HDDS-1538. Update ozone protobuf message for ACLs. Contributed by Ajay Kumar. (#828)

This commit is contained in:
Ajay Yadav 2019-05-21 15:53:40 -07:00 committed by GitHub
parent a85451c8d2
commit ef1cc725b8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
19 changed files with 339 additions and 244 deletions

View File

@ -52,12 +52,11 @@ public final class OzoneConsts {
public static final String OZONE_ACL_USER_TYPE = "user";
public static final String OZONE_ACL_GROUP_TYPE = "group";
public static final String OZONE_ACL_WORLD_TYPE = "world";
public static final String OZONE_ACL_ANONYMOUS_TYPE = "anonymous";
public static final String OZONE_ACL_IP_TYPE = "ip";
public static final String OZONE_ACL_READ = "r";
public static final String OZONE_ACL_WRITE = "w";
public static final String OZONE_ACL_READ_WRITE = "rw";
public static final String OZONE_ACL_WRITE_READ = "wr";
public static final String OZONE_ACL_DELETE = "d";
public static final String OZONE_ACL_LIST = "l";
public static final String OZONE_ACL_ALL = "a";

View File

@ -540,14 +540,6 @@
the address of the OM.
</description>
</property>
<property>
<name>ozone.om.group.rights</name>
<value>READ_WRITE</value>
<tag>OM, SECURITY</tag>
<description>
Default group permissions in Ozone OM.
</description>
</property>
<property>
<name>ozone.om.handler.count.key</name>
<value>20</value>
@ -640,14 +632,6 @@
of buckets or keys inside each bucket a user can create.
</description>
</property>
<property>
<name>ozone.om.user.rights</name>
<value>READ_WRITE</value>
<tag>OM, SECURITY</tag>
<description>
Default user permissions used in OM.
</description>
</property>
<property>
<name>ozone.om.db.dirs</name>
<value/>

View File

@ -112,7 +112,7 @@ public class RestClient implements ClientProtocol {
private final URI ozoneRestUri;
private final CloseableHttpClient httpClient;
private final UserGroupInformation ugi;
private final OzoneAcl.OzoneACLRights userRights;
// private final OzoneAcl.OzoneACLRights userRights;
/**
* Creates RestClient instance with the given configuration.
@ -161,8 +161,8 @@ public RestClient(Configuration conf)
.build())
.build();
this.userRights = conf.getEnum(OMConfigKeys.OZONE_OM_USER_RIGHTS,
OMConfigKeys.OZONE_OM_USER_RIGHTS_DEFAULT);
// this.userRights = conf.getEnum(OMConfigKeys.OZONE_OM_USER_RIGHTS,
// OMConfigKeys.OZONE_OM_USER_RIGHTS_DEFAULT);
// TODO: Add new configuration parameter to configure RestServerSelector.
RestServerSelector defaultSelector = new DefaultRestServerSelector();

View File

@ -73,7 +73,6 @@
.OzoneManagerProtocolClientSideTranslatorPB;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.ozone.OzoneAcl;
import org.apache.hadoop.ozone.om.OMConfigKeys;
import org.apache.hadoop.ozone.protocol.proto
.OzoneManagerProtocolProtos.ServicePort;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
@ -85,6 +84,9 @@
import org.apache.hadoop.hdds.scm.protocolPB
.StorageContainerLocationProtocolPB;
import org.apache.hadoop.ozone.security.OzoneTokenIdentifier;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType;
import org.apache.hadoop.ozone.security.acl.OzoneAclConfig;
import org.apache.hadoop.ozone.web.utils.OzoneUtils;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
@ -121,8 +123,8 @@ public class RpcClient implements ClientProtocol, KeyProviderTokenIssuer {
private final int bytesPerChecksum;
private boolean verifyChecksum;
private final UserGroupInformation ugi;
private final OzoneAcl.OzoneACLRights userRights;
private final OzoneAcl.OzoneACLRights groupRights;
private final ACLType userRights;
private final ACLType groupRights;
private final long streamBufferFlushSize;
private final long streamBufferMaxSize;
private final long blockSize;
@ -141,10 +143,11 @@ public RpcClient(Configuration conf) throws IOException {
Preconditions.checkNotNull(conf);
this.conf = new OzoneConfiguration(conf);
this.ugi = UserGroupInformation.getCurrentUser();
this.userRights = conf.getEnum(OMConfigKeys.OZONE_OM_USER_RIGHTS,
OMConfigKeys.OZONE_OM_USER_RIGHTS_DEFAULT);
this.groupRights = conf.getEnum(OMConfigKeys.OZONE_OM_GROUP_RIGHTS,
OMConfigKeys.OZONE_OM_GROUP_RIGHTS_DEFAULT);
// Get default acl rights for user and group.
OzoneAclConfig aclConfig = this.conf.getObject(OzoneAclConfig.class);
this.userRights = aclConfig.getUserDefaultRights();
this.groupRights = aclConfig.getGroupDefaultRights();
this.ozoneManagerClient = new OzoneManagerProtocolClientSideTranslatorPB(
this.conf, clientId.toString(), ugi);
long scmVersion =
@ -256,13 +259,13 @@ public void createVolume(String volumeName, VolumeArgs volArgs)
OzoneQuota.parseQuota(volArgs.getQuota()).sizeInBytes();
List<OzoneAcl> listOfAcls = new ArrayList<>();
//User ACL
listOfAcls.add(new OzoneAcl(OzoneAcl.OzoneACLType.USER,
listOfAcls.add(new OzoneAcl(ACLIdentityType.USER,
owner, userRights));
//Group ACLs of the User
List<String> userGroups = Arrays.asList(UserGroupInformation
.createRemoteUser(owner).getGroupNames());
userGroups.stream().forEach((group) -> listOfAcls.add(
new OzoneAcl(OzoneAcl.OzoneACLType.GROUP, group, groupRights)));
new OzoneAcl(ACLIdentityType.GROUP, group, groupRights)));
//ACLs from VolumeArgs
if(volArgs.getAcls() != null) {
listOfAcls.addAll(volArgs.getAcls());
@ -403,13 +406,13 @@ public void createBucket(
List<OzoneAcl> listOfAcls = new ArrayList<>();
//User ACL
listOfAcls.add(new OzoneAcl(OzoneAcl.OzoneACLType.USER,
listOfAcls.add(new OzoneAcl(ACLIdentityType.USER,
ugi.getUserName(), userRights));
//Group ACLs of the User
List<String> userGroups = Arrays.asList(UserGroupInformation
.createRemoteUser(ugi.getUserName()).getGroupNames());
userGroups.stream().forEach((group) -> listOfAcls.add(
new OzoneAcl(OzoneAcl.OzoneACLType.GROUP, group, groupRights)));
new OzoneAcl(ACLIdentityType.GROUP, group, groupRights)));
//ACLs from BucketArgs
if(bucketArgs.getAcls() != null) {
listOfAcls.addAll(bucketArgs.getAcls());

View File

@ -19,6 +19,11 @@
package org.apache.hadoop.ozone;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
/**
@ -32,9 +37,9 @@
* </ul>
*/
public class OzoneAcl {
private OzoneACLType type;
private ACLIdentityType type;
private String name;
private OzoneACLRights rights;
private List<ACLType> rights;
/**
* Constructor for OzoneAcl.
@ -47,16 +52,37 @@ public OzoneAcl() {
*
* @param type - Type
* @param name - Name of user
* @param rights - Rights
* @param acl - Rights
*/
public OzoneAcl(OzoneACLType type, String name, OzoneACLRights rights) {
public OzoneAcl(ACLIdentityType type, String name, ACLType acl) {
this.name = name;
this.rights = rights;
this.rights = new ArrayList<>();
this.rights.add(acl);
this.type = type;
if (type == OzoneACLType.WORLD && name.length() != 0) {
if (type == ACLIdentityType.WORLD && name.length() != 0) {
throw new IllegalArgumentException("Unexpected name part in world type");
}
if (((type == OzoneACLType.USER) || (type == OzoneACLType.GROUP))
if (((type == ACLIdentityType.USER) || (type == ACLIdentityType.GROUP))
&& (name.length() == 0)) {
throw new IllegalArgumentException("User or group name is required");
}
}
/**
* Constructor for OzoneAcl.
*
* @param type - Type
* @param name - Name of user
* @param acls - Rights
*/
public OzoneAcl(ACLIdentityType type, String name, List<ACLType> acls) {
this.name = name;
this.rights = acls;
this.type = type;
if (type == ACLIdentityType.WORLD && name.length() != 0) {
throw new IllegalArgumentException("Unexpected name part in world type");
}
if (((type == ACLIdentityType.USER) || (type == ACLIdentityType.GROUP))
&& (name.length() == 0)) {
throw new IllegalArgumentException("User or group name is required");
}
@ -78,17 +104,20 @@ public static OzoneAcl parseAcl(String acl) throws IllegalArgumentException {
throw new IllegalArgumentException("ACLs are not in expected format");
}
OzoneACLType aclType = OzoneACLType.valueOf(parts[0].toUpperCase());
OzoneACLRights rights = OzoneACLRights.getACLRight(parts[2].toLowerCase());
ACLIdentityType aclType = ACLIdentityType.valueOf(parts[0].toUpperCase());
List<ACLType> acls = new ArrayList<>();
for (char ch : parts[2].toCharArray()) {
acls.add(ACLType.getACLRight(String.valueOf(ch)));
}
// TODO : Support sanitation of these user names by calling into
// userAuth Interface.
return new OzoneAcl(aclType, parts[1], rights);
return new OzoneAcl(aclType, parts[1], acls);
}
@Override
public String toString() {
return type + ":" + name + ":" + OzoneACLRights.getACLRightsString(rights);
return type + ":" + name + ":" + ACLType.getACLString(rights);
}
/**
@ -120,7 +149,7 @@ public String getName() {
*
* @return - Rights
*/
public OzoneACLRights getRights() {
public List<ACLType> getRights() {
return rights;
}
@ -129,7 +158,7 @@ public OzoneACLRights getRights() {
*
* @return type
*/
public OzoneACLType getType() {
public ACLIdentityType getType() {
return type;
}
@ -150,9 +179,7 @@ public boolean equals(Object obj) {
return false;
}
OzoneAcl otherAcl = (OzoneAcl) obj;
return otherAcl.getName().equals(this.getName()) &&
otherAcl.getRights() == this.getRights() &&
otherAcl.getType() == this.getType();
return otherAcl.toString().equals(this.toString());
}
/**
@ -177,57 +204,4 @@ public enum OzoneACLType {
value = val;
}
}
/**
* ACL rights.
*/
public enum OzoneACLRights {
READ, WRITE, READ_WRITE;
/**
* Returns the ACL rights based on passed in String.
*
* @param type ACL right string
*
* @return OzoneACLRights
*/
public static OzoneACLRights getACLRight(String type) {
if (type == null || type.isEmpty()) {
throw new IllegalArgumentException("ACL right cannot be empty");
}
switch (type) {
case OzoneConsts.OZONE_ACL_READ:
return OzoneACLRights.READ;
case OzoneConsts.OZONE_ACL_WRITE:
return OzoneACLRights.WRITE;
case OzoneConsts.OZONE_ACL_READ_WRITE:
case OzoneConsts.OZONE_ACL_WRITE_READ:
return OzoneACLRights.READ_WRITE;
default:
throw new IllegalArgumentException("ACL right is not recognized");
}
}
/**
* Returns String representation of ACL rights.
* @param acl OzoneACLRights
* @return String representation of acl
*/
public static String getACLRightsString(OzoneACLRights acl) {
switch(acl) {
case READ:
return OzoneConsts.OZONE_ACL_READ;
case WRITE:
return OzoneConsts.OZONE_ACL_WRITE;
case READ_WRITE:
return OzoneConsts.OZONE_ACL_READ_WRITE;
default:
throw new IllegalArgumentException("ACL right is not recognized");
}
}
}
}

View File

@ -19,7 +19,6 @@
import java.util.concurrent.TimeUnit;
import org.apache.hadoop.ozone.OzoneAcl;
import org.apache.ratis.util.TimeDuration;
/**
@ -78,17 +77,6 @@ private OMConfigKeys() {
"ozone.om.user.max.volume";
public static final int OZONE_OM_USER_MAX_VOLUME_DEFAULT = 1024;
// OM Default user/group permissions
public static final String OZONE_OM_USER_RIGHTS =
"ozone.om.user.rights";
public static final OzoneAcl.OzoneACLRights OZONE_OM_USER_RIGHTS_DEFAULT =
OzoneAcl.OzoneACLRights.READ_WRITE;
public static final String OZONE_OM_GROUP_RIGHTS =
"ozone.om.group.rights";
public static final OzoneAcl.OzoneACLRights OZONE_OM_GROUP_RIGHTS_DEFAULT =
OzoneAcl.OzoneACLRights.READ_WRITE;
public static final String OZONE_KEY_DELETING_LIMIT_PER_TASK =
"ozone.key.deleting.limit.per.task";
public static final int OZONE_KEY_DELETING_LIMIT_PER_TASK_DEFAULT = 1000;

View File

@ -37,7 +37,7 @@
@SuppressWarnings("ProtocolBufferOrdinal")
public class OmOzoneAclMap {
// per Acl Type user:rights map
private ArrayList<Map<String, OzoneAclRights>> aclMaps;
private ArrayList<Map<String, List<OzoneAclRights>>> aclMaps;
OmOzoneAclMap() {
aclMaps = new ArrayList<>();
@ -46,51 +46,75 @@ public class OmOzoneAclMap {
}
}
private Map<String, OzoneAclRights> getMap(OzoneAclType type) {
private Map<String, List<OzoneAclRights>> getMap(OzoneAclType type) {
return aclMaps.get(type.ordinal());
}
// For a given acl type and user, get the stored acl
private OzoneAclRights getAcl(OzoneAclType type, String user) {
private List<OzoneAclRights> getAcl(OzoneAclType type, String user) {
return getMap(type).get(user);
}
// Add a new acl to the map
public void addAcl(OzoneAclInfo acl) {
getMap(acl.getType()).put(acl.getName(), acl.getRights());
getMap(acl.getType()).put(acl.getName(), acl.getRightsList());
}
// for a given acl, check if the user has access rights
public boolean hasAccess(OzoneAclInfo acl) {
OzoneAclRights storedRights = getAcl(acl.getType(), acl.getName());
if (storedRights != null) {
switch (acl.getRights()) {
case READ:
return (storedRights == OzoneAclRights.READ)
|| (storedRights == OzoneAclRights.READ_WRITE);
if (acl == null) {
return false;
}
List<OzoneAclRights> storedRights = getAcl(acl.getType(), acl.getName());
if(storedRights == null) {
return false;
}
for (OzoneAclRights right : storedRights) {
switch (right) {
case CREATE:
return (right == OzoneAclRights.CREATE)
|| (right == OzoneAclRights.ALL);
case LIST:
return (right == OzoneAclRights.LIST)
|| (right == OzoneAclRights.ALL);
case WRITE:
return (storedRights == OzoneAclRights.WRITE)
|| (storedRights == OzoneAclRights.READ_WRITE);
case READ_WRITE:
return (storedRights == OzoneAclRights.READ_WRITE);
return (right == OzoneAclRights.WRITE)
|| (right == OzoneAclRights.ALL);
case READ:
return (right == OzoneAclRights.READ)
|| (right == OzoneAclRights.ALL);
case DELETE:
return (right == OzoneAclRights.DELETE)
|| (right == OzoneAclRights.ALL);
case READ_ACL:
return (right == OzoneAclRights.READ_ACL)
|| (right == OzoneAclRights.ALL);
case WRITE_ACL:
return (right == OzoneAclRights.WRITE_ACL)
|| (right == OzoneAclRights.ALL);
case ALL:
return (right == OzoneAclRights.ALL);
case NONE:
return !(right == OzoneAclRights.NONE);
default:
return false;
}
} else {
return false;
}
return false;
}
// Convert this map to OzoneAclInfo Protobuf List
public List<OzoneAclInfo> ozoneAclGetProtobuf() {
List<OzoneAclInfo> aclList = new LinkedList<>();
for (OzoneAclType type: OzoneAclType.values()) {
for (Map.Entry<String, OzoneAclRights> entry :
for (Map.Entry<String, List<OzoneAclRights>> entry :
aclMaps.get(type.ordinal()).entrySet()) {
OzoneAclInfo aclInfo = OzoneAclInfo.newBuilder()
.setName(entry.getKey())
.setType(type)
.setRights(entry.getValue())
.addAllRights(entry.getValue())
.build();
aclList.add(aclInfo);
}

View File

@ -41,9 +41,15 @@
import org.apache.hadoop.ozone.protocol.proto
.OzoneManagerProtocolProtos.OzoneAclInfo.OzoneAclRights;
import org.apache.hadoop.ozone.security.OzoneTokenIdentifier;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType;
import org.apache.hadoop.security.proto.SecurityProtos.TokenProto;
import org.apache.hadoop.security.token.Token;
import java.util.List;
import java.util.ArrayList;
/**
* Utilities for converting protobuf classes.
*/
@ -59,7 +65,7 @@ private OMPBHelper() {
*/
public static OzoneAclInfo convertOzoneAcl(OzoneAcl acl) {
OzoneAclInfo.OzoneAclType aclType;
switch(acl.getType()) {
switch (acl.getType()) {
case USER:
aclType = OzoneAclType.USER;
break;
@ -69,27 +75,24 @@ public static OzoneAclInfo convertOzoneAcl(OzoneAcl acl) {
case WORLD:
aclType = OzoneAclType.WORLD;
break;
case ANONYMOUS:
aclType = OzoneAclType.ANONYMOUS;
break;
case CLIENT_IP:
aclType = OzoneAclType.CLIENT_IP;
break;
default:
throw new IllegalArgumentException("ACL type is not recognized");
}
OzoneAclInfo.OzoneAclRights aclRights;
switch(acl.getRights()) {
case READ:
aclRights = OzoneAclRights.READ;
break;
case WRITE:
aclRights = OzoneAclRights.WRITE;
break;
case READ_WRITE:
aclRights = OzoneAclRights.READ_WRITE;
break;
default:
throw new IllegalArgumentException("ACL right is not recognized");
List<OzoneAclRights> aclRights = new ArrayList<>();
for (ACLType right : acl.getRights()) {
aclRights.add(OzoneAclRights.valueOf(right.name()));
}
return OzoneAclInfo.newBuilder().setType(aclType)
.setName(acl.getName())
.setRights(aclRights)
.addAllRights(aclRights)
.build();
}
@ -98,35 +101,31 @@ public static OzoneAclInfo convertOzoneAcl(OzoneAcl acl) {
* @return OzoneAcl
*/
public static OzoneAcl convertOzoneAcl(OzoneAclInfo aclInfo) {
OzoneAcl.OzoneACLType aclType;
switch(aclInfo.getType()) {
ACLIdentityType aclType;
switch (aclInfo.getType()) {
case USER:
aclType = OzoneAcl.OzoneACLType.USER;
aclType = ACLIdentityType.USER;
break;
case GROUP:
aclType = OzoneAcl.OzoneACLType.GROUP;
aclType = ACLIdentityType.GROUP;
break;
case WORLD:
aclType = OzoneAcl.OzoneACLType.WORLD;
aclType = ACLIdentityType.WORLD;
break;
case ANONYMOUS:
aclType = ACLIdentityType.ANONYMOUS;
break;
case CLIENT_IP:
aclType = ACLIdentityType.CLIENT_IP;
break;
default:
throw new IllegalArgumentException("ACL type is not recognized");
}
OzoneAcl.OzoneACLRights aclRights;
switch(aclInfo.getRights()) {
case READ:
aclRights = OzoneAcl.OzoneACLRights.READ;
break;
case WRITE:
aclRights = OzoneAcl.OzoneACLRights.WRITE;
break;
case READ_WRITE:
aclRights = OzoneAcl.OzoneACLRights.READ_WRITE;
break;
default:
throw new IllegalArgumentException("ACL right is not recognized");
}
List<IAccessAuthorizer.ACLType> aclRights = new ArrayList<>();
for (OzoneAclRights acl : aclInfo.getRightsList()) {
aclRights.add(ACLType.valueOf(acl.name()));
}
return new OzoneAcl(aclType, aclInfo.getName(), aclRights);
}

View File

@ -20,6 +20,8 @@
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.ozone.OzoneConsts;
import java.util.List;
/**
* Public API for Ozone ACLs. Security providers providing support for Ozone
* ACLs should implement this.
@ -84,7 +86,8 @@ public static ACLType getACLRight(String type) {
case OzoneConsts.OZONE_ACL_NONE:
return ACLType.NONE;
default:
throw new IllegalArgumentException("ACL right is not recognized");
throw new IllegalArgumentException(type + " ACL right is not " +
"recognized");
}
}
@ -92,10 +95,18 @@ public static ACLType getACLRight(String type) {
/**
* Returns String representation of ACL rights.
*
* @param acl ACLType
* @param acls ACLType
* @return String representation of acl
*/
public static String getACLRightsString(ACLType acl) {
public static String getACLString(List<ACLType> acls) {
StringBuffer sb = new StringBuffer();
acls.forEach(acl -> {
sb.append(getAclString(acl));
});
return sb.toString();
}
public static String getAclString(ACLType acl) {
switch (acl) {
case READ:
return OzoneConsts.OZONE_ACL_READ;
@ -129,7 +140,8 @@ enum ACLIdentityType {
USER(OzoneConsts.OZONE_ACL_USER_TYPE),
GROUP(OzoneConsts.OZONE_ACL_GROUP_TYPE),
CLIENT_IP(OzoneConsts.OZONE_ACL_IP_TYPE),
WORLD(OzoneConsts.OZONE_ACL_WORLD_TYPE);
WORLD(OzoneConsts.OZONE_ACL_WORLD_TYPE),
ANONYMOUS(OzoneConsts.OZONE_ACL_ANONYMOUS_TYPE);
@Override
public String toString() {

View File

@ -0,0 +1,65 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.ozone.security.acl;
import org.apache.hadoop.hdds.conf.Config;
import org.apache.hadoop.hdds.conf.ConfigGroup;
import org.apache.hadoop.hdds.conf.ConfigTag;
import org.apache.hadoop.hdds.conf.ConfigType;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType;
/**
* Ozone ACL config pojo.
* */
@ConfigGroup(prefix = "ozone.om")
public class OzoneAclConfig {
// OM Default user/group permissions
private ACLType userDefaultRights = ACLType.ALL;
private ACLType groupDefaultRights = ACLType.ALL;
@Config(key = "user.rights",
defaultValue = "ALL",
type = ConfigType.STRING,
tags = {ConfigTag.OM, ConfigTag.SECURITY},
description = "Default user permissions set for an object in " +
"OzoneManager."
)
public void setUserDefaultRights(String userRights) {
this.userDefaultRights = ACLType.valueOf(userRights);
}
@Config(key = "group.rights",
defaultValue = "ALL",
type = ConfigType.STRING,
tags = {ConfigTag.OM, ConfigTag.SECURITY},
description = "Default group permissions set for an object in " +
"OzoneManager."
)
public void setGroupDefaultRights(String groupRights) {
this.groupDefaultRights = ACLType.valueOf(groupRights);
}
public ACLType getUserDefaultRights() {
return userDefaultRights;
}
public ACLType getGroupDefaultRights() {
return groupDefaultRights;
}
}

View File

@ -451,15 +451,24 @@ message OzoneAclInfo {
USER = 1;
GROUP = 2;
WORLD = 3;
ANONYMOUS = 4;
CLIENT_IP = 5;
}
enum OzoneAclRights {
READ = 1;
WRITE = 2;
READ_WRITE = 3;
CREATE = 1;
LIST = 2;
DELETE = 3;
READ = 4;
WRITE = 5;
READ_ACL = 6;
WRITE_ACL = 7;
ALL = 8;
NONE = 9;
}
required OzoneAclType type = 1;
required string name = 2;
required OzoneAclRights rights = 3;
repeated OzoneAclRights rights = 3;
}
message CreateBucketRequest {

View File

@ -18,16 +18,20 @@
package org.apache.hadoop.ozone;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType;
import org.junit.Test;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Set;
import static org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType.*;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.fail;
/**
* This class is to test acl stoarge and retreival in ozone store.
* This class is to test acl storage and retrieval in ozone store.
*/
public class TestOzoneAcls {
@ -39,8 +43,8 @@ public void testAclParse() {
testMatrix.put("user:bilbo:r", Boolean.TRUE);
testMatrix.put("user:bilbo:w", Boolean.TRUE);
testMatrix.put("user:bilbo:rw", Boolean.TRUE);
testMatrix.put("user:bilbo:wr", Boolean.TRUE);
testMatrix.put(" user:bilbo:wr ", Boolean.TRUE);
testMatrix.put("user:bilbo:a", Boolean.TRUE);
testMatrix.put(" user:bilbo:a ", Boolean.TRUE);
// ACLs makes no judgement on the quality of
@ -53,7 +57,16 @@ public void testAclParse() {
testMatrix.put("", Boolean.FALSE);
testMatrix.put(null, Boolean.FALSE);
testMatrix.put(" user:bilbo:", Boolean.FALSE);
testMatrix.put(" user:bilbo:rx", Boolean.FALSE);
testMatrix.put(" user:bilbo:rx", Boolean.TRUE);
testMatrix.put(" user:bilbo:rwdlncxy", Boolean.TRUE);
testMatrix.put(" group:bilbo:rwdlncxy", Boolean.TRUE);
testMatrix.put(" world::rwdlncxy", Boolean.TRUE);
testMatrix.put(" user:bilbo:rncxy", Boolean.TRUE);
testMatrix.put(" group:bilbo:ncxy", Boolean.TRUE);
testMatrix.put(" world::ncxy", Boolean.TRUE);
testMatrix.put(" user:bilbo:rwcxy", Boolean.TRUE);
testMatrix.put(" group:bilbo:rwcxy", Boolean.TRUE);
testMatrix.put(" world::rwcxy", Boolean.TRUE);
testMatrix.put(" user:bilbo:mk", Boolean.FALSE);
testMatrix.put(" user::rw", Boolean.FALSE);
testMatrix.put("user11:bilbo:rw", Boolean.FALSE);
@ -62,12 +75,12 @@ public void testAclParse() {
testMatrix.put(" group:hobbit:r", Boolean.TRUE);
testMatrix.put(" group:hobbit:w", Boolean.TRUE);
testMatrix.put(" group:hobbit:rw", Boolean.TRUE);
testMatrix.put(" group:hobbit:wr", Boolean.TRUE);
testMatrix.put(" group:hobbit:a", Boolean.TRUE);
testMatrix.put(" group:*:rw", Boolean.TRUE);
testMatrix.put(" group:~!:rw", Boolean.TRUE);
testMatrix.put(" group:hobbit:", Boolean.FALSE);
testMatrix.put(" group:hobbit:rx", Boolean.FALSE);
testMatrix.put(" group:hobbit:rx", Boolean.TRUE);
testMatrix.put(" group:hobbit:mk", Boolean.FALSE);
testMatrix.put(" group::", Boolean.FALSE);
testMatrix.put(" group::rw", Boolean.FALSE);
@ -77,14 +90,14 @@ public void testAclParse() {
testMatrix.put("JUNK group:hobbit:r", Boolean.FALSE);
testMatrix.put("JUNK group:hobbit:w", Boolean.FALSE);
testMatrix.put("JUNK group:hobbit:rw", Boolean.FALSE);
testMatrix.put("JUNK group:hobbit:wr", Boolean.FALSE);
testMatrix.put("JUNK group:hobbit:a", Boolean.FALSE);
testMatrix.put("JUNK group:*:rw", Boolean.FALSE);
testMatrix.put("JUNK group:~!:rw", Boolean.FALSE);
testMatrix.put(" world::r", Boolean.TRUE);
testMatrix.put(" world::w", Boolean.TRUE);
testMatrix.put(" world::rw", Boolean.TRUE);
testMatrix.put(" world::wr", Boolean.TRUE);
testMatrix.put(" world::a", Boolean.TRUE);
testMatrix.put(" world:bilbo:w", Boolean.FALSE);
testMatrix.put(" world:bilbo:rw", Boolean.FALSE);
@ -97,7 +110,7 @@ public void testAclParse() {
try {
OzoneAcl.parseAcl(key);
// should never get here since parseAcl will throw
fail("An exception was expected but did not happen.");
fail("An exception was expected but did not happen. Key: " + key);
} catch (IllegalArgumentException e) {
// nothing to do
}
@ -109,33 +122,51 @@ public void testAclParse() {
public void testAclValues() {
OzoneAcl acl = OzoneAcl.parseAcl("user:bilbo:rw");
assertEquals(acl.getName(), "bilbo");
assertEquals(OzoneAcl.OzoneACLRights.READ_WRITE, acl.getRights());
assertEquals(OzoneAcl.OzoneACLType.USER, acl.getType());
assertEquals(Arrays.asList(READ, WRITE), acl.getRights());
assertEquals(ACLIdentityType.USER, acl.getType());
acl = OzoneAcl.parseAcl("user:bilbo:wr");
acl = OzoneAcl.parseAcl("user:bilbo:a");
assertEquals("bilbo", acl.getName());
assertEquals(OzoneAcl.OzoneACLRights.READ_WRITE, acl.getRights());
assertEquals(OzoneAcl.OzoneACLType.USER, acl.getType());
assertEquals(Arrays.asList(ALL), acl.getRights());
assertEquals(ACLIdentityType.USER, acl.getType());
acl = OzoneAcl.parseAcl("user:bilbo:r");
assertEquals("bilbo", acl.getName());
assertEquals(OzoneAcl.OzoneACLRights.READ, acl.getRights());
assertEquals(OzoneAcl.OzoneACLType.USER, acl.getType());
assertEquals(Arrays.asList(READ), acl.getRights());
assertEquals(ACLIdentityType.USER, acl.getType());
acl = OzoneAcl.parseAcl("user:bilbo:w");
assertEquals("bilbo", acl.getName());
assertEquals(OzoneAcl.OzoneACLRights.WRITE, acl.getRights());
assertEquals(OzoneAcl.OzoneACLType.USER, acl.getType());
assertEquals(Arrays.asList(WRITE), acl.getRights());
assertEquals(ACLIdentityType.USER, acl.getType());
acl = OzoneAcl.parseAcl("group:hobbit:wr");
acl = OzoneAcl.parseAcl("group:hobbit:a");
assertEquals(acl.getName(), "hobbit");
assertEquals(OzoneAcl.OzoneACLRights.READ_WRITE, acl.getRights());
assertEquals(OzoneAcl.OzoneACLType.GROUP, acl.getType());
assertEquals(Arrays.asList(ALL), acl.getRights());
assertEquals(ACLIdentityType.GROUP, acl.getType());
acl = OzoneAcl.parseAcl("world::wr");
acl = OzoneAcl.parseAcl("world::a");
assertEquals(acl.getName(), "");
assertEquals(OzoneAcl.OzoneACLRights.READ_WRITE, acl.getRights());
assertEquals(OzoneAcl.OzoneACLType.WORLD, acl.getType());
assertEquals(Arrays.asList(ALL), acl.getRights());
assertEquals(ACLIdentityType.WORLD, acl.getType());
acl = OzoneAcl.parseAcl("user:bilbo:rwdlncxy");
assertEquals(acl.getName(), "bilbo");
assertEquals(Arrays.asList(READ, WRITE, DELETE, LIST, NONE, CREATE,
READ_ACL, WRITE_ACL), acl.getRights());
assertEquals(ACLIdentityType.USER, acl.getType());
acl = OzoneAcl.parseAcl("group:hadoop:rwdlncxy");
assertEquals(acl.getName(), "hadoop");
assertEquals(Arrays.asList(READ, WRITE, DELETE, LIST, NONE, CREATE,
READ_ACL, WRITE_ACL), acl.getRights());
assertEquals(ACLIdentityType.GROUP, acl.getType());
acl = OzoneAcl.parseAcl("world::rwdlncxy");
assertEquals(acl.getName(), "");
assertEquals(Arrays.asList(READ, WRITE, DELETE, LIST, NONE, CREATE,
READ_ACL, WRITE_ACL), acl.getRights());
assertEquals(ACLIdentityType.WORLD, acl.getType());
}
}

View File

@ -82,6 +82,8 @@
import org.apache.hadoop.ozone.om.helpers.OmMultipartInfo;
import org.apache.hadoop.ozone.om.helpers.OmMultipartUploadCompleteInfo;
import org.apache.hadoop.ozone.s3.util.OzoneS3Util;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType;
import org.apache.hadoop.test.GenericTestUtils;
import org.apache.hadoop.test.LambdaTestUtils;
import org.apache.hadoop.util.Time;
@ -420,8 +422,8 @@ public void testCreateBucketWithAcls()
throws IOException, OzoneException {
String volumeName = UUID.randomUUID().toString();
String bucketName = UUID.randomUUID().toString();
OzoneAcl userAcl = new OzoneAcl(OzoneAcl.OzoneACLType.USER, "test",
OzoneAcl.OzoneACLRights.READ_WRITE);
OzoneAcl userAcl = new OzoneAcl(ACLIdentityType.USER, "test",
ACLType.READ);
List<OzoneAcl> acls = new ArrayList<>();
acls.add(userAcl);
store.createVolume(volumeName);
@ -439,8 +441,8 @@ public void testCreateBucketWithAllArgument()
throws IOException, OzoneException {
String volumeName = UUID.randomUUID().toString();
String bucketName = UUID.randomUUID().toString();
OzoneAcl userAcl = new OzoneAcl(OzoneAcl.OzoneACLType.USER, "test",
OzoneAcl.OzoneACLRights.READ_WRITE);
OzoneAcl userAcl = new OzoneAcl(ACLIdentityType.USER, "test",
ACLType.ALL);
List<OzoneAcl> acls = new ArrayList<>();
acls.add(userAcl);
store.createVolume(volumeName);
@ -480,9 +482,7 @@ public void testAddBucketAcl()
OzoneVolume volume = store.getVolume(volumeName);
volume.createBucket(bucketName);
List<OzoneAcl> acls = new ArrayList<>();
acls.add(new OzoneAcl(
OzoneAcl.OzoneACLType.USER, "test",
OzoneAcl.OzoneACLRights.READ_WRITE));
acls.add(new OzoneAcl(ACLIdentityType.USER, "test", ACLType.ALL));
OzoneBucket bucket = volume.getBucket(bucketName);
bucket.addAcls(acls);
OzoneBucket newBucket = volume.getBucket(bucketName);
@ -495,8 +495,8 @@ public void testRemoveBucketAcl()
throws IOException, OzoneException {
String volumeName = UUID.randomUUID().toString();
String bucketName = UUID.randomUUID().toString();
OzoneAcl userAcl = new OzoneAcl(OzoneAcl.OzoneACLType.USER, "test",
OzoneAcl.OzoneACLRights.READ_WRITE);
OzoneAcl userAcl = new OzoneAcl(ACLIdentityType.USER, "test",
ACLType.ALL);
List<OzoneAcl> acls = new ArrayList<>();
acls.add(userAcl);
store.createVolume(volumeName);

View File

@ -55,6 +55,8 @@
import org.apache.hadoop.ozone.om.helpers.ServiceInfo;
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.ServicePort;
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.VolumeList;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType;
import org.apache.hadoop.ozone.util.OzoneVersionInfo;
import org.apache.hadoop.ozone.web.handlers.BucketArgs;
import org.apache.hadoop.ozone.web.handlers.KeyArgs;
@ -356,30 +358,29 @@ public void testAccessVolume() throws IOException, OzoneException {
createVolumeArgs.setGroups(groupName);
storageHandler.createVolume(createVolumeArgs);
OzoneAcl userAcl = new OzoneAcl(OzoneAcl.OzoneACLType.USER, userName,
OzoneAcl.OzoneACLRights.READ_WRITE);
OzoneAcl userAcl = new OzoneAcl(ACLIdentityType.USER, userName,
ACLType.READ);
Assert.assertTrue(storageHandler.checkVolumeAccess(volumeName, userAcl));
OzoneAcl group = new OzoneAcl(OzoneAcl.OzoneACLType.GROUP, groupName[0],
OzoneAcl.OzoneACLRights.READ);
OzoneAcl group = new OzoneAcl(ACLIdentityType.GROUP, groupName[0],
ACLType.READ);
Assert.assertTrue(storageHandler.checkVolumeAccess(volumeName, group));
// Create a different user and access should fail
String falseUserName = "user" + RandomStringUtils.randomNumeric(5);
OzoneAcl falseUserAcl =
new OzoneAcl(OzoneAcl.OzoneACLType.USER, falseUserName,
OzoneAcl.OzoneACLRights.READ_WRITE);
new OzoneAcl(ACLIdentityType.USER, falseUserName,
ACLType.ALL);
Assert.assertFalse(storageHandler
.checkVolumeAccess(volumeName, falseUserAcl));
// Checking access with user name and Group Type should fail
OzoneAcl falseGroupAcl = new OzoneAcl(OzoneAcl.OzoneACLType.GROUP, userName,
OzoneAcl.OzoneACLRights.READ_WRITE);
OzoneAcl falseGroupAcl = new OzoneAcl(ACLIdentityType.GROUP, userName,
ACLType.ALL);
Assert.assertFalse(storageHandler
.checkVolumeAccess(volumeName, falseGroupAcl));
// Access for acl type world should also fail
OzoneAcl worldAcl =
new OzoneAcl(OzoneAcl.OzoneACLType.WORLD, "",
OzoneAcl.OzoneACLRights.READ);
new OzoneAcl(ACLIdentityType.WORLD, "", ACLType.READ);
Assert.assertFalse(storageHandler.checkVolumeAccess(volumeName, worldAcl));
Assert.assertEquals(0, omMetrics.getNumVolumeCheckAccessFails());

View File

@ -44,8 +44,6 @@
import org.apache.hadoop.hdfs.DFSUtil;
import org.apache.hadoop.ozone.MiniOzoneCluster;
import org.apache.hadoop.ozone.OzoneAcl;
import org.apache.hadoop.ozone.OzoneAcl.OzoneACLRights;
import org.apache.hadoop.ozone.OzoneAcl.OzoneACLType;
import org.apache.hadoop.ozone.OzoneConsts;
import org.apache.hadoop.ozone.client.OzoneBucket;
import org.apache.hadoop.ozone.client.OzoneKey;
@ -59,6 +57,8 @@
import org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes;
import org.apache.hadoop.ozone.om.helpers.ServiceInfo;
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.ServicePort;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType;
import org.apache.hadoop.ozone.web.ozShell.OzoneShell;
import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.request.OzoneQuota;
@ -744,8 +744,9 @@ public void testUpdateBucket() throws Exception {
OzoneAcl acl = bucket.getAcls().get(aclSize);
assertTrue(acl.getName().equals("frodo")
&& acl.getType() == OzoneACLType.USER
&& acl.getRights()== OzoneACLRights.READ_WRITE);
&& acl.getType() == ACLIdentityType.USER
&& acl.getRights().contains(ACLType.READ)
&& acl.getRights().contains(ACLType.WRITE));
args = new String[] {"bucket", "update",
url + "/" + vol.getName() + "/" + bucketName, "--removeAcl",
@ -756,8 +757,8 @@ public void testUpdateBucket() throws Exception {
acl = bucket.getAcls().get(aclSize);
assertEquals(1 + aclSize, bucket.getAcls().size());
assertTrue(acl.getName().equals("samwise")
&& acl.getType() == OzoneACLType.GROUP
&& acl.getRights()== OzoneACLRights.READ);
&& acl.getType() == ACLIdentityType.GROUP
&& acl.getRights().contains(ACLType.READ));
// test update bucket for a non-exist bucket
args = new String[] {"bucket", "update",

View File

@ -44,8 +44,10 @@
import org.apache.hadoop.ozone.client.io.OzoneOutputStream;
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos;
import org.apache.hadoop.ozone.protocolPB.OMPBHelper;
import org.apache.hadoop.ozone.om.OMConfigKeys;
import org.apache.hadoop.ozone.OzoneAcl;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType;
import org.apache.hadoop.ozone.security.acl.OzoneAclConfig;
import org.apache.hadoop.ozone.web.request.OzoneQuota;
import org.apache.hadoop.hdds.scm.ScmConfigKeys;
import org.apache.hadoop.hdds.scm.XceiverClientManager;
@ -80,8 +82,8 @@ public final class DistributedStorageHandler implements StorageHandler {
private final OzoneManagerProtocol
ozoneManagerClient;
private final XceiverClientManager xceiverClientManager;
private final OzoneAcl.OzoneACLRights userRights;
private final OzoneAcl.OzoneACLRights groupRights;
private final ACLType userRights;
private final ACLType groupRights;
private int chunkSize;
private final long streamBufferFlushSize;
private final long streamBufferMaxSize;
@ -109,10 +111,10 @@ public DistributedStorageHandler(OzoneConfiguration conf,
chunkSize = (int)conf.getStorageSize(ScmConfigKeys.OZONE_SCM_CHUNK_SIZE_KEY,
ScmConfigKeys.OZONE_SCM_CHUNK_SIZE_DEFAULT, StorageUnit.BYTES);
userRights = conf.getEnum(OMConfigKeys.OZONE_OM_USER_RIGHTS,
OMConfigKeys.OZONE_OM_USER_RIGHTS_DEFAULT);
groupRights = conf.getEnum(OMConfigKeys.OZONE_OM_GROUP_RIGHTS,
OMConfigKeys.OZONE_OM_GROUP_RIGHTS_DEFAULT);
// Get default acl rights for user and group.
OzoneAclConfig aclConfig = conf.getObject(OzoneAclConfig.class);
this.userRights = aclConfig.getUserDefaultRights();
this.groupRights = aclConfig.getGroupDefaultRights();
if(chunkSize > OzoneConsts.OZONE_SCM_CHUNK_MAX_SIZE) {
LOG.warn("The chunk size ({}) is not allowed to be more than"
+ " the maximum size ({}),"
@ -176,8 +178,7 @@ public void createVolume(VolumeArgs args) throws IOException, OzoneException {
long quota = args.getQuota() == null ?
OzoneConsts.MAX_QUOTA_IN_BYTES : args.getQuota().sizeInBytes();
OzoneAcl userAcl =
new OzoneAcl(OzoneAcl.OzoneACLType.USER,
args.getUserName(), userRights);
new OzoneAcl(ACLIdentityType.USER, args.getUserName(), userRights);
OmVolumeArgs.Builder builder = OmVolumeArgs.newBuilder();
builder.setAdminName(args.getAdminName())
.setOwnerName(args.getUserName())
@ -187,7 +188,7 @@ public void createVolume(VolumeArgs args) throws IOException, OzoneException {
if (args.getGroups() != null) {
for (String group : args.getGroups()) {
OzoneAcl groupAcl =
new OzoneAcl(OzoneAcl.OzoneACLType.GROUP, group, groupRights);
new OzoneAcl(ACLIdentityType.GROUP, group, groupRights);
builder.addOzoneAcls(OMPBHelper.convertOzoneAcl(groupAcl));
}
}

View File

@ -20,6 +20,7 @@
import java.util.ArrayList;
import java.util.List;
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.ozone.om.exceptions.OMException;
import org.apache.hadoop.ozone.om.helpers.OmDeleteVolumeResponse;
@ -484,7 +485,8 @@ public boolean checkVolumeAccess(String volume, OzoneAclInfo userAcl)
} catch (IOException ex) {
if (!(ex instanceof OMException)) {
LOG.error("Check volume access failed for volume:{} user:{} rights:{}",
volume, userAcl.getName(), userAcl.getRights(), ex);
volume, userAcl.getName(),
StringUtils.join(userAcl.getRightsList(), ","), ex);
}
throw ex;
} finally {

View File

@ -42,6 +42,8 @@
import org.mockito.Mockito;
import org.mockito.runners.MockitoJUnitRunner;
import static org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.*;
/**
* Tests BucketManagerImpl, mocks OMMetadataManager for testing.
*/
@ -217,8 +219,8 @@ public void testSetBucketPropertyAddACL() throws Exception {
OmMetadataManagerImpl metaMgr = createSampleVol();
List<OzoneAcl> acls = new LinkedList<>();
OzoneAcl ozoneAcl = new OzoneAcl(OzoneAcl.OzoneACLType.USER,
"root", OzoneAcl.OzoneACLRights.READ);
OzoneAcl ozoneAcl = new OzoneAcl(ACLIdentityType.USER,
"root", ACLType.READ);
acls.add(ozoneAcl);
BucketManager bucketManager = new BucketManagerImpl(metaMgr);
OmBucketInfo bucketInfo = OmBucketInfo.newBuilder()
@ -235,8 +237,8 @@ public void testSetBucketPropertyAddACL() throws Exception {
Assert.assertEquals("bucketOne", result.getBucketName());
Assert.assertEquals(1, result.getAcls().size());
List<OzoneAcl> addAcls = new LinkedList<>();
OzoneAcl newAcl = new OzoneAcl(OzoneAcl.OzoneACLType.USER,
"ozone", OzoneAcl.OzoneACLRights.READ);
OzoneAcl newAcl = new OzoneAcl(ACLIdentityType.USER,
"ozone", ACLType.READ);
addAcls.add(newAcl);
OmBucketArgs bucketArgs = OmBucketArgs.newBuilder()
.setVolumeName("sampleVol")
@ -256,10 +258,10 @@ public void testSetBucketPropertyRemoveACL() throws Exception {
OmMetadataManagerImpl metaMgr = createSampleVol();
List<OzoneAcl> acls = new LinkedList<>();
OzoneAcl aclOne = new OzoneAcl(OzoneAcl.OzoneACLType.USER,
"root", OzoneAcl.OzoneACLRights.READ);
OzoneAcl aclTwo = new OzoneAcl(OzoneAcl.OzoneACLType.USER,
"ozone", OzoneAcl.OzoneACLRights.READ);
OzoneAcl aclOne = new OzoneAcl(ACLIdentityType.USER,
"root", ACLType.READ);
OzoneAcl aclTwo = new OzoneAcl(ACLIdentityType.USER,
"ozone", ACLType.READ);
acls.add(aclOne);
acls.add(aclTwo);
BucketManager bucketManager = new BucketManagerImpl(metaMgr);

View File

@ -378,7 +378,7 @@ private void insertOMDB(Connection conn, KeyType type, String keyName,
for (OzoneAclInfo aclInfo : volumeInfo.getVolumeAclsList()) {
String insertAclInfo =
String.format(INSERT_ACL_INFO, adminName, ownerName, volumeName,
aclInfo.getType(), aclInfo.getName(), aclInfo.getRights());
aclInfo.getType(), aclInfo.getName(), aclInfo.getRightsList());
executeSQL(conn, insertAclInfo);
}
break;