ivandika3 commented on PR #4439:
URL: https://github.com/apache/ozone/pull/4439#issuecomment-1805228457
Hi @ChenSammi @sumitagrawl, may I ask what is the intent of the initial
volume access check in `OzoneAclUtils`?
```java
// OzoneNativeAuthorizer differs from Ranger Authorizer as Ranger requires
// only READ access on parent level access. OzoneNativeAuthorizer has
// different parent level access based on the child level access type
IAccessAuthorizer.ACLType parentAclRight = IAccessAuthorizer.ACLType.READ;
if (omMetadataReader.isNativeAuthorizerEnabled() && resType == BUCKET) {
  parentAclRight = getParentNativeAcl(aclType, resType);
}
omMetadataReader.checkAcls(OzoneObj.ResourceType.VOLUME, storeType,
    parentAclRight, vol, bucket, key, user,
    remoteAddress, hostName, true,
    volOwner);
```
From my understanding, this volume check should be done in the respective
authorizers (either `OzoneNativeAuthorizer` or `RangerOzoneAuthorizer`) and not
leaked to the general ACL flow (e.g. `getParentNativeAcl` should be moved to the
`OzoneNativeAuthorizer` instead).
I tried removing this and it seems like there are no regressions:
https://github.com/ivandika3/ozone/actions/runs/6819854871
Any feedback is appreciated.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.