sreejasahithi commented on code in PR #9735:
URL: https://github.com/apache/ozone/pull/9735#discussion_r2783502683


##########
hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfigKeys.java:
##########
@@ -221,6 +221,8 @@ public final class ScmConfigKeys {
   public static final int OZONE_SCM_HTTP_BIND_PORT_DEFAULT = 9876;
   public static final int OZONE_SCM_HTTPS_BIND_PORT_DEFAULT = 9877;
   public static final String HDDS_DATANODE_DIR_KEY = "hdds.datanode.dir";
+  public static final String HDDS_DATANODE_DATA_DIR_PERMISSIONS =
+      "hdds.datanode.data.dir.permissions";
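
Review bot: The new constant HDDS_DATANODE_DATA_DIR_PERMISSIONS has no comment saying what form its value takes or which directories it governs, and its name drops the _KEY suffix used by HDDS_DATANODE_DIR_KEY on the line directly above it. Suggest a short Javadoc on the constant stating the accepted value format and that it applies to the directories configured under hdds.datanode.dir, and either add the suffix or note why this key is named differently.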

Review Comment:
   ```suggestion
         "hdds.datanode.data.dir.permissions";
     public static final String HDDS_DATANODE_DATA_DIR_PERMISSIONS_DEFAULT =
         "700";
   ```
   I think it would be better to add the default value as well to be consistent 
with other configs here.



##########
hadoop-hdds/common/src/main/resources/ozone-default.xml:
##########
@@ -705,7 +713,7 @@
   </property>
   <property>
     <name>ozone.metadata.dirs.permissions</name>

Review Comment:
   Could we add some test coverage for the permission change of metadata dir as
   well as for the db?



##########
hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/volume/StorageVolume.java:
##########
@@ -768,11 +781,30 @@ private static SpaceUsageCheckParams 
getSpaceUsageCheckParams(Builder b, Supplie
       throw new IOException("Unable to create the volume root dir at " + root);
     }
 
+    // Set permissions on volume root directory immediately after 
creation/check
+    // (for data volumes, we want to ensure the root has secure permissions,
+    // even if the directory already existed from a previous run)
+    // This follows the same pattern as metadata directories in 
getDirectoryFromConfig()
+    if (b.conf != null && root.exists() && 
HDDS_VOLUME_DIR.equals(b.getStorageDirStr())) {
+      ServerUtils.setDataDirectoryPermissions(root, b.conf,
+          ScmConfigKeys.HDDS_DATANODE_DATA_DIR_PERMISSIONS);
+    }
+
     SpaceUsageCheckFactory usageCheckFactory = b.usageCheckFactory;
     if (usageCheckFactory == null) {
       usageCheckFactory = SpaceUsageCheckFactory.create(b.conf);
     }
 
     return usageCheckFactory.paramsFor(root, exclusionProvider);
   }
+
+  /**
+   * Sets permissions on the storage directory (e.g., hdds subdirectory).
+   */
+  private void setStorageDirPermissions() {
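
Review bot: In the block added to getSpaceUsageCheckParams, the "b.conf != null" guard skips the setDataDirectoryPermissions call silently when no configuration is present, so a volume root that already existed from a previous run keeps whatever mode it had, which is exactly the case the new comment says it wants to cover. Suggest logging a warning (or failing) when the call is skipped so the gap is visible to operators. Changing directory permissions inside a static method named getSpaceUsageCheckParams is also a hidden side effect; moving the call next to the code that creates the root directory would make it easier to audit. The Javadoc on setStorageDirPermissions() should name the configuration key the method reads.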

Review Comment:
   This method is called by initializeImpl() for DbVolume (and HddsVolume), but
   it always uses HDDS_DATANODE_DATA_DIR_PERMISSIONS. This means DbVolume
   directories get data directory permissions. Is this intentional?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
