Gargi-jais11 opened a new pull request, #9610:
URL: https://github.com/apache/ozone/pull/9610

   ## What changes were proposed in this pull request?
   Ozone administrators have super privileges in the Ozone system. Some actions are
only allowed for Ozone administrators.
   However, the Ozone administrator check is currently not consistent. Some code
checks whether permission is enabled first, then checks whether the user has the
admin privilege. For example, **`OMFinalizeUpgradeRequest#validateAndUpdateCache`**
   ```
   if (ozoneManager.getAclsEnabled()) {
     UserGroupInformation ugi = createUGIForApi();
     if (!ozoneManager.isAdmin(ugi)) {
       throw new OMException("Access denied for user " + ugi + ". "
           + "Superuser privilege is required to finalize upgrade.",
           OMException.ResultCodes.ACCESS_DENIED);
     }
   }
   ```
   Some code checks whether the user has the admin privilege directly, for example,
   **OzoneManager#triggerSnapshotDefrag**
   ```
   final UserGroupInformation ugi = getRemoteUser();
   // Check Ozone admin privilege
   if (!isAdmin(ugi)) {
     throw new OMException("Only Ozone admins are allowed to trigger "
         + "snapshot defragmentation manually", PERMISSION_DENIED);
   }
   ```
   The expected and consistent behavior is that we should check whether the
permission is enabled and, if enabled, then check whether the user is an administrator.
   
   ## What is the link to the Apache JIRA
   https://issues.apache.org/jira/browse/HDDS-14207
   
   ## How was this patch tested?
   
   Updated the existing test cases to enable `ozone.acl.enabled=true` as all 
have implementation for admin user verification.
   

