[GitHub] [hadoop] hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate ACL on volume bucket key and prefix to authorize access. Contributed by Ajay Kumar.

2019-06-27 Thread GitBox
hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate 
ACL on volume bucket key and prefix to authorize access. Contributed by Ajay 
Kumar.
URL: https://github.com/apache/hadoop/pull/973#discussion_r298385885
 
 

 ##
 File path: 
hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOzoneManager.java
 ##
 @@ -356,7 +359,7 @@ public void testFailedDeleteVolume() throws IOException, 
OzoneException {
   // Create a volume and test Volume access for a different user
   @Test
   public void testAccessVolume() throws IOException, OzoneException {
-String userName = "user" + RandomStringUtils.randomNumeric(5);
+String userName = UserGroupInformation.getCurrentUser().getUserName();
 
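Review bot: the comment just above this line, `// Create a volume and test Volume access for a different user`, no longer matches the code: `userName` is now `UserGroupInformation.getCurrentUser().getUserName()`, so the volume is created for the caller rather than for a different user. Either update the comment or keep a second, non-current principal for the negative access check, since with ACLs enforced that is the case this change is meant to exercise.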
 Review comment:
   whitespace:end of line
   


This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org



[GitHub] [hadoop] hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate ACL on volume bucket key and prefix to authorize access. Contributed by Ajay Kumar.

2019-06-27 Thread GitBox
hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate 
ACL on volume bucket key and prefix to authorize access. Contributed by Ajay 
Kumar.
URL: https://github.com/apache/hadoop/pull/973#discussion_r298385923
 
 

 ##
 File path: 
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/S3BucketManager.java
 ##
 @@ -78,4 +78,12 @@
* @throws IOException - incase of volume creation failure.
*/
   boolean createOzoneVolumeIfNeeded(String userName) throws IOException;
+
 
 Review comment:
   whitespace:end of line
   





[GitHub] [hadoop] hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate ACL on volume bucket key and prefix to authorize access. Contributed by Ajay Kumar.

2019-06-27 Thread GitBox
hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate 
ACL on volume bucket key and prefix to authorize access. Contributed by Ajay 
Kumar.
URL: https://github.com/apache/hadoop/pull/973#discussion_r298385910
 
 

 ##
 File path: 
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/KeyManagerImpl.java
 ##
 @@ -1623,6 +1625,58 @@ public boolean setAcl(OzoneObj obj, List 
acls) throws IOException {
 }
   }
 
+  /**
+   * Check access for given ozoneObject.
+   *
+   * @param ozObject object for which access needs to be checked.
+   * @param context Context object encapsulating all user related information.
+   * @return true if user has access else false.
+   */
+  @Override
+  public boolean checkAccess(OzoneObj ozObject, RequestContext context)
+  throws OMException {
+Objects.requireNonNull(ozObject);
+Objects.requireNonNull(context);
+Objects.requireNonNull(context.getClientUgi());
+
+String volume = ozObject.getVolumeName();
+String bucket = ozObject.getBucketName();
+String keyName = ozObject.getKeyName();
+
+metadataManager.getLock().acquireBucketLock(volume, bucket);
+try {
+  validateBucket(volume, bucket);
+  String objectKey = metadataManager.getOzoneKey(volume, bucket, keyName);
 
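Review bot: the three `Objects.requireNonNull` guards at the top of `checkAccess` throw `NullPointerException`, while the method declares only `throws OMException`, so a missing `clientUgi` reaches the caller as an NPE instead of an OM error; converting these into an `OMException` gives callers a deterministic denial. Acquiring the bucket lock before the `try` is the correct pattern, but the `finally` that releases it lies beyond the truncated hunk and should be confirmed to run on the `validateBucket` failure path as well.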
 Review comment:
   whitespace:end of line
   





[GitHub] [hadoop] hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate ACL on volume bucket key and prefix to authorize access. Contributed by Ajay Kumar.

2019-06-27 Thread GitBox
hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate 
ACL on volume bucket key and prefix to authorize access. Contributed by Ajay 
Kumar.
URL: https://github.com/apache/hadoop/pull/973#discussion_r298385881
 
 

 ##
 File path: hadoop-ozone/dist/src/main/smoketest/security/ozone-secure-fs.robot
 ##
 @@ -33,21 +33,21 @@ Setup volume names
 *** Test Cases ***
 Create volume bucket with wrong credentials
 Execute kdestroy
-${rc}   ${output} =  Run And Return Rc And Output  
 ozone sh volume create o3://om/fstest --user bilbo --quota 100TB --root
+${rc}   ${output} =  Run And Return Rc And Output  
 ozone sh volume create o3://om/fstest
 
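Review bot: after `Execute kdestroy` the `ozone sh volume create o3://om/fstest` call runs with no Kerberos ticket, but the assertions on `${rc}` and `${output}` are outside this hunk; make sure they require a non-zero return code and an authentication or permission failure, otherwise the case passes vacuously now that the `--user bilbo --quota 100TB --root` form has been removed. The trailing spaces after `Run And Return Rc And Output` on the added line are what yetus flagged.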
 Review comment:
   whitespace:end of line
   





[GitHub] [hadoop] hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate ACL on volume bucket key and prefix to authorize access. Contributed by Ajay Kumar.

2019-06-27 Thread GitBox
hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate 
ACL on volume bucket key and prefix to authorize access. Contributed by Ajay 
Kumar.
URL: https://github.com/apache/hadoop/pull/973#discussion_r298385867
 
 

 ##
 File path: hadoop-ozone/dist/src/main/smoketest/security/ozone-secure-fs.robot
 ##
 @@ -91,7 +91,41 @@ Test key Acls
 ${result} = Execute ozone sh key removeacl 
${volume3}/bk1/key1 -a user:superuser1:xy
 ${result} = Execute ozone sh key getacl ${volume3}/bk1/key1
 Should Match Regexp ${result}   \"type\" : 
\"USER\",\n.*\"name\" : \"superuser1\",\n.*\"aclList\" : . \"READ\", \"WRITE\"
-${result} = Execute ozone sh key setacl 
${volume3}/bk1/key1 -al user:superuser1:rwxy,group:superuser1:a
+${result} = Execute ozone sh key setacl 
${volume3}/bk1/key1 -al 
user:superuser1:rwxy,group:superuser1:a,user:testuser/s...@example.com:rwxyc
 ${result} = Execute ozone sh key getacl ${volume3}/bk1/key1
 Should Match Regexp ${result}   \"type\" : 
\"USER\",\n.*\"name\" : \"superuser1*\",\n.*\"aclList\" : . \"READ\", 
\"WRITE\", \"READ_ACL\", \"WRITE_ACL\"
-Should Match Regexp ${result}   \"type\" : 
\"GROUP\",\n.*\"name\" : \"superuser1\",\n.*\"aclList\" : . \"ALL\"
\ No newline at end of file
+Should Match Regexp ${result}   \"type\" : 
\"GROUP\",\n.*\"name\" : \"superuser1\",\n.*\"aclList\" : . \"ALL\"
+
+Test native authorizer
+Execute ozone sh volume removeacl ${volume3} -a group:root:a
+Execute kdestroy
+Run Keyword Kinit test user testuser2testuser2.keytab
+${result} = Execute And Ignore Error ozone sh bucket list 
/${volume3}/
+Should contain  ${result}PERMISSION_DENIED
+${result} = Execute And Ignore Error ozone sh key list 
/${volume3}/bk1  
+Should contain  ${result}PERMISSION_DENIED
+${result} = Execute And Ignore Error ozone sh volume addacl 
${volume3} -a user:testuser2/s...@example.com:xy
+Should contain  ${result}PERMISSION_DENIED User 
testuser2/s...@example.com doesn't have WRITE_ACL permission to access volume
+Execute kdestroy
+Run Keyword Kinit test user testuser testuser.keytab
+Execute ozone sh volume addacl ${volume3} -a 
user:testuser2/s...@example.com:xyrw
+Execute kdestroy
+Run Keyword Kinit test user testuser2testuser2.keytab
+${result} = Execute And Ignore Error ozone sh bucket list 
/${volume3}/
+Should contain  ${result}PERMISSION_DENIED 
org.apache.hadoop.ozone.om.exceptions.OMException: User 
testuser2/s...@example.com doesn't have LIST permission to access volume
+Execute ozone sh volume addacl ${volume3} -a 
user:testuser2/s...@example.com:l
+Execute ozone sh bucket list /${volume3}/
 
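Review bot: `Test native authorizer` mutates the ACLs of `${volume3}` (removes `group:root:a`, then adds `user:testuser2/...:xyrw` and `:l`) and never restores them, so any later case in this suite that relies on the root group holding ALL on `${volume3}` will see a different state; add a final `removeacl`/`addacl` step that puts the ACL back. Also check the two `Run Keyword Kinit test user testuser2testuser2.keytab` lines: as rendered here the principal and the keytab argument run together, and Robot needs at least two spaces between them.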
 Review comment:
   whitespace:end of line
   





[GitHub] [hadoop] hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate ACL on volume bucket key and prefix to authorize access. Contributed by Ajay Kumar.

2019-06-27 Thread GitBox
hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate 
ACL on volume bucket key and prefix to authorize access. Contributed by Ajay 
Kumar.
URL: https://github.com/apache/hadoop/pull/973#discussion_r298385916
 
 

 ##
 File path: 
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
 ##
 @@ -2277,8 +2332,19 @@ public OmKeyLocationInfo allocateBlock(OmKeyArgs args, 
long clientID,
   ExcludeList excludeList)
   throws IOException {
 if(isAclEnabled) {
-  checkAcls(ResourceType.KEY, StoreType.OZONE, ACLType.WRITE,
-  args.getVolumeName(), args.getBucketName(), args.getKeyName());
+  try {
+checkAcls(ResourceType.KEY, StoreType.OZONE, ACLType.WRITE,
+args.getVolumeName(), args.getBucketName(), args.getKeyName());
+  } catch (OMException ex) {
+// For new keys key checkAccess call will fail as key doesn't exist.
+// Check user access for bucket.
+if (ex.getResult().equals(KEY_NOT_FOUND)) {
+  checkAcls(ResourceType.BUCKET, StoreType.OZONE, ACLType.WRITE,
+  args.getVolumeName(), args.getBucketName(), args.getKeyName());
+} else {
+  throw ex;
+}
 
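Review bot: `ex.getResult().equals(KEY_NOT_FOUND)` compares an enum with `equals`; `==` is the idiomatic form and does not NPE when `getResult()` is null. The fallback also passes `args.getKeyName()` into a `ResourceType.BUCKET` check, and the catch distinguishes only by result code, so a short comment stating that `allocateBlock` is reached only for keys that exist in the open-key table (which is why KEY_NOT_FOUND is the expected outcome of the KEY check) would make the intent clear to the next reader. `KEY_NOT_FOUND` is used unqualified, so a static import of `OMException.ResultCodes.KEY_NOT_FOUND` is needed that is not visible in this hunk.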
 Review comment:
   whitespace:end of line
   





[GitHub] [hadoop] hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate ACL on volume bucket key and prefix to authorize access. Contributed by Ajay Kumar.

2019-06-27 Thread GitBox
hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate 
ACL on volume bucket key and prefix to authorize access. Contributed by Ajay 
Kumar.
URL: https://github.com/apache/hadoop/pull/973#discussion_r298385934
 
 

 ##
 File path: 
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/S3BucketManagerImpl.java
 ##
 @@ -159,13 +162,17 @@ public boolean createOzoneVolumeIfNeeded(String userName)
 boolean newVolumeCreate = true;
 String ozoneVolumeName = formatOzoneVolumeName(userName);
 try {
-  OmVolumeArgs args =
+  OmVolumeArgs.Builder builder =
   OmVolumeArgs.newBuilder()
   .setAdminName(S3_ADMIN_NAME)
   .setOwnerName(userName)
   .setVolume(ozoneVolumeName)
-  .setQuotaInBytes(OzoneConsts.MAX_QUOTA_IN_BYTES)
-  .build();
+  .setQuotaInBytes(OzoneConsts.MAX_QUOTA_IN_BYTES);
+  for (OzoneAcl acl : getDefaultAcls()) {
+builder.addOzoneAcls(OzoneAcl.toProtobuf(acl));
+  }
 
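Review bot: `getDefaultAcls()` takes no argument, so the ACLs attached to the S3 volume cannot be scoped to `userName`, even though the builder sets `.setOwnerName(userName)` and `.setAdminName(S3_ADMIN_NAME)`; if the defaults are meant to grant the owner ALL, pass the owner in rather than relying on a static list. The `.build()` call that the removed lines had is no longer visible in this hunk, so confirm it still follows the `addOzoneAcls` loop.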
 Review comment:
   whitespace:end of line
   





[GitHub] [hadoop] hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate ACL on volume bucket key and prefix to authorize access. Contributed by Ajay Kumar.

2019-06-27 Thread GitBox
hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate 
ACL on volume bucket key and prefix to authorize access. Contributed by Ajay 
Kumar.
URL: https://github.com/apache/hadoop/pull/973#discussion_r298385836
 
 

 ##
 File path: hadoop-ozone/dist/src/main/smoketest/basic/ozone-shell.robot
 ##
 @@ -44,16 +44,17 @@ RpcClient without scheme
 *** Keywords ***
 Test ozone shell
 [arguments] ${protocol} ${server}   ${volume}
-${result} = Execute ozone sh volume create 
${protocol}${server}/${volume} --user bilbo --quota 100TB --root
+${result} = Execute ozone sh volume create 
${protocol}${server}/${volume} --quota 100TB
 Should not contain  ${result}   Failed
 Should contain  ${result}   Creating Volume: 
${volume}
-${result} = Execute ozone sh volume list 
${protocol}${server}/ --user bilbo | grep -Ev 
'Removed|WARN|DEBUG|ERROR|INFO|TRACE' | jq -r '.[] | 
select(.volumeName=="${volume}")'
+${result} = Execute ozone sh volume list 
${protocol}${server}/ | grep -Ev 'Removed|WARN|DEBUG|ERROR|INFO|TRACE' | jq -r 
'.[] | select(.volumeName=="${volume}")'
 Should contain  ${result}   createdOn
-${result} = Execute ozone sh volume list --user bilbo | 
grep -Ev 'Removed|DEBUG|ERROR|INFO|TRACE|WARN' | jq -r '.[] | 
select(.volumeName=="${volume}")'
+${result} = Execute ozone sh volume list | grep -Ev 
'Removed|DEBUG|ERROR|INFO|TRACE|WARN' | jq -r '.[] | 
select(.volumeName=="${volume}")'
 
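Review bot: dropping `--user bilbo` and `--root` from the `volume create` and `volume list` calls means `Test ozone shell` now exercises only a self-owned volume; the admin-creates-for-another-owner path is the one whose authorization behaviour this PR changes, so keep one case that creates with `--user` as the admin principal and asserts both the listing for that owner and the denial for an unrelated user. The `grep -Ev` / `jq` pipeline is unchanged apart from the flag removal, which is fine.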
 Review comment:
   whitespace:end of line
   





[GitHub] [hadoop] hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate ACL on volume bucket key and prefix to authorize access. Contributed by Ajay Kumar.

2019-06-27 Thread GitBox
hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate 
ACL on volume bucket key and prefix to authorize access. Contributed by Ajay 
Kumar.
URL: https://github.com/apache/hadoop/pull/973#discussion_r298385855
 
 

 ##
 File path: hadoop-ozone/dist/src/main/smoketest/security/ozone-secure-fs.robot
 ##
 @@ -91,7 +91,41 @@ Test key Acls
 ${result} = Execute ozone sh key removeacl 
${volume3}/bk1/key1 -a user:superuser1:xy
 ${result} = Execute ozone sh key getacl ${volume3}/bk1/key1
 Should Match Regexp ${result}   \"type\" : 
\"USER\",\n.*\"name\" : \"superuser1\",\n.*\"aclList\" : . \"READ\", \"WRITE\"
-${result} = Execute ozone sh key setacl 
${volume3}/bk1/key1 -al user:superuser1:rwxy,group:superuser1:a
+${result} = Execute ozone sh key setacl 
${volume3}/bk1/key1 -al 
user:superuser1:rwxy,group:superuser1:a,user:testuser/s...@example.com:rwxyc
 ${result} = Execute ozone sh key getacl ${volume3}/bk1/key1
 Should Match Regexp ${result}   \"type\" : 
\"USER\",\n.*\"name\" : \"superuser1*\",\n.*\"aclList\" : . \"READ\", 
\"WRITE\", \"READ_ACL\", \"WRITE_ACL\"
-Should Match Regexp ${result}   \"type\" : 
\"GROUP\",\n.*\"name\" : \"superuser1\",\n.*\"aclList\" : . \"ALL\"
\ No newline at end of file
+Should Match Regexp ${result}   \"type\" : 
\"GROUP\",\n.*\"name\" : \"superuser1\",\n.*\"aclList\" : . \"ALL\"
+
+Test native authorizer
+Execute ozone sh volume removeacl ${volume3} -a group:root:a
+Execute kdestroy
+Run Keyword Kinit test user testuser2testuser2.keytab
+${result} = Execute And Ignore Error ozone sh bucket list 
/${volume3}/
 
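Review bot: the unchanged `Should Match Regexp` pattern `\"name\" : \"superuser1*\"` applies the regex `*` to the trailing `1`, so it also matches `superuser` and `superuser11`; now that the `setacl` line adds a second `user:` entry (`testuser/...` with `rwxyc`), use a literal `superuser1` so the assertion is checking the intended entry and not a neighbouring one.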
 Review comment:
   whitespace:end of line
   





[GitHub] [hadoop] hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate ACL on volume bucket key and prefix to authorize access. Contributed by Ajay Kumar.

2019-06-27 Thread GitBox
hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate 
ACL on volume bucket key and prefix to authorize access. Contributed by Ajay 
Kumar.
URL: https://github.com/apache/hadoop/pull/973#discussion_r298385842
 
 

 ##
 File path: hadoop-ozone/dist/src/main/smoketest/security/ozone-secure-fs.robot
 ##
 @@ -91,7 +91,41 @@ Test key Acls
 ${result} = Execute ozone sh key removeacl 
${volume3}/bk1/key1 -a user:superuser1:xy
 ${result} = Execute ozone sh key getacl ${volume3}/bk1/key1
 Should Match Regexp ${result}   \"type\" : 
\"USER\",\n.*\"name\" : \"superuser1\",\n.*\"aclList\" : . \"READ\", \"WRITE\"
-${result} = Execute ozone sh key setacl 
${volume3}/bk1/key1 -al user:superuser1:rwxy,group:superuser1:a
+${result} = Execute ozone sh key setacl 
${volume3}/bk1/key1 -al 
user:superuser1:rwxy,group:superuser1:a,user:testuser/s...@example.com:rwxyc
 ${result} = Execute ozone sh key getacl ${volume3}/bk1/key1
 Should Match Regexp ${result}   \"type\" : 
\"USER\",\n.*\"name\" : \"superuser1*\",\n.*\"aclList\" : . \"READ\", 
\"WRITE\", \"READ_ACL\", \"WRITE_ACL\"
-Should Match Regexp ${result}   \"type\" : 
\"GROUP\",\n.*\"name\" : \"superuser1\",\n.*\"aclList\" : . \"ALL\"
\ No newline at end of file
+Should Match Regexp ${result}   \"type\" : 
\"GROUP\",\n.*\"name\" : \"superuser1\",\n.*\"aclList\" : . \"ALL\"
+
+Test native authorizer
+Execute ozone sh volume removeacl ${volume3} -a group:root:a
+Execute kdestroy
 
 Review comment:
   whitespace:end of line
   





[GitHub] [hadoop] hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate ACL on volume bucket key and prefix to authorize access. Contributed by Ajay Kumar.

2019-06-27 Thread GitBox
hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate 
ACL on volume bucket key and prefix to authorize access. Contributed by Ajay 
Kumar.
URL: https://github.com/apache/hadoop/pull/973#discussion_r298385900
 
 

 ##
 File path: 
hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/security/acl/TestOzoneNativeAuthorizer.java
 ##
 @@ -0,0 +1,450 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership.  The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations 
under
+ * the License.
+ */
+package org.apache.hadoop.ozone.security.acl;
+
+import org.apache.commons.lang3.RandomUtils;
+import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
+import org.apache.hadoop.hdds.scm.TestUtils;
+import org.apache.hadoop.hdds.scm.container.MockNodeManager;
+import org.apache.hadoop.hdds.scm.node.NodeManager;
+import org.apache.hadoop.hdds.scm.server.SCMConfigurator;
+import org.apache.hadoop.hdds.scm.server.StorageContainerManager;
+import org.apache.hadoop.ozone.OzoneAcl;
+import org.apache.hadoop.ozone.om.BucketManagerImpl;
+import org.apache.hadoop.ozone.om.IOzoneAcl;
+import org.apache.hadoop.ozone.om.KeyManagerImpl;
+import org.apache.hadoop.ozone.om.OMMetadataManager;
+import org.apache.hadoop.ozone.om.OmMetadataManagerImpl;
+import org.apache.hadoop.ozone.om.PrefixManager;
+import org.apache.hadoop.ozone.om.PrefixManagerImpl;
+import org.apache.hadoop.ozone.om.VolumeManagerImpl;
+import org.apache.hadoop.ozone.om.exceptions.OMException;
+import org.apache.hadoop.ozone.om.helpers.OmBucketInfo;
+import org.apache.hadoop.ozone.om.helpers.OmKeyArgs;
+import org.apache.hadoop.ozone.om.helpers.OmVolumeArgs;
+import org.apache.hadoop.ozone.om.helpers.OpenKeySession;
+import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType;
+import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType;
+import org.apache.hadoop.ozone.web.utils.OzoneUtils;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.test.GenericTestUtils;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+import java.util.stream.Collectors;
+
+import static org.apache.hadoop.hdds.HddsConfigKeys.OZONE_METADATA_DIRS;
+import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS;
+import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS_NATIVE;
+import static org.apache.hadoop.ozone.OzoneConsts.OZONE_URI_DELIMITER;
+import static 
org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType.ANONYMOUS;
+import static 
org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType.GROUP;
+import static 
org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType.USER;
+import static 
org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType.WORLD;
+import static 
org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType.ALL;
+import static 
org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType.NONE;
+import static 
org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.BUCKET;
+import static org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.KEY;
+import static 
org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.PREFIX;
+import static 
org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.VOLUME;
+import static org.apache.hadoop.ozone.security.acl.OzoneObj.StoreType.OZONE;
+import static org.junit.Assert.*;
+import static org.junit.Assert.assertTrue;
+
+/**
+ * Test class for {@link OzoneNativeAuthorizer}.
+ */
+@RunWith(Parameterized.class)
+public class TestOzoneNativeAuthorizer {
+
+  private static OzoneConfiguration ozConfig;
+  private String vol;
+  private String buck;
+  private String key;
+  private String prefix;
+  private ACLType parentDirUserAcl;
+  private ACLType parentDirGroupAcl;
+  private boolean expectedAclResult;
+
+  private static KeyManagerImpl keyManager;
+  private static VolumeManagerImpl volumeManager;
+  private static BucketManagerImpl 
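Review bot: `import static org.junit.Assert.*;` followed by `import static org.junit.Assert.assertTrue;` is redundant, and the wildcard static import is a checkstyle finding in Hadoop; import the individual assertions used. The hunk is truncated at `private static BucketManagerImpl`, so the rest of the class, including the `@Parameterized.Parameters` set that drives `parentDirUserAcl`, `parentDirGroupAcl` and `expectedAclResult`, cannot be reviewed here.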

[GitHub] [hadoop] hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate ACL on volume bucket key and prefix to authorize access. Contributed by Ajay Kumar.

2019-06-27 Thread GitBox
hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate 
ACL on volume bucket key and prefix to authorize access. Contributed by Ajay 
Kumar.
URL: https://github.com/apache/hadoop/pull/973#discussion_r298385875
 
 

 ##
 File path: hadoop-ozone/dist/src/main/smoketest/security/ozone-secure-fs.robot
 ##
 @@ -91,7 +91,41 @@ Test key Acls
 ${result} = Execute ozone sh key removeacl 
${volume3}/bk1/key1 -a user:superuser1:xy
 ${result} = Execute ozone sh key getacl ${volume3}/bk1/key1
 Should Match Regexp ${result}   \"type\" : 
\"USER\",\n.*\"name\" : \"superuser1\",\n.*\"aclList\" : . \"READ\", \"WRITE\"
-${result} = Execute ozone sh key setacl 
${volume3}/bk1/key1 -al user:superuser1:rwxy,group:superuser1:a
+${result} = Execute ozone sh key setacl 
${volume3}/bk1/key1 -al 
user:superuser1:rwxy,group:superuser1:a,user:testuser/s...@example.com:rwxyc
 ${result} = Execute ozone sh key getacl ${volume3}/bk1/key1
 Should Match Regexp ${result}   \"type\" : 
\"USER\",\n.*\"name\" : \"superuser1*\",\n.*\"aclList\" : . \"READ\", 
\"WRITE\", \"READ_ACL\", \"WRITE_ACL\"
-Should Match Regexp ${result}   \"type\" : 
\"GROUP\",\n.*\"name\" : \"superuser1\",\n.*\"aclList\" : . \"ALL\"
\ No newline at end of file
+Should Match Regexp ${result}   \"type\" : 
\"GROUP\",\n.*\"name\" : \"superuser1\",\n.*\"aclList\" : . \"ALL\"
+
+Test native authorizer
+Execute ozone sh volume removeacl ${volume3} -a group:root:a
+Execute kdestroy
+Run Keyword Kinit test user testuser2testuser2.keytab
+${result} = Execute And Ignore Error ozone sh bucket list 
/${volume3}/
+Should contain  ${result}PERMISSION_DENIED
+${result} = Execute And Ignore Error ozone sh key list 
/${volume3}/bk1  
+Should contain  ${result}PERMISSION_DENIED
+${result} = Execute And Ignore Error ozone sh volume addacl 
${volume3} -a user:testuser2/s...@example.com:xy
+Should contain  ${result}PERMISSION_DENIED User 
testuser2/s...@example.com doesn't have WRITE_ACL permission to access volume
+Execute kdestroy
+Run Keyword Kinit test user testuser testuser.keytab
+Execute ozone sh volume addacl ${volume3} -a 
user:testuser2/s...@example.com:xyrw
+Execute kdestroy
+Run Keyword Kinit test user testuser2testuser2.keytab
+${result} = Execute And Ignore Error ozone sh bucket list 
/${volume3}/
+Should contain  ${result}PERMISSION_DENIED 
org.apache.hadoop.ozone.om.exceptions.OMException: User 
testuser2/s...@example.com doesn't have LIST permission to access volume
+Execute ozone sh volume addacl ${volume3} -a 
user:testuser2/s...@example.com:l
+Execute ozone sh bucket list /${volume3}/
+Execute ozone sh volume getacl /${volume3}/
 
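Review bot: the `Should contain` assertions on `PERMISSION_DENIED User testuser2/... doesn't have WRITE_ACL permission to access volume` and on the line that includes `org.apache.hadoop.ozone.om.exceptions.OMException:` pin the test to the exact message wording and to the exception class name appearing in CLI output, which will break on any message edit; asserting on `PERMISSION_DENIED` plus the missing permission name (`WRITE_ACL`, `LIST`) is enough to prove the authorizer denied the right operation.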
 Review comment:
   whitespace:end of line
   





[GitHub] [hadoop] hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate ACL on volume bucket key and prefix to authorize access. Contributed by Ajay Kumar.

2019-06-27 Thread GitBox
hadoop-yetus commented on a change in pull request #973: HDDS-1611. Evaluate 
ACL on volume bucket key and prefix to authorize access. Contributed by Ajay 
Kumar.
URL: https://github.com/apache/hadoop/pull/973#discussion_r298385891
 
 

 ##
 File path: 
hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/security/acl/TestOzoneNativeAuthorizer.java
 ##
 @@ -0,0 +1,450 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership.  The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations 
under
+ * the License.
+ */
+package org.apache.hadoop.ozone.security.acl;
+
+import org.apache.commons.lang3.RandomUtils;
+import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
+import org.apache.hadoop.hdds.scm.TestUtils;
+import org.apache.hadoop.hdds.scm.container.MockNodeManager;
+import org.apache.hadoop.hdds.scm.node.NodeManager;
+import org.apache.hadoop.hdds.scm.server.SCMConfigurator;
+import org.apache.hadoop.hdds.scm.server.StorageContainerManager;
+import org.apache.hadoop.ozone.OzoneAcl;
+import org.apache.hadoop.ozone.om.BucketManagerImpl;
+import org.apache.hadoop.ozone.om.IOzoneAcl;
+import org.apache.hadoop.ozone.om.KeyManagerImpl;
+import org.apache.hadoop.ozone.om.OMMetadataManager;
+import org.apache.hadoop.ozone.om.OmMetadataManagerImpl;
+import org.apache.hadoop.ozone.om.PrefixManager;
+import org.apache.hadoop.ozone.om.PrefixManagerImpl;
+import org.apache.hadoop.ozone.om.VolumeManagerImpl;
+import org.apache.hadoop.ozone.om.exceptions.OMException;
+import org.apache.hadoop.ozone.om.helpers.OmBucketInfo;
+import org.apache.hadoop.ozone.om.helpers.OmKeyArgs;
+import org.apache.hadoop.ozone.om.helpers.OmVolumeArgs;
+import org.apache.hadoop.ozone.om.helpers.OpenKeySession;
+import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType;
+import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType;
+import org.apache.hadoop.ozone.web.utils.OzoneUtils;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.test.GenericTestUtils;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+import java.util.stream.Collectors;
+
+import static org.apache.hadoop.hdds.HddsConfigKeys.OZONE_METADATA_DIRS;
+import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS;
+import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS_NATIVE;
+import static org.apache.hadoop.ozone.OzoneConsts.OZONE_URI_DELIMITER;
+import static 
org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType.ANONYMOUS;
+import static 
org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType.GROUP;
+import static 
org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType.USER;
+import static 
org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType.WORLD;
+import static 
org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType.ALL;
+import static 
org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType.NONE;
+import static 
org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.BUCKET;
+import static org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.KEY;
+import static 
org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.PREFIX;
+import static 
org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.VOLUME;
+import static org.apache.hadoop.ozone.security.acl.OzoneObj.StoreType.OZONE;
+import static org.junit.Assert.*;
+import static org.junit.Assert.assertTrue;
+
+/**
+ * Test class for {@link OzoneNativeAuthorizer}.
+ */
+@RunWith(Parameterized.class)
+public class TestOzoneNativeAuthorizer {
+
+  private static OzoneConfiguration ozConfig;
+  private String vol;
+  private String buck;
+  private String key;
+  private String prefix;
+  private ACLType parentDirUserAcl;
+  private ACLType parentDirGroupAcl;
+  private boolean expectedAclResult;
+
+  private static KeyManagerImpl keyManager;
+  private static VolumeManagerImpl volumeManager;
+  private static BucketManagerImpl