[ozone] branch master updated: HDDS-1796. Add admin access check for write opertaions in SCMClientProtocolServer and SCMBlockProtocolServer. (#5203)

Thu, 07 Sep 2023 06:58:28 -0700 

This is an automated email from the ASF dual-hosted git repository.

sammichen pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git


The following commit(s) were added to refs/heads/master by this push:
     new a31e438a0a HDDS-1796. Add admin access check for write opertaions in 
SCMClientProtocolServer and SCMBlockProtocolServer. (#5203)
a31e438a0a is described below

commit a31e438a0a59b9b2df89c5797c2bcbea842217bd
Author: devmadhuu <[email protected]>
AuthorDate: Thu Sep 7 19:27:28 2023 +0530

    HDDS-1796. Add admin access check for write opertaions in 
SCMClientProtocolServer and SCMBlockProtocolServer. (#5203)
---
 .../hadoop/hdds/scm/server/SCMBlockProtocolServer.java    |  7 ++++++-
 .../hadoop/hdds/scm/server/SCMClientProtocolServer.java   | 15 ++++++---------
 .../dist/src/main/compose/ozonesecure/docker-config       |  3 ++-
 .../dist/src/main/smoketest/admincli/container.robot      |  3 +++
 4 files changed, 17 insertions(+), 11 deletions(-)

diff --git 
a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMBlockProtocolServer.java
 
b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMBlockProtocolServer.java
index 142ceb98fe..d10c3824bb 100644
--- 
a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMBlockProtocolServer.java
+++ 
b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMBlockProtocolServer.java
@@ -70,6 +70,8 @@ import static 
org.apache.hadoop.hdds.scm.exceptions.SCMException.ResultCodes.IO_
 import static 
org.apache.hadoop.hdds.scm.server.StorageContainerManager.startRpcServer;
 import static org.apache.hadoop.hdds.server.ServerUtils.getRemoteUserName;
 import static org.apache.hadoop.hdds.server.ServerUtils.updateRPCListenAddress;
+import static org.apache.hadoop.hdds.utils.HddsServerUtil.getRemoteUser;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -177,6 +179,7 @@ public class SCMBlockProtocolServer implements
       ReplicationConfig replicationConfig,
       String owner, ExcludeList excludeList
   ) throws IOException {
+    scm.checkAdminAccess(getRemoteUser(), false);
     Map<String, String> auditMap = Maps.newHashMap();
     auditMap.put("size", String.valueOf(size));
     auditMap.put("num", String.valueOf(num));
@@ -229,6 +232,7 @@ public class SCMBlockProtocolServer implements
   @Override
   public List<DeleteBlockGroupResult> deleteKeyBlocks(
       List<BlockGroup> keyBlocksInfoList) throws IOException {
+    scm.checkAdminAccess(getRemoteUser(), false);
     if (LOG.isDebugEnabled()) {
       LOG.debug("SCM is informed by OM to delete {} blocks",
           keyBlocksInfoList.size());
@@ -305,6 +309,7 @@ public class SCMBlockProtocolServer implements
 
   @Override
   public boolean addSCM(AddSCMRequest request) throws IOException {
+    scm.checkAdminAccess(getRemoteUser(), false);
     LOG.debug("Adding SCM {} addr {} cluster id {}",
         request.getScmId(), request.getRatisAddr(), request.getClusterId());
 
@@ -332,7 +337,7 @@ public class SCMBlockProtocolServer implements
 
   @Override
   public List<DatanodeDetails> sortDatanodes(List<String> nodes,
-      String clientMachine) throws IOException {
+      String clientMachine) {
     boolean auditSuccess = true;
     try {
       NodeManager nodeManager = scm.getScmNodeManager();
diff --git 
a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMClientProtocolServer.java
 
b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMClientProtocolServer.java
index b0dc392ad4..21ab8a2501 100644
--- 
a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMClientProtocolServer.java
+++ 
b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMClientProtocolServer.java
@@ -300,8 +300,6 @@ public class SCMClientProtocolServer implements
   @Override
   public ContainerWithPipeline getContainerWithPipeline(long containerID)
       throws IOException {
-    getScm().checkAdminAccess(null, true);
-
     try {
       ContainerWithPipeline cp = getContainerWithPipelineCommon(containerID);
       AUDIT.logReadSuccess(buildAuditMessageForSuccess(
@@ -344,8 +342,6 @@ public class SCMClientProtocolServer implements
   @Override
   public List<ContainerWithPipeline> getContainerWithPipelineBatch(
       Iterable<? extends Long> containerIDs) throws IOException {
-    getScm().checkAdminAccess(null, true);
-
     List<ContainerWithPipeline> cpList = new ArrayList<>();
 
     StringBuilder strContainerIDs = new StringBuilder();
@@ -364,7 +360,6 @@ public class SCMClientProtocolServer implements
       }
     }
 
-
     AUDIT.logReadSuccess(buildAuditMessageForSuccess(
         SCMAction.GET_CONTAINER_WITH_PIPELINE_BATCH,
         Collections.singletonMap("containerIDs", strContainerIDs.toString())));
@@ -382,6 +377,7 @@ public class SCMClientProtocolServer implements
         cpList.add(cp);
       } catch (IOException ex) {
         //not found , just go ahead
+        LOG.error("Container with common pipeline not found: {}", ex);
       }
     }
     return cpList;
@@ -595,7 +591,6 @@ public class SCMClientProtocolServer implements
       HddsProtos.NodeOperationalState opState, HddsProtos.NodeState state,
       HddsProtos.QueryScope queryScope, String poolName, int clientVersion)
       throws IOException {
-
     if (queryScope == HddsProtos.QueryScope.POOL) {
       throw new IllegalArgumentException("Not Supported yet");
     }
@@ -656,6 +651,7 @@ public class SCMClientProtocolServer implements
 
   @Override
   public void closeContainer(long containerID) throws IOException {
+    getScm().checkAdminAccess(getRemoteUser(), false);
     final UserGroupInformation remoteUser = getRemoteUser();
     final Map<String, String> auditMap = Maps.newHashMap();
     auditMap.put("containerID", String.valueOf(containerID));
@@ -684,6 +680,7 @@ public class SCMClientProtocolServer implements
   public Pipeline createReplicationPipeline(HddsProtos.ReplicationType type,
       HddsProtos.ReplicationFactor factor, HddsProtos.NodePool nodePool)
       throws IOException {
+    getScm().checkAdminAccess(getRemoteUser(), false);
     Map<String, String> auditMap = Maps.newHashMap();
     if (type != null) {
       auditMap.put("replicationType", type.toString());
@@ -731,6 +728,7 @@ public class SCMClientProtocolServer implements
     Map<String, String> auditMap = Maps.newHashMap();
     auditMap.put("pipelineID", pipelineID.getId());
     try {
+      getScm().checkAdminAccess(getRemoteUser(), false);
       scm.getPipelineManager().activatePipeline(
           PipelineID.getFromProtobuf(pipelineID));
       AUDIT.logWriteSuccess(buildAuditMessageForSuccess(
@@ -963,9 +961,7 @@ public class SCMClientProtocolServer implements
   }
 
   @Override
-  public ReplicationManagerReport getReplicationManagerReport()
-      throws IOException {
-    getScm().checkAdminAccess(getRemoteUser(), true);
+  public ReplicationManagerReport getReplicationManagerReport() {
     AUDIT.logReadSuccess(buildAuditMessageForSuccess(
         SCMAction.GET_REPLICATION_MANAGER_REPORT, null));
     return scm.getReplicationManager().getContainerReport();
@@ -1328,6 +1324,7 @@ public class SCMClientProtocolServer implements
         DecommissionScmResponseProto.newBuilder();
 
     try {
+      getScm().checkAdminAccess(getRemoteUser(), false);
       decommissionScmResponseBuilder
           .setSuccess(scm.removePeerFromHARing(scmId));
     } catch (IOException ex) {
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config 
b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config
index 2cef12f802..99f35bb112 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config
@@ -47,7 +47,8 @@ OZONE-SITE.XML_ozone.recon.address=recon:9891
 OZONE-SITE.XML_ozone.security.enabled=true
 OZONE-SITE.XML_ozone.acl.enabled=true
 
OZONE-SITE.XML_ozone.acl.authorizer.class=org.apache.hadoop.ozone.security.acl.OzoneNativeAuthorizer
-OZONE-SITE.XML_ozone.administrators="testuser,recon"
+OZONE-SITE.XML_ozone.administrators="testuser,recon,om"
+OZONE-SITE.XML_ozone.s3.administrators="testuser,recon,om"
 OZONE-SITE.XML_ozone.recon.administrators="testuser2"
 OZONE-SITE.XML_ozone.s3.administrators="testuser,s3g"
 
diff --git a/hadoop-ozone/dist/src/main/smoketest/admincli/container.robot 
b/hadoop-ozone/dist/src/main/smoketest/admincli/container.robot
index f0d8fa8e29..ea10fb98d8 100644
--- a/hadoop-ozone/dist/src/main/smoketest/admincli/container.robot
+++ b/hadoop-ozone/dist/src/main/smoketest/admincli/container.robot
@@ -95,3 +95,6 @@ Cannot close container without admin privilege
 
 Cannot create container without admin privilege
     Requires admin privilege    ozone admin container create
+
+Reset user
+    Run Keyword if      '${SECURITY_ENABLED}' == 'true'     Kinit test user    
 testuser     testuser.keytab


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to