smengcl commented on a change in pull request #1801:
URL: https://github.com/apache/ozone/pull/1801#discussion_r565253322
##########
File path:
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMDBCheckpointServlet.java
##########
@@ -106,6 +132,37 @@ public void doGet(HttpServletRequest request,
HttpServletResponse response) {
return;
}
+ // Check ACL for dbCheckpoint only when global Ozone ACL is enable
+ if (om.getAclsEnabled()) {
+ final String remoteUser = request.getRemoteUser();
+ final java.security.Principal userPrincipal = request.getUserPrincipal();
+ if (userPrincipal == null) {
+ // Fallback to checking login user if userPrincipal is null.
+ // Note: In prod, a secure cluster would deploy Kerberos so this case
Review comment:
> Is there any unit test which require this branch?
Yes. `TestOMDbCheckpointServlet#testDoGet`, which doesn't have Kerberos but
have ACL enabled.
> Wouldn't be more safe to update the unit test instead of doing this check
in the production code?
I agree. But since you mentioned Kerberos might not be in-use on a secure
cluster, we would still need some sort of user name verification, no? If that's
the case I can adjust the comment.
Also, just curious, if a secure cluster doesn't use Kerberos to
authenticate, what would they use to authenticate users? Or you mean just
HTTPS/SSL.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
