[jira] [Commented] (HDDS-6868) Uploading file got permission denied

Wed, 22 Jun 2022 14:13:04 -0700 


    [ 
https://issues.apache.org/jira/browse/HDDS-6868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557706#comment-17557706
 ] 

Ritesh H Shukla commented on HDDS-6868:
---------------------------------------

{quote}For the record, this was not broken by EC branch merge, rather missing 
from the original implementation in HDDS-5884.
{quote}
Setting the thread-local S3 Auth for all requests is definitely a better way to 
go forward but the tests pre/post-EC branch merges clearly missed this basic 
use case and did not address the lack of correct principals for reading bucket 
information as part of key create.

The smoke tests need to be fixed and should be a PR shortly. 

> Uploading file got permission denied
> ------------------------------------
>
>                 Key: HDDS-6868
>                 URL: https://issues.apache.org/jira/browse/HDDS-6868
>             Project: Apache Ozone
>          Issue Type: Bug
>    Affects Versions: 1.3.0
>            Reporter: Shawn
>            Assignee: Ritesh H Shukla
>            Priority: Blocker
>              Labels: pull-request-available
>
> I am testing the tip of the master (at this history point: 
> https://github.com/apache/ozone/tree/34eb378399368dd17e8850282a0dea02abe28373),
>  and found ozone has a major bug for unable to uploading file through s3g. 
> The configuration for the ozone is that the authentication is on with 
> Kerberos, ACL is on, SCM HA and OM HA are on as well, and is deployed to k8s. 
> The reproduce steps are as below:
> 1. create a new kerberos user: test1/test1@XXX
> 2. give this users the full ACL to s3v volume. In one of the om, log in 
> kerberos with user om/om@XXX, and do the following command.
> {code}
> ozone sh vol setacl -a user:test1/test1@XXX:a s3v
> {code}
> 3. generate the s3 secret for this user
> 4. use aws s3 cli and this user's credential to create a new bucket 
> s3://test. This step has no issue.
> 5. then upload a file to this bucket. Then you will see below errors in OM 
> leader:
> {code}
> 2022-06-09 00:45:23 WARN  IPC Server handler 10 on default port 9862 
> ShellBasedUnixGroupsMapping:210 - unable to return groups for user s3g
> PartialGroupNameException The user name 's3g' is not found. id: s3g: no such 
> user
> id: s3g: no such user
>         at 
> org.apache.hadoop.security.ShellBasedUnixGroupsMapping.resolvePartialGroupNames(ShellBasedUnixGroupsMapping.java:294)
>         at 
> org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getUnixGroups(ShellBasedUnixGroupsMapping.java:207)
>         at 
> org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getGroups(ShellBasedUnixGroupsMapping.java:97)
>         at 
> org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback.getGroups(JniBasedUnixGroupsMappingWithFallback.java:51)
>         at 
> org.apache.hadoop.security.Groups$GroupCacheLoader.fetchGroupList(Groups.java:387)
>         at 
> org.apache.hadoop.security.Groups$GroupCacheLoader.load(Groups.java:321)
>         at 
> org.apache.hadoop.security.Groups$GroupCacheLoader.load(Groups.java:270)
>         at 
> org.apache.hadoop.thirdparty.com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3529)
>         at 
> org.apache.hadoop.thirdparty.com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2278)
>         at 
> org.apache.hadoop.thirdparty.com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2155)
>         at 
> org.apache.hadoop.thirdparty.com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2045)
>         at 
> org.apache.hadoop.thirdparty.com.google.common.cache.LocalCache.get(LocalCache.java:3962)
>         at 
> org.apache.hadoop.thirdparty.com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3985)
>         at 
> org.apache.hadoop.thirdparty.com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4946)
>         at org.apache.hadoop.security.Groups.getGroups(Groups.java:228)
>         at 
> org.apache.hadoop.security.UserGroupInformation.getGroups(UserGroupInformation.java:1734)
>         at 
> org.apache.hadoop.security.UserGroupInformation.getGroupNames(UserGroupInformation.java:1722)
>         at 
> org.apache.hadoop.ozone.om.helpers.OzoneAclUtil.checkAclRights(OzoneAclUtil.java:128)
>         at 
> org.apache.hadoop.ozone.om.VolumeManagerImpl.checkAccess(VolumeManagerImpl.java:304)
>         at 
> org.apache.hadoop.ozone.security.acl.OzoneNativeAuthorizer.checkAccess(OzoneNativeAuthorizer.java:140)
>         at 
> org.apache.hadoop.ozone.om.OzoneManager.checkAcls(OzoneManager.java:2539)
>         at 
> org.apache.hadoop.ozone.om.OzoneManager.checkAcls(OzoneManager.java:2525)
>         at 
> org.apache.hadoop.ozone.om.OzoneAclUtils.checkAllAcls(OzoneAclUtils.java:119)
>         at 
> org.apache.hadoop.ozone.om.OzoneManager.checkAcls(OzoneManager.java:2379)
>         at 
> org.apache.hadoop.ozone.om.OzoneManager.getBucketInfo(OzoneManager.java:2766)
>         at 
> org.apache.hadoop.ozone.om.request.key.OMKeyCreateRequest.preExecute(OMKeyCreateRequest.java:135)
>         at 
> org.apache.hadoop.ozone.protocolPB.OzoneManagerProtocolServerSideTranslatorPB.processRequest(OzoneManagerProtocolServerSideTranslatorPB.java:192)
>         at 
> org.apache.hadoop.hdds.server.OzoneProtocolMessageDispatcher.processRequest(OzoneProtocolMessageDispatcher.java:87)
>         at 
> org.apache.hadoop.ozone.protocolPB.OzoneManagerProtocolServerSideTranslatorPB.submitRequest(OzoneManagerProtocolServerSideTranslatorPB.java:147)
>         at 
> org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos$OzoneManagerService$2.callBlockingMethod(OzoneManagerProtocolProtos.java)
>         at 
> org.apache.hadoop.ipc.ProtobufRpcEngine$Server.processCall(ProtobufRpcEngine.java:466)
>         at 
> org.apache.hadoop.ipc.ProtobufRpcEngine2$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine2.java:574)
>         at 
> org.apache.hadoop.ipc.ProtobufRpcEngine2$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine2.java:552)
>         at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:1093)
>         at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:1035)
>         at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:963)
>         at java.base/java.security.AccessController.doPrivileged(Native 
> Method)
>         at java.base/javax.security.auth.Subject.doAs(Subject.java:423)
>         at 
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1878)
>         at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2966)
> {code}
> {code}
> 2022-06-09 00:45:23 WARN  IPC Server handler 10 on default port 9862 
> OzoneManager:2547 - User s3g/[email protected] doesn't have 
> READ permission to access volume Volume:s3v Bucket:shawn-test
> {code}



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to