[
https://issues.apache.org/jira/browse/HDDS-14207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18062376#comment-18062376
]
Gargi Jaiswal commented on HDDS-14207:
--------------------------------------
As discussed:
1. Create a new property, {{ozone.authorization.enabled}}:
* {{ozone.authorization.enabled}} (NEW) - master switch for ALL authorization
* Default: *true*
* Controls: admin checks + ACL checks
2. {{ozone.security.enabled}} is *false*: no Kerberos authentication, no authorization check.
- {{ozone.security.enabled}} is *true*: must enforce Kerberos authentication for OM, SCM, and DN.
- {{ozone.security.enabled}} is *true*, {{ozone.authorization.enabled}} default *true* (align with HDFS) -> admin check; {{ozone.acl.enabled}} = *false* -> no volume/bucket/key permission check.
- {{ozone.security.enabled}} is *true*, {{ozone.authorization.enabled}} default *true* (align with HDFS) -> admin check; {{ozone.acl.enabled}} = *true* -> volume/bucket/key permission check enabled.
So, to sum up the discussion, below is the new flow with {{ozone.authorization.enabled}}=*true* (default):
{code:java}
Admin Operations (non-objects):
SCM decommission, OM upgrade, Recon endpoints, etc.
↓
Check: ozone.security.enabled && ozone.authorization.enabled
↓
Does NOT depend on ozone.acl.enabled

Object Operations (volumes/buckets/keys):
Create bucket, read key, delete volume, etc.
↓
Check: ozone.security.enabled && ozone.authorization.enabled && ozone.acl.enabled
↓
Depends on ALL three properties
{code}
> Inconsistent Ozone admin check
> ------------------------------
>
> Key: HDDS-14207
> URL: https://issues.apache.org/jira/browse/HDDS-14207
> Project: Apache Ozone
> Issue Type: Bug
> Reporter: Sammi Chen
> Assignee: Gargi Jaiswal
> Priority: Major
> Labels: pull-request-available
>
> Ozone administrators have super privileges in the Ozone system. Some actions are
> only allowed for Ozone administrators.
> Currently, however, the Ozone administrator check is not consistent. Some code
> checks whether permission checking is enabled first, then checks whether the user
> has the admin privilege. For example, OMFinalizeUpgradeRequest#validateAndUpdateCache:
> {code:java}
> if (ozoneManager.getAclsEnabled()) {
>   UserGroupInformation ugi = createUGIForApi();
>   if (!ozoneManager.isAdmin(ugi)) {
>     throw new OMException("Access denied for user " + ugi + ". "
>         + "Superuser privilege is required to finalize upgrade.",
>         OMException.ResultCodes.ACCESS_DENIED);
>   }
> }
> {code}
> Other code checks whether the user has the admin privilege directly, for example
> OzoneManager#triggerSnapshotDefrag:
> {code:java}
> final UserGroupInformation ugi = getRemoteUser();
> // Check Ozone admin privilege
> if (!isAdmin(ugi)) {
>   throw new OMException("Only Ozone admins are allowed to trigger "
>       + "snapshot defragmentation manually", PERMISSION_DENIED);
> }
> {code}
> The expected, consistent behavior is that we should check whether permission
> checking is enabled and, if it is enabled, then check whether the user is an
> administrator.
> Appendix-1
> Ozone administrator property list, just for reference:
> - ozone.administrators
> - ozone.administrators.groups
> - ozone.s3.administrators
> - ozone.s3.administrators.groups
> - ozone.readonly.administrators
> - ozone.readonly.administrators.groups
> - ozone.recon.administrators
> - ozone.recon.administrators.groups
> Ozone permission enable property
> - ozone.acl.enabled
> Appendix-2
> HDFS checks whether permission checking is enabled first, then checks for the
> superuser only if permission checking is enabled. HDFS enables permission
> checking by default ({{dfs.permissions.enabled}}), while Ozone's
> {{ozone.acl.enabled}} is false by default.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
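The decision flow proposed in the comment above, worked through as a single gate that all admin-only and object request handlers would call. This is an added illustration written for this page, not Ozone project code: the class, method and exception names are hypothetical, the three flag values would really come from OzoneConfiguration, and UserGroupInformation is replaced by a plain user-name string so the example compiles stand-alone.

```java
import java.util.Set;

/**
 * Hypothetical gate modelling the proposed three-property flow:
 * ozone.security.enabled, ozone.authorization.enabled (new master switch)
 * and ozone.acl.enabled. Not Ozone code; names are illustrative only.
 */
public final class OzoneAuthzGate {

  /** Non-object admin operations versus volume/bucket/key operations. */
  public enum OpKind { ADMIN, OBJECT }

  /** Stand-in for OMException with ResultCodes.ACCESS_DENIED. */
  public static final class AccessDeniedException extends Exception {
    AccessDeniedException(String msg) { super(msg); }
  }

  private final boolean securityEnabled;      // ozone.security.enabled
  private final boolean authorizationEnabled; // ozone.authorization.enabled (proposed)
  private final boolean aclEnabled;           // ozone.acl.enabled
  private final Set<String> admins;           // ozone.administrators, assumed as user names

  public OzoneAuthzGate(boolean securityEnabled, boolean authorizationEnabled,
                        boolean aclEnabled, Set<String> admins) {
    this.securityEnabled = securityEnabled;
    this.authorizationEnabled = authorizationEnabled;
    this.aclEnabled = aclEnabled;
    this.admins = Set.copyOf(admins);
  }

  /** Master switch: any authorization is enforced only when both flags are on. */
  private boolean authorizationActive() {
    return securityEnabled && authorizationEnabled;
  }

  /** Admin operations never depend on ozone.acl.enabled; object operations do. */
  public boolean enforces(OpKind kind) {
    return kind == OpKind.ADMIN
        ? authorizationActive()
        : authorizationActive() && aclEnabled;
  }

  /** Single entry point for admin-only handlers (finalize upgrade, decommission, ...). */
  public void checkAdmin(String user, String action) throws AccessDeniedException {
    if (!enforces(OpKind.ADMIN)) {
      return; // authorization switched off: no admin check, as on an insecure cluster
    }
    if (!admins.contains(user)) {
      throw new AccessDeniedException("Access denied for user " + user
          + ". Superuser privilege is required to " + action + ".");
    }
  }

  /**
   * Object operation: admins always pass; otherwise the caller passes in the
   * outcome of the real volume/bucket/key ACL evaluation (stubbed as a boolean).
   */
  public void checkObject(String user, String action, boolean aclGrants)
      throws AccessDeniedException {
    if (!enforces(OpKind.OBJECT) || admins.contains(user) || aclGrants) {
      return;
    }
    throw new AccessDeniedException("Access denied for user " + user
        + ": ACL does not permit " + action + ".");
  }

  /** Prints the truth table implied by the flow, then two concrete decisions. */
  public static void main(String[] args) {
    Set<String> admins = Set.of("om"); // constructed sample for ozone.administrators
    boolean[][] configs = {
        // security, authorization, acl
        {false, true,  false},
        {true,  true,  false},   // documented defaults once the new property lands
        {true,  true,  true},
        {true,  false, true},
    };
    for (boolean[] c : configs) {
      OzoneAuthzGate gate = new OzoneAuthzGate(c[0], c[1], c[2], admins);
      System.out.printf("security=%-5s authorization=%-5s acl=%-5s -> admin check: %-5s object check: %s%n",
          c[0], c[1], c[2], gate.enforces(OpKind.ADMIN), gate.enforces(OpKind.OBJECT));
    }
    OzoneAuthzGate defaults = new OzoneAuthzGate(true, true, false, admins);
    try {
      defaults.checkAdmin("alice", "finalize upgrade"); // non-admin: denied
    } catch (AccessDeniedException e) {
      System.out.println(e.getMessage());
    }
    try {
      defaults.checkObject("alice", "read key", false); // acl off: allowed
      System.out.println("alice may read key (ozone.acl.enabled=false)");
    } catch (AccessDeniedException e) {
      System.out.println(e.getMessage());
    }
  }
}
```

With the defaults from the comment (security on, authorization on, acl off) the table shows admin-only operations still enforced while object ACL checks stay off. That is exactly the configuration the quoted OMFinalizeUpgradeRequest snippet gets wrong by gating its admin check on getAclsEnabled(): a single gate like `enforces(OpKind.ADMIN)` keeps every admin handler on the same rule regardless of ozone.acl.enabled.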