rich7420 opened a new pull request, #10469:
URL: https://github.com/apache/ozone/pull/10469
## What changes were proposed in this pull request?
`OMClientRequest#getUserIfNotExists()` rebuilt the request `UserInfo` from `UserGroupInformation.getCurrentUser()` — the OM starter/login user — whenever the derived `UserInfo` was missing a username or a remote address. Because the result feeds `createUGI()` and the ACL check, this is a *fail-open* to an often-privileged identity: any request reaching `preExecute()` without complete user info would silently run as the OM service user. The escalation is latent today (real RPC and gRPC clients always carry user info), but a future change in `getUserInfo()` that dropped the username or remote address for a client path would silently grant the OM identity.
The only caller that relies on this fallback is the Trash emptier
(`TrashOzoneFileSystem`), and it already populates a complete `UserInfo`
(service user + OM address) on the request it builds. The fallback merely
re-derived the same values, because `getUserInfo()` did not carry the
caller-supplied host/address over when there was no RPC/gRPC context.
This PR:
* makes `getUserInfo()` preserve the host/address already present on the request when neither an RPC nor a gRPC client context is available (mirroring how the username is already carried over for gRPC s3g requests);
* removes the now-redundant `getUserIfNotExists()` and the `getCurrentUser()`/admin fallback;
* points `preExecute()` and the `OMKeyDeleteRequest` / `OMKeyRenameRequest` / `OMAllocateBlockRequest` callers at `getUserInfo()`.

Requests that genuinely have no identity now fail closed in `createUGI()` (`UNAUTHORIZED`) instead of being granted the OM starter user. Real client paths are unchanged (they always carry user info), and the Trash emptier keeps its explicit service identity.
## What is the link to the Apache JIRA
https://issues.apache.org/jira/browse/HDDS-15467
## How was this patch tested?
* New unit tests in `TestOMClientRequestUserInfoFallback`:
  * `noFallbackToServerUserWhenUserInfoMissing` — with no RPC/gRPC context and no `UserInfo`, `getUserInfo()` returns an empty identity and `createUGI()` fails closed (no escalation to the starter user).
  * `internalServiceUserInfoIsPreserved` — a request that carries its own `UserInfo` (as the Trash emptier does) keeps that user and address.
* Existing `TestOMClientRequestWithUserInfo` (RPC and gRPC transport) and the `OMKeyDeleteRequest` / `OMKeyRenameRequest` / `OMAllocateBlockRequest` request tests pass with no regression.
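The fail-open versus fail-closed identity resolution described in the PR, reduced to a self-contained illustration. This is an added example, not code from Apache Ozone or from the PR: the classes `UserInfo`, `ClientContext`, the `resolve*` methods and `createUgiOrThrow` are hypothetical stand-ins for the request `UserInfo`, the RPC/gRPC client context, `getUserInfo()` and `createUGI()`, and `SERVICE_USER` plus the address strings are constructed sample values.

```java
import java.util.Optional;

public final class UserInfoFallbackDemo {

    /** Hypothetical stand-in for the request's UserInfo; either field may be missing. */
    static final class UserInfo {
        final String userName;
        final String remoteAddress;
        UserInfo(String userName, String remoteAddress) {
            this.userName = userName;
            this.remoteAddress = remoteAddress;
        }
        boolean isComplete() {
            return userName != null && !userName.isEmpty()
                && remoteAddress != null && !remoteAddress.isEmpty();
        }
        @Override public String toString() { return userName + "@" + remoteAddress; }
    }

    /** Hypothetical stand-in for the identity an RPC or gRPC transport attaches to a call. */
    static final class ClientContext {
        final String userName;
        final String remoteAddress;
        ClientContext(String userName, String remoteAddress) {
            this.userName = userName;
            this.remoteAddress = remoteAddress;
        }
    }

    // Constructed value: plays the role of the OM starter/login user returned by getCurrentUser().
    static final String SERVICE_USER = "om-service-user";

    /** BEFORE (the pattern the PR removes): any gap in the identity is filled with the service user. */
    static UserInfo resolveUserFailOpen(Optional<ClientContext> ctx) {
        UserInfo derived = ctx.map(c -> new UserInfo(c.userName, c.remoteAddress))
                              .orElse(new UserInfo(null, null));
        if (!derived.isComplete()) {
            // getCurrentUser()-style fallback: the caller silently becomes the privileged service identity.
            return new UserInfo(SERVICE_USER, "om-address");
        }
        return derived;
    }

    /** AFTER: use the transport context when present, otherwise keep whatever the request already carries. */
    static UserInfo resolveUserFailClosed(Optional<ClientContext> ctx, UserInfo onRequest) {
        if (ctx.isPresent()) {
            return new UserInfo(ctx.get().userName, ctx.get().remoteAddress);
        }
        // No RPC/gRPC context (the Trash emptier's path): preserve the caller-supplied values as-is,
        // even if they are empty. Nothing is substituted.
        return onRequest == null ? new UserInfo(null, null) : onRequest;
    }

    /** Stand-in for createUGI(): an incomplete identity is rejected rather than defaulted. */
    static String createUgiOrThrow(UserInfo info) {
        if (!info.isComplete()) {
            throw new SecurityException("UNAUTHORIZED: request carries no complete user identity");
        }
        return info.toString();
    }

    public static void main(String[] args) {
        UserInfo empty = new UserInfo(null, null);

        // Case 1: no transport context and no UserInfo on the request.
        // Old path escalates to the service user; new path refuses the request.
        System.out.println("fail-open  : " + createUgiOrThrow(resolveUserFailOpen(Optional.empty())));
        try {
            createUgiOrThrow(resolveUserFailClosed(Optional.empty(), empty));
        } catch (SecurityException e) {
            System.out.println("fail-closed: " + e.getMessage());
        }

        // Case 2: an internal caller that fills in its own identity (the Trash emptier pattern)
        // keeps that identity without needing any fallback.
        UserInfo internal = new UserInfo(SERVICE_USER, "om-address");
        System.out.println("internal   : " + createUgiOrThrow(resolveUserFailClosed(Optional.empty(), internal)));

        // Case 3: a real client with a transport context resolves exactly as before.
        ClientContext client = new ClientContext("alice", "client-address");
        System.out.println("client     : " + createUgiOrThrow(resolveUserFailClosed(Optional.of(client), empty)));
    }
}
```

The point the demo makes is the one the PR relies on: once the request-supplied host/address is carried over when there is no transport context, the only caller that ever hit the fallback no longer needs it, so the fallback can be deleted and a request with no identity surfaces as an authorization failure instead of running as the service user.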
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]