[
https://issues.apache.org/jira/browse/HDDS-11656?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sammi Chen resolved HDDS-11656.
-------------------------------
Fix Version/s: 2.0.0
Resolution: Fixed
> Default native ACL limits to user and user's primary group
> ----------------------------------------------------------
>
> Key: HDDS-11656
> URL: https://issues.apache.org/jira/browse/HDDS-11656
> Project: Apache Ozone
> Issue Type: Bug
> Reporter: Wei-Chiu Chuang
> Assignee: Sammi Chen
> Priority: Major
> Labels: pull-request-available
> Fix For: 2.0.0
>
> Attachments: Ozone Native ACL and FsPermission.pdf
>
>
> Related to HDDS-11655.
> We found a cluster where files are created with hundreds of ACLs.
> Here's the culprit:
> https://github.com/apache/ozone/blob/master/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OzoneAclUtil.java#L66
> When creating a file, Ozone client supplies the ACL by composing the current
> user's group. The problem is, if Ranger is enabled, these ACLs does not take
> effect, but they get saved into KeyInfo regardless.
> Potential problems and proposed solutions.
> (1) OM does not limit the number of ACLs. That could potentially lead to some
> kind of DDoS attack. We should update
> OMKeyCreateRequest(WithFSO)/OMFileCreateRequest(WithFSO), OMKeyAclRequest and
> its subclasses to add guardrails.
> (2) If Ranger is enabled, prune the ACLs provided by the client from KeyInfo
> in OMKeyCreateRequest(WithFSO)/OMFileCreateRequest(WithFSO).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
