[
https://issues.apache.org/jira/browse/HDDS-3047?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Siyao Meng updated HDDS-3047:
-----------------------------
Summary: ObjectStore#listVolumesByUser should get user's full principal
name instead of login name by default (was: BasicOzoneFileSystem and other
classes should get user's full principal name instead of login name)
> ObjectStore#listVolumesByUser should get user's full principal name instead
> of login name by default
> ----------------------------------------------------------------------------------------------------
>
> Key: HDDS-3047
> URL: https://issues.apache.org/jira/browse/HDDS-3047
> Project: Hadoop Distributed Data Store
> Issue Type: Bug
> Components: Ozone Client
> Reporter: Siyao Meng
> Assignee: Siyao Meng
> Priority: Major
>
> BasicOzoneFileSystem, along with a dozen other classes, is using
> {{getShortUserName()}}:
> {code:java|title=BasicOzoneFileSystem#initialize}
> try {
>   this.userName =
>       UserGroupInformation.getCurrentUser().getShortUserName();
> } catch (IOException e) {
>   this.userName = OZONE_DEFAULT_USER;
> }
> {code}
> [Github|https://github.com/apache/hadoop-ozone/blob/c9f26ccf9f93a052c5c0c042c57b6f87709597ae/hadoop-ozone/ozonefs/src/main/java/org/apache/hadoop/fs/ozone/BasicOzoneFileSystem.java#L161-L166]
> It should use {{getUserName()}} instead.
> For quick reference:
> {code:java|title=UserGroupInformation#getUserName}
> /**
>  * Get the user's full principal name.
>  * @return the user's full principal name.
>  */
> @InterfaceAudience.Public
> @InterfaceStability.Evolving
> public String getUserName() {
>   return user.getName();
> }
> {code}
> {code:java|title=UserGroupInformation#getShortUserName}
> /**
>  * Get the user's login name.
>  * @return the user's name up to the first '/' or '@'.
>  */
> public String getShortUserName() {
>   return user.getShortName();
> }
> {code}
> This typically wouldn't cause an issue if Kerberos is not in use. However, once
> Kerberos is enabled, a bunch of problems emerge:
> 1. When Kerberos is enabled, {{getUserName()}} should return full principal
> name e.g. {{om/[email protected]}}, but {{getShortUserName()}} will only
> return login name e.g. {{hadoop}}.
> (If {{hadoop.security.auth_to_local}} is set, {{getShortUserName()}} result
> can become very different from full principal name. e.g.
> {{hadoop.security.auth_to_local = RULE:[2:$1@$0](.*)s/.*/root/}}, then
> {{getShortUserName()}} returns {{root}}, while {{getUserName()}} should still
> give {{om/[email protected]}}.)
> This leads to a problem (with Kerberos) where the user creates a volume with
> ozone shell ([uses
> {{getUserName()}}|https://github.com/apache/hadoop-ozone/blob/ecb5bf4df1d80723835a1500d595102f3f861708/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/volume/CreateVolumeHandler.java#L63-L65]
> internally) then tries to list it with {{ObjectStore#listVolumesByUser(null,
> ...)}} ([uses {{getShortUserName()}} by
> default|https://github.com/apache/hadoop-ozone/blob/2fa37ef99b8fb4575169ba8326eeb677b3d2ed74/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/ObjectStore.java#L238-L256]
> when user param is empty or null), the user won't see any volumes because of
> the mismatch.
> I think we should check and fix this in *all* classes that use
> {{getShortUserName()}}.
> CC [~xyao] [~aengineer] [~arp] [~bharat]
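
The mismatch described in the issue, as an added example that is not part of the original message and is not Ozone or Hadoop code: a small Java model in which volume creation records the full principal while listing defaults to the short name. The class, its in-memory map, the `shortName` helper, the sample principal and the `root` lookup name are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added illustration: a self-contained model, not Ozone or Hadoop code.
public class PrincipalMismatchDemo {
  // Hypothetical stand-in for the server-side index of volumes by owner name.
  private final Map<String, List<String>> volumesByOwner = new HashMap<>();

  // Models the getShortUserName() javadoc: the name up to the first '/' or '@'.
  // Assumes no hadoop.security.auth_to_local rule rewrites the result.
  static String shortName(String principal) {
    for (int i = 0; i < principal.length(); i++) {
      char c = principal.charAt(i);
      if (c == '/' || c == '@') {
        return principal.substring(0, i);
      }
    }
    return principal;
  }

  void createVolume(String owner, String volume) {
    volumesByOwner.computeIfAbsent(owner, k -> new ArrayList<>()).add(volume);
  }

  List<String> listVolumesByUser(String user) {
    return volumesByOwner.getOrDefault(user, Collections.emptyList());
  }

  public static void main(String[] args) {
    String principal = "om/host.example.com@EXAMPLE.COM"; // constructed sample
    PrincipalMismatchDemo store = new PrincipalMismatchDemo();
    // Create path records the full principal, as getUserName() would return it.
    store.createVolume(principal, "vol1");

    // List path defaults to the short name, so the owner key does not match.
    String byShort = shortName(principal);
    System.out.println(byShort + " -> " + store.listVolumesByUser(byShort));
    // A name produced by an auth_to_local rule (constructed here) misses as well.
    System.out.println("root -> " + store.listVolumesByUser("root"));
    // Using the same full principal on both paths finds the volume.
    System.out.println(principal + " -> " + store.listVolumesByUser(principal));
  }
}
```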