[jira] [Created] (HDDS-14207) Inconsistent Ozone admin check

Thu, 18 Dec 2025 04:08:05 -0800 

Sammi Chen created HDDS-14207:
---------------------------------

             Summary: Inconsistent Ozone admin check
                 Key: HDDS-14207
                 URL: https://issues.apache.org/jira/browse/HDDS-14207
             Project: Apache Ozone
          Issue Type: Bug
            Reporter: Sammi Chen


Ozone administrators have super privileges in Ozone system. Some actions are 
only allowed by Ozone administrators. 
While currently the ozone administrator check is not consistent. Some codes, 
check permission is enabled first, then check if user has the admin privilege.  
For example, OMFinalizeUpgradeRequest#validateAndUpdateCache

{code:java}
if (ozoneManager.getAclsEnabled()) {
        UserGroupInformation ugi = createUGIForApi();
        if (!ozoneManager.isAdmin(ugi)) {
          throw new OMException("Access denied for user " + ugi + ". "
              + "Superuser privilege is required to finalize upgrade.",
              OMException.ResultCodes.ACCESS_DENIED);
        }
      }
{code}

Some codes, check if user has the admin privilege directly, for example, 
OzoneManager#triggerSnapshotDefrag

{code:java}
    final UserGroupInformation ugi = getRemoteUser();
    // Check Ozone admin privilege
    if (!isAdmin(ugi)) {
      throw new OMException("Only Ozone admins are allowed to trigger "
          + "snapshot defragmentation manually", PERMISSION_DENIED);
    }
{code}

The expected and consistent behavior is we should check whether the permission 
is enabled, if enabled then check whether user is an administrator. 

Appendix-1
Ozone administrator property list, just for check reference, 
- ozone.administrators
- ozone.administrators.groups
- ozone.s3.administrators
- ozone.s3.administrators.groups
- ozone.readonly.administrators
- ozone.readonly.administrators.groups
- ozone.recon.administrators
- ozone.recon.administrators.groups

Ozone permission enable property
- ozone.acl.enabled

Appendix-2
HDFS checks permission enabled first, then checks super user if permission 
check is enabled.  And HDFS by default enables permission 
check(dfs.permissions.enabled), while Ozone ozone.acl.enabled by default is 
false. 






--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to