smengcl commented on a change in pull request #1801:
URL: https://github.com/apache/ozone/pull/1801#discussion_r565254216
##########
File path:
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMDBCheckpointServlet.java
##########
@@ -106,6 +132,37 @@ public void doGet(HttpServletRequest request,
HttpServletResponse response) {
return;
}
+ // Check ACL for dbCheckpoint only when global Ozone ACL is enable
+ if (om.getAclsEnabled()) {
+ final String remoteUser = request.getRemoteUser();
+ final java.security.Principal userPrincipal = request.getUserPrincipal();
+ if (userPrincipal == null) {
+ // Fallback to checking login user if userPrincipal is null.
+ // Note: In prod, a secure cluster would deploy Kerberos so this case
+ // shouldn't be hit. This is here for UT and dev testing.
+ if (!checkAcls(remoteUser)) {
+ LOG.error("Permission denied: Current login user '{}' has not been "
+ + "authenticated to access /dbCheckpoint.", remoteUser);
+ response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ } else {
+ LOG.info("Granted login user '{}' access to /dbCheckpoint.",
+ remoteUser);
+ }
+ } else {
+ final String userPrincipalName = userPrincipal.getName();
+ if (!checkAcls(userPrincipalName)) {
+ LOG.error("Permission denied: User principal '{}' doesn't have the "
+ + "permission to access /dbCheckpoint.", userPrincipalName);
+ response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ } else {
+ LOG.info("Granted user principal '{}' access to /dbCheckpoint.",
Review comment:
Yep I will set it to debug level then
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
