sarvekshayr commented on code in PR #9297:
URL: https://github.com/apache/ozone/pull/9297#discussion_r2533653341


##########
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeysRenameRequest.java:
##########
@@ -77,6 +77,59 @@ public OMKeysRenameRequest(OMRequest omRequest, BucketLayout 
bucketLayout) {
     super(omRequest, bucketLayout);
   }
 
+  @Override
+  public OMRequest preExecute(OzoneManager ozoneManager) throws IOException {
+    super.preExecute(ozoneManager);
+
+    RenameKeysRequest renameKeysRequest = 
getOmRequest().getRenameKeysRequest();
+    RenameKeysArgs renameKeysArgs = renameKeysRequest.getRenameKeysArgs();
+    
+    String volumeName = renameKeysArgs.getVolumeName();
+    String bucketName = renameKeysArgs.getBucketName();
+
+    // Resolve bucket link
+    ResolvedBucket resolvedBucketObj = ozoneManager.resolveBucketLink(
+        Pair.of(volumeName, bucketName));
+    String resolvedVolume = resolvedBucketObj.realVolume();
+    String resolvedBucket = resolvedBucketObj.realBucket();
+
+    // ACL check during preExecute - check all key pairs
+    if (ozoneManager.getAclsEnabled()) {
+      for (RenameKeysMap renameKey : renameKeysArgs.getRenameKeysMapList()) {
+        String fromKeyName = renameKey.getFromKeyName();
+        String toKeyName = renameKey.getToKeyName();
+        
+        // Skip empty key names - they will be handled in 
validateAndUpdateCache
+        if (fromKeyName.isEmpty() || toKeyName.isEmpty()) {
+          continue;
+        }
+
+        try {
+          // Check ACLs: DELETE permission on source key, CREATE permission on 
destination key
+          checkKeyAcls(ozoneManager, resolvedVolume, resolvedBucket, 
fromKeyName,
+              IAccessAuthorizer.ACLType.DELETE, OzoneObj.ResourceType.KEY);
+          checkKeyAcls(ozoneManager, resolvedVolume, resolvedBucket, toKeyName,
+              IAccessAuthorizer.ACLType.CREATE, OzoneObj.ResourceType.KEY);
+        } catch (IOException ex) {
+          // Ensure audit log captures preExecute failures
+          Map<String, String> auditMap = new LinkedHashMap<>();
+          auditMap.put("volume", resolvedVolume);
+          auditMap.put("bucket", resolvedBucket);
+          auditMap.put("fromKey", fromKeyName);
+          auditMap.put("toKey", toKeyName);
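
Review bot: In the catch block, the audit map records fromKey and toKey but not which check was denied, because the DELETE check on the source key and the CREATE check on the destination key share one try. Consider adding the denied ACL type to the map, or wrapping each checkKeyAcls call separately, so an audit reader can tell a refused delete from a refused create. The catch also takes any IOException, so a failure that is not a permission denial goes down the same audit path; narrowing the caught type or recording the exception class would keep the audit trail unambiguous. Separately, the return value of `super.preExecute(ozoneManager)` at the top of the method is discarded; if the parent returns a modified OMRequest, the method should build its result from that value rather than from getOmRequest().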

Review Comment:
   To keep the audit map keys consistent across the codebase, can we avoid 
hardcoding here?
   We should either use the existing constants or add new ones if needed for 
consistency.


