This is an automated email from the ASF dual-hosted git repository.

weichiu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git


The following commit(s) were added to refs/heads/master by this push:
     new b3aac19f6b HDDS-7920. User cannot list their own volumes without 
access to root volume (#4254)
b3aac19f6b is described below

commit b3aac19f6b81ca72aaf54991e95fe395fd80a5a0
Author: Duong Nguyen <[email protected]>
AuthorDate: Thu Feb 9 17:59:10 2023 -0800

    HDDS-7920. User cannot list their own volumes without access to root volume 
(#4254)
---
 .../ozone/om/TestOzoneManagerListVolumes.java      | 26 ++++++++++++++++------
 .../org/apache/hadoop/ozone/om/OzoneManager.java   |  7 +++++-
 2 files changed, 25 insertions(+), 8 deletions(-)

diff --git 
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOzoneManagerListVolumes.java
 
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOzoneManagerListVolumes.java
index 7fdd7cd70a..15f8c6dc7c 100644
--- 
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOzoneManagerListVolumes.java
+++ 
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOzoneManagerListVolumes.java
@@ -20,6 +20,7 @@ package org.apache.hadoop.ozone.om;
 
 import java.io.IOException;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
@@ -72,6 +73,11 @@ public class TestOzoneManagerListVolumes {
   private static UserGroupInformation user2 =
       UserGroupInformation.createUserForTesting("user2", new String[]{"test"});
 
+  // Typycal kerberos user, with shortname different from username.
+  private static UserGroupInformation user3 =
+      UserGroupInformation.createUserForTesting("[email protected]",
+          new String[]{"test"});
+
   @Before
   public void init() throws Exception {
     // loginUser is the user running this test.
@@ -156,22 +162,22 @@ public class TestOzoneManagerListVolumes {
     setVolumeAcl(objectStore, volumeName, aclString);
   }
 
+  private void checkUser(UserGroupInformation user,
+                         List<String> expectVol, boolean expectListAllSuccess)
+          throws IOException {
+    checkUser(user, expectVol, expectListAllSuccess, true);
+  }
+
   /**
    * Helper function to set volume ACL.
    */
   private static void setVolumeAcl(ObjectStore objectStore, String volumeName,
-      String aclString) throws IOException {
+                                   String aclString) throws IOException {
     OzoneObj obj = OzoneObjInfo.Builder.newBuilder().setVolumeName(volumeName)
         .setResType(OzoneObj.ResourceType.VOLUME).setStoreType(OZONE).build();
     Assert.assertTrue(objectStore.setAcl(obj, OzoneAcl.parseAcls(aclString)));
   }
 
-  private void checkUser(UserGroupInformation user,
-                         List<String> expectVol, boolean expectListAllSuccess)
-          throws IOException {
-    checkUser(user, expectVol, expectListAllSuccess, true);
-  }
-
   /**
    * Helper function to reduce code redundancy for test checks with each user
    * under different config combination.
@@ -240,6 +246,7 @@ public class TestOzoneManagerListVolumes {
     }
   }
 
+
   /**
    * Check if listVolume of other users than the login user works as expected.
    * ozone.om.volume.listall.allowed = true
@@ -264,6 +271,11 @@ public class TestOzoneManagerListVolumes {
         "volume5"), true);
     checkUser(adminUser, Arrays.asList("volume1", "volume2", "volume3",
         "volume4", "volume5", "s3v"), true);
+
+    // list volumes should success for user with shortname different from
+    // full name.
+    UserGroupInformation.setLoginUser(user3);
+    checkUser(user3, Collections.singletonList("volume5"), true, true);
   }
 
   /**
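Review bot: The new case at L97-L98 exercises the principal-form user only under the configuration this method appears to cover (listall allowed, going by the javadoc in the previous hunk), whereas the scenario in the commit title is a user who lacks root-volume access; a matching `checkUser(user3, Collections.singletonList("volume5"), ...)` in the listall-disallowed test would pin the fix itself. `UserGroupInformation.setLoginUser(user3)` is also left in effect when the method returns, so unless `init()` resets the login user before every test, later tests inherit user3. Minor wording in the earlier hunk: `// Typycal kerberos user, with shortname different from username.` should read `// Typical Kerberos user, with short name different from user name.`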
diff --git 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
index 123c550aca..9326475e12 100644
--- 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
+++ 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
@@ -196,6 +196,7 @@ import 
org.apache.hadoop.ozone.upgrade.UpgradeFinalizer.StatusAndMessages;
 import org.apache.hadoop.hdds.ExitManager;
 import org.apache.hadoop.ozone.util.OzoneVersionInfo;
 import org.apache.hadoop.ozone.util.ShutdownHookManager;
+import org.apache.hadoop.security.HadoopKerberosName;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
@@ -2601,8 +2602,12 @@ public final class OzoneManager extends 
ServiceRuntimeInfoImpl
       metrics.incNumVolumeLists();
       if (isAclEnabled) {
         String remoteUserName = remoteUserUgi.getShortUserName();
+        // Convert userName to short username
+        String userParamShortName = new HadoopKerberosName(userName)
+            .getShortName();
         // if not admin nor list my own volumes, check ACL.
-        if (!remoteUserName.equals(userName) && !isAdmin(remoteUserUgi)) {
+        if (!remoteUserName.equals(userParamShortName)
+            && !isAdmin(remoteUserUgi)) {
           omMetadataReader.checkAcls(ResourceType.VOLUME,
               StoreType.OZONE, ACLType.LIST,
               OzoneConsts.OZONE_ROOT, null, null);
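Review bot: `userName` parsed at L126-L127 is a request parameter, and building a `HadoopKerberosName` from it can fail with an unchecked IllegalArgumentException (malformed principal, e.g. more than one `@`) in addition to the IOException that `getShortName()` raises when no auth_to_local rule applies; the unchecked case is presumably not translated into an OMException by the enclosing method, so a bad parameter surfaces as a server fault rather than a client error, and the old `remoteUserName.equals(userName)` was null-safe where the new constructor is not, if null can reach here. The conversion should be guarded and mapped to a client-side error before the admin/ACL check, as sketched below. Worth stating in the comment as well: two distinct principals that map to the same short name under the configured rules are now treated as the same owner for this check, which follows the usual Hadoop identity model but is a deliberate widening of the old exact-string comparison. The enclosing method starts and ends outside the hunk.
```java
        String remoteUserName = remoteUserUgi.getShortUserName();
        // Map the requested owner to its auth_to_local short name so that a
        // principal-form owner (user@REALM) matches the caller's short name.
        // userName comes from the request: a malformed principal, or one no
        // rule applies to, must become a client error, not a server fault.
        String userParamShortName;
        try {
          userParamShortName = new HadoopKerberosName(userName).getShortName();
        } catch (IllegalArgumentException | IOException e) {
          throw new OMException("Invalid user name: " + userName, e,
              ResultCodes.INVALID_REQUEST);
        }
        // … unchanged: admin / ACL check and listing …
```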

