[
https://issues.apache.org/jira/browse/HDDS-3047?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Siyao Meng updated HDDS-3047:
-----------------------------
Description:
{{ObjectStore#listVolumesByUser}} is using {{getShortUserName()}} by default
(when user is empty or null):
{code:java|title=ObjectStore#listVolumesByUser}
public Iterator<? extends OzoneVolume> listVolumesByUser(String user,
    String volumePrefix, String prevVolume)
    throws IOException {
  if(Strings.isNullOrEmpty(user)) {
    user = UserGroupInformation.getCurrentUser().getShortUserName(); // <--
  }
  return new VolumeIterator(user, volumePrefix, prevVolume);
}
{code}
It should use {{getUserName()}} instead.
For a quick reference for the difference between {{getUserName()}} and
{{getShortUserName()}}:
{code:java|title=UserGroupInformation#getUserName}
/**
 * Get the user's full principal name.
 * @return the user's full principal name.
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public String getUserName() {
  return user.getName();
}
{code}
{code:java|title=UserGroupInformation#getShortUserName}
/**
 * Get the user's login name.
 * @return the user's name up to the first '/' or '@'.
 */
public String getShortUserName() {
  return user.getShortName();
}
{code}
This won't cause an issue if Kerberos is not in use. However, once Kerberos is
enabled, the results of {{getUserName()}} and {{getShortUserName()}} differ and
can cause some issues.
When Kerberos is enabled, {{getUserName()}} returns the full principal name, e.g.
{{om/[email protected]}}, but {{getShortUserName()}} will return the login name, e.g.
{{hadoop}}.
If {{hadoop.security.auth_to_local}} is set, the {{getShortUserName()}} result can
become very different from the full principal name.
For example, when {{hadoop.security.auth_to_local =
RULE:[2:$1@$0](.*)s/.*/root/}},
{{getShortUserName()}} returns {{root}}, while {{getUserName()}} still gives
{{om/[email protected]}}.
This can lead to a user experience issue (when Kerberos is enabled) where the
user creates a volume with the ozone shell ([uses
{{getUserName()}}|https://github.com/apache/hadoop-ozone/blob/ecb5bf4df1d80723835a1500d595102f3f861708/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/volume/CreateVolumeHandler.java#L63-L65]
internally) and then tries to list it with {{ObjectStore#listVolumesByUser(null,
...)}} ([uses {{getShortUserName()}} by
default|https://github.com/apache/hadoop-ozone/blob/2fa37ef99b8fb4575169ba8326eeb677b3d2ed74/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/ObjectStore.java#L238-L256]
when the user param is empty or null); the user won't see any volumes because of
the mismatch.
We should also double-check *all* usages of {{getShortUserName()}}.
*Update:*
Xiaoyu and I checked that the usage of {{getShortUserName()}} on the server
side shouldn't become a problem, because the server should've maintained its own
auth_to_local rules (the admin should make sure they separate each user into
different short names; just don't map multiple principal names into the same
short name and it won't be a problem).
The usage in {{BasicOzoneFileSystem}} itself also seems valid because there
{{getShortUserName()}} is only used for client-side purposes (to set
{{workingDir}}, etc.).
But the usage in {{ObjectStore#listVolumesByUser}} is confirmed problematic at
the moment, which needs to be fixed.
CC [~xyao] [~aengineer] [~arp] [~bharat]
was:
BasicOzoneFileSystem, along with a dozen other classes, is using
{{getShortUserName()}}:
{code:java|title=BasicOzoneFileSystem#initialize}
try {
  this.userName =
      UserGroupInformation.getCurrentUser().getShortUserName();
} catch (IOException e) {
  this.userName = OZONE_DEFAULT_USER;
}
{code}
[Github|https://github.com/apache/hadoop-ozone/blob/c9f26ccf9f93a052c5c0c042c57b6f87709597ae/hadoop-ozone/ozonefs/src/main/java/org/apache/hadoop/fs/ozone/BasicOzoneFileSystem.java#L161-L166]
It should use {{getUserName()}} instead.
For quick reference:
{code:java|title=UserGroupInformation#getUserName}
/**
 * Get the user's full principal name.
 * @return the user's full principal name.
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public String getUserName() {
  return user.getName();
}
{code}
{code:java|title=UserGroupInformation#getShortUserName}
/**
 * Get the user's login name.
 * @return the user's name up to the first '/' or '@'.
 */
public String getShortUserName() {
  return user.getShortName();
}
{code}
This typically wouldn't cause an issue if Kerberos is not in use. However, once
Kerberos is enabled, a bunch of problems emerge:
1. When Kerberos is enabled, {{getUserName()}} should return the full principal
name, e.g. {{om/[email protected]}}, but {{getShortUserName()}} will only return the
login name, e.g. {{hadoop}}.
(If {{hadoop.security.auth_to_local}} is set, {{getShortUserName()}} result can
become very different from full principal name. e.g.
{{hadoop.security.auth_to_local = RULE:[2:$1@$0](.*)s/.*/root/}}, then
{{getShortUserName()}} returns {{root}}, while {{getUserName()}} should still
give {{om/[email protected]}}.)
This leads to a problem (with Kerberos) where the user creates a volume with
ozone shell ([uses
{{getUserName()}}|https://github.com/apache/hadoop-ozone/blob/ecb5bf4df1d80723835a1500d595102f3f861708/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/volume/CreateVolumeHandler.java#L63-L65]
internally) then try to list it with {{ObjectStore#listVolumesByUser(null,
...)}} ([uses {{getShortUserName()}} by
default|https://github.com/apache/hadoop-ozone/blob/2fa37ef99b8fb4575169ba8326eeb677b3d2ed74/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/ObjectStore.java#L238-L256]
when user param is empty or null), the user won't see any volumes because of
the mismatch.
I think we should check and fix this in *all* classes that use
{{getShortUserName()}}.
CC [~xyao] [~aengineer] [~arp] [~bharat]
> ObjectStore#listVolumesByUser should get user's full principal name instead
> of login name by default
> ----------------------------------------------------------------------------------------------------
>
> Key: HDDS-3047
> URL: https://issues.apache.org/jira/browse/HDDS-3047
> Project: Hadoop Distributed Data Store
> Issue Type: Bug
> Components: Ozone Client
> Reporter: Siyao Meng
> Assignee: Siyao Meng
> Priority: Major
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
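The following is an added example, not code from HDDS-3047, Ozone or Hadoop: a simplified re-implementation of the hadoop.security.auth_to_local rule evaluation that {{getShortUserName()}} relies on, covering only the rule forms used in the description ({{RULE:[n:format](regex)s/pattern/replacement/}} and {{DEFAULT}}), plus a toy owner-keyed volume table that reproduces the create-then-list mismatch. The default realm {{EXAMPLE.COM}}, the sample principal {{om/hadoop@EXAMPLE.COM}} and the {{ToyObjectStore}} class are constructed for the example; the real Hadoop parser ({{KerberosName}}) also supports the {{g}} and {{L}} flags, which are left out here.

```python
"""Added example (not Hadoop/Ozone code): why getUserName() and getShortUserName()
diverge under Kerberos, and how that breaks ObjectStore#listVolumesByUser(null, ...).

Subset of hadoop.security.auth_to_local handled:
    RULE:[n:format](regex)s/pattern/replacement/
    DEFAULT
"""
import re
from typing import List, Optional, Tuple

# Assumption: the cluster's default Kerberos realm (Hadoop reads it from krb5.conf).
DEFAULT_REALM = "EXAMPLE.COM"

_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]+)\]\(([^)]*)\)s/([^/]*)/([^/]*)/$")


def split_principal(principal: str) -> Tuple[List[str], str]:
    """'om/hadoop@EXAMPLE.COM' -> (['om', 'hadoop'], 'EXAMPLE.COM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def _expand_format(fmt: str, components: List[str], realm: str) -> str:
    # $0 is the realm, $1..$n are the principal components (as in KerberosName).
    params = [realm] + components
    return re.sub(r"\$(\d)", lambda m: params[int(m.group(1))], fmt)


def apply_rule(rule: str, components: List[str], realm: str) -> Optional[str]:
    """Return the short name if this rule matches the principal, else None."""
    if rule == "DEFAULT":
        # DEFAULT: principals in the local realm map to their first component,
        # i.e. the name up to the first '/' or '@'.
        return components[0] if realm == DEFAULT_REALM else None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: %r" % rule)
    ncomp, fmt, regex, pattern, replacement = m.groups()
    if int(ncomp) != len(components):
        return None  # rule only applies to principals with exactly n components
    candidate = _expand_format(fmt, components, realm)
    if not re.fullmatch(regex, candidate):
        return None
    return re.sub(pattern, replacement, candidate, count=1)  # replaceFirst


def short_user_name(principal: str, auth_to_local: str) -> str:
    """Stand-in for getShortUserName(): first matching rule wins."""
    components, realm = split_principal(principal)
    for rule in auth_to_local.split():
        short = apply_rule(rule, components, realm)
        if short is not None:
            return short
    # Hadoop raises NoMatchingRule here; mirror that with an exception.
    raise ValueError("no auth_to_local rule matches %r" % principal)


def full_user_name(principal: str) -> str:
    """Stand-in for getUserName(): the full principal name, untouched."""
    return principal


class ToyObjectStore:
    """Constructed stand-in for an owner-keyed volume table (not Ozone's)."""

    def __init__(self) -> None:
        self._owner_by_volume = {}

    def create_volume(self, name: str, owner: str) -> None:
        self._owner_by_volume[name] = owner

    def list_volumes_by_user(self, user: str) -> List[str]:
        return sorted(v for v, o in self._owner_by_volume.items() if o == user)


def reproduce_mismatch(principal: str, auth_to_local: str) -> Tuple[List[str], List[str]]:
    """Create a volume the way the shell does (owner = full principal), then list it
    with the short name (current listVolumesByUser default) and with the full name."""
    store = ToyObjectStore()
    store.create_volume("vol1", full_user_name(principal))
    buggy = store.list_volumes_by_user(short_user_name(principal, auth_to_local))
    fixed = store.list_volumes_by_user(full_user_name(principal))
    return buggy, fixed


if __name__ == "__main__":
    principal = "om/hadoop@EXAMPLE.COM"  # constructed sample principal
    for rules in ("DEFAULT", "RULE:[2:$1@$0](.*)s/.*/root/ DEFAULT"):
        print(rules, "->", short_user_name(principal, rules), "vs", full_user_name(principal))
        buggy, fixed = reproduce_mismatch(principal, rules)
        print("  listVolumesByUser(short name):", buggy)
        print("  listVolumesByUser(full name): ", fixed)
```

Running it shows that even with just {{DEFAULT}} the short name ({{om}}) no longer equals the owner recorded by the shell ({{om/hadoop@EXAMPLE.COM}}), so the short-name lookup returns nothing, and with the page's {{s/.*/root/}} rule the short name collapses to {{root}} for every two-component principal, which is also why mapping several principals to one short name on the server side is something the admin has to avoid.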