[jira] [Updated] (HDDS-14207) Inconsistent Ozone admin check

Thu, 08 Jan 2026 22:09:10 -0800 


     [ 
https://issues.apache.org/jira/browse/HDDS-14207?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

ASF GitHub Bot updated HDDS-14207:
----------------------------------
    Labels: pull-request-available  (was: )

> Inconsistent Ozone admin check
> ------------------------------
>
>                 Key: HDDS-14207
>                 URL: https://issues.apache.org/jira/browse/HDDS-14207
>             Project: Apache Ozone
>          Issue Type: Bug
>            Reporter: Sammi Chen
>            Assignee: Gargi Jaiswal
>            Priority: Major
>              Labels: pull-request-available
>
> Ozone administrators have super privileges in Ozone system. Some actions are 
> only allowed by Ozone administrators. 
> While currently the ozone administrator check is not consistent. Some codes, 
> check permission is enabled first, then check if user has the admin 
> privilege.  For example, OMFinalizeUpgradeRequest#validateAndUpdateCache
> {code:java}
> if (ozoneManager.getAclsEnabled()) {
>         UserGroupInformation ugi = createUGIForApi();
>         if (!ozoneManager.isAdmin(ugi)) {
>           throw new OMException("Access denied for user " + ugi + ". "
>               + "Superuser privilege is required to finalize upgrade.",
>               OMException.ResultCodes.ACCESS_DENIED);
>         }
>       }
> {code}
> Some codes, check if user has the admin privilege directly, for example, 
> OzoneManager#triggerSnapshotDefrag
> {code:java}
>     final UserGroupInformation ugi = getRemoteUser();
>     // Check Ozone admin privilege
>     if (!isAdmin(ugi)) {
>       throw new OMException("Only Ozone admins are allowed to trigger "
>           + "snapshot defragmentation manually", PERMISSION_DENIED);
>     }
> {code}
> The expected and consistent behavior is we should check whether the 
> permission is enabled, if enabled then check whether user is an 
> administrator. 
> Appendix-1
> Ozone administrator property list, just for check reference, 
> - ozone.administrators
> - ozone.administrators.groups
> - ozone.s3.administrators
> - ozone.s3.administrators.groups
> - ozone.readonly.administrators
> - ozone.readonly.administrators.groups
> - ozone.recon.administrators
> - ozone.recon.administrators.groups
> Ozone permission enable property
> - ozone.acl.enabled
> Appendix-2
> HDFS checks permission enabled first, then checks super user if permission 
> check is enabled.  And HDFS by default enables permission 
> check(dfs.permissions.enabled), while Ozone ozone.acl.enabled by default is 
> false. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to