[ https://issues.apache.org/jira/browse/HDDS-8864?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Siyao Meng updated HDDS-8864:
-----------------------------
    Description: 
It is unnecessary to call checkAcls() twice when the caller is the volume owner in 
{{OzoneAclUtils#checkAllAcls}}.

The reason we had to split that into two calls in HDDS-5903 is that Ranger only 
has one OWNER tag, and we want the OWNER tag on bucket/key level policies to be 
filled in with the *bucket* owner during the ACL check if the caller is NOT the 
volume owner.

In the case where the caller is the *volume* owner, this hierarchy is already 
enforced by the authorizer (OzoneNativeAuthorizer or RangerOzoneAuthorizer) 
internally. Thus it is unnecessary.

  was:
It is unnecessary to call checkAcls() twice when the caller is the volume owner in 
{{OzoneAclUtils#checkAllAcls}}.

The reason we had to split that into two calls in HDDS-5903 is that Ranger only 
has one `{OWNER}` tag, and we want the `{OWNER}` tag on bucket/key level policies 
to be filled in with the *bucket* owner during the ACL check if the caller is NOT 
the volume owner.

In the case where the caller is the *volume* owner, this hierarchy is already 
enforced by the authorizer (OzoneNativeAuthorizer or RangerOzoneAuthorizer) 
internally. Thus it is unnecessary.


> Remove redundant checkAcls() when caller is volume owner during key or prefix 
> access
> ------------------------------------------------------------------------------------
>
>                 Key: HDDS-8864
>                 URL: https://issues.apache.org/jira/browse/HDDS-8864
>             Project: Apache Ozone
>          Issue Type: Task
>            Reporter: Siyao Meng
>            Assignee: Siyao Meng
>            Priority: Major



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

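The following is an added illustration of the reasoning in the issue above; it is not Apache Ozone code and does not reproduce the real signatures of OzoneAclUtils#checkAllAcls, OzoneNativeAuthorizer or RangerOzoneAuthorizer. ToyAuthorizer, Policy, Level, checkAllAclsBefore, checkAllAclsAfter and shapesAgree are all names made up here. The model keeps only the two properties the issue relies on: a single OWNER tag that is resolved against whichever owner is passed into each check, and the volume-owner hierarchy enforced inside the authorizer. It shows that with such an authorizer the second call for a volume-owner caller never changes the outcome, that the bucket owner still reaches a key only because OWNER is resolved to the bucket owner in that second call, and, as the caveat a reviewer would want, that the dropped call would become load-bearing under an authorizer that did not enforce the hierarchy.

```java
import java.util.Arrays;
import java.util.List;

/** Added toy model of the OWNER-tag / volume-owner reasoning in HDDS-8864. Not Ozone code. */
public class OwnerTagAclModel {

  enum Level { VOLUME, BUCKET, KEY }

  /** One policy line: at this level, this principal (or the literal OWNER tag) is allowed. */
  static final class Policy {
    final Level level;
    final String principal;
    Policy(Level level, String principal) { this.level = level; this.principal = principal; }
  }

  /** Stand-in for the authorizer. enforcesHierarchy=true models what the issue says of Ozone's authorizers. */
  static final class ToyAuthorizer {
    private final String volumeOwner;
    private final List<Policy> policies;
    private final boolean enforcesHierarchy;

    ToyAuthorizer(String volumeOwner, List<Policy> policies, boolean enforcesHierarchy) {
      this.volumeOwner = volumeOwner;
      this.policies = policies;
      this.enforcesHierarchy = enforcesHierarchy;
    }

    /** The single OWNER tag in a policy resolves to whatever owner the caller of this check passes in. */
    boolean checkAcl(Level level, String caller, String owner) {
      if (enforcesHierarchy && caller.equals(volumeOwner)) {
        return true; // hierarchy enforced internally: the volume owner is granted everything below
      }
      for (Policy p : policies) {
        if (p.level != level) continue;
        String principal = "OWNER".equals(p.principal) ? owner : p.principal;
        if (principal.equals(caller)) return true;
      }
      return false;
    }
  }

  /** Shape before the change: a second call is always made; OWNER resolves to the volume owner
   *  for a volume-owner caller and to the bucket owner for everyone else (the HDDS-5903 split). */
  static boolean checkAllAclsBefore(ToyAuthorizer auth, Level level, String caller,
                                    String volOwner, String bucketOwner) {
    if (!auth.checkAcl(Level.VOLUME, caller, volOwner)) return false;
    if (caller.equals(volOwner)) {
      return auth.checkAcl(level, caller, volOwner); // the call the issue calls redundant
    }
    return auth.checkAcl(level, caller, bucketOwner);
  }

  /** Shape after the change: a volume-owner caller gets no second call. */
  static boolean checkAllAclsAfter(ToyAuthorizer auth, Level level, String caller,
                                   String volOwner, String bucketOwner) {
    if (!auth.checkAcl(Level.VOLUME, caller, volOwner)) return false;
    if (caller.equals(volOwner)) return true;
    return auth.checkAcl(level, caller, bucketOwner);
  }

  /** True when both shapes decide identically for every caller in the sample. */
  static boolean shapesAgree(ToyAuthorizer auth, Level level, List<String> callers,
                             String volOwner, String bucketOwner) {
    for (String c : callers) {
      if (checkAllAclsBefore(auth, level, c, volOwner, bucketOwner)
          != checkAllAclsAfter(auth, level, c, volOwner, bucketOwner)) {
        return false;
      }
    }
    return true;
  }

  public static void main(String[] args) {
    // Constructed sample: volume owned by "vol-admin", bucket owned by "bucket-team".
    // Key-level access is granted only through the OWNER tag, the case HDDS-5903 cared about.
    String volOwner = "vol-admin";
    String bucketOwner = "bucket-team";
    List<Policy> policies = Arrays.asList(
        new Policy(Level.VOLUME, "OWNER"),
        new Policy(Level.VOLUME, "bucket-team"),
        new Policy(Level.KEY, "OWNER"));
    List<String> callers = Arrays.asList(volOwner, bucketOwner, "stranger");

    ToyAuthorizer hierarchical = new ToyAuthorizer(volOwner, policies, true);
    // With the hierarchy enforced inside the authorizer, the dropped call never changes the outcome.
    System.out.println("shapes agree (hierarchy enforced): "
        + shapesAgree(hierarchical, Level.KEY, callers, volOwner, bucketOwner));
    // The bucket owner reaches the key only because OWNER was resolved to bucketOwner in the second call.
    System.out.println("bucket owner on key: "
        + checkAllAclsAfter(hierarchical, Level.KEY, bucketOwner, volOwner, bucketOwner));
    System.out.println("stranger on key: "
        + checkAllAclsAfter(hierarchical, Level.KEY, "stranger", volOwner, bucketOwner));

    // Caveat: under an authorizer that does NOT enforce the hierarchy, the removed call would matter.
    ToyAuthorizer flat = new ToyAuthorizer(volOwner,
        Arrays.asList(new Policy(Level.VOLUME, "OWNER")), false);
    System.out.println("shapes agree (no hierarchy): "
        + shapesAgree(flat, Level.KEY, callers, volOwner, bucketOwner));
  }
}
```

Compile and run with `javac OwnerTagAclModel.java && java OwnerTagAclModel`. The first three lines print true, true and false; the last prints false, which is the point to keep in mind when reviewing the change: the redundancy holds only because OzoneNativeAuthorizer and RangerOzoneAuthorizer grant the volume owner access below the volume themselves, so any future authorizer plugged in at that seam must preserve that property or the single-call shape would widen or narrow what a volume owner can do.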