[ 
https://issues.apache.org/jira/browse/HDDS-3047?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Arpit Agarwal updated HDDS-3047:
--------------------------------
    Fix Version/s: 0.6.0
       Resolution: Fixed
           Status: Resolved  (was: Patch Available)

Resolving as this seems to be merged via GitHub.

> ObjectStore#listVolumesByUser and CreateVolumeHandler#call should get 
> principal name by default
> -----------------------------------------------------------------------------------------------
>
>                 Key: HDDS-3047
>                 URL: https://issues.apache.org/jira/browse/HDDS-3047
>             Project: Hadoop Distributed Data Store
>          Issue Type: Bug
>          Components: Ozone Client
>            Reporter: Siyao Meng
>            Assignee: Siyao Meng
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 0.6.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> [{{ObjectStore#listVolumesByUser}}|https://github.com/apache/hadoop-ozone/blob/2fa37ef99b8fb4575169ba8326eeb677b3d2ed74/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/ObjectStore.java#L249-L256]
>  is using {{getShortUserName()}} by default (when user is empty or null):
> {code:java|title=ObjectStore#listVolumesByUser}
>   public Iterator<? extends OzoneVolume> listVolumesByUser(String user,
>       String volumePrefix, String prevVolume)
>       throws IOException {
>     if(Strings.isNullOrEmpty(user)) {
>       user = UserGroupInformation.getCurrentUser().getShortUserName();  // <--
>     }
>     return new VolumeIterator(user, volumePrefix, prevVolume);
>   }
> {code}
> It should use {{getUserName()}} instead.
> For a quick reference for the difference between {{getUserName()}} and 
> {{getShortUserName()}}:
> {code:java|title=UserGroupInformation#getUserName}
>   /**
>    * Get the user's full principal name.
>    * @return the user's full principal name.
>    */
>   @InterfaceAudience.Public
>   @InterfaceStability.Evolving
>   public String getUserName() {
>     return user.getName();
>   }
> {code}
> {code:java|title=UserGroupInformation#getShortUserName}
>   /**
>    * Get the user's login name.
>    * @return the user's name up to the first '/' or '@'.
>    */
>   public String getShortUserName() {
>     return user.getShortName();
>   }
> {code}
> This won't cause an issue if Kerberos is not in use. However, once Kerberos is 
> enabled, the {{getUserName()}} and {{getShortUserName()}} results differ and can 
> cause some issues.
> When Kerberos is enabled, {{getUserName()}} returns the full principal name, e.g. 
> {{om/[email protected]}}, but {{getShortUserName()}} will return the login name, 
> e.g. {{hadoop}}.
> If {{hadoop.security.auth_to_local}} is set, the {{getShortUserName()}} result 
> can become very different from the full principal name.
> For example, when {{hadoop.security.auth_to_local = 
> RULE:[2:$1@$0](.*)s/.*/root/}},
> {{getShortUserName()}} returns {{root}}, while {{getUserName()}} still gives 
> {{om/[email protected]}}.
> This can lead to a user experience issue (when Kerberos is enabled) where the 
> user creates a volume with ozone shell ([uses 
> {{getUserName()}}|https://github.com/apache/hadoop-ozone/blob/ecb5bf4df1d80723835a1500d595102f3f861708/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/volume/CreateVolumeHandler.java#L63-L65]
>  internally) then try to list it with {{ObjectStore#listVolumesByUser(null, 
> ...)}} ([uses {{getShortUserName()}} by 
> default|https://github.com/apache/hadoop-ozone/blob/2fa37ef99b8fb4575169ba8326eeb677b3d2ed74/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/ObjectStore.java#L238-L256]
>  when user param is empty or null), the user won't see any volumes because of 
> the mismatch.
> We should also double check *all* usages that use {{getShortUserName()}}.
> *Update:*
> Xiaoyu and I checked that the usage of {{getShortUserName()}} on the server 
> side shouldn't become a problem, because the server should've maintained its own 
> auth_to_local rules (the admin should make sure they separate each user into 
> different short names; just don't map multiple principal names into the same 
> one, then it won't be a problem).
> The usage in {{BasicOzoneFileSystem}} itself also seems valid because that 
> {{getShortUserName()}} is only used for client side purpose (to set 
> {{workingDir}}, etc.).
> But the usage in {{ObjectStore#listVolumesByUser}} is confirmed problematic 
> at the moment, which needs to be fixed. Same for 
> [{{CreateVolumeHandler#call}}|https://github.com/apache/hadoop-ozone/blob/ecb5bf4df1d80723835a1500d595102f3f861708/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/volume/CreateVolumeHandler.java#L81-L83]:
> {code:java|title=CreateVolumeHandler#call}
>       } else {
>         rootName = UserGroupInformation.getCurrentUser().getShortUserName();
>       }
> {code}
> It should pass the full principal name to the server.
> CC [~xyao] [~aengineer] [~arp] [~bharat]
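
The mismatch described in the issue, as an added example (not code from Ozone, Hadoop or the reporter): a self-contained Java model that records a volume under the full principal name and then looks it up under the short name. The principals, the owner index and the single-rule handling of RULE:[2:$1@$0](.*)s/.*/root/ are assumptions made for illustration.

```java
import java.util.*;

// Added illustration, not Ozone or Hadoop code. The principals are constructed
// samples and the owner index is a hypothetical stand-in for the server side.
public class PrincipalNameMismatch {

    // Default short name, per the getShortUserName() javadoc quoted in the
    // issue: the name up to the first '/' or '@'.
    static String defaultShortName(String principal) {
        return principal.split("[/@]", 2)[0];
    }

    // Simplified model of the one rule from the issue,
    // RULE:[2:$1@$0](.*)s/.*/root/ : for a two-component principal
    // (primary/instance@REALM) build "$1@$0" = primary@REALM, then apply the
    // sed substitution once. Other principals fall back to the default.
    static String shortNameWithIssueRule(String principal) {
        String[] atSplit = principal.split("@", 2);
        String[] components = atSplit[0].split("/");
        if (atSplit.length != 2 || components.length != 2) {
            return defaultShortName(principal);
        }
        String formatted = components[0] + "@" + atSplit[1];
        return formatted.replaceFirst(".*", "root");
    }

    static final Map<String, List<String>> VOLUMES_BY_OWNER = new HashMap<>();

    static void createVolume(String owner, String volume) {
        VOLUMES_BY_OWNER.computeIfAbsent(owner, k -> new ArrayList<>()).add(volume);
    }

    static List<String> listVolumesByUser(String owner) {
        return VOLUMES_BY_OWNER.getOrDefault(owner, List.of());
    }

    public static void main(String[] args) {
        String om1 = "om/host1.example.com@EXAMPLE.COM"; // constructed sample
        String om2 = "om/host2.example.com@EXAMPLE.COM"; // constructed sample
        createVolume(om1, "vol1"); // owner recorded as the full principal name
        for (String key : List.of(om1, defaultShortName(om1), shortNameWithIssueRule(om1))) {
            System.out.println("list as '" + key + "' -> " + listVolumesByUser(key));
        }
        // Distinct principals that reduce to one short name cannot be told apart by it.
        System.out.println("same short name: " + defaultShortName(om1).equals(defaultShortName(om2)));
    }
}
```

Only the lookup keyed on the full principal finds the volume, and the two constructed principals reduce to the same short name, which is the collision the auth_to_local remark in the update is about.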


