[ https://issues.apache.org/jira/browse/HDDS-10509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17926056#comment-17926056 ]
István Fajth commented on HDDS-10509:
-------------------------------------
[~szetszwo], a few questions arise with this approach...

If we allow sending in a RatisShellCommandProto via, let's say, Ozone Manager,
should Ozone Manager validate that command in any way, or will Ratis do that
internally?

By validating I mean:
- who will authenticate the original sender? (I guess OM based on the Kerberos
principal)
- who will authorize the actual request? (I guess OM based on the Kerberos
principal, but if it has to be the Ratis server, then what information should
arrive at the Ratis server, and how, to do the authorization?)
- who will verify that the request is valid and well formatted, with all the
information needed? (Ideally the client side does this already, but this should
also happen on the server side before posting the command to Ratis. This points
towards OM-side validation, but I want to be sure we do not do the validation 2
times on the server side, once in OM then once in Ratis, but just in one place.)

Do we agree on these points? Is there any Ratis-command-specific special
requirement that we might also think about to do this safely? Like denying
certain requests in different states or the like?

> Allow running ratis shell commands in secure Ozone cluster.
> -----------------------------------------------------------
>
> Key: HDDS-10509
> URL: https://issues.apache.org/jira/browse/HDDS-10509
> Project: Apache Ozone
> Issue Type: Sub-task
> Components: Tools
> Reporter: Tsz-wo Sze
> Assignee: Rishabh Patel
> Priority: Major
>
> When Ozone is in secure mode, running ratis shell directly cannot access
> Ozone since ratis shell does not have Ozone UserGroupInformation. We should
> add a new Ozone command to run ratis shell. The new Ozone command can get
> the UserGroupInformation and then run the ratis commands.