[ https://issues.apache.org/jira/browse/HDDS-3255?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Siyao Meng updated HDDS-3255:
-----------------------------
    Description: 
I just discovered that when ACL is disabled (ozone.acl.enabled=false), any 
non-admin user can delete volumes even when that user is not the owner of the 
volume.

Base branch: c0b18c338
{code:bash|title=Environment}
mvn clean install -Pdist -DskipTests -e -Dmaven.javadoc.skip=true -DskipShade
cd hadoop-ozone/dist/target/ozone-0.5.0-SNAPSHOT/compose/ozonesecure
vim docker-config
# Search for OZONE-SITE.XML_ozone.acl.enabled=true
# Change it to OZONE-SITE.XML_ozone.acl.enabled=false
# Save and quit vim
docker-compose up -d --scale datanode=3
docker-compose exec scm /bin/bash
# Wait for ~20s for the cluster to start up
{code}

Proof:
{code:bash|title=Prep with admin testuser}
bash-4.2$ kinit -kt /etc/security/keytabs/testuser.keytab testuser/s...@example.com
bash-4.2$ ozone sh volume create vol1
bash-4.2$ ozone sh volume create vol2
bash-4.2$ ozone sh volume setacl vol1 -al world::a
ACL(s) set successfully.
bash-4.2$ ozone sh volume removeacl vol2 -a GROUP:root:a
ACL removed successfully.
bash-4.2$ ozone sh volume list
{
  "metadata" : { },
  "name" : "vol1",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:32.167Z",
  "acls" : [ {
    "type" : "WORLD",
    "name" : "WORLD",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
{
  "metadata" : { },
  "name" : "vol2",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:37.727Z",
  "acls" : [ {
    "type" : "USER",
    "name" : "testuser/s...@example.com",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
bash-4.2$ kdestroy
{code}

Note: the block below uses an uncommitted feature, {{ozone sh volume list --all}} from 
HDDS-3056. It lists all volumes on the OM.

{code:bash|title=Delete volume with non-admin user testuser2}
bash-4.2$ kinit -kt /etc/security/keytabs/testuser2.keytab testuser2/s...@example.com
bash-4.2$ ozone sh volume list --all
{
  "metadata" : { },
  "name" : "vol1",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:32.167Z",
  "acls" : [ {
    "type" : "WORLD",
    "name" : "WORLD",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
{
  "metadata" : { },
  "name" : "vol2",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:37.727Z",
  "acls" : [ {
    "type" : "USER",
    "name" : "testuser/s...@example.com",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
bash-4.2$ ozone sh volume list
bash-4.2$ ozone sh volume delete vol2
Volume vol2 is deleted
bash-4.2$ ozone sh volume list
bash-4.2$ ozone sh volume list --all
{
  "metadata" : { },
  "name" : "vol1",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:32.167Z",
  "acls" : [ {
    "type" : "WORLD",
    "name" : "WORLD",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
{code}

Question:
1. Is this because "admin" : "root", therefore the delete command can be 
issued? From the 
[code|https://github.com/apache/hadoop-ozone/blob/56def9f0b8c89588a8008e21e299047e3cbeb37a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java#L1765-L1779]
 it seems it doesn't really have any owner/admin checks when ACL is disabled.
2. Is this by design?

CC [~xyao]

  was:
I just discovered that when ACL is disabled (ozone.acl.enabled=false), any 
non-admin user can delete volumes even when that user is not the owner of the 
volume.

Base branch: c0b18c338
{code:bash|title=Environment}
mvn clean install -Pdist -DskipTests -e -Dmaven.javadoc.skip=true -DskipShade -DskipRecon -pl \!:hadoop-ozone-integration-test
cd hadoop-ozone/dist/target/ozone-0.5.0-SNAPSHOT/compose/ozonesecure
vim docker-config
# Search for OZONE-SITE.XML_ozone.acl.enabled=true
# Change it to OZONE-SITE.XML_ozone.acl.enabled=false
# Save and quit vim
docker-compose up -d --scale datanode=3
docker-compose exec scm /bin/bash
# Wait for ~20s for the cluster to start up
{code}

Proof:
{code:bash|title=Prep with admin testuser}
bash-4.2$ kinit -kt /etc/security/keytabs/testuser.keytab testuser/s...@example.com
bash-4.2$ ozone sh volume create vol1
bash-4.2$ ozone sh volume create vol2
bash-4.2$ ozone sh volume setacl vol1 -al world::a
ACL(s) set successfully.
bash-4.2$ ozone sh volume removeacl vol2 -a GROUP:root:a
ACL removed successfully.
bash-4.2$ ozone sh volume list
{
  "metadata" : { },
  "name" : "vol1",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:32.167Z",
  "acls" : [ {
    "type" : "WORLD",
    "name" : "WORLD",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
{
  "metadata" : { },
  "name" : "vol2",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:37.727Z",
  "acls" : [ {
    "type" : "USER",
    "name" : "testuser/s...@example.com",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
bash-4.2$ kdestroy
{code}

Note: the block below uses an uncommitted feature, {{ozone sh volume list --all}} from 
HDDS-3056. It lists all volumes on the OM.

{code:bash|title=Delete volume with non-admin user testuser2}
bash-4.2$ kinit -kt /etc/security/keytabs/testuser2.keytab testuser2/s...@example.com
bash-4.2$ ozone sh volume list --all
{
  "metadata" : { },
  "name" : "vol1",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:32.167Z",
  "acls" : [ {
    "type" : "WORLD",
    "name" : "WORLD",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
{
  "metadata" : { },
  "name" : "vol2",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:37.727Z",
  "acls" : [ {
    "type" : "USER",
    "name" : "testuser/s...@example.com",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
bash-4.2$ ozone sh volume list
bash-4.2$ ozone sh volume delete vol2
Volume vol2 is deleted
bash-4.2$ ozone sh volume list
bash-4.2$ ozone sh volume list --all
{
  "metadata" : { },
  "name" : "vol1",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:32.167Z",
  "acls" : [ {
    "type" : "WORLD",
    "name" : "WORLD",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
{code}

Question:
1. Is this because "admin" : "root", therefore the delete command can be 
issued? From the 
[code|https://github.com/apache/hadoop-ozone/blob/56def9f0b8c89588a8008e21e299047e3cbeb37a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java#L1765-L1779]
 it seems it doesn't really have any owner/admin checks when ACL is disabled.
2. Is this by design?

CC [~xyao]


> Any user can delete volumes when ACL is disabled
> ------------------------------------------------
>
>                 Key: HDDS-3255
>                 URL: https://issues.apache.org/jira/browse/HDDS-3255
>             Project: Hadoop Distributed Data Store
>          Issue Type: Bug
>            Reporter: Siyao Meng
>            Assignee: Siyao Meng
>            Priority: Major
>
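Added example, not code from the reporter or from the Ozone project: a small Python model of the authorization decision the report questions. It parses the concatenated JSON objects that {{ozone sh volume list}} prints (one object per volume, not a JSON array), then evaluates a delete request under the behaviour observed above (ACL disabled means no check at all) and under a hypothetical owner-or-admin gate that holds regardless of the ACL switch. The principals, volume records and the simplified ACL semantics are constructed for the example and are not Ozone's real implementation.

```python
import json

# Constructed sample in the shape `ozone sh volume list` prints: a stream of
# top-level JSON objects (not an array). Principals and volumes are made up.
VOLUME_LIST_OUTPUT = """
{ "metadata" : { }, "name" : "vol1", "admin" : "root",
  "owner" : "testuser@EXAMPLE.COM",
  "acls" : [ { "type" : "WORLD", "name" : "WORLD",
               "aclScope" : "ACCESS", "aclList" : [ "ALL" ] } ] }
{ "metadata" : { }, "name" : "vol2", "admin" : "root",
  "owner" : "testuser@EXAMPLE.COM",
  "acls" : [ { "type" : "USER", "name" : "testuser@EXAMPLE.COM",
               "aclScope" : "ACCESS", "aclList" : [ "ALL" ] } ] }
"""

def parse_volume_list(text):
    """Decode the consecutive JSON objects the CLI emits into a list of dicts."""
    decoder = json.JSONDecoder()
    text, pos, volumes = text.strip(), 0, []
    while pos < len(text):
        obj, pos = decoder.raw_decode(text, pos)
        volumes.append(obj)
        while pos < len(text) and text[pos].isspace():
            pos += 1  # raw_decode does not skip whitespace between objects
    return volumes

def acl_grants_all(volume, caller):
    """Simplified ACL model: WORLD, or a USER entry for the caller, with ALL."""
    for acl in volume.get("acls", []):
        matches = acl["type"] == "WORLD" or (
            acl["type"] == "USER" and acl["name"] == caller)
        if matches and "ALL" in acl["aclList"]:
            return True
    return False

def may_delete_as_observed(volume, caller, acl_enabled):
    """Behaviour the report describes: with ACL disabled no caller is checked."""
    return True if not acl_enabled else acl_grants_all(volume, caller)

def may_delete_hardened(volume, caller, acl_enabled):
    """Hypothetical gate: owner or admin may always delete; anyone else needs
    an ACL grant, which can only be consulted when ACLs are enabled."""
    if caller in (volume["owner"], volume["admin"]):
        return True
    return acl_enabled and acl_grants_all(volume, caller)

def deletable_by(volumes, caller, acl_enabled, policy):
    """Names of the volumes `caller` could delete under the given policy."""
    return [v["name"] for v in volumes if policy(v, caller, acl_enabled)]
```

With ACLs disabled, {{deletable_by(vols, "testuser2@EXAMPLE.COM", False, may_delete_as_observed)}} returns both volumes, while the hardened gate returns none for that caller.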



--
This message was sent by Atlassian Jira
(v8.3.4#803005)