[ https://issues.apache.org/jira/browse/HDFS-12038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16190992#comment-16190992 ]
Nandakumar commented on HDFS-12038: ----------------------------------- Thanks [~anu] for the ping, and thanks [~ljain] for taking this up and working on it. As of KSM's current state we don't have any authorization mechanism in place, i.e we don't do authorization on any client calls. Authorization of createVolume calls are done in OzoneHandler's {{VolumeHandler}} (datanode REST server), this is not an ideal place to do it as RPC clients will bypass this. We have to authorize all the calls made to KSM in {{KeySpaceManager}}, which can be done in another jira. For this issue we should properly set {{client.setUserAuth(userName)}} which is not happening in first place; If {{-root}} is not specified we are setting UserAuth as null and HTTP header {{Authorization}} is not set in the HttpGet request which is causing the issue. As pointed out by [~cheersyang], we have to remove line 89 {code} client.setUserAuth(rootName); {code} Additionally we can add logic in {{VolumeProcessTemplate#getVolumeInfoResponse}} to check if the user is admin or owner of the volume, with this we can make sure that unauthorized user doesn't have access to InfoVolume calls. Still with RPC client anyone can make any calls. > Ozone: Non-admin user is unable to run InfoVolume to the volume owned by > itself > ------------------------------------------------------------------------------- > > Key: HDFS-12038 > URL: https://issues.apache.org/jira/browse/HDFS-12038 > Project: Hadoop HDFS > Issue Type: Sub-task > Components: ozone > Reporter: Weiwei Yang > Assignee: Lokesh Jain > Labels: OzonePostMerge > Attachments: HDFS-12038-HDFS-7240.001.patch > > > Reproduce steps > 1. Create a volume with a non-admin user > {code} > hdfs oz -createVolume http://ozone1.fyre.ibm.com:9864/volume-wwei-0 -user > wwei -root -quota 2TB > {code} > 2. Run infoVolume command to get this volume info > {noformat} > hdfs oz -infoVolume http://ozone1.fyre.ibm.com:9864/volume-wwei-0 -user wwei > Command Failed : > {"httpCode":400,"shortMessage":"badAuthorization","resource":null,"message":"Missing > authorization or authorization has to be > unique.","requestID":"221efb47-72b9-498d-ac19-907257428573","hostName":"ozone1.fyre.ibm.com"} > {noformat} > add {{-root}} to run as admin user could bypass this issue > {noformat} > hdfs oz -infoVolume http://ozone1.fyre.ibm.com:9864/volume-wwei-0 -user wwei > -root > { > "owner" : { > "name" : "wwei" > }, > "quota" : { > "unit" : "TB", > "size" : 2 > }, > "volumeName" : "volume-wwei-0", > "createdOn" : null, > "createdBy" : "hdfs" > } > {noformat} > expecting: both volume owner and admin should be able to run infoVolume > command. -- This message was sent by Atlassian JIRA (v6.4.14#64029) --------------------------------------------------------------------- To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org