[ https://issues.apache.org/jira/browse/HDDS-3255?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Siyao Meng updated HDDS-3255:
-----------------------------
    Description: 
I just discovered that when ACL is disabled (ozone.acl.enabled=false), any non-admin user can delete volumes even when that user is not the owner of the volume.

Base branch: c0b18c338

{code:bash|title=Environment}
mvn clean install -Pdist -DskipTests -e -Dmaven.javadoc.skip=true -DskipShade
cd hadoop-ozone/dist/target/ozone-0.5.0-SNAPSHOT/compose/ozonesecure
vim docker-config
# Search for OZONE-SITE.XML_ozone.acl.enabled=true
# Change it to OZONE-SITE.XML_ozone.acl.enabled=false
# Save and quit vim
docker-compose up -d --scale datanode=3
docker-compose exec scm /bin/bash
# Wait for ~20s for the cluster to start up
{code}

Proof:

{code:bash|title=Prep with admin testuser}
bash-4.2$ kinit -kt /etc/security/keytabs/testuser.keytab testuser/s...@example.com
bash-4.2$ ozone sh volume create vol1
bash-4.2$ ozone sh volume create vol2
bash-4.2$ ozone sh volume setacl vol1 -al world::a
ACL(s) set successfully.
bash-4.2$ ozone sh volume removeacl vol2 -a GROUP:root:a
ACL removed successfully.
bash-4.2$ ozone sh volume list
{
  "metadata" : { },
  "name" : "vol1",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:32.167Z",
  "acls" : [ {
    "type" : "WORLD",
    "name" : "WORLD",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
{
  "metadata" : { },
  "name" : "vol2",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:37.727Z",
  "acls" : [ {
    "type" : "USER",
    "name" : "testuser/s...@example.com",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
bash-4.2$ kdestroy
{code}

Note below uses an uncommitted feature {{ozone sh volume list --all}} in HDDS-3056. It lists all volumes on OM.

{code:bash|title=Delete volume with non-admin user testuser2}
bash-4.2$ kinit -kt /etc/security/keytabs/testuser2.keytab testuser2/s...@example.com
bash-4.2$ ozone sh volume list --all
{
  "metadata" : { },
  "name" : "vol1",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:32.167Z",
  "acls" : [ {
    "type" : "WORLD",
    "name" : "WORLD",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
{
  "metadata" : { },
  "name" : "vol2",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:37.727Z",
  "acls" : [ {
    "type" : "USER",
    "name" : "testuser/s...@example.com",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
bash-4.2$ ozone sh volume list
bash-4.2$ ozone sh volume delete vol2
Volume vol2 is deleted
bash-4.2$ ozone sh volume list
bash-4.2$ ozone sh volume list --all
{
  "metadata" : { },
  "name" : "vol1",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:32.167Z",
  "acls" : [ {
    "type" : "WORLD",
    "name" : "WORLD",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
{code}

Question:
1. Is this because "admin" : "root", and therefore the delete command can be issued? From the [code|https://github.com/apache/hadoop-ozone/blob/56def9f0b8c89588a8008e21e299047e3cbeb37a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java#L1765-L1779] it seems it doesn't really have any owner/admin checks when ACL is disabled.
2. Is this by design?

CC [~xyao]

  was:
I just discovered that when ACL is disabled (ozone.acl.enabled=false), any non-admin user can delete volumes even when that user is not the owner of the volume.
Base branch: c0b18c338

{code:bash|title=Environment}
mvn clean install -Pdist -DskipTests -e -Dmaven.javadoc.skip=true -DskipShade -DskipRecon -pl \!:hadoop-ozone-integration-test
cd hadoop-ozone/dist/target/ozone-0.5.0-SNAPSHOT/compose/ozonesecure
vim docker-config
# Search for OZONE-SITE.XML_ozone.acl.enabled=true
# Change it to OZONE-SITE.XML_ozone.acl.enabled=false
# Save and quit vim
docker-compose up -d --scale datanode=3
docker-compose exec scm /bin/bash
# Wait for ~20s for the cluster to start up
{code}

Proof:

{code:bash|title=Prep with admin testuser}
bash-4.2$ kinit -kt /etc/security/keytabs/testuser.keytab testuser/s...@example.com
bash-4.2$ ozone sh volume create vol1
bash-4.2$ ozone sh volume create vol2
bash-4.2$ ozone sh volume setacl vol1 -al world::a
ACL(s) set successfully.
bash-4.2$ ozone sh volume removeacl vol2 -a GROUP:root:a
ACL removed successfully.
bash-4.2$ ozone sh volume list
{
  "metadata" : { },
  "name" : "vol1",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:32.167Z",
  "acls" : [ {
    "type" : "WORLD",
    "name" : "WORLD",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
{
  "metadata" : { },
  "name" : "vol2",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:37.727Z",
  "acls" : [ {
    "type" : "USER",
    "name" : "testuser/s...@example.com",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
bash-4.2$ kdestroy
{code}

Note below uses an uncommitted feature {{ozone sh volume list --all}} in HDDS-3056. It lists all volumes on OM.

{code:bash|title=Delete volume with non-admin user testuser2}
bash-4.2$ kinit -kt /etc/security/keytabs/testuser2.keytab testuser2/s...@example.com
bash-4.2$ ozone sh volume list --all
{
  "metadata" : { },
  "name" : "vol1",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:32.167Z",
  "acls" : [ {
    "type" : "WORLD",
    "name" : "WORLD",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
{
  "metadata" : { },
  "name" : "vol2",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:37.727Z",
  "acls" : [ {
    "type" : "USER",
    "name" : "testuser/s...@example.com",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
bash-4.2$ ozone sh volume list
bash-4.2$ ozone sh volume delete vol2
Volume vol2 is deleted
bash-4.2$ ozone sh volume list
bash-4.2$ ozone sh volume list --all
{
  "metadata" : { },
  "name" : "vol1",
  "admin" : "root",
  "owner" : "testuser/s...@example.com",
  "creationTime" : "2020-03-24T08:29:32.167Z",
  "acls" : [ {
    "type" : "WORLD",
    "name" : "WORLD",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ],
  "quota" : 1152921504606846976
}
{code}

Question:
1. Is this because "admin" : "root", and therefore the delete command can be issued? From the [code|https://github.com/apache/hadoop-ozone/blob/56def9f0b8c89588a8008e21e299047e3cbeb37a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java#L1765-L1779] it seems it doesn't really have any owner/admin checks when ACL is disabled.
2. Is this by design?
CC [~xyao]

> Any user can delete volumes when ACL is disabled
> ------------------------------------------------
>
>                 Key: HDDS-3255
>                 URL: https://issues.apache.org/jira/browse/HDDS-3255
>             Project: Hadoop Distributed Data Store
>          Issue Type: Bug
>            Reporter: Siyao Meng
>            Assignee: Siyao Meng
>            Priority: Major
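The report's core finding is that switching off ACL enforcement also switched off the owner/admin check on volume delete, so a caller with no relationship to the volume (testuser2) could remove it. The following is an added illustration and not Ozone Manager code: it models the delete decision in two forms, the permissive one the report observed (ACL disabled means no check at all) and a hardened one in which disabling ACLs only disables the ACL-list lookup while ownership and admin status are still enforced. The `Volume` dataclass, the `may_delete_*` function names, the `CLUSTER_ADMINS` set, the shortened principal names and the `DELETE` right label are all assumptions made for the model; the two sample volumes are constructed to mirror the ACL entries shown in the report's `ozone sh volume list` output.

```python
"""Model of the volume-delete authorization decision discussed in HDDS-3255.

Added illustration, not Ozone Manager code. Names, the Volume model and the
cluster-admin set are assumptions; sample data is constructed from the report.
"""
from dataclasses import dataclass, field


@dataclass
class Volume:
    name: str
    owner: str
    admin: str
    # ACL entries as (type, name, aclList) tuples, mirroring the fields of the
    # `ozone sh volume list` JSON in the report.
    acls: list = field(default_factory=list)


def acl_allows(volume, user, groups, right):
    """True if any ACL entry matching `user` grants `right` (or ALL)."""
    for entry_type, name, rights in volume.acls:
        if "ALL" not in rights and right not in rights:
            continue
        if entry_type == "WORLD":
            return True
        if entry_type == "USER" and name == user:
            return True
        if entry_type == "GROUP" and name in groups:
            return True
    return False


def may_delete_permissive(volume, user, groups, admins, acl_enabled):
    """Permissive decision: disabling ACLs disables every check.

    This reproduces what the report observed: with ozone.acl.enabled=false,
    testuser2 (neither owner nor admin of vol2) was allowed to delete it.
    """
    if not acl_enabled:
        return True
    return acl_allows(volume, user, groups, "DELETE")


def may_delete_hardened(volume, user, groups, admins, acl_enabled):
    """Hardened decision: owner, volume admin or cluster admin may always delete.

    Other callers are granted only through the ACL list, and only when ACL
    enforcement is on. Disabling ACLs therefore removes a grant path instead of
    removing the check.
    """
    if user == volume.owner or user == volume.admin or user in admins:
        return True
    if not acl_enabled:
        return False  # no ACL lookup, but no implicit grant either
    return acl_allows(volume, user, groups, "DELETE")


# Constructed sample data mirroring the report's two volumes (principals shortened).
VOL1 = Volume("vol1", owner="testuser", admin="root",
              acls=[("WORLD", "WORLD", ["ALL"])])
VOL2 = Volume("vol2", owner="testuser", admin="root",
              acls=[("USER", "testuser", ["ALL"])])
CLUSTER_ADMINS = {"root"}  # assumed cluster-admin set for the model


def reproduce_report():
    """Run the report's scenario (caller testuser2, not owner or admin) through
    both decision functions and return the outcomes by label."""
    caller, groups = "testuser2", ()
    return {
        "permissive_acl_disabled": may_delete_permissive(
            VOL2, caller, groups, CLUSTER_ADMINS, acl_enabled=False),
        "hardened_acl_disabled": may_delete_hardened(
            VOL2, caller, groups, CLUSTER_ADMINS, acl_enabled=False),
        # With ACLs on, vol1's WORLD:ALL entry grants testuser2, vol2's does not.
        "hardened_acl_enabled_vol1": may_delete_hardened(
            VOL1, caller, groups, CLUSTER_ADMINS, acl_enabled=True),
        "hardened_acl_enabled_vol2": may_delete_hardened(
            VOL2, caller, groups, CLUSTER_ADMINS, acl_enabled=True),
    }


if __name__ == "__main__":
    for label, allowed in reproduce_report().items():
        print(f"{label}: {'ALLOW' if allowed else 'DENY'}")
```

The point of the two variants is the placement of the `acl_enabled` test: in the permissive form it short-circuits the whole decision, in the hardened form it only guards the ACL lookup, so a non-owner is denied in both configurations unless an ACL entry (when enforcement is on) grants the right. The same structure applies to any operation whose authorization has both an ownership component and an ACL component.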