[ 
https://issues.apache.org/jira/browse/HDDS-3255?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Siyao Meng updated HDDS-3255:
-----------------------------
    Description: 
I just discovered that when ACL is disabled (ozone.acl.enabled=false), any 
non-admin user can delete volumes even when that user is not the owner of the 
volume.

Base branch: c0b18c338
{code:bash|title=Environment}
mvn clean install -Pdist -DskipTests -e -Dmaven.javadoc.skip=true -DskipShade 
-DskipRecon -pl \!:hadoop-ozone-integration-test
cd hadoop-ozone/dist/target/ozone-0.5.0-SNAPSHOT/compose/ozonesecure
vim docker-config
# Search for OZONE-SITE.XML_ozone.acl.enabled=true
# Change it to OZONE-SITE.XML_ozone.acl.enabled=false
# Save and quit vim
docker-compose up -d --scale datanode=3
docker-compose exec scm /bin/bash
# Wait for ~20s for the cluster to start up
{code}

Proof:
{code:bash|title=Prep with admin testuser}
bash-4.2$ kinit -kt /etc/security/keytabs/testuser.keytab 
testuser/s...@example.com
bash-4.2$ ozone sh volume create vol1
bash-4.2$ ozone sh volume create vol2
bash-4.2$ ozone sh volume setacl vol1 -al world::a
ACL(s) set successfully.
bash-4.2$ ozone sh volume removeacl vol2 -a GROUP:root:a
ACL removed successfully.
bash-4.2$ ozone sh volume list
{
  "metadata" : { },
  "name" : "vol1",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:32.167Z",
  "acls" : [ {
    "type" : "WORLD",
    "name" : "WORLD",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
{
  "metadata" : { },
  "name" : "vol2",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:37.727Z",
  "acls" : [ {
    "type" : "USER",
    "name" : "testuser/s...@example.com",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
bash-4.2$ kdestroy
{code}

Note below uses a uncommitted feature {{ozone sh volume list --all}} in 
HDDS-3056. It lists all volumes on OM.

{code:bash|title=Delete volume with non-admin user testuser2}
bash-4.2$ kinit -kt /etc/security/keytabs/testuser2.keytab 
testuser2/s...@example.com
bash-4.2$ ozone sh volume list --all
{
  "metadata" : { },
  "name" : "vol1",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:32.167Z",
  "acls" : [ {
    "type" : "WORLD",
    "name" : "WORLD",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
{
  "metadata" : { },
  "name" : "vol2",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:37.727Z",
  "acls" : [ {
    "type" : "USER",
    "name" : "testuser/s...@example.com",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
bash-4.2$ ozone sh volume list
bash-4.2$ ozone sh volume delete vol2
Volume vol2 is deleted
bash-4.2$ ozone sh volume list
bash-4.2$ ozone sh volume list --all
{
  "metadata" : { },
  "name" : "vol1",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:32.167Z",
  "acls" : [ {
    "type" : "WORLD",
    "name" : "WORLD",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
{code}

Question:
1. Is this because "admin" : "root", therefore the delete command can be 
issued? From the 
[code|https://github.com/apache/hadoop-ozone/blob/56def9f0b8c89588a8008e21e299047e3cbeb37a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java#L1765-L1779]
 it seems it doesn't really have any owner/admin checks when ACL is disabled.
2. Is this by design?

CC [~xyao]

  was:
I just discovered that when ACL is disabled (ozone.acl.enabled=false), any 
non-admin user can delete volumes even when that user is not the owner of the 
volume.

Base branch: c0b18c338
{code:bash|title=Environment}
mvn clean install -Pdist -DskipTests -e -Dmaven.javadoc.skip=true -DskipShade 
-DskipRecon -pl \!:hadoop-ozone-integration-test
cd hadoop-ozone/dist/target/ozone-0.5.0-SNAPSHOT/compose/ozonesecure
vim docker-config
# Search for OZONE-SITE.XML_ozone.acl.enabled=true
# Change it to OZONE-SITE.XML_ozone.acl.enabled=false
# Save and quit vim
docc up -d --scale datanode=3
docc exec scm /bin/bash
# Wait for ~20s for the cluster to start up
{code}

Proof:
{code:bash|title=Prep with admin testuser}
bash-4.2$ kinit -kt /etc/security/keytabs/testuser.keytab 
testuser/s...@example.com
bash-4.2$ ozone sh volume create vol1
bash-4.2$ ozone sh volume create vol2
bash-4.2$ ozone sh volume setacl vol1 -al world::a
ACL(s) set successfully.
bash-4.2$ ozone sh volume removeacl vol2 -a GROUP:root:a
ACL removed successfully.
bash-4.2$ ozone sh volume list
{
  "metadata" : { },
  "name" : "vol1",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:32.167Z",
  "acls" : [ {
    "type" : "WORLD",
    "name" : "WORLD",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
{
  "metadata" : { },
  "name" : "vol2",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:37.727Z",
  "acls" : [ {
    "type" : "USER",
    "name" : "testuser/s...@example.com",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
bash-4.2$ kdestroy
{code}

Note below uses a uncommitted feature {{ozone sh volume list --all}} in 
HDDS-3056. It lists all volumes on OM.

{code:bash|title=Delete volume with non-admin user testuser2}
bash-4.2$ kinit -kt /etc/security/keytabs/testuser2.keytab 
testuser2/s...@example.com
bash-4.2$ ozone sh volume list --all
{
  "metadata" : { },
  "name" : "vol1",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:32.167Z",
  "acls" : [ {
    "type" : "WORLD",
    "name" : "WORLD",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
{
  "metadata" : { },
  "name" : "vol2",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:37.727Z",
  "acls" : [ {
    "type" : "USER",
    "name" : "testuser/s...@example.com",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
bash-4.2$ ozone sh volume list
bash-4.2$ ozone sh volume delete vol2
Volume vol2 is deleted
bash-4.2$ ozone sh volume list
bash-4.2$ ozone sh volume list --all
{
  "metadata" : { },
  "name" : "vol1",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:32.167Z",
  "acls" : [ {
    "type" : "WORLD",
    "name" : "WORLD",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
{code}

Question:
1. Is this because "admin" : "root", therefore the delete command can be 
issued? From the 
[code|https://github.com/apache/hadoop-ozone/blob/56def9f0b8c89588a8008e21e299047e3cbeb37a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java#L1765-L1779]
 it seems it doesn't really have any owner/admin checks when ACL is disabled.
2. Is this by design?

CC [~xyao]


> Any user can delete volumes when ACL is disabled
> ------------------------------------------------
>
>                 Key: HDDS-3255
>                 URL: https://issues.apache.org/jira/browse/HDDS-3255
>             Project: Hadoop Distributed Data Store
>          Issue Type: Bug
>            Reporter: Siyao Meng
>            Assignee: Siyao Meng
>            Priority: Major
>
> I just discovered that when ACL is disabled (ozone.acl.enabled=false), any 
> non-admin user can delete volumes even when that user is not the owner of the 
> volume.
> Base branch: c0b18c338
> {code:bash|title=Environment}
> mvn clean install -Pdist -DskipTests -e -Dmaven.javadoc.skip=true -DskipShade 
> -DskipRecon -pl \!:hadoop-ozone-integration-test
> cd hadoop-ozone/dist/target/ozone-0.5.0-SNAPSHOT/compose/ozonesecure
> vim docker-config
> # Search for OZONE-SITE.XML_ozone.acl.enabled=true
> # Change it to OZONE-SITE.XML_ozone.acl.enabled=false
> # Save and quit vim
> docker-compose up -d --scale datanode=3
> docker-compose exec scm /bin/bash
> # Wait for ~20s for the cluster to start up
> {code}
> Proof:
> {code:bash|title=Prep with admin testuser}
> bash-4.2$ kinit -kt /etc/security/keytabs/testuser.keytab 
> testuser/s...@example.com
> bash-4.2$ ozone sh volume create vol1
> bash-4.2$ ozone sh volume create vol2
> bash-4.2$ ozone sh volume setacl vol1 -al world::a
> ACL(s) set successfully.
> bash-4.2$ ozone sh volume removeacl vol2 -a GROUP:root:a
> ACL removed successfully.
> bash-4.2$ ozone sh volume list
> {
>   "metadata" : { },
>   "name" : "vol1",
>   "admin" : "root",
>   "owner" : "testuser/s...@example.com",
>   "creationTime" : "2020-03-24T08:29:32.167Z",
>   "acls" : [ {
>     "type" : "WORLD",
>     "name" : "WORLD",
>     "aclScope" : "ACCESS",
>     "aclList" : [ "ALL" ]
>   } ],
>   "quota" : 1152921504606846976
> }
> {
>   "metadata" : { },
>   "name" : "vol2",
>   "admin" : "root",
>   "owner" : "testuser/s...@example.com",
>   "creationTime" : "2020-03-24T08:29:37.727Z",
>   "acls" : [ {
>     "type" : "USER",
>     "name" : "testuser/s...@example.com",
>     "aclScope" : "ACCESS",
>     "aclList" : [ "ALL" ]
>   } ],
>   "quota" : 1152921504606846976
> }
> bash-4.2$ kdestroy
> {code}
> Note below uses a uncommitted feature {{ozone sh volume list --all}} in 
> HDDS-3056. It lists all volumes on OM.
> {code:bash|title=Delete volume with non-admin user testuser2}
> bash-4.2$ kinit -kt /etc/security/keytabs/testuser2.keytab 
> testuser2/s...@example.com
> bash-4.2$ ozone sh volume list --all
> {
>   "metadata" : { },
>   "name" : "vol1",
>   "admin" : "root",
>   "owner" : "testuser/s...@example.com",
>   "creationTime" : "2020-03-24T08:29:32.167Z",
>   "acls" : [ {
>     "type" : "WORLD",
>     "name" : "WORLD",
>     "aclScope" : "ACCESS",
>     "aclList" : [ "ALL" ]
>   } ],
>   "quota" : 1152921504606846976
> }
> {
>   "metadata" : { },
>   "name" : "vol2",
>   "admin" : "root",
>   "owner" : "testuser/s...@example.com",
>   "creationTime" : "2020-03-24T08:29:37.727Z",
>   "acls" : [ {
>     "type" : "USER",
>     "name" : "testuser/s...@example.com",
>     "aclScope" : "ACCESS",
>     "aclList" : [ "ALL" ]
>   } ],
>   "quota" : 1152921504606846976
> }
> bash-4.2$ ozone sh volume list
> bash-4.2$ ozone sh volume delete vol2
> Volume vol2 is deleted
> bash-4.2$ ozone sh volume list
> bash-4.2$ ozone sh volume list --all
> {
>   "metadata" : { },
>   "name" : "vol1",
>   "admin" : "root",
>   "owner" : "testuser/s...@example.com",
>   "creationTime" : "2020-03-24T08:29:32.167Z",
>   "acls" : [ {
>     "type" : "WORLD",
>     "name" : "WORLD",
>     "aclScope" : "ACCESS",
>     "aclList" : [ "ALL" ]
>   } ],
>   "quota" : 1152921504606846976
> }
> {code}
> Question:
> 1. Is this because "admin" : "root", therefore the delete command can be 
> issued? From the 
> [code|https://github.com/apache/hadoop-ozone/blob/56def9f0b8c89588a8008e21e299047e3cbeb37a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java#L1765-L1779]
>  it seems it doesn't really have any owner/admin checks when ACL is disabled.
> 2. Is this by design?
> CC [~xyao]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: ozone-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: ozone-issues-h...@hadoop.apache.org

Reply via email to