[GitHub] [ozone] kerneltime commented on pull request #3553: HDDS-6942. Ozone Buckets/Objects created via S3 should not allow group access

Thu, 30 Jun 2022 02:32:30 -0700 


kerneltime commented on PR #3553:
URL: https://github.com/apache/ozone/pull/3553#issuecomment-1170988681

   I think I know why some tests pass and this one fails. 
   The config for default rights is invoked on the client-side `RpcClient.java`
   ```
     public RpcClient(ConfigurationSource conf, String omServiceId)
         throws IOException {
       Preconditions.checkNotNull(conf);
       this.conf = conf;
       this.ugi = UserGroupInformation.getCurrentUser();
       // Get default acl rights for user and group.
       OzoneAclConfig aclConfig = this.conf.getObject(OzoneAclConfig.class);
       this.userRights = aclConfig.getUserDefaultRights();
       this.groupRights = aclConfig.getGroupDefaultRights();
   ...
   ...
   ...
     private List<OzoneAcl> getAclList() {
       if (ozoneManagerClient.getThreadLocalS3Auth() != null) {
         UserGroupInformation aclUgi =
             UserGroupInformation.createRemoteUser(
                ozoneManagerClient.getThreadLocalS3Auth().getAccessID());
         OzoneAclConfig aclConfig = this.conf.getObject(OzoneAclConfig.class);
         return OzoneAclUtil.getAclList(
             aclUgi.getUserName(),
             aclUgi.getGroupNames(),
            userRights, groupRights);
       }
       return OzoneAclUtil.getAclList(ugi.getUserName(), ugi.getGroupNames(),
           userRights, groupRights);
   ```
   but the config is only applicable for OM `OzoneAclConfig.java`
   ```
     @Config(key = "group.rights",
         defaultValue = "ALL",
         type = ConfigType.STRING,
         tags = {ConfigTag.OM, ConfigTag.SECURITY},
         description = "Default group permissions set for an object in " +
             "OzoneManager."
     )
     private String groupDefaultRights;
   ```
    which seems an odd mismatch. If the user used does not have any groups when 
queried by OM it skips adding the group permissions. The robot tests for 
non-secure clusters default to a random user who has no groups and the test 
passes.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to