This is an automated email from the ASF dual-hosted git repository. elek pushed a commit to branch HDDS-2181 in repository https://gitbox.apache.org/repos/asf/hadoop-ozone.git
commit 076d05ca473100a3cb8247adcce42dd930231bcb Author: Vivek Ratnavel Subramanian <vivekratnave...@gmail.com> AuthorDate: Wed Oct 9 16:08:52 2019 -0700 Fix unit test failures --- .../main/java/org/apache/hadoop/ozone/OzoneConsts.java | 1 + .../hadoop/ozone/security/acl/IAccessAuthorizer.java | 2 +- .../org/apache/hadoop/ozone/security/acl/OzoneObj.java | 1 + .../ozone/security/acl/TestOzoneNativeAuthorizer.java | 5 ++++- .../java/org/apache/hadoop/ozone/om/KeyManagerImpl.java | 10 ++++++++-- .../ozone/om/request/file/OMDirectoryCreateRequest.java | 3 ++- .../hadoop/ozone/om/request/file/OMFileCreateRequest.java | 3 ++- .../ozone/om/request/key/OMAllocateBlockRequest.java | 15 +++++++++++---- .../hadoop/ozone/om/request/key/OMKeyCommitRequest.java | 15 +++++++++++---- .../hadoop/ozone/om/request/key/OMKeyCreateRequest.java | 3 ++- .../hadoop/ozone/om/request/key/OMKeyDeleteRequest.java | 3 ++- .../hadoop/ozone/om/request/key/OMKeyRenameRequest.java | 5 +++-- .../apache/hadoop/ozone/om/request/key/OMKeyRequest.java | 6 +++--- 13 files changed, 51 insertions(+), 21 deletions(-) diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConsts.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConsts.java index 9817d87..7c8eb69 100644 --- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConsts.java +++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConsts.java @@ -237,6 +237,7 @@ public final class OzoneConsts { public static final String VOLUME = "volume"; public static final String BUCKET = "bucket"; public static final String KEY = "key"; + public static final String OPEN_KEY = "openKey"; public static final String QUOTA = "quota"; public static final String QUOTA_IN_BYTES = "quotaInBytes"; public static final String OBJECT_ID = "objectID"; 
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/IAccessAuthorizer.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/IAccessAuthorizer.java index d8a2660..939f2c1 100644 --- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/IAccessAuthorizer.java +++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/IAccessAuthorizer.java @@ -64,7 +64,7 @@ public interface IAccessAuthorizer { public static ACLType getAclTypeFromOrdinal(int ordinal) { if (ordinal > length - 1 && ordinal > -1) { - throw new IllegalArgumentException("Ordinal greater than array lentgh" + + throw new IllegalArgumentException("Ordinal greater than array length" + ". ordinal:" + ordinal); } return vals[ordinal]; diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneObj.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneObj.java index 4a95e55..1d05ede 100644 --- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneObj.java +++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneObj.java @@ -95,6 +95,7 @@ public abstract class OzoneObj implements IOzoneObj { VOLUME(OzoneConsts.VOLUME), BUCKET(OzoneConsts.BUCKET), KEY(OzoneConsts.KEY), + OPEN_KEY(OzoneConsts.OPEN_KEY), PREFIX(OzoneConsts.PREFIX); /** diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/security/acl/TestOzoneNativeAuthorizer.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/security/acl/TestOzoneNativeAuthorizer.java index 43ce679..bedd959 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/security/acl/TestOzoneNativeAuthorizer.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/security/acl/TestOzoneNativeAuthorizer.java 
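Review bot: The guard in getAclTypeFromOrdinal, `if (ordinal > length - 1 && ordinal > -1)`, still lets a negative ordinal through, because the condition is true only for values above the upper bound. A negative value therefore reaches `vals[ordinal]` and fails with ArrayIndexOutOfBoundsException instead of the IllegalArgumentException the corrected message belongs to. If ordinals can arrive from serialized requests (not visible here), both ends should be rejected explicitly: `if (ordinal < 0 || ordinal > length - 1) {`, with the message reworded to `"Ordinal out of range. ordinal:"`. The end of the method is outside the hunk.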
@@ -69,6 +69,7 @@ import static org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentity import static org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType.USER; import static org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType.WORLD; import static org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType.ALL; +import static org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType.CREATE; import static org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType.NONE; import static org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.BUCKET; import static org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.KEY; @@ -362,6 +363,7 @@ public class TestOzoneNativeAuthorizer { aclsToBeAdded.remove(NONE); aclsToBeAdded.remove(ALL); + aclsToBeAdded.remove(CREATE); // Fetch acls again. for (ACLType a2 : aclsToBeAdded) { @@ -410,7 +412,7 @@ public class TestOzoneNativeAuthorizer { builder.setAclRights(a2).build())); aclsToBeValidated.remove(a2); for (ACLType a3 : aclsToBeValidated) { - if (!a3.equals(a1) && !a3.equals(a2)) { + if (!a3.equals(a1) && !a3.equals(a2) && !a3.equals(CREATE)) { assertFalse("User shouldn't have right " + a3 + ". " + "Current acl rights for user:" + a1 + "," + a2, nativeAuthorizer.checkAccess(obj, @@ -462,6 +464,7 @@ public class TestOzoneNativeAuthorizer { builder) throws OMException { List<ACLType> allAcls = new ArrayList<>(Arrays.asList(ACLType.values())); allAcls.remove(NONE); + allAcls.remove(CREATE); for (ACLType a : allAcls) { assertFalse("User shouldn't have right " + a + ".", nativeAuthorizer.checkAccess(obj, builder.setAclRights(a).build())); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/KeyManagerImpl.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/KeyManagerImpl.java index f3ae9b1..faa65bb 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/KeyManagerImpl.java 
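Review bot: Dropping CREATE from the expectations in the `@@ -362,6 +363,7 @@` hunk (`aclsToBeAdded.remove(CREATE);`), and again in the `@@ -410,7 +412,7 @@` and `@@ -462,6 +464,7 @@` hunks, leaves the native authorizer with no assertion about CREATE at all, including the negative case where a user without any ACL must be refused. If CREATE is excluded because it is evaluated against the parent rather than the key itself (an assumption; the hunks do not say), state that next to each removal, e.g. `// CREATE is evaluated on the parent, not on the object itself; covered by <test name>`, and add a dedicated test asserting that CREATE is denied without the right. As written, a regression that grants CREATE unconditionally would pass this suite. The enclosing test methods start and end outside the hunks.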
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/KeyManagerImpl.java @@ -123,6 +123,7 @@ import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.KEY_ import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.VOLUME_NOT_FOUND; import static org.apache.hadoop.ozone.om.lock.OzoneManagerLock.Resource.BUCKET_LOCK; import static org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.KEY; +import static org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.OPEN_KEY; import static org.apache.hadoop.util.Time.monotonicNow; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -1656,8 +1657,13 @@ public class KeyManagerImpl implements KeyManager { validateBucket(volume, bucket); OmKeyInfo keyInfo = null; try { - OzoneFileStatus fileStatus = getFileStatus(args); - keyInfo = fileStatus.getKeyInfo(); + if (ozObject.getResourceType() == OPEN_KEY) { + keyInfo = metadataManager.getOpenKeyTable().get(objectKey); + } else { + OzoneFileStatus fileStatus = getFileStatus(args); + keyInfo = fileStatus.getKeyInfo(); + } + if (keyInfo == null) { // the key does not exist, but it is a parent "dir" of some key // let access be determined based on volume/bucket/prefix ACL diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMDirectoryCreateRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMDirectoryCreateRequest.java index 6e45171..aaac874 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMDirectoryCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMDirectoryCreateRequest.java 
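Review bot: A miss in the open key table falls into the same `if (keyInfo == null)` branch that the existing comment reserves for a parent "dir" of some key, so for OPEN_KEY a name that matches no open entry is decided by the volume/bucket/prefix ACL rather than being refused. The name looked up is built by the callers from the request's client ID (`keyName + "/" + ...getClientID()` in OMAllocateBlockRequest and OMKeyCommitRequest), so the caller influences whether the lookup hits. I would handle the miss inside the new branch, for example `if (keyInfo == null) { throw new OMException("Open key not found " + objectKey, KEY_NOT_FOUND); }`, or at least document why the directory fallback is acceptable for open keys. What the fallback branch returns and how `objectKey` is derived are outside the hunk.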
@@ -33,6 +33,7 @@ import org.apache.hadoop.ozone.om.helpers.OzoneAclUtil; import org.apache.hadoop.ozone.om.helpers.OzoneFSUtils; import org.apache.hadoop.ozone.om.ratis.utils.OzoneManagerDoubleBufferHelper; import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; +import org.apache.hadoop.ozone.security.acl.OzoneObj; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -129,7 +130,7 @@ public class OMDirectoryCreateRequest extends OMKeyRequest { try { // check Acl checkKeyAcls(ozoneManager, volumeName, bucketName, keyName, - IAccessAuthorizer.ACLType.CREATE); + IAccessAuthorizer.ACLType.CREATE, OzoneObj.ResourceType.KEY); // Check if this is the root of the filesystem. if (keyName.length() == 0) { diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMFileCreateRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMFileCreateRequest.java index 79500cc..52af0a3 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMFileCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMFileCreateRequest.java @@ -32,6 +32,7 @@ import com.google.common.base.Optional; import com.google.common.base.Preconditions; import org.apache.hadoop.ozone.om.ratis.utils.OzoneManagerDoubleBufferHelper; import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; +import org.apache.hadoop.ozone.security.acl.OzoneObj; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -179,7 +180,7 @@ public class OMFileCreateRequest extends OMKeyRequest { try { // check Acl checkKeyAcls(ozoneManager, volumeName, bucketName, keyName, - IAccessAuthorizer.ACLType.CREATE); + IAccessAuthorizer.ACLType.CREATE, OzoneObj.ResourceType.KEY); // acquire lock acquiredLock = omMetadataManager.getLock().acquireWriteLock(BUCKET_LOCK, 
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMAllocateBlockRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMAllocateBlockRequest.java index a6702b3..ef2af6d 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMAllocateBlockRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMAllocateBlockRequest.java @@ -29,6 +29,7 @@ import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.ozone.OmUtils; import org.apache.hadoop.ozone.om.ratis.utils.OzoneManagerDoubleBufferHelper; import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; +import org.apache.hadoop.ozone.security.acl.OzoneObj; import org.apache.hadoop.util.Time; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -176,12 +177,18 @@ public class OMAllocateBlockRequest extends OMKeyRequest { // write ACL on key. Add client id to key name if ozone native // authorizer is configured. Configuration config = ozoneManager.getConfiguration(); - String keyNameForAclCheck = keyName; if (OmUtils.isNativeAuthorizerEnabled(config)) { - keyNameForAclCheck = keyName + "/" + allocateBlockRequest.getClientID(); + String keyNameForAclCheck = + keyName + "/" + allocateBlockRequest.getClientID(); + // During allocate block request, it is possible that key is + // not present in the key table and hence setting the resource type + // to OPEN_KEY to check the openKeyTable. + checkKeyAcls(ozoneManager, volumeName, bucketName, keyNameForAclCheck, + IAccessAuthorizer.ACLType.WRITE, OzoneObj.ResourceType.OPEN_KEY); + } else { + checkKeyAcls(ozoneManager, volumeName, bucketName, keyName, + IAccessAuthorizer.ACLType.WRITE, OzoneObj.ResourceType.KEY); } - checkKeyAcls(ozoneManager, volumeName, bucketName, keyNameForAclCheck, - IAccessAuthorizer.ACLType.WRITE); OMMetadataManager omMetadataManager = ozoneManager.getMetadataManager(); validateBucketAndVolume(omMetadataManager, volumeName, diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyCommitRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyCommitRequest.java index 3fe5206..63ea5a0 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyCommitRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyCommitRequest.java @@ -29,6 +29,7 @@ import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.ozone.OmUtils; import org.apache.hadoop.ozone.om.ratis.utils.OzoneManagerDoubleBufferHelper; import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; +import org.apache.hadoop.ozone.security.acl.OzoneObj; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
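Review bot: The authorizer-dependent branch added here is repeated line for line in OMKeyCommitRequest (`@@ -123,12 +124,18 @@`), so the rule that picks the resource name and type for a WRITE check now lives in two places that can drift apart. I would move it into one helper on OMKeyRequest next to checkKeyAcls and call it from both requests, which also keeps the `keyName + "/" + clientID` naming convention in a single spot. The type returned by getClientID() is not visible in the hunk; `long` is assumed below. Both enclosing methods start and end outside the hunks.

```java
// In OMKeyRequest, next to checkKeyAcls:
protected void checkOpenKeyAcls(OzoneManager ozoneManager, String volume,
    String bucket, String key, long clientId,
    IAccessAuthorizer.ACLType aclType) throws IOException {
  if (OmUtils.isNativeAuthorizerEnabled(ozoneManager.getConfiguration())) {
    // The key may not be in the key table yet, so the native authorizer
    // is pointed at the open key table via the client-id-suffixed name.
    checkKeyAcls(ozoneManager, volume, bucket, key + "/" + clientId,
        aclType, OzoneObj.ResourceType.OPEN_KEY);
  } else {
    checkKeyAcls(ozoneManager, volume, bucket, key, aclType,
        OzoneObj.ResourceType.KEY);
  }
}

// In OMAllocateBlockRequest (OMKeyCommitRequest likewise, with commitKeyRequest):
checkOpenKeyAcls(ozoneManager, volumeName, bucketName, keyName,
    allocateBlockRequest.getClientID(), IAccessAuthorizer.ACLType.WRITE);
// … unchanged: metadata manager lookup and validateBucketAndVolume …
```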
@@ -123,12 +124,18 @@ public class OMKeyCommitRequest extends OMKeyRequest { // write ACL on key. Add client id to key name if ozone native // authorizer is configured. Configuration config = ozoneManager.getConfiguration(); - String keyNameForAclCheck = keyName; if (OmUtils.isNativeAuthorizerEnabled(config)) { - keyNameForAclCheck = keyName + "/" + commitKeyRequest.getClientID(); + String keyNameForAclCheck = + keyName + "/" + commitKeyRequest.getClientID(); + // During key commit request, it is possible that key is + // not present in the key table and hence setting the resource type + // to OPEN_KEY to check the openKeyTable. + checkKeyAcls(ozoneManager, volumeName, bucketName, keyNameForAclCheck, + IAccessAuthorizer.ACLType.WRITE, OzoneObj.ResourceType.OPEN_KEY); + } else { + checkKeyAcls(ozoneManager, volumeName, bucketName, keyName, + IAccessAuthorizer.ACLType.WRITE, OzoneObj.ResourceType.KEY); } - checkKeyAcls(ozoneManager, volumeName, bucketName, keyNameForAclCheck, - IAccessAuthorizer.ACLType.WRITE); List<OmKeyLocationInfo> locationInfoList = commitKeyArgs .getKeyLocationsList().stream() diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyCreateRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyCreateRequest.java index 5229e81..9681b20 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyCreateRequest.java @@ -27,6 +27,7 @@ import com.google.common.base.Optional; import com.google.common.base.Preconditions; import org.apache.hadoop.ozone.om.ratis.utils.OzoneManagerDoubleBufferHelper; import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; +import org.apache.hadoop.ozone.security.acl.OzoneObj; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -164,7 +165,7 @@ public class OMKeyCreateRequest extends OMKeyRequest { try { // check Acl checkKeyAcls(ozoneManager, volumeName, bucketName, keyName, - IAccessAuthorizer.ACLType.CREATE); + IAccessAuthorizer.ACLType.CREATE, OzoneObj.ResourceType.KEY); acquireLock = omMetadataManager.getLock().acquireWriteLock(BUCKET_LOCK, volumeName, bucketName); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyDeleteRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyDeleteRequest.java index 97c2554..28dfaa5 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyDeleteRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyDeleteRequest.java @@ -24,6 +24,7 @@ import java.util.Map; import com.google.common.base.Optional; import org.apache.hadoop.ozone.om.ratis.utils.OzoneManagerDoubleBufferHelper; import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; +import org.apache.hadoop.ozone.security.acl.OzoneObj; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -111,7 +112,7 @@ public class OMKeyDeleteRequest extends OMKeyRequest { try { // check Acl checkKeyAcls(ozoneManager, volumeName, bucketName, keyName, - IAccessAuthorizer.ACLType.DELETE); + IAccessAuthorizer.ACLType.DELETE, OzoneObj.ResourceType.KEY); String objectKey = omMetadataManager.getOzoneKey( volumeName, bucketName, keyName); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRenameRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRenameRequest.java index c594120..6f7ff60 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRenameRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRenameRequest.java 
@@ -25,6 +25,7 @@ import com.google.common.base.Optional; import com.google.common.base.Preconditions; import org.apache.hadoop.ozone.om.ratis.utils.OzoneManagerDoubleBufferHelper; import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; +import org.apache.hadoop.ozone.security.acl.OzoneObj; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -121,9 +122,9 @@ public class OMKeyRenameRequest extends OMKeyRequest { // check Acls to see if user has access to perform delete operation on // old key and create operation on new key checkKeyAcls(ozoneManager, volumeName, bucketName, fromKeyName, - IAccessAuthorizer.ACLType.DELETE); + IAccessAuthorizer.ACLType.DELETE, OzoneObj.ResourceType.KEY); checkKeyAcls(ozoneManager, volumeName, bucketName, toKeyName, - IAccessAuthorizer.ACLType.CREATE); + IAccessAuthorizer.ACLType.CREATE, OzoneObj.ResourceType.KEY); acquiredLock = omMetadataManager.getLock().acquireWriteLock(BUCKET_LOCK, volumeName, bucketName); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java index 9520863..16e97e8 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java 
@@ -526,11 +526,11 @@ public abstract class OMKeyRequest extends OMClientRequest { * @throws IOException */ protected void checkKeyAcls(OzoneManager ozoneManager, String volume, - String bucket, String key, IAccessAuthorizer.ACLType aclType) + String bucket, String key, IAccessAuthorizer.ACLType aclType, + OzoneObj.ResourceType resourceType) throws IOException { if (ozoneManager.getAclsEnabled()) { - checkAcls(ozoneManager, OzoneObj.ResourceType.KEY, - OzoneObj.StoreType.OZONE, aclType, + checkAcls(ozoneManager, resourceType, OzoneObj.StoreType.OZONE, aclType, volume, bucket, key); } } --------------------------------------------------------------------- To unsubscribe, e-mail: hdfs-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-commits-h...@hadoop.apache.org
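Review bot: The new `resourceType` parameter of checkKeyAcls has no `@param` entry in the Javadoc whose tail (`@throws IOException`) is visible above the signature; add `@param resourceType KEY to resolve the ACL from the key table, OPEN_KEY to resolve it from the open key table`. The method also forwards any ResourceType to checkAcls, so a caller could hand VOLUME or BUCKET to a key-level check; consider rejecting anything other than KEY and OPEN_KEY at the top of the method. Keeping the old five-argument signature as an overload that passes `OzoneObj.ResourceType.KEY` would have left the call sites that only append that constant untouched. The Javadoc starts outside the hunk.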