HDDS-1538. Update ozone protobuf message for ACLs. Contributed by Ajay Kumar. (#828)
This commit is contained in:
parent
a85451c8d2
commit
ef1cc725b8
@ -52,12 +52,11 @@ public final class OzoneConsts {
|
||||
public static final String OZONE_ACL_USER_TYPE = "user";
|
||||
public static final String OZONE_ACL_GROUP_TYPE = "group";
|
||||
public static final String OZONE_ACL_WORLD_TYPE = "world";
|
||||
public static final String OZONE_ACL_ANONYMOUS_TYPE = "anonymous";
|
||||
public static final String OZONE_ACL_IP_TYPE = "ip";
|
||||
|
||||
public static final String OZONE_ACL_READ = "r";
|
||||
public static final String OZONE_ACL_WRITE = "w";
|
||||
public static final String OZONE_ACL_READ_WRITE = "rw";
|
||||
public static final String OZONE_ACL_WRITE_READ = "wr";
|
||||
public static final String OZONE_ACL_DELETE = "d";
|
||||
public static final String OZONE_ACL_LIST = "l";
|
||||
public static final String OZONE_ACL_ALL = "a";
|
||||
|
@ -540,14 +540,6 @@
|
||||
the address of the OM.
|
||||
</description>
|
||||
</property>
|
||||
<property>
|
||||
<name>ozone.om.group.rights</name>
|
||||
<value>READ_WRITE</value>
|
||||
<tag>OM, SECURITY</tag>
|
||||
<description>
|
||||
Default group permissions in Ozone OM.
|
||||
</description>
|
||||
</property>
|
||||
<property>
|
||||
<name>ozone.om.handler.count.key</name>
|
||||
<value>20</value>
|
||||
@ -640,14 +632,6 @@
|
||||
of buckets or keys inside each bucket a user can create.
|
||||
</description>
|
||||
</property>
|
||||
<property>
|
||||
<name>ozone.om.user.rights</name>
|
||||
<value>READ_WRITE</value>
|
||||
<tag>OM, SECURITY</tag>
|
||||
<description>
|
||||
Default user permissions used in OM.
|
||||
</description>
|
||||
</property>
|
||||
<property>
|
||||
<name>ozone.om.db.dirs</name>
|
||||
<value/>
|
||||
|
@ -112,7 +112,7 @@ public class RestClient implements ClientProtocol {
|
||||
private final URI ozoneRestUri;
|
||||
private final CloseableHttpClient httpClient;
|
||||
private final UserGroupInformation ugi;
|
||||
private final OzoneAcl.OzoneACLRights userRights;
|
||||
// private final OzoneAcl.OzoneACLRights userRights;
|
||||
|
||||
/**
|
||||
* Creates RestClient instance with the given configuration.
|
||||
@ -161,8 +161,8 @@ public RestClient(Configuration conf)
|
||||
.build())
|
||||
.build();
|
||||
|
||||
this.userRights = conf.getEnum(OMConfigKeys.OZONE_OM_USER_RIGHTS,
|
||||
OMConfigKeys.OZONE_OM_USER_RIGHTS_DEFAULT);
|
||||
// this.userRights = conf.getEnum(OMConfigKeys.OZONE_OM_USER_RIGHTS,
|
||||
// OMConfigKeys.OZONE_OM_USER_RIGHTS_DEFAULT);
|
||||
|
||||
// TODO: Add new configuration parameter to configure RestServerSelector.
|
||||
RestServerSelector defaultSelector = new DefaultRestServerSelector();
|
||||
|
@ -73,7 +73,6 @@
|
||||
.OzoneManagerProtocolClientSideTranslatorPB;
|
||||
import org.apache.hadoop.net.NetUtils;
|
||||
import org.apache.hadoop.ozone.OzoneAcl;
|
||||
import org.apache.hadoop.ozone.om.OMConfigKeys;
|
||||
import org.apache.hadoop.ozone.protocol.proto
|
||||
.OzoneManagerProtocolProtos.ServicePort;
|
||||
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
|
||||
@ -85,6 +84,9 @@
|
||||
import org.apache.hadoop.hdds.scm.protocolPB
|
||||
.StorageContainerLocationProtocolPB;
|
||||
import org.apache.hadoop.ozone.security.OzoneTokenIdentifier;
|
||||
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType;
|
||||
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType;
|
||||
import org.apache.hadoop.ozone.security.acl.OzoneAclConfig;
|
||||
import org.apache.hadoop.ozone.web.utils.OzoneUtils;
|
||||
import org.apache.hadoop.security.UserGroupInformation;
|
||||
import org.apache.hadoop.security.token.Token;
|
||||
@ -121,8 +123,8 @@ public class RpcClient implements ClientProtocol, KeyProviderTokenIssuer {
|
||||
private final int bytesPerChecksum;
|
||||
private boolean verifyChecksum;
|
||||
private final UserGroupInformation ugi;
|
||||
private final OzoneAcl.OzoneACLRights userRights;
|
||||
private final OzoneAcl.OzoneACLRights groupRights;
|
||||
private final ACLType userRights;
|
||||
private final ACLType groupRights;
|
||||
private final long streamBufferFlushSize;
|
||||
private final long streamBufferMaxSize;
|
||||
private final long blockSize;
|
||||
@ -141,10 +143,11 @@ public RpcClient(Configuration conf) throws IOException {
|
||||
Preconditions.checkNotNull(conf);
|
||||
this.conf = new OzoneConfiguration(conf);
|
||||
this.ugi = UserGroupInformation.getCurrentUser();
|
||||
this.userRights = conf.getEnum(OMConfigKeys.OZONE_OM_USER_RIGHTS,
|
||||
OMConfigKeys.OZONE_OM_USER_RIGHTS_DEFAULT);
|
||||
this.groupRights = conf.getEnum(OMConfigKeys.OZONE_OM_GROUP_RIGHTS,
|
||||
OMConfigKeys.OZONE_OM_GROUP_RIGHTS_DEFAULT);
|
||||
// Get default acl rights for user and group.
|
||||
OzoneAclConfig aclConfig = this.conf.getObject(OzoneAclConfig.class);
|
||||
this.userRights = aclConfig.getUserDefaultRights();
|
||||
this.groupRights = aclConfig.getGroupDefaultRights();
|
||||
|
||||
this.ozoneManagerClient = new OzoneManagerProtocolClientSideTranslatorPB(
|
||||
this.conf, clientId.toString(), ugi);
|
||||
long scmVersion =
|
||||
@ -256,13 +259,13 @@ public void createVolume(String volumeName, VolumeArgs volArgs)
|
||||
OzoneQuota.parseQuota(volArgs.getQuota()).sizeInBytes();
|
||||
List<OzoneAcl> listOfAcls = new ArrayList<>();
|
||||
//User ACL
|
||||
listOfAcls.add(new OzoneAcl(OzoneAcl.OzoneACLType.USER,
|
||||
listOfAcls.add(new OzoneAcl(ACLIdentityType.USER,
|
||||
owner, userRights));
|
||||
//Group ACLs of the User
|
||||
List<String> userGroups = Arrays.asList(UserGroupInformation
|
||||
.createRemoteUser(owner).getGroupNames());
|
||||
userGroups.stream().forEach((group) -> listOfAcls.add(
|
||||
new OzoneAcl(OzoneAcl.OzoneACLType.GROUP, group, groupRights)));
|
||||
new OzoneAcl(ACLIdentityType.GROUP, group, groupRights)));
|
||||
//ACLs from VolumeArgs
|
||||
if(volArgs.getAcls() != null) {
|
||||
listOfAcls.addAll(volArgs.getAcls());
|
||||
@ -403,13 +406,13 @@ public void createBucket(
|
||||
|
||||
List<OzoneAcl> listOfAcls = new ArrayList<>();
|
||||
//User ACL
|
||||
listOfAcls.add(new OzoneAcl(OzoneAcl.OzoneACLType.USER,
|
||||
listOfAcls.add(new OzoneAcl(ACLIdentityType.USER,
|
||||
ugi.getUserName(), userRights));
|
||||
//Group ACLs of the User
|
||||
List<String> userGroups = Arrays.asList(UserGroupInformation
|
||||
.createRemoteUser(ugi.getUserName()).getGroupNames());
|
||||
userGroups.stream().forEach((group) -> listOfAcls.add(
|
||||
new OzoneAcl(OzoneAcl.OzoneACLType.GROUP, group, groupRights)));
|
||||
new OzoneAcl(ACLIdentityType.GROUP, group, groupRights)));
|
||||
//ACLs from BucketArgs
|
||||
if(bucketArgs.getAcls() != null) {
|
||||
listOfAcls.addAll(bucketArgs.getAcls());
|
||||
|
@ -19,6 +19,11 @@
|
||||
|
||||
package org.apache.hadoop.ozone;
|
||||
|
||||
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType;
|
||||
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.Objects;
|
||||
|
||||
/**
|
||||
@ -32,9 +37,9 @@
|
||||
* </ul>
|
||||
*/
|
||||
public class OzoneAcl {
|
||||
private OzoneACLType type;
|
||||
private ACLIdentityType type;
|
||||
private String name;
|
||||
private OzoneACLRights rights;
|
||||
private List<ACLType> rights;
|
||||
|
||||
/**
|
||||
* Constructor for OzoneAcl.
|
||||
@ -47,16 +52,37 @@ public OzoneAcl() {
|
||||
*
|
||||
* @param type - Type
|
||||
* @param name - Name of user
|
||||
* @param rights - Rights
|
||||
* @param acl - Rights
|
||||
*/
|
||||
public OzoneAcl(OzoneACLType type, String name, OzoneACLRights rights) {
|
||||
public OzoneAcl(ACLIdentityType type, String name, ACLType acl) {
|
||||
this.name = name;
|
||||
this.rights = rights;
|
||||
this.rights = new ArrayList<>();
|
||||
this.rights.add(acl);
|
||||
this.type = type;
|
||||
if (type == OzoneACLType.WORLD && name.length() != 0) {
|
||||
if (type == ACLIdentityType.WORLD && name.length() != 0) {
|
||||
throw new IllegalArgumentException("Unexpected name part in world type");
|
||||
}
|
||||
if (((type == OzoneACLType.USER) || (type == OzoneACLType.GROUP))
|
||||
if (((type == ACLIdentityType.USER) || (type == ACLIdentityType.GROUP))
|
||||
&& (name.length() == 0)) {
|
||||
throw new IllegalArgumentException("User or group name is required");
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Constructor for OzoneAcl.
|
||||
*
|
||||
* @param type - Type
|
||||
* @param name - Name of user
|
||||
* @param acls - Rights
|
||||
*/
|
||||
public OzoneAcl(ACLIdentityType type, String name, List<ACLType> acls) {
|
||||
this.name = name;
|
||||
this.rights = acls;
|
||||
this.type = type;
|
||||
if (type == ACLIdentityType.WORLD && name.length() != 0) {
|
||||
throw new IllegalArgumentException("Unexpected name part in world type");
|
||||
}
|
||||
if (((type == ACLIdentityType.USER) || (type == ACLIdentityType.GROUP))
|
||||
&& (name.length() == 0)) {
|
||||
throw new IllegalArgumentException("User or group name is required");
|
||||
}
|
||||
@ -78,17 +104,20 @@ public static OzoneAcl parseAcl(String acl) throws IllegalArgumentException {
|
||||
throw new IllegalArgumentException("ACLs are not in expected format");
|
||||
}
|
||||
|
||||
OzoneACLType aclType = OzoneACLType.valueOf(parts[0].toUpperCase());
|
||||
OzoneACLRights rights = OzoneACLRights.getACLRight(parts[2].toLowerCase());
|
||||
ACLIdentityType aclType = ACLIdentityType.valueOf(parts[0].toUpperCase());
|
||||
List<ACLType> acls = new ArrayList<>();
|
||||
for (char ch : parts[2].toCharArray()) {
|
||||
acls.add(ACLType.getACLRight(String.valueOf(ch)));
|
||||
}
|
||||
|
||||
// TODO : Support sanitation of these user names by calling into
|
||||
// userAuth Interface.
|
||||
return new OzoneAcl(aclType, parts[1], rights);
|
||||
return new OzoneAcl(aclType, parts[1], acls);
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return type + ":" + name + ":" + OzoneACLRights.getACLRightsString(rights);
|
||||
return type + ":" + name + ":" + ACLType.getACLString(rights);
|
||||
}
|
||||
|
||||
/**
|
||||
@ -120,7 +149,7 @@ public String getName() {
|
||||
*
|
||||
* @return - Rights
|
||||
*/
|
||||
public OzoneACLRights getRights() {
|
||||
public List<ACLType> getRights() {
|
||||
return rights;
|
||||
}
|
||||
|
||||
@ -129,7 +158,7 @@ public OzoneACLRights getRights() {
|
||||
*
|
||||
* @return type
|
||||
*/
|
||||
public OzoneACLType getType() {
|
||||
public ACLIdentityType getType() {
|
||||
return type;
|
||||
}
|
||||
|
||||
@ -150,9 +179,7 @@ public boolean equals(Object obj) {
|
||||
return false;
|
||||
}
|
||||
OzoneAcl otherAcl = (OzoneAcl) obj;
|
||||
return otherAcl.getName().equals(this.getName()) &&
|
||||
otherAcl.getRights() == this.getRights() &&
|
||||
otherAcl.getType() == this.getType();
|
||||
return otherAcl.toString().equals(this.toString());
|
||||
}
|
||||
|
||||
/**
|
||||
@ -177,57 +204,4 @@ public enum OzoneACLType {
|
||||
value = val;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* ACL rights.
|
||||
*/
|
||||
public enum OzoneACLRights {
|
||||
READ, WRITE, READ_WRITE;
|
||||
|
||||
/**
|
||||
* Returns the ACL rights based on passed in String.
|
||||
*
|
||||
* @param type ACL right string
|
||||
*
|
||||
* @return OzoneACLRights
|
||||
*/
|
||||
public static OzoneACLRights getACLRight(String type) {
|
||||
if (type == null || type.isEmpty()) {
|
||||
throw new IllegalArgumentException("ACL right cannot be empty");
|
||||
}
|
||||
|
||||
switch (type) {
|
||||
case OzoneConsts.OZONE_ACL_READ:
|
||||
return OzoneACLRights.READ;
|
||||
case OzoneConsts.OZONE_ACL_WRITE:
|
||||
return OzoneACLRights.WRITE;
|
||||
case OzoneConsts.OZONE_ACL_READ_WRITE:
|
||||
case OzoneConsts.OZONE_ACL_WRITE_READ:
|
||||
return OzoneACLRights.READ_WRITE;
|
||||
default:
|
||||
throw new IllegalArgumentException("ACL right is not recognized");
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns String representation of ACL rights.
|
||||
* @param acl OzoneACLRights
|
||||
* @return String representation of acl
|
||||
*/
|
||||
public static String getACLRightsString(OzoneACLRights acl) {
|
||||
switch(acl) {
|
||||
case READ:
|
||||
return OzoneConsts.OZONE_ACL_READ;
|
||||
case WRITE:
|
||||
return OzoneConsts.OZONE_ACL_WRITE;
|
||||
case READ_WRITE:
|
||||
return OzoneConsts.OZONE_ACL_READ_WRITE;
|
||||
default:
|
||||
throw new IllegalArgumentException("ACL right is not recognized");
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
@ -19,7 +19,6 @@
|
||||
|
||||
import java.util.concurrent.TimeUnit;
|
||||
|
||||
import org.apache.hadoop.ozone.OzoneAcl;
|
||||
import org.apache.ratis.util.TimeDuration;
|
||||
|
||||
/**
|
||||
@ -78,17 +77,6 @@ private OMConfigKeys() {
|
||||
"ozone.om.user.max.volume";
|
||||
public static final int OZONE_OM_USER_MAX_VOLUME_DEFAULT = 1024;
|
||||
|
||||
// OM Default user/group permissions
|
||||
public static final String OZONE_OM_USER_RIGHTS =
|
||||
"ozone.om.user.rights";
|
||||
public static final OzoneAcl.OzoneACLRights OZONE_OM_USER_RIGHTS_DEFAULT =
|
||||
OzoneAcl.OzoneACLRights.READ_WRITE;
|
||||
|
||||
public static final String OZONE_OM_GROUP_RIGHTS =
|
||||
"ozone.om.group.rights";
|
||||
public static final OzoneAcl.OzoneACLRights OZONE_OM_GROUP_RIGHTS_DEFAULT =
|
||||
OzoneAcl.OzoneACLRights.READ_WRITE;
|
||||
|
||||
public static final String OZONE_KEY_DELETING_LIMIT_PER_TASK =
|
||||
"ozone.key.deleting.limit.per.task";
|
||||
public static final int OZONE_KEY_DELETING_LIMIT_PER_TASK_DEFAULT = 1000;
|
||||
|
@ -37,7 +37,7 @@
|
||||
@SuppressWarnings("ProtocolBufferOrdinal")
|
||||
public class OmOzoneAclMap {
|
||||
// per Acl Type user:rights map
|
||||
private ArrayList<Map<String, OzoneAclRights>> aclMaps;
|
||||
private ArrayList<Map<String, List<OzoneAclRights>>> aclMaps;
|
||||
|
||||
OmOzoneAclMap() {
|
||||
aclMaps = new ArrayList<>();
|
||||
@ -46,51 +46,75 @@ public class OmOzoneAclMap {
|
||||
}
|
||||
}
|
||||
|
||||
private Map<String, OzoneAclRights> getMap(OzoneAclType type) {
|
||||
private Map<String, List<OzoneAclRights>> getMap(OzoneAclType type) {
|
||||
return aclMaps.get(type.ordinal());
|
||||
}
|
||||
|
||||
// For a given acl type and user, get the stored acl
|
||||
private OzoneAclRights getAcl(OzoneAclType type, String user) {
|
||||
private List<OzoneAclRights> getAcl(OzoneAclType type, String user) {
|
||||
return getMap(type).get(user);
|
||||
}
|
||||
|
||||
// Add a new acl to the map
|
||||
public void addAcl(OzoneAclInfo acl) {
|
||||
getMap(acl.getType()).put(acl.getName(), acl.getRights());
|
||||
getMap(acl.getType()).put(acl.getName(), acl.getRightsList());
|
||||
}
|
||||
|
||||
// for a given acl, check if the user has access rights
|
||||
public boolean hasAccess(OzoneAclInfo acl) {
|
||||
OzoneAclRights storedRights = getAcl(acl.getType(), acl.getName());
|
||||
if (storedRights != null) {
|
||||
switch (acl.getRights()) {
|
||||
case READ:
|
||||
return (storedRights == OzoneAclRights.READ)
|
||||
|| (storedRights == OzoneAclRights.READ_WRITE);
|
||||
if (acl == null) {
|
||||
return false;
|
||||
}
|
||||
|
||||
List<OzoneAclRights> storedRights = getAcl(acl.getType(), acl.getName());
|
||||
if(storedRights == null) {
|
||||
return false;
|
||||
}
|
||||
|
||||
for (OzoneAclRights right : storedRights) {
|
||||
switch (right) {
|
||||
case CREATE:
|
||||
return (right == OzoneAclRights.CREATE)
|
||||
|| (right == OzoneAclRights.ALL);
|
||||
case LIST:
|
||||
return (right == OzoneAclRights.LIST)
|
||||
|| (right == OzoneAclRights.ALL);
|
||||
case WRITE:
|
||||
return (storedRights == OzoneAclRights.WRITE)
|
||||
|| (storedRights == OzoneAclRights.READ_WRITE);
|
||||
case READ_WRITE:
|
||||
return (storedRights == OzoneAclRights.READ_WRITE);
|
||||
return (right == OzoneAclRights.WRITE)
|
||||
|| (right == OzoneAclRights.ALL);
|
||||
case READ:
|
||||
return (right == OzoneAclRights.READ)
|
||||
|| (right == OzoneAclRights.ALL);
|
||||
case DELETE:
|
||||
return (right == OzoneAclRights.DELETE)
|
||||
|| (right == OzoneAclRights.ALL);
|
||||
case READ_ACL:
|
||||
return (right == OzoneAclRights.READ_ACL)
|
||||
|| (right == OzoneAclRights.ALL);
|
||||
case WRITE_ACL:
|
||||
return (right == OzoneAclRights.WRITE_ACL)
|
||||
|| (right == OzoneAclRights.ALL);
|
||||
case ALL:
|
||||
return (right == OzoneAclRights.ALL);
|
||||
case NONE:
|
||||
return !(right == OzoneAclRights.NONE);
|
||||
default:
|
||||
return false;
|
||||
}
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
// Convert this map to OzoneAclInfo Protobuf List
|
||||
public List<OzoneAclInfo> ozoneAclGetProtobuf() {
|
||||
List<OzoneAclInfo> aclList = new LinkedList<>();
|
||||
for (OzoneAclType type: OzoneAclType.values()) {
|
||||
for (Map.Entry<String, OzoneAclRights> entry :
|
||||
for (Map.Entry<String, List<OzoneAclRights>> entry :
|
||||
aclMaps.get(type.ordinal()).entrySet()) {
|
||||
OzoneAclInfo aclInfo = OzoneAclInfo.newBuilder()
|
||||
.setName(entry.getKey())
|
||||
.setType(type)
|
||||
.setRights(entry.getValue())
|
||||
.addAllRights(entry.getValue())
|
||||
.build();
|
||||
aclList.add(aclInfo);
|
||||
}
|
||||
|
@ -41,9 +41,15 @@
|
||||
import org.apache.hadoop.ozone.protocol.proto
|
||||
.OzoneManagerProtocolProtos.OzoneAclInfo.OzoneAclRights;
|
||||
import org.apache.hadoop.ozone.security.OzoneTokenIdentifier;
|
||||
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer;
|
||||
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType;
|
||||
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType;
|
||||
import org.apache.hadoop.security.proto.SecurityProtos.TokenProto;
|
||||
import org.apache.hadoop.security.token.Token;
|
||||
|
||||
import java.util.List;
|
||||
import java.util.ArrayList;
|
||||
|
||||
/**
|
||||
* Utilities for converting protobuf classes.
|
||||
*/
|
||||
@ -59,7 +65,7 @@ private OMPBHelper() {
|
||||
*/
|
||||
public static OzoneAclInfo convertOzoneAcl(OzoneAcl acl) {
|
||||
OzoneAclInfo.OzoneAclType aclType;
|
||||
switch(acl.getType()) {
|
||||
switch (acl.getType()) {
|
||||
case USER:
|
||||
aclType = OzoneAclType.USER;
|
||||
break;
|
||||
@ -69,27 +75,24 @@ public static OzoneAclInfo convertOzoneAcl(OzoneAcl acl) {
|
||||
case WORLD:
|
||||
aclType = OzoneAclType.WORLD;
|
||||
break;
|
||||
case ANONYMOUS:
|
||||
aclType = OzoneAclType.ANONYMOUS;
|
||||
break;
|
||||
case CLIENT_IP:
|
||||
aclType = OzoneAclType.CLIENT_IP;
|
||||
break;
|
||||
default:
|
||||
throw new IllegalArgumentException("ACL type is not recognized");
|
||||
}
|
||||
OzoneAclInfo.OzoneAclRights aclRights;
|
||||
switch(acl.getRights()) {
|
||||
case READ:
|
||||
aclRights = OzoneAclRights.READ;
|
||||
break;
|
||||
case WRITE:
|
||||
aclRights = OzoneAclRights.WRITE;
|
||||
break;
|
||||
case READ_WRITE:
|
||||
aclRights = OzoneAclRights.READ_WRITE;
|
||||
break;
|
||||
default:
|
||||
throw new IllegalArgumentException("ACL right is not recognized");
|
||||
List<OzoneAclRights> aclRights = new ArrayList<>();
|
||||
|
||||
for (ACLType right : acl.getRights()) {
|
||||
aclRights.add(OzoneAclRights.valueOf(right.name()));
|
||||
}
|
||||
|
||||
return OzoneAclInfo.newBuilder().setType(aclType)
|
||||
.setName(acl.getName())
|
||||
.setRights(aclRights)
|
||||
.addAllRights(aclRights)
|
||||
.build();
|
||||
}
|
||||
|
||||
@ -98,35 +101,31 @@ public static OzoneAclInfo convertOzoneAcl(OzoneAcl acl) {
|
||||
* @return OzoneAcl
|
||||
*/
|
||||
public static OzoneAcl convertOzoneAcl(OzoneAclInfo aclInfo) {
|
||||
OzoneAcl.OzoneACLType aclType;
|
||||
switch(aclInfo.getType()) {
|
||||
ACLIdentityType aclType;
|
||||
switch (aclInfo.getType()) {
|
||||
case USER:
|
||||
aclType = OzoneAcl.OzoneACLType.USER;
|
||||
aclType = ACLIdentityType.USER;
|
||||
break;
|
||||
case GROUP:
|
||||
aclType = OzoneAcl.OzoneACLType.GROUP;
|
||||
aclType = ACLIdentityType.GROUP;
|
||||
break;
|
||||
case WORLD:
|
||||
aclType = OzoneAcl.OzoneACLType.WORLD;
|
||||
aclType = ACLIdentityType.WORLD;
|
||||
break;
|
||||
case ANONYMOUS:
|
||||
aclType = ACLIdentityType.ANONYMOUS;
|
||||
break;
|
||||
case CLIENT_IP:
|
||||
aclType = ACLIdentityType.CLIENT_IP;
|
||||
break;
|
||||
default:
|
||||
throw new IllegalArgumentException("ACL type is not recognized");
|
||||
}
|
||||
OzoneAcl.OzoneACLRights aclRights;
|
||||
switch(aclInfo.getRights()) {
|
||||
case READ:
|
||||
aclRights = OzoneAcl.OzoneACLRights.READ;
|
||||
break;
|
||||
case WRITE:
|
||||
aclRights = OzoneAcl.OzoneACLRights.WRITE;
|
||||
break;
|
||||
case READ_WRITE:
|
||||
aclRights = OzoneAcl.OzoneACLRights.READ_WRITE;
|
||||
break;
|
||||
default:
|
||||
throw new IllegalArgumentException("ACL right is not recognized");
|
||||
}
|
||||
|
||||
List<IAccessAuthorizer.ACLType> aclRights = new ArrayList<>();
|
||||
for (OzoneAclRights acl : aclInfo.getRightsList()) {
|
||||
aclRights.add(ACLType.valueOf(acl.name()));
|
||||
}
|
||||
return new OzoneAcl(aclType, aclInfo.getName(), aclRights);
|
||||
}
|
||||
|
||||
|
@ -20,6 +20,8 @@
|
||||
import org.apache.hadoop.classification.InterfaceStability;
|
||||
import org.apache.hadoop.ozone.OzoneConsts;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* Public API for Ozone ACLs. Security providers providing support for Ozone
|
||||
* ACLs should implement this.
|
||||
@ -84,7 +86,8 @@ public static ACLType getACLRight(String type) {
|
||||
case OzoneConsts.OZONE_ACL_NONE:
|
||||
return ACLType.NONE;
|
||||
default:
|
||||
throw new IllegalArgumentException("ACL right is not recognized");
|
||||
throw new IllegalArgumentException(type + " ACL right is not " +
|
||||
"recognized");
|
||||
}
|
||||
|
||||
}
|
||||
@ -92,10 +95,18 @@ public static ACLType getACLRight(String type) {
|
||||
/**
|
||||
* Returns String representation of ACL rights.
|
||||
*
|
||||
* @param acl ACLType
|
||||
* @param acls ACLType
|
||||
* @return String representation of acl
|
||||
*/
|
||||
public static String getACLRightsString(ACLType acl) {
|
||||
public static String getACLString(List<ACLType> acls) {
|
||||
StringBuffer sb = new StringBuffer();
|
||||
acls.forEach(acl -> {
|
||||
sb.append(getAclString(acl));
|
||||
});
|
||||
return sb.toString();
|
||||
}
|
||||
|
||||
public static String getAclString(ACLType acl) {
|
||||
switch (acl) {
|
||||
case READ:
|
||||
return OzoneConsts.OZONE_ACL_READ;
|
||||
@ -129,7 +140,8 @@ enum ACLIdentityType {
|
||||
USER(OzoneConsts.OZONE_ACL_USER_TYPE),
|
||||
GROUP(OzoneConsts.OZONE_ACL_GROUP_TYPE),
|
||||
CLIENT_IP(OzoneConsts.OZONE_ACL_IP_TYPE),
|
||||
WORLD(OzoneConsts.OZONE_ACL_WORLD_TYPE);
|
||||
WORLD(OzoneConsts.OZONE_ACL_WORLD_TYPE),
|
||||
ANONYMOUS(OzoneConsts.OZONE_ACL_ANONYMOUS_TYPE);
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
|
@ -0,0 +1,65 @@
|
||||
/**
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.apache.hadoop.ozone.security.acl;
|
||||
|
||||
import org.apache.hadoop.hdds.conf.Config;
|
||||
import org.apache.hadoop.hdds.conf.ConfigGroup;
|
||||
import org.apache.hadoop.hdds.conf.ConfigTag;
|
||||
import org.apache.hadoop.hdds.conf.ConfigType;
|
||||
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType;
|
||||
|
||||
/**
|
||||
* Ozone ACL config pojo.
|
||||
* */
|
||||
@ConfigGroup(prefix = "ozone.om")
|
||||
public class OzoneAclConfig {
|
||||
// OM Default user/group permissions
|
||||
private ACLType userDefaultRights = ACLType.ALL;
|
||||
private ACLType groupDefaultRights = ACLType.ALL;
|
||||
|
||||
@Config(key = "user.rights",
|
||||
defaultValue = "ALL",
|
||||
type = ConfigType.STRING,
|
||||
tags = {ConfigTag.OM, ConfigTag.SECURITY},
|
||||
description = "Default user permissions set for an object in " +
|
||||
"OzoneManager."
|
||||
)
|
||||
public void setUserDefaultRights(String userRights) {
|
||||
this.userDefaultRights = ACLType.valueOf(userRights);
|
||||
}
|
||||
|
||||
@Config(key = "group.rights",
|
||||
defaultValue = "ALL",
|
||||
type = ConfigType.STRING,
|
||||
tags = {ConfigTag.OM, ConfigTag.SECURITY},
|
||||
description = "Default group permissions set for an object in " +
|
||||
"OzoneManager."
|
||||
)
|
||||
public void setGroupDefaultRights(String groupRights) {
|
||||
this.groupDefaultRights = ACLType.valueOf(groupRights);
|
||||
}
|
||||
|
||||
public ACLType getUserDefaultRights() {
|
||||
return userDefaultRights;
|
||||
}
|
||||
|
||||
public ACLType getGroupDefaultRights() {
|
||||
return groupDefaultRights;
|
||||
}
|
||||
|
||||
}
|
@ -451,15 +451,24 @@ message OzoneAclInfo {
|
||||
USER = 1;
|
||||
GROUP = 2;
|
||||
WORLD = 3;
|
||||
ANONYMOUS = 4;
|
||||
CLIENT_IP = 5;
|
||||
}
|
||||
|
||||
enum OzoneAclRights {
|
||||
READ = 1;
|
||||
WRITE = 2;
|
||||
READ_WRITE = 3;
|
||||
CREATE = 1;
|
||||
LIST = 2;
|
||||
DELETE = 3;
|
||||
READ = 4;
|
||||
WRITE = 5;
|
||||
READ_ACL = 6;
|
||||
WRITE_ACL = 7;
|
||||
ALL = 8;
|
||||
NONE = 9;
|
||||
}
|
||||
required OzoneAclType type = 1;
|
||||
required string name = 2;
|
||||
required OzoneAclRights rights = 3;
|
||||
repeated OzoneAclRights rights = 3;
|
||||
}
|
||||
|
||||
message CreateBucketRequest {
|
||||
|
@ -18,16 +18,20 @@
|
||||
|
||||
package org.apache.hadoop.ozone;
|
||||
|
||||
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType;
|
||||
|
||||
import org.junit.Test;
|
||||
|
||||
import java.util.Arrays;
|
||||
import java.util.HashMap;
|
||||
import java.util.Set;
|
||||
|
||||
import static org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType.*;
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.fail;
|
||||
|
||||
/**
|
||||
* This class is to test acl stoarge and retreival in ozone store.
|
||||
* This class is to test acl storage and retrieval in ozone store.
|
||||
*/
|
||||
public class TestOzoneAcls {
|
||||
|
||||
@ -39,8 +43,8 @@ public void testAclParse() {
|
||||
testMatrix.put("user:bilbo:r", Boolean.TRUE);
|
||||
testMatrix.put("user:bilbo:w", Boolean.TRUE);
|
||||
testMatrix.put("user:bilbo:rw", Boolean.TRUE);
|
||||
testMatrix.put("user:bilbo:wr", Boolean.TRUE);
|
||||
testMatrix.put(" user:bilbo:wr ", Boolean.TRUE);
|
||||
testMatrix.put("user:bilbo:a", Boolean.TRUE);
|
||||
testMatrix.put(" user:bilbo:a ", Boolean.TRUE);
|
||||
|
||||
|
||||
// ACLs makes no judgement on the quality of
|
||||
@ -53,7 +57,16 @@ public void testAclParse() {
|
||||
testMatrix.put("", Boolean.FALSE);
|
||||
testMatrix.put(null, Boolean.FALSE);
|
||||
testMatrix.put(" user:bilbo:", Boolean.FALSE);
|
||||
testMatrix.put(" user:bilbo:rx", Boolean.FALSE);
|
||||
testMatrix.put(" user:bilbo:rx", Boolean.TRUE);
|
||||
testMatrix.put(" user:bilbo:rwdlncxy", Boolean.TRUE);
|
||||
testMatrix.put(" group:bilbo:rwdlncxy", Boolean.TRUE);
|
||||
testMatrix.put(" world::rwdlncxy", Boolean.TRUE);
|
||||
testMatrix.put(" user:bilbo:rncxy", Boolean.TRUE);
|
||||
testMatrix.put(" group:bilbo:ncxy", Boolean.TRUE);
|
||||
testMatrix.put(" world::ncxy", Boolean.TRUE);
|
||||
testMatrix.put(" user:bilbo:rwcxy", Boolean.TRUE);
|
||||
testMatrix.put(" group:bilbo:rwcxy", Boolean.TRUE);
|
||||
testMatrix.put(" world::rwcxy", Boolean.TRUE);
|
||||
testMatrix.put(" user:bilbo:mk", Boolean.FALSE);
|
||||
testMatrix.put(" user::rw", Boolean.FALSE);
|
||||
testMatrix.put("user11:bilbo:rw", Boolean.FALSE);
|
||||
@ -62,12 +75,12 @@ public void testAclParse() {
|
||||
testMatrix.put(" group:hobbit:r", Boolean.TRUE);
|
||||
testMatrix.put(" group:hobbit:w", Boolean.TRUE);
|
||||
testMatrix.put(" group:hobbit:rw", Boolean.TRUE);
|
||||
testMatrix.put(" group:hobbit:wr", Boolean.TRUE);
|
||||
testMatrix.put(" group:hobbit:a", Boolean.TRUE);
|
||||
testMatrix.put(" group:*:rw", Boolean.TRUE);
|
||||
testMatrix.put(" group:~!:rw", Boolean.TRUE);
|
||||
|
||||
testMatrix.put(" group:hobbit:", Boolean.FALSE);
|
||||
testMatrix.put(" group:hobbit:rx", Boolean.FALSE);
|
||||
testMatrix.put(" group:hobbit:rx", Boolean.TRUE);
|
||||
testMatrix.put(" group:hobbit:mk", Boolean.FALSE);
|
||||
testMatrix.put(" group::", Boolean.FALSE);
|
||||
testMatrix.put(" group::rw", Boolean.FALSE);
|
||||
@ -77,14 +90,14 @@ public void testAclParse() {
|
||||
testMatrix.put("JUNK group:hobbit:r", Boolean.FALSE);
|
||||
testMatrix.put("JUNK group:hobbit:w", Boolean.FALSE);
|
||||
testMatrix.put("JUNK group:hobbit:rw", Boolean.FALSE);
|
||||
testMatrix.put("JUNK group:hobbit:wr", Boolean.FALSE);
|
||||
testMatrix.put("JUNK group:hobbit:a", Boolean.FALSE);
|
||||
testMatrix.put("JUNK group:*:rw", Boolean.FALSE);
|
||||
testMatrix.put("JUNK group:~!:rw", Boolean.FALSE);
|
||||
|
||||
testMatrix.put(" world::r", Boolean.TRUE);
|
||||
testMatrix.put(" world::w", Boolean.TRUE);
|
||||
testMatrix.put(" world::rw", Boolean.TRUE);
|
||||
testMatrix.put(" world::wr", Boolean.TRUE);
|
||||
testMatrix.put(" world::a", Boolean.TRUE);
|
||||
|
||||
testMatrix.put(" world:bilbo:w", Boolean.FALSE);
|
||||
testMatrix.put(" world:bilbo:rw", Boolean.FALSE);
|
||||
@ -97,7 +110,7 @@ public void testAclParse() {
|
||||
try {
|
||||
OzoneAcl.parseAcl(key);
|
||||
// should never get here since parseAcl will throw
|
||||
fail("An exception was expected but did not happen.");
|
||||
fail("An exception was expected but did not happen. Key: " + key);
|
||||
} catch (IllegalArgumentException e) {
|
||||
// nothing to do
|
||||
}
|
||||
@ -109,33 +122,51 @@ public void testAclParse() {
|
||||
public void testAclValues() {
|
||||
OzoneAcl acl = OzoneAcl.parseAcl("user:bilbo:rw");
|
||||
assertEquals(acl.getName(), "bilbo");
|
||||
assertEquals(OzoneAcl.OzoneACLRights.READ_WRITE, acl.getRights());
|
||||
assertEquals(OzoneAcl.OzoneACLType.USER, acl.getType());
|
||||
assertEquals(Arrays.asList(READ, WRITE), acl.getRights());
|
||||
assertEquals(ACLIdentityType.USER, acl.getType());
|
||||
|
||||
acl = OzoneAcl.parseAcl("user:bilbo:wr");
|
||||
acl = OzoneAcl.parseAcl("user:bilbo:a");
|
||||
assertEquals("bilbo", acl.getName());
|
||||
assertEquals(OzoneAcl.OzoneACLRights.READ_WRITE, acl.getRights());
|
||||
assertEquals(OzoneAcl.OzoneACLType.USER, acl.getType());
|
||||
assertEquals(Arrays.asList(ALL), acl.getRights());
|
||||
assertEquals(ACLIdentityType.USER, acl.getType());
|
||||
|
||||
acl = OzoneAcl.parseAcl("user:bilbo:r");
|
||||
assertEquals("bilbo", acl.getName());
|
||||
assertEquals(OzoneAcl.OzoneACLRights.READ, acl.getRights());
|
||||
assertEquals(OzoneAcl.OzoneACLType.USER, acl.getType());
|
||||
assertEquals(Arrays.asList(READ), acl.getRights());
|
||||
assertEquals(ACLIdentityType.USER, acl.getType());
|
||||
|
||||
acl = OzoneAcl.parseAcl("user:bilbo:w");
|
||||
assertEquals("bilbo", acl.getName());
|
||||
assertEquals(OzoneAcl.OzoneACLRights.WRITE, acl.getRights());
|
||||
assertEquals(OzoneAcl.OzoneACLType.USER, acl.getType());
|
||||
assertEquals(Arrays.asList(WRITE), acl.getRights());
|
||||
assertEquals(ACLIdentityType.USER, acl.getType());
|
||||
|
||||
acl = OzoneAcl.parseAcl("group:hobbit:wr");
|
||||
acl = OzoneAcl.parseAcl("group:hobbit:a");
|
||||
assertEquals(acl.getName(), "hobbit");
|
||||
assertEquals(OzoneAcl.OzoneACLRights.READ_WRITE, acl.getRights());
|
||||
assertEquals(OzoneAcl.OzoneACLType.GROUP, acl.getType());
|
||||
assertEquals(Arrays.asList(ALL), acl.getRights());
|
||||
assertEquals(ACLIdentityType.GROUP, acl.getType());
|
||||
|
||||
acl = OzoneAcl.parseAcl("world::wr");
|
||||
acl = OzoneAcl.parseAcl("world::a");
|
||||
assertEquals(acl.getName(), "");
|
||||
assertEquals(OzoneAcl.OzoneACLRights.READ_WRITE, acl.getRights());
|
||||
assertEquals(OzoneAcl.OzoneACLType.WORLD, acl.getType());
|
||||
assertEquals(Arrays.asList(ALL), acl.getRights());
|
||||
assertEquals(ACLIdentityType.WORLD, acl.getType());
|
||||
|
||||
acl = OzoneAcl.parseAcl("user:bilbo:rwdlncxy");
|
||||
assertEquals(acl.getName(), "bilbo");
|
||||
assertEquals(Arrays.asList(READ, WRITE, DELETE, LIST, NONE, CREATE,
|
||||
READ_ACL, WRITE_ACL), acl.getRights());
|
||||
assertEquals(ACLIdentityType.USER, acl.getType());
|
||||
|
||||
acl = OzoneAcl.parseAcl("group:hadoop:rwdlncxy");
|
||||
assertEquals(acl.getName(), "hadoop");
|
||||
assertEquals(Arrays.asList(READ, WRITE, DELETE, LIST, NONE, CREATE,
|
||||
READ_ACL, WRITE_ACL), acl.getRights());
|
||||
assertEquals(ACLIdentityType.GROUP, acl.getType());
|
||||
|
||||
acl = OzoneAcl.parseAcl("world::rwdlncxy");
|
||||
assertEquals(acl.getName(), "");
|
||||
assertEquals(Arrays.asList(READ, WRITE, DELETE, LIST, NONE, CREATE,
|
||||
READ_ACL, WRITE_ACL), acl.getRights());
|
||||
assertEquals(ACLIdentityType.WORLD, acl.getType());
|
||||
}
|
||||
|
||||
}
|
@ -82,6 +82,8 @@
|
||||
import org.apache.hadoop.ozone.om.helpers.OmMultipartInfo;
|
||||
import org.apache.hadoop.ozone.om.helpers.OmMultipartUploadCompleteInfo;
|
||||
import org.apache.hadoop.ozone.s3.util.OzoneS3Util;
|
||||
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType;
|
||||
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType;
|
||||
import org.apache.hadoop.test.GenericTestUtils;
|
||||
import org.apache.hadoop.test.LambdaTestUtils;
|
||||
import org.apache.hadoop.util.Time;
|
||||
@ -420,8 +422,8 @@ public void testCreateBucketWithAcls()
|
||||
throws IOException, OzoneException {
|
||||
String volumeName = UUID.randomUUID().toString();
|
||||
String bucketName = UUID.randomUUID().toString();
|
||||
OzoneAcl userAcl = new OzoneAcl(OzoneAcl.OzoneACLType.USER, "test",
|
||||
OzoneAcl.OzoneACLRights.READ_WRITE);
|
||||
OzoneAcl userAcl = new OzoneAcl(ACLIdentityType.USER, "test",
|
||||
ACLType.READ);
|
||||
List<OzoneAcl> acls = new ArrayList<>();
|
||||
acls.add(userAcl);
|
||||
store.createVolume(volumeName);
|
||||
@ -439,8 +441,8 @@ public void testCreateBucketWithAllArgument()
|
||||
throws IOException, OzoneException {
|
||||
String volumeName = UUID.randomUUID().toString();
|
||||
String bucketName = UUID.randomUUID().toString();
|
||||
OzoneAcl userAcl = new OzoneAcl(OzoneAcl.OzoneACLType.USER, "test",
|
||||
OzoneAcl.OzoneACLRights.READ_WRITE);
|
||||
OzoneAcl userAcl = new OzoneAcl(ACLIdentityType.USER, "test",
|
||||
ACLType.ALL);
|
||||
List<OzoneAcl> acls = new ArrayList<>();
|
||||
acls.add(userAcl);
|
||||
store.createVolume(volumeName);
|
||||
@ -480,9 +482,7 @@ public void testAddBucketAcl()
|
||||
OzoneVolume volume = store.getVolume(volumeName);
|
||||
volume.createBucket(bucketName);
|
||||
List<OzoneAcl> acls = new ArrayList<>();
|
||||
acls.add(new OzoneAcl(
|
||||
OzoneAcl.OzoneACLType.USER, "test",
|
||||
OzoneAcl.OzoneACLRights.READ_WRITE));
|
||||
acls.add(new OzoneAcl(ACLIdentityType.USER, "test", ACLType.ALL));
|
||||
OzoneBucket bucket = volume.getBucket(bucketName);
|
||||
bucket.addAcls(acls);
|
||||
OzoneBucket newBucket = volume.getBucket(bucketName);
|
||||
@ -495,8 +495,8 @@ public void testRemoveBucketAcl()
|
||||
throws IOException, OzoneException {
|
||||
String volumeName = UUID.randomUUID().toString();
|
||||
String bucketName = UUID.randomUUID().toString();
|
||||
OzoneAcl userAcl = new OzoneAcl(OzoneAcl.OzoneACLType.USER, "test",
|
||||
OzoneAcl.OzoneACLRights.READ_WRITE);
|
||||
OzoneAcl userAcl = new OzoneAcl(ACLIdentityType.USER, "test",
|
||||
ACLType.ALL);
|
||||
List<OzoneAcl> acls = new ArrayList<>();
|
||||
acls.add(userAcl);
|
||||
store.createVolume(volumeName);
|
||||
|
@ -55,6 +55,8 @@
|
||||
import org.apache.hadoop.ozone.om.helpers.ServiceInfo;
|
||||
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.ServicePort;
|
||||
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.VolumeList;
|
||||
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType;
|
||||
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType;
|
||||
import org.apache.hadoop.ozone.util.OzoneVersionInfo;
|
||||
import org.apache.hadoop.ozone.web.handlers.BucketArgs;
|
||||
import org.apache.hadoop.ozone.web.handlers.KeyArgs;
|
||||
@ -356,30 +358,29 @@ public void testAccessVolume() throws IOException, OzoneException {
|
||||
createVolumeArgs.setGroups(groupName);
|
||||
storageHandler.createVolume(createVolumeArgs);
|
||||
|
||||
OzoneAcl userAcl = new OzoneAcl(OzoneAcl.OzoneACLType.USER, userName,
|
||||
OzoneAcl.OzoneACLRights.READ_WRITE);
|
||||
OzoneAcl userAcl = new OzoneAcl(ACLIdentityType.USER, userName,
|
||||
ACLType.READ);
|
||||
Assert.assertTrue(storageHandler.checkVolumeAccess(volumeName, userAcl));
|
||||
OzoneAcl group = new OzoneAcl(OzoneAcl.OzoneACLType.GROUP, groupName[0],
|
||||
OzoneAcl.OzoneACLRights.READ);
|
||||
OzoneAcl group = new OzoneAcl(ACLIdentityType.GROUP, groupName[0],
|
||||
ACLType.READ);
|
||||
Assert.assertTrue(storageHandler.checkVolumeAccess(volumeName, group));
|
||||
|
||||
// Create a different user and access should fail
|
||||
String falseUserName = "user" + RandomStringUtils.randomNumeric(5);
|
||||
OzoneAcl falseUserAcl =
|
||||
new OzoneAcl(OzoneAcl.OzoneACLType.USER, falseUserName,
|
||||
OzoneAcl.OzoneACLRights.READ_WRITE);
|
||||
new OzoneAcl(ACLIdentityType.USER, falseUserName,
|
||||
ACLType.ALL);
|
||||
Assert.assertFalse(storageHandler
|
||||
.checkVolumeAccess(volumeName, falseUserAcl));
|
||||
// Checking access with user name and Group Type should fail
|
||||
OzoneAcl falseGroupAcl = new OzoneAcl(OzoneAcl.OzoneACLType.GROUP, userName,
|
||||
OzoneAcl.OzoneACLRights.READ_WRITE);
|
||||
OzoneAcl falseGroupAcl = new OzoneAcl(ACLIdentityType.GROUP, userName,
|
||||
ACLType.ALL);
|
||||
Assert.assertFalse(storageHandler
|
||||
.checkVolumeAccess(volumeName, falseGroupAcl));
|
||||
|
||||
// Access for acl type world should also fail
|
||||
OzoneAcl worldAcl =
|
||||
new OzoneAcl(OzoneAcl.OzoneACLType.WORLD, "",
|
||||
OzoneAcl.OzoneACLRights.READ);
|
||||
new OzoneAcl(ACLIdentityType.WORLD, "", ACLType.READ);
|
||||
Assert.assertFalse(storageHandler.checkVolumeAccess(volumeName, worldAcl));
|
||||
|
||||
Assert.assertEquals(0, omMetrics.getNumVolumeCheckAccessFails());
|
||||
|
@ -44,8 +44,6 @@
|
||||
import org.apache.hadoop.hdfs.DFSUtil;
|
||||
import org.apache.hadoop.ozone.MiniOzoneCluster;
|
||||
import org.apache.hadoop.ozone.OzoneAcl;
|
||||
import org.apache.hadoop.ozone.OzoneAcl.OzoneACLRights;
|
||||
import org.apache.hadoop.ozone.OzoneAcl.OzoneACLType;
|
||||
import org.apache.hadoop.ozone.OzoneConsts;
|
||||
import org.apache.hadoop.ozone.client.OzoneBucket;
|
||||
import org.apache.hadoop.ozone.client.OzoneKey;
|
||||
@ -59,6 +57,8 @@
|
||||
import org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes;
|
||||
import org.apache.hadoop.ozone.om.helpers.ServiceInfo;
|
||||
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.ServicePort;
|
||||
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType;
|
||||
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType;
|
||||
import org.apache.hadoop.ozone.web.ozShell.OzoneShell;
|
||||
import org.apache.hadoop.ozone.web.ozShell.Shell;
|
||||
import org.apache.hadoop.ozone.web.request.OzoneQuota;
|
||||
@ -744,8 +744,9 @@ public void testUpdateBucket() throws Exception {
|
||||
|
||||
OzoneAcl acl = bucket.getAcls().get(aclSize);
|
||||
assertTrue(acl.getName().equals("frodo")
|
||||
&& acl.getType() == OzoneACLType.USER
|
||||
&& acl.getRights()== OzoneACLRights.READ_WRITE);
|
||||
&& acl.getType() == ACLIdentityType.USER
|
||||
&& acl.getRights().contains(ACLType.READ)
|
||||
&& acl.getRights().contains(ACLType.WRITE));
|
||||
|
||||
args = new String[] {"bucket", "update",
|
||||
url + "/" + vol.getName() + "/" + bucketName, "--removeAcl",
|
||||
@ -756,8 +757,8 @@ public void testUpdateBucket() throws Exception {
|
||||
acl = bucket.getAcls().get(aclSize);
|
||||
assertEquals(1 + aclSize, bucket.getAcls().size());
|
||||
assertTrue(acl.getName().equals("samwise")
|
||||
&& acl.getType() == OzoneACLType.GROUP
|
||||
&& acl.getRights()== OzoneACLRights.READ);
|
||||
&& acl.getType() == ACLIdentityType.GROUP
|
||||
&& acl.getRights().contains(ACLType.READ));
|
||||
|
||||
// test update bucket for a non-exist bucket
|
||||
args = new String[] {"bucket", "update",
|
||||
|
@ -44,8 +44,10 @@
|
||||
import org.apache.hadoop.ozone.client.io.OzoneOutputStream;
|
||||
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos;
|
||||
import org.apache.hadoop.ozone.protocolPB.OMPBHelper;
|
||||
import org.apache.hadoop.ozone.om.OMConfigKeys;
|
||||
import org.apache.hadoop.ozone.OzoneAcl;
|
||||
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType;
|
||||
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType;
|
||||
import org.apache.hadoop.ozone.security.acl.OzoneAclConfig;
|
||||
import org.apache.hadoop.ozone.web.request.OzoneQuota;
|
||||
import org.apache.hadoop.hdds.scm.ScmConfigKeys;
|
||||
import org.apache.hadoop.hdds.scm.XceiverClientManager;
|
||||
@ -80,8 +82,8 @@ public final class DistributedStorageHandler implements StorageHandler {
|
||||
private final OzoneManagerProtocol
|
||||
ozoneManagerClient;
|
||||
private final XceiverClientManager xceiverClientManager;
|
||||
private final OzoneAcl.OzoneACLRights userRights;
|
||||
private final OzoneAcl.OzoneACLRights groupRights;
|
||||
private final ACLType userRights;
|
||||
private final ACLType groupRights;
|
||||
private int chunkSize;
|
||||
private final long streamBufferFlushSize;
|
||||
private final long streamBufferMaxSize;
|
||||
@ -109,10 +111,10 @@ public DistributedStorageHandler(OzoneConfiguration conf,
|
||||
|
||||
chunkSize = (int)conf.getStorageSize(ScmConfigKeys.OZONE_SCM_CHUNK_SIZE_KEY,
|
||||
ScmConfigKeys.OZONE_SCM_CHUNK_SIZE_DEFAULT, StorageUnit.BYTES);
|
||||
userRights = conf.getEnum(OMConfigKeys.OZONE_OM_USER_RIGHTS,
|
||||
OMConfigKeys.OZONE_OM_USER_RIGHTS_DEFAULT);
|
||||
groupRights = conf.getEnum(OMConfigKeys.OZONE_OM_GROUP_RIGHTS,
|
||||
OMConfigKeys.OZONE_OM_GROUP_RIGHTS_DEFAULT);
|
||||
// Get default acl rights for user and group.
|
||||
OzoneAclConfig aclConfig = conf.getObject(OzoneAclConfig.class);
|
||||
this.userRights = aclConfig.getUserDefaultRights();
|
||||
this.groupRights = aclConfig.getGroupDefaultRights();
|
||||
if(chunkSize > OzoneConsts.OZONE_SCM_CHUNK_MAX_SIZE) {
|
||||
LOG.warn("The chunk size ({}) is not allowed to be more than"
|
||||
+ " the maximum size ({}),"
|
||||
@ -176,8 +178,7 @@ public void createVolume(VolumeArgs args) throws IOException, OzoneException {
|
||||
long quota = args.getQuota() == null ?
|
||||
OzoneConsts.MAX_QUOTA_IN_BYTES : args.getQuota().sizeInBytes();
|
||||
OzoneAcl userAcl =
|
||||
new OzoneAcl(OzoneAcl.OzoneACLType.USER,
|
||||
args.getUserName(), userRights);
|
||||
new OzoneAcl(ACLIdentityType.USER, args.getUserName(), userRights);
|
||||
OmVolumeArgs.Builder builder = OmVolumeArgs.newBuilder();
|
||||
builder.setAdminName(args.getAdminName())
|
||||
.setOwnerName(args.getUserName())
|
||||
@ -187,7 +188,7 @@ public void createVolume(VolumeArgs args) throws IOException, OzoneException {
|
||||
if (args.getGroups() != null) {
|
||||
for (String group : args.getGroups()) {
|
||||
OzoneAcl groupAcl =
|
||||
new OzoneAcl(OzoneAcl.OzoneACLType.GROUP, group, groupRights);
|
||||
new OzoneAcl(ACLIdentityType.GROUP, group, groupRights);
|
||||
builder.addOzoneAcls(OMPBHelper.convertOzoneAcl(groupAcl));
|
||||
}
|
||||
}
|
||||
|
@ -20,6 +20,7 @@
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
|
||||
import org.apache.hadoop.ozone.om.exceptions.OMException;
|
||||
import org.apache.hadoop.ozone.om.helpers.OmDeleteVolumeResponse;
|
||||
@ -484,7 +485,8 @@ public boolean checkVolumeAccess(String volume, OzoneAclInfo userAcl)
|
||||
} catch (IOException ex) {
|
||||
if (!(ex instanceof OMException)) {
|
||||
LOG.error("Check volume access failed for volume:{} user:{} rights:{}",
|
||||
volume, userAcl.getName(), userAcl.getRights(), ex);
|
||||
volume, userAcl.getName(),
|
||||
StringUtils.join(userAcl.getRightsList(), ","), ex);
|
||||
}
|
||||
throw ex;
|
||||
} finally {
|
||||
|
@ -42,6 +42,8 @@
|
||||
import org.mockito.Mockito;
|
||||
import org.mockito.runners.MockitoJUnitRunner;
|
||||
|
||||
import static org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.*;
|
||||
|
||||
/**
|
||||
* Tests BucketManagerImpl, mocks OMMetadataManager for testing.
|
||||
*/
|
||||
@ -217,8 +219,8 @@ public void testSetBucketPropertyAddACL() throws Exception {
|
||||
OmMetadataManagerImpl metaMgr = createSampleVol();
|
||||
|
||||
List<OzoneAcl> acls = new LinkedList<>();
|
||||
OzoneAcl ozoneAcl = new OzoneAcl(OzoneAcl.OzoneACLType.USER,
|
||||
"root", OzoneAcl.OzoneACLRights.READ);
|
||||
OzoneAcl ozoneAcl = new OzoneAcl(ACLIdentityType.USER,
|
||||
"root", ACLType.READ);
|
||||
acls.add(ozoneAcl);
|
||||
BucketManager bucketManager = new BucketManagerImpl(metaMgr);
|
||||
OmBucketInfo bucketInfo = OmBucketInfo.newBuilder()
|
||||
@ -235,8 +237,8 @@ public void testSetBucketPropertyAddACL() throws Exception {
|
||||
Assert.assertEquals("bucketOne", result.getBucketName());
|
||||
Assert.assertEquals(1, result.getAcls().size());
|
||||
List<OzoneAcl> addAcls = new LinkedList<>();
|
||||
OzoneAcl newAcl = new OzoneAcl(OzoneAcl.OzoneACLType.USER,
|
||||
"ozone", OzoneAcl.OzoneACLRights.READ);
|
||||
OzoneAcl newAcl = new OzoneAcl(ACLIdentityType.USER,
|
||||
"ozone", ACLType.READ);
|
||||
addAcls.add(newAcl);
|
||||
OmBucketArgs bucketArgs = OmBucketArgs.newBuilder()
|
||||
.setVolumeName("sampleVol")
|
||||
@ -256,10 +258,10 @@ public void testSetBucketPropertyRemoveACL() throws Exception {
|
||||
OmMetadataManagerImpl metaMgr = createSampleVol();
|
||||
|
||||
List<OzoneAcl> acls = new LinkedList<>();
|
||||
OzoneAcl aclOne = new OzoneAcl(OzoneAcl.OzoneACLType.USER,
|
||||
"root", OzoneAcl.OzoneACLRights.READ);
|
||||
OzoneAcl aclTwo = new OzoneAcl(OzoneAcl.OzoneACLType.USER,
|
||||
"ozone", OzoneAcl.OzoneACLRights.READ);
|
||||
OzoneAcl aclOne = new OzoneAcl(ACLIdentityType.USER,
|
||||
"root", ACLType.READ);
|
||||
OzoneAcl aclTwo = new OzoneAcl(ACLIdentityType.USER,
|
||||
"ozone", ACLType.READ);
|
||||
acls.add(aclOne);
|
||||
acls.add(aclTwo);
|
||||
BucketManager bucketManager = new BucketManagerImpl(metaMgr);
|
||||
|
@ -378,7 +378,7 @@ private void insertOMDB(Connection conn, KeyType type, String keyName,
|
||||
for (OzoneAclInfo aclInfo : volumeInfo.getVolumeAclsList()) {
|
||||
String insertAclInfo =
|
||||
String.format(INSERT_ACL_INFO, adminName, ownerName, volumeName,
|
||||
aclInfo.getType(), aclInfo.getName(), aclInfo.getRights());
|
||||
aclInfo.getType(), aclInfo.getName(), aclInfo.getRightsList());
|
||||
executeSQL(conn, insertAclInfo);
|
||||
}
|
||||
break;
|
||||
|
Loading…
Reference in New Issue
Block a user