ss77892 opened a new pull request, #10329: URL: https://github.com/apache/ozone/pull/10329
## Summary - Move ACL authorization checks for **bucket** operations (`DeleteBucket`, `SetBucketOwner`, `SetBucketProperty`) from `validateAndUpdateCache` to `preExecute` - Move ACL checks for bucket ACL operations (`AddAcl`, `RemoveAcl`, `SetAcl`) from `validateAndUpdateCache` to `preExecute` - Add audit logging for preExecute ACL failures ## Motivation When ACL enforcement happens inside `validateAndUpdateCache`, the request has already been written to the Ratis log on all OM peers. Moving the check to `preExecute` (which runs only on the leader, before log submission) prevents unauthorized requests from polluting the log and ensures consistent ACL rejection across HA leader changes. ## Test plan - [ ] Unit tests pass for bucket request handlers - [ ] Integration test `TestOMHALeaderSpecificACLEnforcement` covers bucket operations (in a follow-up PR) ## Related Part of HDDS-13855. See also: - Volume requests (separate PR) - Key + Prefix requests (separate PR) Made with [Cursor](https://cursor.com) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
