This is an automated email from the ASF dual-hosted git repository.
sodonnell pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/master by this push:
new be8567ed916 HDDS-13858. Add permission check and test in getFileStatus
(#9237)
be8567ed916 is described below
commit be8567ed916c008287f8d4646d0515000acb304b
Author: rich7420 <[email protected]>
AuthorDate: Tue Nov 4 23:37:30 2025 +0800
HDDS-13858. Add permission check and test in getFileStatus (#9237)
---
.../test/java/org/apache/hadoop/ozone/om/TestOmAcls.java | 15 +++++++++++++++
.../java/org/apache/hadoop/ozone/om/OmMetadataReader.java | 6 +++++-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOmAcls.java
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOmAcls.java
index e508e585201..01e8463f6a9 100644
---
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOmAcls.java
+++
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOmAcls.java
@@ -194,6 +194,21 @@ public void testReadKeyPermissionDenied() throws Exception
{
verifyAuditLog(OMAction.READ_KEY, AuditEventStatus.FAILURE);
}
+ @Test
+ public void testGetFileStatusPermissionDenied() throws Exception {
+ OzoneBucket bucket = TestDataUtil.createVolumeAndBucket(client);
+ TestDataUtil.createKey(bucket, "testKey",
"testcontent".getBytes(StandardCharsets.UTF_8));
+
+ authorizer.keyAclAllow = false;
+ OMException exception = assertThrows(OMException.class,
+ () -> bucket.getFileStatus("testKey"));
+
+ assertEquals(ResultCodes.PERMISSION_DENIED, exception.getResult());
+ assertThat(logCapturer.getOutput()).contains("doesn't have READ " +
+ "permission to access key");
+ verifyAuditLog(OMAction.GET_FILE_STATUS, AuditEventStatus.FAILURE);
+ }
+
@Test
public void testSetACLPermissionDenied() throws Exception {
OzoneBucket bucket = TestDataUtil.createVolumeAndBucket(client);
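Review bot: `testGetFileStatusPermissionDenied` only exercises a key that exists, so it does not pin the property that the ACL check runs before the key lookup. A second case that calls `bucket.getFileStatus("noSuchKey")` with `authorizer.keyAclAllow = false` and asserts `ResultCodes.PERMISSION_DENIED` would catch a later reordering that lets a denied caller tell existing keys from missing ones by the result code. The test also leaves `authorizer.keyAclAllow` set to `false`; any setup or teardown that restores it is outside this hunk, so confirm the flag is reset before the next test runs.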
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmMetadataReader.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmMetadataReader.java
index cbcb7e2dc06..c413c96956f 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmMetadataReader.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmMetadataReader.java
@@ -275,9 +275,13 @@ public OzoneFileStatus getFileStatus(OmKeyArgs args)
throws IOException {
args = bucket.update(args);
try {
+ if (isAclEnabled) {
+ checkAcls(getResourceType(args), StoreType.OZONE, ACLType.READ,
+ bucket, args.getKeyName());
+ }
metrics.incNumGetFileStatus();
return keyManager.getFileStatus(args, getClientAddress());
- } catch (IOException ex) {
+ } catch (Exception ex) {
metrics.incNumGetFileStatusFails();
auditSuccess = false;
audit.logReadFailure(
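Review bot: A denied request now increments `NumGetFileStatusFails` without incrementing `NumGetFileStatus`, because `checkAcls` at the top of the `try` throws before `metrics.incNumGetFileStatus();` is reached. Unless the other read paths in this class deliberately count only authorized calls, move `metrics.incNumGetFileStatus();` above the `if (isAclEnabled)` block so that the failure ratio stays meaningful when monitoring for bursts of denied access. The widened `catch (Exception ex)` also sends unchecked exceptions through the audit-failure path. The rest of the catch body is outside the hunk, so check that it still rethrows `ex` unchanged, and add a short comment such as `// also audit unchecked failures from the ACL check` to record why `IOException` was not enough.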