[ https://issues.apache.org/jira/browse/HDDS-9669?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ivan Andika resolved HDDS-9669.
-------------------------------
    Resolution: Not A Problem

> Remove unnecessary parent volume access check in OzoneAclUtils
> --------------------------------------------------------------
>
>                 Key: HDDS-9669
>                 URL: https://issues.apache.org/jira/browse/HDDS-9669
>             Project: Apache Ozone
>          Issue Type: Improvement
>            Reporter: Ivan Andika
>            Assignee: Ivan Andika
>            Priority: Minor
>              Labels: pull-request-available
>
> In `OzoneAclUtils` we have this volume access check when the object to access 
> is not a volume
> {code:java}
>       // OzoneNativeAuthorizer differs from Ranger Authorizer as Ranger requires
>       // only READ access on parent level access. OzoneNativeAuthorizer has
>       // different parent level access based on the child level access type
>       IAccessAuthorizer.ACLType parentAclRight = IAccessAuthorizer.ACLType.READ;
>       if (omMetadataReader.isNativeAuthorizerEnabled() && resType == BUCKET) {
>         parentAclRight = getParentNativeAcl(aclType, resType);
>       }
>       omMetadataReader.checkAcls(OzoneObj.ResourceType.VOLUME, storeType,
>           parentAclRight, vol, bucket, key, user,
>           remoteAddress, hostName, true,
>           volOwner);
> {code}
> From my understanding, this volume check should be done in the respective 
> authorizers (either OzoneNativeAuthorizer or RangerOzoneAuthorizer) and 
> should not leak to the general ACL flow (e.g. getParentNativeAcl should be 
> moved to the OzoneNativeAuthorizer instead).
> This patch will remove this check and refactor getNativeAcl to the 
> OzoneNativeAuthorizer.


