ChenSammi commented on code in PR #4439:
URL: https://github.com/apache/ozone/pull/4439#discussion_r1144212616


##########
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneNativeAuthorizer.java:
##########
@@ -104,34 +106,45 @@ public boolean checkAccess(IOzoneObj ozObject, 
RequestContext context)
     // Refined the parent context
     // OP         |CHILD       |PARENT
 
-    // CREATE      NONE         WRITE     (parent:'CREATE' when 'create 
bucket')
-    // DELETE      DELETE       WRITE
-    // WRITE       WRITE        WRITE
-    // WRITE_ACL   WRITE_ACL    WRITE     (V1 WRITE_ACL=>WRITE)
+    // CREATE      NONE        WRITE     (parent:'CREATE' when 'create bucket')
+    // DELETE      DELETE      READ
+    // WRITE       WRITE       WRITE     (For key/prefix, volume is READ)
+    // WRITE_ACL   WRITE_ACL   READ      (V1 WRITE_ACL=>WRITE)
 
-    // READ        READ         READ
-    // LIST        LIST         READ      (V1 LIST=>READ)
-    // READ_ACL    READ_ACL     READ      (V1 READ_ACL=>READ)
+    // READ        READ        READ
+    // LIST        LIST        READ      (V1 LIST=>READ)
+    // READ_ACL    READ_ACL    READ      (V1 READ_ACL=>READ)
 
     ACLType aclRight = context.getAclRights();
     ACLType parentAclRight = aclRight;
 
-    if (aclRight == ACLType.CREATE || aclRight == ACLType.DELETE ||
-        aclRight == ACLType.WRITE_ACL) {
+    if (aclRight == ACLType.CREATE) {
       parentAclRight = ACLType.WRITE;
-    } else if (aclRight == ACLType.READ_ACL || aclRight == ACLType.LIST) {
+    } else if (aclRight == ACLType.READ_ACL || aclRight == ACLType.LIST
+        || aclRight == ACLType.WRITE_ACL || aclRight == ACLType.DELETE) {
       parentAclRight = ACLType.READ;
     }
     // To prevent ACL enlargement, parent should be 'CREATE'
     // when op is 'create bucket'. see HDDS-7461.
-    if (objInfo.getResourceType() == BUCKET && aclRight == ACLType.CREATE) {
-      parentAclRight = ACLType.CREATE;
+    if (objInfo.getResourceType() == BUCKET) {
+      if (aclRight == ACLType.CREATE) {
+        parentAclRight = ACLType.CREATE;
+      } else if (aclRight == ACLType.WRITE) {
+        parentAclRight = ACLType.READ;
+      }
     }
     parentContext = RequestContext.newBuilder()
         .setClientUgi(context.getClientUgi())
         .setIp(context.getIp())
         .setAclType(context.getAclType())
         .setAclRights(parentAclRight).build();
+    
+    // Volume will be always read in case of bucket,
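Review bot: The WRITE_ACL row of the refined-context table keeps the parenthetical `(V1 WRITE_ACL=>WRITE)` while its PARENT column and the new condition below now map WRITE_ACL (with DELETE, LIST and READ_ACL) to READ, so the note either is stale or refers to a mapping other than the parent column; the comment should say which, e.g. `// WRITE_ACL   WRITE_ACL   READ      (V1 child right WRITE_ACL maps to WRITE; parent only needs READ)` if that is the intent. The WRITE row likewise does not record that the added `else if (aclRight == ACLType.WRITE)` branch under the BUCKET check lowers the parent volume requirement to READ; a row note such as `(parent volume is READ when the object is a bucket)` would keep the table in step with the code. Because DELETE and WRITE_ACL on a child now require only READ on the parent where they previously required WRITE, an authorizer unit test that asserts the parent right chosen for every ACLType and resource type would make this relaxation explicit and guard it against regression. The added line just before the trailing comment is whitespace-only (`+    `), which checkstyle usually flags. checkAccess begins before and continues past this hunk.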

Review Comment:
   Volume will be always read in case of KEY and PREFIX.


