errose28 commented on a change in pull request #2217:
URL: https://github.com/apache/ozone/pull/2217#discussion_r637330969



##########
File path: 
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
##########
@@ -3617,9 +3618,11 @@ public OzoneDelegationTokenSecretManager 
getDelegationTokenMgr() {
     return ozAdmins;
   }
 
-  public boolean isAdmin(String username) {
+  public boolean isAdmin(String username) throws IOException {
     if (isAclEnabled) {
-      return accessAuthorizer != null && accessAuthorizer.isAdmin(username);
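
Review bot: On the changed signature `public boolean isAdmin(String username) throws IOException`, nothing states when the method throws and when it returns false, and for an authorization check that distinction matters. Add Javadoc naming the conditions, and make sure every caller treats the exception as a denial rather than catching it and continuing. The removed line `return accessAuthorizer != null && accessAuthorizer.isAdmin(username);` also denied access when ACLs are enabled but no authorizer is set, so whatever replaces it inside `if (isAclEnabled)` should keep that fail-closed result for a null `accessAuthorizer`.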

Review comment:
       The Ranger plugin is for OM only, not for SCM. Existing SCM admin 
operations only use the admins defined by the ozone administrators 
configuration. If we use the Ranger defined admins for command line operations 
on OM we have a divergence, because some admins may be able to run upgrade 
commands on OM, but not the corresponding upgrade commands on SCM, or any other 
existing SCM admin operations like decommission.
   
   The structure of the existing IAccessAuthorizer seems intended for admin 
related filesystem operations, like volume creation, that exist only on the OM, 
since it currently only exposes a `checkAccess` method corresponding to an 
`IOzoneObj`.
   
   This is the first command line admin operation we are adding to OM, so we 
have a choice of implementation. Roles is readonly and does not require admin 
privileges currently. We have a choice whether or not to use Ranger admins on 
the OM, but in this case I think it would be best not to so that behavior is 
consistent across OM and SCM CLI. Let me know if you disagree, I have 
misunderstood something here, or if there is an easy way to check Ranger admins 
for SCM as well that we could add.



