xiaoyuyao commented on a change in pull request #2217:
URL: https://github.com/apache/ozone/pull/2217#discussion_r638130370
##########
File path:
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
##########
@@ -3617,9 +3618,11 @@ public OzoneDelegationTokenSecretManager
getDelegationTokenMgr() {
return ozAdmins;
}
- public boolean isAdmin(String username) {
+ public boolean isAdmin(String username) throws IOException {
if (isAclEnabled) {
- return accessAuthorizer != null && accessAuthorizer.isAdmin(username);
Review comment:
We don't expose isAdmin to the IAccessAuthorizer but remove all the
isAdmin call from the namespace access check. This way checkAccess will include
the admin check inside it. The s3 secret revoke brings back the isAdmin check
to ozone manager with a similar assumption that the operation is not directly
mapped into namespace check. I would suggest add additional comments to the
isAdmin check in OzoneManager for only non-namespace related admin operations.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
