Re: [PR] HDDS-11705. Snapshot operations on linked buckets should work on actual underlying bucket [ozone]

Thu, 14 Nov 2024 20:33:00 -0800 


sumitagrawl commented on code in PR #7434:
URL: https://github.com/apache/ozone/pull/7434#discussion_r1843166430


##########
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/snapshot/OMSnapshotCreateRequest.java:
##########
@@ -106,7 +108,11 @@ public OMRequest preExecute(OzoneManager ozoneManager) 
throws IOException {
     final OMRequest omRequest = super.preExecute(ozoneManager);
     // Verify name
     OmUtils.validateSnapshotName(snapshotName);
-
+    // Updating the volumeName & bucketName in case the bucket is a linked 
bucket. We need to do this before a
+    // permission check, since linked bucket permissions and source bucket 
permissions could be different.
+    ResolvedBucket bucket = ozoneManager.resolveBucketLink(Pair.of(volumeName, 
bucketName), this);

Review Comment:
   Do we need allow snapshot operation over linked bucket?
   As there may be case like any one can try create snapshot over both read 
bucket and linked bucket. We should restrict operation over linked bucket.



##########
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmSnapshotManager.java:
##########
@@ -656,7 +657,12 @@ private ReferenceCounted<OmSnapshot> getSnapshot(
       // don't allow snapshot indicator without snapshot name
       throw new OMException(INVALID_KEY_NAME);
     }
-
+    // Updating the volumeName & bucketName in case the bucket is a linked 
bucket. We need to do this before a
+    // permission check, since linked bucket permissions and source bucket 
permissions could be different.
+    ResolvedBucket resolvedBucket = 
ozoneManager.resolveBucketLink(Pair.of(volumeName,

Review Comment:
   This resolve link involve acl validation, even for internal operation. We 
should do acl validation for all external operation.
   IMO, we should not propogate linked bucket details to other tables, and 
should be resolved at external operation entry points only.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to