Wei-Chiu Chuang created HDDS-11656:
--------------------------------------
Summary: KeyInfo has hundreds of ACLs
Key: HDDS-11656
URL: https://issues.apache.org/jira/browse/HDDS-11656
Project: Apache Ozone
Issue Type: Bug
Reporter: Wei-Chiu Chuang
Related to HDDS-11655.
We found a cluster where files are created with hundreds of ACLs.
Here's the culprit:
https://github.com/apache/ozone/blob/master/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OzoneAclUtil.java#L66
When creating a file, the Ozone client supplies the ACL by composing the current
user's group. The problem is, if Ranger is enabled, these ACLs do not take
effect.
(1) OM does not limit the number of ACLs. That could potentially lead to some
kind of DDoS attack. We should update
OMKeyCreateRequest(WithFSO)/OMFileCreateRequest(WithFSO), OMKeyAclRequest and
its subclasses.
(2) If Ranger is enabled, prune the ACLs provided by the client from KeyInfo in
OMKeyCreateRequest(WithFSO)/OMFileCreateRequest(WithFSO).
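The two server-side checks proposed in (1) and (2), as an added example that is not Ozone's code and not part of the original report. The `Acl` record, the `sanitize` method and the limit of 32 are hypothetical, and merging entries for the same principal before counting is an assumption of this example.

```java
import java.util.*;

// Added illustration: standalone types, not Ozone's OzoneAcl or OM request classes.
public class AclLimitExample {
  enum Right { READ, WRITE, LIST, DELETE }
  record Acl(String type, String name, Set<Right> rights) { }
  // Hypothetical limit; the issue does not propose a specific number.
  static final int MAX_ACLS_PER_KEY = 32;

  /** Returns the ACL list the server would persist for a new key. */
  static List<Acl> sanitize(List<Acl> fromClient, boolean externalAuthorizer) {
    if (externalAuthorizer) {
      // Point (2): with an external authorizer these ACLs take no effect, so store none.
      return List.of();
    }
    // Merge entries for the same principal so duplicates cannot inflate the count.
    Map<String, EnumSet<Right>> merged = new LinkedHashMap<>();
    for (Acl acl : fromClient) {
      merged.computeIfAbsent(acl.type() + ":" + acl.name(),
          k -> EnumSet.noneOf(Right.class)).addAll(acl.rights());
    }
    // Point (1): reject oversized requests instead of silently truncating them.
    if (merged.size() > MAX_ACLS_PER_KEY) {
      throw new IllegalArgumentException("Too many ACLs: " + merged.size()
          + " > " + MAX_ACLS_PER_KEY);
    }
    List<Acl> result = new ArrayList<>();
    merged.forEach((k, rights) -> {
      int i = k.indexOf(':');
      result.add(new Acl(k.substring(0, i), k.substring(i + 1), Set.copyOf(rights)));
    });
    return result;
  }

  public static void main(String[] args) {
    // Constructed input: one user ACL plus 300 group ACLs, as from a user in many groups.
    List<Acl> acls = new ArrayList<>();
    acls.add(new Acl("user", "alice", EnumSet.allOf(Right.class)));
    for (int i = 0; i < 300; i++) {
      acls.add(new Acl("group", "g" + i, EnumSet.of(Right.READ, Right.LIST)));
    }
    System.out.println("external authorizer: " + sanitize(acls, true).size() + " ACLs stored");
    try {
      sanitize(acls, false);
    } catch (IllegalArgumentException e) {
      System.out.println("native ACLs: rejected, " + e.getMessage());
    }
    System.out.println("small request: " + sanitize(acls.subList(0, 5), false));
  }
}
```

The check belongs on the server because the client composes the list, so a client-side cap alone would not bound what is persisted.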