       if (ozoneManager.getAclsEnabled()) {
-        checkAcls(ozoneManager, OzoneObj.ResourceType.VOLUME,
+        checkAcls(ozoneManager, OzoneObj.ResourceType.KEY,
             OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE_ACL,
             volume, bucket, key);
       }
