[
https://issues.apache.org/jira/browse/HDFS-12038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16190992#comment-16190992
]
Nandakumar commented on HDFS-12038:
-----------------------------------
Thanks [~anu] for the ping, and thanks [~ljain] for taking this up and working
on it.
As of KSM's current state we don't have any authorization mechanism in place,
i.e we don't do authorization on any client calls. Authorization of
createVolume calls are done in OzoneHandler's {{VolumeHandler}} (datanode REST
server), this is not an ideal place to do it as RPC clients will bypass this.
We have to authorize all the calls made to KSM in {{KeySpaceManager}}, which
can be done in another jira.
For this issue we should properly set {{client.setUserAuth(userName)}} which is
not happening in first place; If {{-root}} is not specified we are setting
UserAuth as null and HTTP header {{Authorization}} is not set in the HttpGet
request which is causing the issue.
As pointed out by [~cheersyang], we have to remove line 89
{code}
client.setUserAuth(rootName);
{code}
Additionally we can add logic in
{{VolumeProcessTemplate#getVolumeInfoResponse}} to check if the user is admin
or owner of the volume, with this we can make sure that unauthorized user
doesn't have access to InfoVolume calls. Still with RPC client anyone can make
any calls.
> Ozone: Non-admin user is unable to run InfoVolume to the volume owned by
> itself
> -------------------------------------------------------------------------------
>
> Key: HDFS-12038
> URL: https://issues.apache.org/jira/browse/HDFS-12038
> Project: Hadoop HDFS
> Issue Type: Sub-task
> Components: ozone
> Reporter: Weiwei Yang
> Assignee: Lokesh Jain
> Labels: OzonePostMerge
> Attachments: HDFS-12038-HDFS-7240.001.patch
>
>
> Reproduce steps
> 1. Create a volume with a non-admin user
> {code}
> hdfs oz -createVolume http://ozone1.fyre.ibm.com:9864/volume-wwei-0 -user
> wwei -root -quota 2TB
> {code}
> 2. Run infoVolume command to get this volume info
> {noformat}
> hdfs oz -infoVolume http://ozone1.fyre.ibm.com:9864/volume-wwei-0 -user wwei
> Command Failed :
> {"httpCode":400,"shortMessage":"badAuthorization","resource":null,"message":"Missing
> authorization or authorization has to be
> unique.","requestID":"221efb47-72b9-498d-ac19-907257428573","hostName":"ozone1.fyre.ibm.com"}
> {noformat}
> add {{-root}} to run as admin user could bypass this issue
> {noformat}
> hdfs oz -infoVolume http://ozone1.fyre.ibm.com:9864/volume-wwei-0 -user wwei
> -root
> {
> "owner" : {
> "name" : "wwei"
> },
> "quota" : {
> "unit" : "TB",
> "size" : 2
> },
> "volumeName" : "volume-wwei-0",
> "createdOn" : null,
> "createdBy" : "hdfs"
> }
> {noformat}
> expecting: both volume owner and admin should be able to run infoVolume
> command.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
