This is an automated email from the ASF dual-hosted git repository.

adoroszlai pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git


The following commit(s) were added to refs/heads/master by this push:
     new d7fdcab8b70 HDDS-14207. Inconsistent Ozone admin check (#9859)
d7fdcab8b70 is described below

commit d7fdcab8b7055fcc1791c11538f57fb83b3d0076
Author: Gargi Jaiswal <[email protected]>
AuthorDate: Mon Mar 9 17:10:35 2026 +0530

    HDDS-14207. Inconsistent Ozone admin check (#9859)
---
 .../hadoop/hdds/security/SecurityConfig.java       | 31 +++++++++
 .../org/apache/hadoop/ozone/OzoneConfigKeys.java   |  2 +
 .../org/apache/hadoop/ozone/OzoneSecurityUtil.java | 21 ++++++
 .../common/src/main/resources/ozone-default.xml    | 14 ++++
 .../apache/hadoop/ozone/HddsDatanodeService.java   |  5 ++
 .../ozone/container/common/SCMTestUtils.java       |  2 +
 .../org/apache/hadoop/hdds/server/OzoneAdmins.java |  2 +
 .../hadoop/hdds/utils/DBCheckpointServlet.java     | 14 ++--
 .../hdds/scm/server/SCMDBCheckpointServlet.java    | 10 +--
 .../hdds/scm/server/StorageContainerManager.java   | 15 +++++
 .../hdds/scm/TestStorageContainerManager.java      |  2 +
 .../ozone/client/rpc/TestOzoneRpcClient.java       |  3 +
 .../ozone/client/rpc/TestSecureOzoneRpcClient.java |  2 +
 .../hadoop/ozone/om/TestAddRemoveOzoneManager.java | 76 +++++++++++++---------
 .../hadoop/ozone/om/TestOMDbCheckpointServlet.java |  6 +-
 .../om/TestOMHALeaderSpecificACLEnforcement.java   |  3 +
 .../org/apache/hadoop/ozone/om/TestOmAcls.java     |  2 +
 .../om/snapshot/TestOzoneManagerSnapshotAcl.java   |  2 +
 .../test/java/org/apache/ozone/test/AclTests.java  |  3 +
 .../hadoop/ozone/om/OMDBCheckpointServlet.java     | 10 +--
 .../om/OMDBCheckpointServletInodeBasedXfer.java    |  2 +-
 .../hadoop/ozone/om/OMMultiTenantManagerImpl.java  |  4 ++
 .../org/apache/hadoop/ozone/om/OzoneManager.java   | 57 +++++++++++-----
 .../ozone/om/ratis/OzoneManagerStateMachine.java   |  2 +-
 .../om/request/bucket/OMBucketDeleteRequest.java   |  2 +-
 .../request/snapshot/OMSnapshotCreateRequest.java  | 12 ++--
 .../request/snapshot/OMSnapshotDeleteRequest.java  | 12 ++--
 .../request/snapshot/OMSnapshotRenameRequest.java  | 12 ++--
 .../om/request/upgrade/OMCancelPrepareRequest.java |  2 +-
 .../request/upgrade/OMFinalizeUpgradeRequest.java  |  2 +-
 .../om/request/volume/OMQuotaRepairRequest.java    |  2 +-
 .../protocolPB/OMAdminProtocolServerSideImpl.java  |  3 +-
 .../om/ratis/TestOzoneManagerStateMachine.java     |  2 +-
 .../snapshot/TestOMSnapshotCreateRequest.java      |  1 +
 .../snapshot/TestOMSnapshotDeleteRequest.java      |  2 +
 .../snapshot/TestOMSnapshotRenameRequest.java      |  2 +
 .../hadoop/ozone/recon/ReconRestServletModule.java |  8 +--
 .../ozone/recon/api/filters/ReconAdminFilter.java  | 15 ++++-
 .../ozone/recon/api/filters/TestAdminFilter.java   |  3 +-
 .../hadoop/ozone/s3secret/S3SecretAdminFilter.java |  6 ++
 40 files changed, 276 insertions(+), 100 deletions(-)

diff --git 
a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/SecurityConfig.java
 
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/SecurityConfig.java
index 645b3e0b663..2b0efc4d6ab 100644
--- 
a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/SecurityConfig.java
+++ 
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/SecurityConfig.java
@@ -71,6 +71,8 @@
 import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_SIGNATURE_ALGO;
 import static 
org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_SIGNATURE_ALGO_DEFAULT;
 import static org.apache.hadoop.hdds.HddsConfigKeys.OZONE_METADATA_DIRS;
+import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_AUTHORIZATION_ENABLED;
+import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_AUTHORIZATION_ENABLED_DEFAULT;
 import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_DEFAULT;
 import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY;
 
@@ -104,6 +106,15 @@ public class SecurityConfig {
   private static final Logger LOG =
       LoggerFactory.getLogger(SecurityConfig.class);
   private static volatile Provider provider;
+
+  /**
+   * Test-only configuration property to enable authorization checks without
+   * requiring full security (Kerberos) setup. This is for testing purposes
+   * only.
+   */
+  public static final String OZONE_TEST_AUTHORIZATION_ENABLED = 
"ozone.test.authorization.enabled";
+  public static final boolean OZONE_TEST_AUTHORIZATION_ENABLED_DEFAULT = false;
+
   private final int size;
   private final String keyAlgo;
   private final String providerString;
@@ -136,6 +147,7 @@ public class SecurityConfig {
   private final Duration rootCaCertificatePollingInterval;
   private final boolean autoCARotationEnabled;
   private final Duration expiredCertificateCheckInterval;
+  private final boolean authorizationEnabled;
 
   /**
    * Constructs a SecurityConfig.
@@ -200,6 +212,14 @@ public SecurityConfig(ConfigurationSource configuration) {
         OZONE_SECURITY_ENABLED_KEY,
         OZONE_SECURITY_ENABLED_DEFAULT);
 
+    // Authorization is only effective when security is enabled, unless test 
mode is enabled
+    boolean testAuthorizationEnabled = configuration.getBoolean(
+        OZONE_TEST_AUTHORIZATION_ENABLED,
+        OZONE_TEST_AUTHORIZATION_ENABLED_DEFAULT);
+    this.authorizationEnabled = (isSecurityEnabled || 
testAuthorizationEnabled) &&
+        configuration.getBoolean(OZONE_AUTHORIZATION_ENABLED,
+            OZONE_AUTHORIZATION_ENABLED_DEFAULT);
+
     String certDurationString =
         configuration.get(HDDS_X509_DEFAULT_DURATION,
             HDDS_X509_DEFAULT_DURATION_DEFAULT);
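Review bot: The new `testAuthorizationEnabled` read in the constructor takes `ozone.test.authorization.enabled` from the same ConfigurationSource as every production key, so nothing visible here stops a deployed cluster from setting it. In that branch security is off, so admin and ACL checks would be evaluated against user names that were never authenticated, which can look like protection without being any. Since the constant's Javadoc calls the key test-only, I would make its use visible at startup, e.g. `if (testAuthorizationEnabled && !isSecurityEnabled) { LOG.warn("{} is set while security is disabled; authorization checks will use unauthenticated identities", OZONE_TEST_AUTHORIZATION_ENABLED); }`. The constructor starts and ends outside this hunk.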
@@ -608,4 +628,15 @@ public boolean useTestCert() {
   public boolean isTokenEnabled() {
     return blockTokenEnabled || containerTokenEnabled;
   }
+
+  /**
+   * Check if authorization checks should be performed in Ozone.
+   * Authorization is only effective when security is enabled, unless test 
mode is enabled.
+   * This controls both admin privilege checks and ACL checks.
+   *
+   * @return true if authorization checks should be performed
+   */
+  public boolean isAuthorizationEnabled() {
+    return authorizationEnabled;
+  }
 }
diff --git 
a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java 
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java
index 853a98314aa..456f44bac11 100644
--- 
a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java
+++ 
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java
@@ -469,6 +469,8 @@ public final class OzoneConfigKeys {
       "ozone.acl.enabled";
   public static final boolean OZONE_ACL_ENABLED_DEFAULT =
       false;
+  public static final String OZONE_AUTHORIZATION_ENABLED = 
"ozone.authorization.enabled";
+  public static final boolean OZONE_AUTHORIZATION_ENABLED_DEFAULT = true;
   public static final String OZONE_S3_VOLUME_NAME =
           "ozone.s3g.volume.name";
   public static final String OZONE_S3_VOLUME_NAME_DEFAULT =
diff --git 
a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneSecurityUtil.java
 
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneSecurityUtil.java
index 71e09bd4ca5..6e9da83b2bb 100644
--- 
a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneSecurityUtil.java
+++ 
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneSecurityUtil.java
@@ -17,6 +17,10 @@
 
 package org.apache.hadoop.ozone;
 
+import static 
org.apache.hadoop.hdds.security.SecurityConfig.OZONE_TEST_AUTHORIZATION_ENABLED;
+import static 
org.apache.hadoop.hdds.security.SecurityConfig.OZONE_TEST_AUTHORIZATION_ENABLED_DEFAULT;
+import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_AUTHORIZATION_ENABLED;
+import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_AUTHORIZATION_ENABLED_DEFAULT;
 import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_HTTP_SECURITY_ENABLED_DEFAULT;
 import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_HTTP_SECURITY_ENABLED_KEY;
 import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_DEFAULT;
@@ -60,6 +64,23 @@ public static boolean 
isHttpSecurityEnabled(ConfigurationSource conf) {
         OZONE_HTTP_SECURITY_ENABLED_DEFAULT);
   }
 
+  /**
+   * Check if authorization checks should be performed in Ozone.
+   * Authorization is only effective when security is enabled, unless test 
mode is enabled.
+   * This controls both admin privilege checks and ACL checks.
+   *
+   * @param conf Configuration source
+   * @return true if authorization checks should be performed
+   */
+  public static boolean isAuthorizationEnabled(ConfigurationSource conf) {
+    // Check if test mode is enabled (allows authorization without full 
security)
+    boolean testAuthorizationEnabled = 
conf.getBoolean(OZONE_TEST_AUTHORIZATION_ENABLED,
+        OZONE_TEST_AUTHORIZATION_ENABLED_DEFAULT);
+    return (isSecurityEnabled(conf) || testAuthorizationEnabled) &&
+        conf.getBoolean(OZONE_AUTHORIZATION_ENABLED,
+            OZONE_AUTHORIZATION_ENABLED_DEFAULT);
+  }
+
   /**
    * Returns Keys status.
    *
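Review bot: The expression in `isAuthorizationEnabled(ConfigurationSource)` repeats, term for term, the one this commit adds to the SecurityConfig constructor, so the two copies can drift apart the next time the gating rule changes. Given that the commit exists to remove inconsistent admin checks, one of them should delegate to the other, or both should call a single shared helper. If the duplication has to stay (for example to avoid a dependency between the two classes that is not visible here), a comment on each copy naming the other would at least keep them in step: `// Keep in sync with SecurityConfig#isAuthorizationEnabled()`.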
diff --git a/hadoop-hdds/common/src/main/resources/ozone-default.xml 
b/hadoop-hdds/common/src/main/resources/ozone-default.xml
index 3bbefe3bb68..6c4bd26ebe8 100644
--- a/hadoop-hdds/common/src/main/resources/ozone-default.xml
+++ b/hadoop-hdds/common/src/main/resources/ozone-default.xml
@@ -2393,6 +2393,20 @@
     <tag>OZONE, SECURITY, ACL</tag>
     <description>Key to enable/disable ozone acls.</description>
   </property>
+  <property>
+    <name>ozone.authorization.enabled</name>
+    <value>true</value>
+    <tag>OZONE, SECURITY, AUTHORIZATION</tag>
+    <description>
+      Master switch to enable/disable authorization checks in Ozone
+      (admin privilege checks and ACL checks).
+      This property only takes effect when ozone.security.enabled is true.
+      When true: admin privilege checks are always performed, and object
+      ACL checks are controlled by ozone.acl.enabled.
+      When false: no authorization checks are performed.
+      Default is true.
+    </description>
+  </property>
   <property>
     <name>ozone.om.kerberos.keytab.file</name>
     <value>/etc/security/keytabs/OM.keytab</value>
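Review bot: The description of `ozone.authorization.enabled` says the property "only takes effect when ozone.security.enabled is true" but does not say what the effective state is otherwise, and an operator could read the `true` default as "admin checks are on". From the Java side of this commit the result in a non-secure cluster is that authorization is off, so admin privilege checks are skipped. I would state that outright in the description, e.g. `When ozone.security.enabled is false, no authorization checks are performed regardless of this value.` It would also help to drop "always" from "admin privilege checks are always performed", since that sentence only holds under the security precondition.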
diff --git 
a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java
 
b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java
index 561d3e1b244..9b0d8747933 100644
--- 
a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java
+++ 
b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java
@@ -675,6 +675,11 @@ public boolean isStopped() {
    */
   private void checkAdminPrivilege(String operation)
       throws IOException {
+    // Skip check if authorization is disabled
+    if (secConf == null || !secConf.isAuthorizationEnabled()) {
+      return;
+    }
+
     final UserGroupInformation ugi = getRemoteUser();
     admins.checkAdminUserPrivilege(ugi);
   }
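Review bot: The added guard in `checkAdminPrivilege` treats `secConf == null` the same as "authorization disabled" and returns without checking, so an uninitialised security config silently opens every admin operation on the datanode. `StorageContainerManager.isAdminAuthorizationEnabled()` later in this commit has the same shape (`securityConfig != null && ...`). If null can only occur in a non-secure setup, a comment saying so is enough; otherwise the null case should fail closed, e.g. `if (secConf == null) { throw new IOException("Security configuration unavailable, cannot authorize " + operation); }`. Separately, the `operation` argument is not used in the visible body; logging it at debug level when the check is skipped would leave a trace of which admin calls ran unauthorised.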
diff --git 
a/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/container/common/SCMTestUtils.java
 
b/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/container/common/SCMTestUtils.java
index 11fa95734fd..e29f46cd74e 100644
--- 
a/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/container/common/SCMTestUtils.java
+++ 
b/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/container/common/SCMTestUtils.java
@@ -17,6 +17,7 @@
 
 package org.apache.hadoop.ozone.container.common;
 
+import static 
org.apache.hadoop.hdds.security.SecurityConfig.OZONE_TEST_AUTHORIZATION_ENABLED;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.mockito.Mockito.mock;
 
@@ -137,6 +138,7 @@ public static OzoneConfiguration getConf(File testDir) {
     conf.setClass(SpaceUsageCheckFactory.Conf.configKeyForClassName(),
         MockSpaceUsageCheckFactory.None.class,
         SpaceUsageCheckFactory.class);
+    conf.setBoolean(OZONE_TEST_AUTHORIZATION_ENABLED, true);
     return conf;
   }
 
diff --git 
a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/OzoneAdmins.java
 
b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/OzoneAdmins.java
index cf4cf2af550..cfbb189212f 100644
--- 
a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/OzoneAdmins.java
+++ 
b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/OzoneAdmins.java
@@ -103,6 +103,8 @@ public static OzoneAdmins getReadonlyAdmins(
 
   /**
    * Check ozone admin privilege, throws exception if not admin.
+   * Note: This method does NOT check if authorization is enabled.
+   * Callers should check authorization before calling this method.
    */
   public void checkAdminUserPrivilege(UserGroupInformation ugi)
       throws AccessControlException {
diff --git 
a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/utils/DBCheckpointServlet.java
 
b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/utils/DBCheckpointServlet.java
index 38e98658380..a133e5188a2 100644
--- 
a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/utils/DBCheckpointServlet.java
+++ 
b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/utils/DBCheckpointServlet.java
@@ -73,14 +73,14 @@ public class DBCheckpointServlet extends HttpServlet
   private transient DBStore dbStore;
   private transient DBCheckpointMetrics dbMetrics;
 
-  private boolean aclEnabled;
+  private boolean authorizationEnabled;
   private boolean isSpnegoEnabled;
   private transient OzoneAdmins admins;
   private transient BootstrapStateHandler.Lock lock;
   private transient File bootstrapTempData;
 
   public void initialize(DBStore store, DBCheckpointMetrics metrics,
-                         boolean omAclEnabled,
+                         boolean isAuthorizationEnabled,
                          Collection<String> allowedAdminUsers,
                          Collection<String> allowedAdminGroups,
                          boolean isSpnegoAuthEnabled)
@@ -94,7 +94,7 @@ public void initialize(DBStore store, DBCheckpointMetrics 
metrics,
       throw new ServletException("DB Store is null");
     }
 
-    this.aclEnabled = omAclEnabled;
+    this.authorizationEnabled = isAuthorizationEnabled;
     this.admins = new OzoneAdmins(allowedAdminUsers, allowedAdminGroups);
     this.isSpnegoEnabled = isSpnegoAuthEnabled;
     lock = new NoOpLock();
@@ -129,9 +129,9 @@ public File getBootstrapTempData() {
   }
 
   private boolean hasPermission(UserGroupInformation user) {
-    // Check ACL for dbCheckpoint only when global Ozone ACL and SPNEGO is
+    // Check admin access for dbCheckpoint only when authorization and SPNEGO 
is
     // enabled
-    if (aclEnabled && isSpnegoEnabled) {
+    if (authorizationEnabled && isSpnegoEnabled) {
       return admins.isAdmin(user);
     } else {
       return true;
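Review bot: In `hasPermission` the reworded comment still does not explain the `else` branch, which grants access to every caller whenever authorization is on but SPNEGO is off. If the reasoning is that without SPNEGO the HTTP caller has no authenticated identity to compare against the admin list, that should be written down, because a reader seeing `authorizationEnabled == true` will expect the admin list to be enforced. Suggested comment above the `return true`: `// No SPNEGO means no authenticated HTTP principal, so the admin list cannot be applied; access control must come from the network layer.` The wording is inferred from the condition and should be confirmed against the intended deployment model. The method's closing braces are outside the hunk.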
@@ -165,8 +165,8 @@ private void generateSnapshotCheckpoint(HttpServletRequest 
request,
       return;
     }
 
-    // Check ACL for dbCheckpoint only when global Ozone ACL is enabled
-    if (aclEnabled) {
+    // Check authorization for dbCheckpoint only when authorization is enabled
+    if (authorizationEnabled) {
       final java.security.Principal userPrincipal = request.getUserPrincipal();
       if (userPrincipal == null) {
         final String remoteUser = request.getRemoteUser();
diff --git 
a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMDBCheckpointServlet.java
 
b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMDBCheckpointServlet.java
index 5c90409efd8..04cb600d810 100644
--- 
a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMDBCheckpointServlet.java
+++ 
b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMDBCheckpointServlet.java
@@ -27,10 +27,10 @@
 /**
  * Provides the current checkpoint Snapshot of the SCM DB. (tar.gz)
  *
- * When Ozone ACL is enabled (`ozone.acl.enabled`=`true`), only 
users/principals
- * configured in `ozone.administrator` (along with the user that starts OM,
- * which automatically becomes an Ozone administrator but not necessarily in
- * the config) are allowed to access this endpoint.
+ * When Ozone authorization is enabled (`ozone.authorization.enabled`=`true`),
+ * only users/principals configured in `ozone.administrator` (along with the
+ * user that starts SCM, which automatically becomes an Ozone administrator
+ * but not necessarily in the config) are allowed to access this endpoint.
  *
  * If Kerberos is enabled, the principal should be appended to
  * `ozone.administrator`, e.g. `scm/[email protected]`
@@ -56,7 +56,7 @@ public void init() throws ServletException {
 
     initialize(scm.getScmMetadataStore().getStore(),
         scm.getMetrics().getDBCheckpointMetrics(),
-        false,
+        scm.isAdminAuthorizationEnabled(),
         Collections.emptyList(),
         Collections.emptyList(),
         false);
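Review bot: The `initialize(...)` call in `init()` still passes `Collections.emptyList()` for both admin collections and `false` for SPNEGO, which contradicts the updated class Javadoc stating that only `ozone.administrator` principals may reach this endpoint when authorization is enabled. With SPNEGO passed as `false`, the `hasPermission` logic shown for DBCheckpointServlet in this commit never consults the admin list, so that restriction is not enforced for SCM. What does change is that `generateSnapshotCheckpoint` now enters its principal lookup for SCM when authorization is on; that code continues outside the visible hunk, so it is worth confirming that SCM peers and Recon fetching the checkpoint are not rejected for lacking a principal. Either pass SCM's real admin users/groups and HTTP auth state here, or reword the Javadoc to describe what is actually checked.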
diff --git 
a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
 
b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
index 133eafe45b7..dcfc6aa52eb 100644
--- 
a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
+++ 
b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
@@ -1952,8 +1952,23 @@ private void checkAdminAccess(String op) throws 
IOException {
     checkAdminAccess(getRemoteUser(), false);
   }
 
+  /**
+   * Check if admin privilege authorization should be enforced.
+   * This controls system-level admin operations (upgrades, decommission, etc.)
+   *
+   * @return true if admin authorization checks should be performed
+   */
+  public boolean isAdminAuthorizationEnabled() {
+    return securityConfig != null && securityConfig.isAuthorizationEnabled();
+  }
+
   public void checkAdminAccess(UserGroupInformation remoteUser, boolean isRead)
       throws IOException {
+    // Skip check if authorization is disabled
+    if (!isAdminAuthorizationEnabled()) {
+      return;
+    }
+    
     if (remoteUser != null && !scmAdmins.isAdmin(remoteUser)) {
       if (!isRead || !scmReadOnlyAdmins.isAdmin(remoteUser)) {
         throw new AccessControlException(
diff --git 
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/TestStorageContainerManager.java
 
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/TestStorageContainerManager.java
index 7afaa10c35b..37c4cfd380d 100644
--- 
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/TestStorageContainerManager.java
+++ 
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/TestStorageContainerManager.java
@@ -24,6 +24,7 @@
 import static 
org.apache.hadoop.hdds.HddsConfigKeys.HDDS_SCM_SAFEMODE_PIPELINE_CREATION;
 import static org.apache.hadoop.hdds.scm.HddsTestUtils.mockRemoteUser;
 import static 
org.apache.hadoop.hdds.scm.HddsWhiteboxTestUtils.setInternalState;
+import static 
org.apache.hadoop.hdds.security.SecurityConfig.OZONE_TEST_AUTHORIZATION_ENABLED;
 import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_BLOCK_DELETING_SERVICE_INTERVAL;
 import static org.apache.hadoop.ozone.common.BlockGroup.SIZE_NOT_AVAILABLE;
 import static org.assertj.core.api.Assertions.assertThat;
@@ -167,6 +168,7 @@ public class TestStorageContainerManager {
   @Test
   void test(@TempDir Path tempDir) throws Exception {
     OzoneConfiguration conf = new OzoneConfiguration();
+    conf.setBoolean(OZONE_TEST_AUTHORIZATION_ENABLED, true);
     configureTopology(conf);
     configureBlockDeletion(conf);
     Path scmPath = tempDir.resolve("scm-meta");
diff --git 
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClient.java
 
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClient.java
index 5559ed2b228..7e6a64ea098 100644
--- 
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClient.java
+++ 
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClient.java
@@ -17,6 +17,8 @@
 
 package org.apache.hadoop.ozone.client.rpc;
 
+import static 
org.apache.hadoop.hdds.security.SecurityConfig.OZONE_TEST_AUTHORIZATION_ENABLED;
+
 import java.io.IOException;
 import org.apache.hadoop.hdds.conf.OzoneConfiguration;
 import org.apache.hadoop.hdds.scm.ScmConfigKeys;
@@ -32,6 +34,7 @@ class TestOzoneRpcClient extends OzoneRpcClientTests {
   @BeforeAll
   public static void init() throws Exception {
     OzoneConfiguration conf = new OzoneConfiguration();
+    conf.setBoolean(OZONE_TEST_AUTHORIZATION_ENABLED, true);
     conf.setInt(ScmConfigKeys.OZONE_SCM_PIPELINE_OWNER_CONTAINER_COUNT, 1);
     conf.setBoolean(OzoneConfigKeys.OZONE_ACL_ENABLED, true);
     conf.set(OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS,
diff --git 
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestSecureOzoneRpcClient.java
 
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestSecureOzoneRpcClient.java
index 773ea96c3c7..772ec0383fb 100644
--- 
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestSecureOzoneRpcClient.java
+++ 
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestSecureOzoneRpcClient.java
@@ -19,6 +19,7 @@
 
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.apache.hadoop.hdds.HddsConfigKeys.OZONE_METADATA_DIRS;
+import static 
org.apache.hadoop.hdds.security.SecurityConfig.OZONE_TEST_AUTHORIZATION_ENABLED;
 import static org.apache.hadoop.ozone.OzoneConsts.FORCE_LEASE_RECOVERY_ENV;
 import static org.apache.hadoop.ozone.OzoneConsts.OZONE_OFS_URI_SCHEME;
 import static org.apache.hadoop.ozone.OzoneConsts.OZONE_ROOT;
@@ -116,6 +117,7 @@ public static void init() throws Exception {
     conf.setBoolean(HddsConfigKeys.HDDS_BLOCK_TOKEN_ENABLED, true);
     conf.set(OZONE_METADATA_DIRS, testDir.getAbsolutePath());
     conf.setBoolean(OzoneConfigKeys.OZONE_ACL_ENABLED, true);
+    conf.setBoolean(OZONE_TEST_AUTHORIZATION_ENABLED, true);
     conf.set(OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS,
         OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS_NATIVE);
     CertificateClientTestImpl certificateClientTest =
diff --git 
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestAddRemoveOzoneManager.java
 
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestAddRemoveOzoneManager.java
index 2376a0e93ff..c891ca99ff4 100644
--- 
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestAddRemoveOzoneManager.java
+++ 
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestAddRemoveOzoneManager.java
@@ -17,6 +17,7 @@
 
 package org.apache.hadoop.ozone.om;
 
+import static 
org.apache.hadoop.hdds.security.SecurityConfig.OZONE_TEST_AUTHORIZATION_ENABLED;
 import static org.apache.hadoop.ozone.OzoneConsts.SCM_DUMMY_SERVICE_ID;
 import static 
org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_DECOMMISSIONED_NODES_KEY;
 import static 
org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_RATIS_SERVER_REQUEST_TIMEOUT_DEFAULT;
@@ -89,7 +90,14 @@ public class TestAddRemoveOzoneManager {
   private OzoneClient client;
 
   private void setupCluster(int numInitialOMs) throws Exception {
+    setupCluster(numInitialOMs, false);
+  }
+
+  private void setupCluster(int numInitialOMs, boolean 
enableTestAuthorization) throws Exception {
     conf = new OzoneConfiguration();
+    if (enableTestAuthorization) {
+      conf.setBoolean(OZONE_TEST_AUTHORIZATION_ENABLED, true);
+    }
     conf.setInt(OzoneConfigKeys.OZONE_CLIENT_FAILOVER_MAX_ATTEMPTS_KEY, 5);
     cluster = MiniOzoneCluster.newHABuilder(conf)
         .setSCMServiceId(SCM_DUMMY_SERVICE_ID)
@@ -408,41 +416,45 @@ public void testBootstrapListenerOM() throws Exception {
    */
   @Test
   public void testDecommission() throws Exception {
-    setupCluster(3);
-
-    user = UserGroupInformation.createUserForTesting("user", new String[]{});
-    // Stop the 3rd OM and decommission it using non-privileged user
-    String omNodeId3 = cluster.getOzoneManager(2).getOMNodeId();
-    cluster.stopOzoneManager(omNodeId3);
-    // decommission should fail
-    assertThrows(IOException.class, () -> decommissionOM(omNodeId3));
-
-    // Switch to admin user
-    user = UserGroupInformation.getCurrentUser();
-    // Stop the 3rd OM and decommission it
-    cluster.stopOzoneManager(omNodeId3);
-    decommissionOM(omNodeId3);
-
-    // Decommission the non leader OM and then stop it. Stopping OM before will
-    // lead to no quorum and there will not be a elected leader OM to process
-    // the decommission request.
-    String omNodeId2;
-    if (cluster.getOMLeader().getOMNodeId().equals(
-        cluster.getOzoneManager(1).getOMNodeId())) {
-      omNodeId2 = cluster.getOzoneManager(0).getOMNodeId();
-    } else {
-      omNodeId2 = cluster.getOzoneManager(1).getOMNodeId();
-    }
-    decommissionOM(omNodeId2);
-    cluster.stopOzoneManager(omNodeId2);
+    try {
+      setupCluster(3, true);
+
+      user = UserGroupInformation.createUserForTesting("user", new String[]{});
+      // Stop the 3rd OM and decommission it using non-privileged user
+      String omNodeId3 = cluster.getOzoneManager(2).getOMNodeId();
+      cluster.stopOzoneManager(omNodeId3);
+      // decommission should fail
+      assertThrows(IOException.class, () -> decommissionOM(omNodeId3));
+
+      // Switch to admin user
+      user = UserGroupInformation.getCurrentUser();
+      // Stop the 3rd OM and decommission it
+      cluster.stopOzoneManager(omNodeId3);
+      decommissionOM(omNodeId3);
+
+      // Decommission the non leader OM and then stop it. Stopping OM before 
will
+      // lead to no quorum and there will not be a elected leader OM to process
+      // the decommission request.
+      String omNodeId2;
+      if (cluster.getOMLeader().getOMNodeId().equals(
+          cluster.getOzoneManager(1).getOMNodeId())) {
+        omNodeId2 = cluster.getOzoneManager(0).getOMNodeId();
+      } else {
+        omNodeId2 = cluster.getOzoneManager(1).getOMNodeId();
+      }
+      decommissionOM(omNodeId2);
+      cluster.stopOzoneManager(omNodeId2);
 
-    // Verify that we can read/ write to the cluster with only 1 OM.
-    OzoneVolume volume = objectStore.getVolume(VOLUME_NAME);
-    OzoneBucket bucket = volume.getBucket(BUCKET_NAME);
-    String key = createKey(bucket);
+      // Verify that we can read/ write to the cluster with only 1 OM.
+      OzoneVolume volume = objectStore.getVolume(VOLUME_NAME);
+      OzoneBucket bucket = volume.getBucket(BUCKET_NAME);
+      String key = createKey(bucket);
 
-    assertNotNull(bucket.getKey(key));
+      assertNotNull(bucket.getKey(key));
 
+    } finally {
+      conf.setBoolean(OZONE_TEST_AUTHORIZATION_ENABLED, false);
+    }
   }
 
   /**
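Review bot: The `finally` block added to `testDecommission` resets `OZONE_TEST_AUTHORIZATION_ENABLED` on `conf`, but `setupCluster` assigns a fresh `new OzoneConfiguration()` on every call, so the reset has no effect on later tests. It only forces the whole test body to be re-indented, so I would drop the `try`/`finally` and keep just `setupCluster(3, true);`. Since this test now exists to prove the admin check is enforced, `assertThrows(IOException.class, () -> decommissionOM(omNodeId3))` is also looser than it should be: the OM is stopped just before, so an unrelated IOException would satisfy it. Asserting on the access-control exception type or its message (whichever `decommissionOM` surfaces, not visible here) would make the test fail if the check is skipped.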
diff --git 
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMDbCheckpointServlet.java
 
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMDbCheckpointServlet.java
index df15d50e150..ac12189b1f6 100644
--- 
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMDbCheckpointServlet.java
+++ 
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMDbCheckpointServlet.java
@@ -18,6 +18,7 @@
 package org.apache.hadoop.ozone.om;
 
 import static 
org.apache.hadoop.hdds.recon.ReconConfig.ConfigStrings.OZONE_RECON_KERBEROS_PRINCIPAL_KEY;
+import static 
org.apache.hadoop.hdds.security.SecurityConfig.OZONE_TEST_AUTHORIZATION_ENABLED;
 import static 
org.apache.hadoop.hdds.utils.HddsServerUtil.OZONE_RATIS_SNAPSHOT_COMPLETE_FLAG_NAME;
 import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED;
 import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS;
@@ -260,7 +261,7 @@ private void testEndpoint(String method) throws Exception {
     doCallRealMethod().when(omDbCheckpointServletMock).initialize(
         om.getMetadataManager().getStore(),
         om.getMetrics().getDBCheckpointMetrics(),
-        om.getAclsEnabled(),
+        om.isAdminAuthorizationEnabled(),
         om.getOmAdminUsernames(),
         om.getOmAdminGroups(),
         om.isSpnegoEnabled());
@@ -300,7 +301,7 @@ private void testDoPostWithInvalidContentType() throws 
Exception {
     doCallRealMethod().when(omDbCheckpointServletMock).initialize(
         om.getMetadataManager().getStore(),
         om.getMetrics().getDBCheckpointMetrics(),
-        om.getAclsEnabled(),
+        om.isAdminAuthorizationEnabled(),
         om.getOmAdminUsernames(),
         om.getOmAdminGroups(),
         om.isSpnegoEnabled());
@@ -320,6 +321,7 @@ private void testDoPostWithInvalidContentType() throws 
Exception {
 
   @Test
   void testSpnegoEnabled() throws Exception {
+    conf.setBoolean(OZONE_TEST_AUTHORIZATION_ENABLED, true);
     conf.setBoolean(OZONE_ACL_ENABLED, true);
     conf.set(OZONE_ADMINISTRATORS, "");
     conf.set(OZONE_OM_HTTP_AUTH_TYPE, "kerberos");
diff --git 
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMHALeaderSpecificACLEnforcement.java
 
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMHALeaderSpecificACLEnforcement.java
index 57a7a6f4f22..43acb0f823d 100644
--- 
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMHALeaderSpecificACLEnforcement.java
+++ 
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMHALeaderSpecificACLEnforcement.java
@@ -18,6 +18,7 @@
 package org.apache.hadoop.ozone.om;
 
 import static java.nio.charset.StandardCharsets.UTF_8;
+import static 
org.apache.hadoop.hdds.security.SecurityConfig.OZONE_TEST_AUTHORIZATION_ENABLED;
 import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS;
 import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED;
 import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS;
@@ -185,6 +186,8 @@ private void setupCluster() throws Exception {
   private OzoneConfiguration createBaseConfiguration() throws IOException {
     OzoneConfiguration conf = new OzoneConfiguration();
     
+    conf.setBoolean(OZONE_TEST_AUTHORIZATION_ENABLED, true);
+    
     // Enable ACL for proper permission testing
     conf.setBoolean(OZONE_ACL_ENABLED, true);
     
diff --git 
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOmAcls.java
 
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOmAcls.java
index 350cc09c7ba..8faf7d973cf 100644
--- 
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOmAcls.java
+++ 
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOmAcls.java
@@ -17,6 +17,7 @@
 
 package org.apache.hadoop.ozone.om;
 
+import static 
org.apache.hadoop.hdds.security.SecurityConfig.OZONE_TEST_AUTHORIZATION_ENABLED;
 import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS;
 import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED;
 import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS;
@@ -73,6 +74,7 @@ public class TestOmAcls {
   @BeforeAll
   public static void init() throws Exception {
     OzoneConfiguration conf = new OzoneConfiguration();
+    conf.setBoolean(OZONE_TEST_AUTHORIZATION_ENABLED, true);
     conf.setBoolean(OZONE_ACL_ENABLED, true);
     conf.setClass(OZONE_ACL_AUTHORIZER_CLASS, OzoneAccessAuthorizerTest.class,
         IAccessAuthorizer.class);
diff --git 
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/snapshot/TestOzoneManagerSnapshotAcl.java
 
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/snapshot/TestOzoneManagerSnapshotAcl.java
index 455f1430d99..ae6cddba7cf 100644
--- 
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/snapshot/TestOzoneManagerSnapshotAcl.java
+++ 
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/snapshot/TestOzoneManagerSnapshotAcl.java
@@ -19,6 +19,7 @@
 
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.apache.hadoop.fs.FileSystem.FS_DEFAULT_NAME_KEY;
+import static 
org.apache.hadoop.hdds.security.SecurityConfig.OZONE_TEST_AUTHORIZATION_ENABLED;
 import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS;
 import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS_NATIVE;
 import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED;
@@ -107,6 +108,7 @@ public class TestOzoneManagerSnapshotAcl {
   public static void init() throws Exception {
     UserGroupInformation.setLoginUser(ADMIN_UGI);
     final OzoneConfiguration conf = new OzoneConfiguration();
+    conf.setBoolean(OZONE_TEST_AUTHORIZATION_ENABLED, true);
     conf.setBoolean(OZONE_ACL_ENABLED, true);
     conf.set(OZONE_ACL_AUTHORIZER_CLASS, OZONE_ACL_AUTHORIZER_CLASS_NATIVE);
 
diff --git 
a/hadoop-ozone/integration-test/src/test/java/org/apache/ozone/test/AclTests.java
 
b/hadoop-ozone/integration-test/src/test/java/org/apache/ozone/test/AclTests.java
index 9136e159c6c..fa51d5b9b4f 100644
--- 
a/hadoop-ozone/integration-test/src/test/java/org/apache/ozone/test/AclTests.java
+++ 
b/hadoop-ozone/integration-test/src/test/java/org/apache/ozone/test/AclTests.java
@@ -17,6 +17,7 @@
 
 package org.apache.ozone.test;
 
+import static 
org.apache.hadoop.hdds.security.SecurityConfig.OZONE_TEST_AUTHORIZATION_ENABLED;
 import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS;
 import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS_NATIVE;
 import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED;
@@ -49,7 +50,9 @@ protected MiniOzoneCluster.Builder newClusterBuilder() {
   @Override
   protected OzoneConfiguration createOzoneConfig() {
     loginAdmin();
+    // Enable test security mode to allow ACL checks without Kerberos
     OzoneConfiguration conf = super.createOzoneConfig();
+    conf.setBoolean(OZONE_TEST_AUTHORIZATION_ENABLED, true);
     conf.setBoolean(OZONE_ACL_ENABLED, true);
     conf.set(OZONE_ACL_AUTHORIZER_CLASS, OZONE_ACL_AUTHORIZER_CLASS_NATIVE);
     conf.setBoolean(OMConfigKeys.OZONE_OM_ENABLE_FILESYSTEM_PATHS, true);
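Review bot: The new comment `// Enable test security mode to allow ACL checks without Kerberos` is placed above `super.createOzoneConfig()` rather than above the `conf.setBoolean(OZONE_TEST_AUTHORIZATION_ENABLED, true)` call it describes. Moving it directly above that call avoids reading it as a description of the superclass configuration. The other test setups touched in this commit (`TestOMHALeaderSpecificACLEnforcement.createBaseConfiguration`, `TestOmAcls.init`, `TestOzoneManagerSnapshotAcl.init`) set the same flag with no comment and would benefit from the same one-line explanation. The method continues outside the hunk.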
diff --git 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMDBCheckpointServlet.java
 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMDBCheckpointServlet.java
index a90ee336b00..db5de6b5b8e 100644
--- 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMDBCheckpointServlet.java
+++ 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMDBCheckpointServlet.java
@@ -81,10 +81,10 @@
 /**
  * Provides the current checkpoint Snapshot of the OM DB. (tar.gz)
  *
- * When Ozone ACL is enabled (`ozone.acl.enabled`=`true`), only 
users/principals
- * configured in `ozone.administrator` (along with the user that starts OM,
- * which automatically becomes an Ozone administrator but not necessarily in
- * the config) are allowed to access this endpoint.
+ * When Ozone authorization is enabled (`ozone.authorization.enabled`=`true`),
+ * only users/principals configured in `ozone.administrator` (along with the 
user
+ * that starts OM, which automatically becomes an Ozone administrator but not
+ * necessarily in the config) are allowed to access this endpoint.
  *
  * If Kerberos is enabled, the principal should be appended to
  * `ozone.administrator`, e.g. `scm/[email protected]`
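Review bot: The rewritten Javadoc paragraph says who may use the endpoint when `ozone.authorization.enabled` is true but not what happens when it is false, which is the case an operator most needs spelled out for an endpoint that serves the OM DB checkpoint. The next hunk passes the flag straight to `initialize(...)`, so presumably the admin check is skipped entirely; a sentence such as `When authorization is disabled, no admin check is applied to this endpoint.` would make that explicit. The new lines also keep the key name `ozone.administrator`; the constant used elsewhere in this commit is `OZONE_ADMINISTRATORS`, so the key is most likely `ozone.administrators` and worth confirming while the paragraph is being touched. The class continues outside the hunk.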
@@ -125,7 +125,7 @@ public void init() throws ServletException {
 
     initialize(om.getMetadataManager().getStore(),
         om.getMetrics().getDBCheckpointMetrics(),
-        om.getAclsEnabled(),
+        om.isAdminAuthorizationEnabled(),
         allowedUsers,
         allowedGroups,
         om.isSpnegoEnabled());
diff --git 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMDBCheckpointServletInodeBasedXfer.java
 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMDBCheckpointServletInodeBasedXfer.java
index 5e305204328..a4a63dde7ad 100644
--- 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMDBCheckpointServletInodeBasedXfer.java
+++ 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMDBCheckpointServletInodeBasedXfer.java
@@ -128,7 +128,7 @@ public void init() throws ServletException {
 
     initialize(om.getMetadataManager().getStore(),
         om.getMetrics().getDBCheckpointMetrics(),
-        om.getAclsEnabled(),
+        om.isAdminAuthorizationEnabled(),
         allowedUsers,
         allowedGroups,
         om.isSpnegoEnabled());
diff --git 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java
 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java
index ff0066f712f..f2449a3c68e 100644
--- 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java
+++ 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java
@@ -897,6 +897,10 @@ private void loadTenantCacheFromDB() {
 
   @Override
   public void checkAdmin() throws OMException {
+    // Skip check if authorization is disabled
+    if (!ozoneManager.isAdminAuthorizationEnabled()) {
+      return;
+    }
 
     final UserGroupInformation ugi = ProtobufRpcEngine.Server.getRemoteUser();
     if (!ozoneManager.isAdmin(ugi)) {
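Review bot: `checkAdmin()` rejected every non-admin caller unconditionally before this change, and the new early return makes it a no-op whenever `isAdminAuthorizationEnabled()` is false, with nothing recorded about the skipped check. The same relaxation is applied in `OzoneManager` (`triggerRangerBGSync`, `triggerSnapshotDefrag`, `listTenant`, `checkAdminUserPrivilege`), in the snapshot create/delete/rename requests and in `OMAdminProtocolServerSideImpl.decommission`, all of which called `isAdmin` regardless of configuration on the old side. Because `isAdminAuthorizationEnabled()` also returns false when `secConfig` is null, the bypass should at least be observable, e.g. `LOG.debug("Admin check skipped: authorization is disabled");` before the `return`, assuming this class has a logger. The method body continues outside the hunk.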
diff --git 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
index 09f1d8b0148..b1449e7c633 100644
--- 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
+++ 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
@@ -869,6 +869,9 @@ public String getThreadNamePrefix() {
   private void setInstanceVariablesFromConf() {
     this.isAclEnabled = configuration.getBoolean(OZONE_ACL_ENABLED,
         OZONE_ACL_ENABLED_DEFAULT);
+    LOG.info("Authorization enabled: {}, ACL enabled: {}",
+        secConfig != null ? secConfig.isAuthorizationEnabled() : false,
+        isAclEnabled);
   }
 
   /**
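Review bot: The new startup line prints both flags but does not call out the one combination whose meaning changes in this commit: `ozone.acl.enabled` set to true while authorization is off, in which case `getAclsEnabled()` now returns false and the volume/bucket/key ACL checks guarded by it are skipped. A warning for that case makes the misconfiguration visible to operators, e.g. `if (isAclEnabled && !isAdminAuthorizationEnabled()) { LOG.warn("ACLs are enabled in config but authorization is disabled; ACL checks will not be enforced"); }`. The ternary `secConfig != null ? secConfig.isAuthorizationEnabled() : false` can also be replaced by the `isAdminAuthorizationEnabled()` helper added later in this file, which performs the same null check.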
@@ -2752,13 +2755,25 @@ public boolean checkAcls(ResourceType resType, 
StoreType storeType,
     return omMetadataReader.checkAcls(obj, context, throwIfPermissionDenied);
   }
 
+  /**
+   * Check if admin privilege authorization should be enforced.
+   * This controls system-level admin operations (upgrades, decommission, etc.)
+   *
+   * @return true if admin authorization checks should be performed
+   */
+  public boolean isAdminAuthorizationEnabled() {
+    return secConfig != null && secConfig.isAuthorizationEnabled();
+  }
+
   /**
    * Return true if Ozone acl's are enabled, else false.
+   * ACLs are only effective when authorization is enabled.
+   * This controls volume/bucket/key level permissions.
    *
    * @return boolean
    */
   public boolean getAclsEnabled() {
-    return isAclEnabled;
+    return isAdminAuthorizationEnabled() && isAclEnabled;
   }
 
   public UncheckedAutoCloseableSupplier<IOmMetadataReader> 
getOmMetadataReader() {
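Review bot: `isAdminAuthorizationEnabled()` returns false when `secConfig` is null, so a missing or not-yet-initialised security config is indistinguishable from authorization being switched off, and every admin and ACL gate that now depends on this method is open in that state. If `secConfig` cannot be null once the OM is serving requests, the Javadoc should say so, for example `Returns false if the security config has not been initialised; callers then skip admin checks.` If it can be null while requests are handled, failing closed is worth considering for a gate of this kind.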
@@ -2785,7 +2800,7 @@ public OmVolumeArgs getVolumeInfo(String volume) throws 
IOException {
     boolean auditSuccess = true;
     Map<String, String> auditMap = buildAuditMap(volume);
     try {
-      if (isAclEnabled) {
+      if (getAclsEnabled()) {
         omMetadataReader.checkAcls(ResourceType.VOLUME,
             StoreType.OZONE, ACLType.READ, volume,
             null, null);
@@ -2821,7 +2836,7 @@ public List<OmVolumeArgs> listVolumeByUser(String 
userName, String prefix,
       String prevKey, int maxKeys) throws IOException {
     UserGroupInformation remoteUserUgi =
         ProtobufRpcEngine.Server.getRemoteUser();
-    if (isAclEnabled) {
+    if (getAclsEnabled()) {
       if (remoteUserUgi == null) {
         LOG.error("Rpc user UGI is null. Authorization failed.");
         throw new OMException("Rpc user UGI is null. Authorization failed.",
@@ -2836,7 +2851,7 @@ public List<OmVolumeArgs> listVolumeByUser(String 
userName, String prefix,
     auditMap.put(OzoneConsts.USERNAME, userName);
     try {
       metrics.incNumVolumeLists();
-      if (isAclEnabled) {
+      if (getAclsEnabled()) {
         String remoteUserName = remoteUserUgi.getShortUserName();
         // if not admin nor list my own volumes, check ACL.
         if (!remoteUserName.equals(userName) && !isAdmin(remoteUserUgi)) {
@@ -2894,7 +2909,7 @@ public List<OmVolumeArgs> listAllVolumes(String prefix, 
String prevKey, int
     auditMap.put(OzoneConsts.USERNAME, null);
     try {
       metrics.incNumVolumeLists();
-      if (isAclEnabled) {
+      if (getAclsEnabled()) {
         omMetadataReader.checkAcls(ResourceType.VOLUME,
             StoreType.OZONE, ACLType.LIST,
             OzoneConsts.OZONE_ROOT, null, null);
@@ -2931,7 +2946,7 @@ public List<OmBucketInfo> listBuckets(String volumeName, 
String startKey,
     auditMap.put(OzoneConsts.HAS_SNAPSHOT, String.valueOf(hasSnapshot));
 
     try {
-      if (isAclEnabled) {
+      if (getAclsEnabled()) {
         omMetadataReader.checkAcls(ResourceType.VOLUME,
             StoreType.OZONE, ACLType.LIST,
             volumeName, null, null);
@@ -2967,7 +2982,7 @@ public OmBucketInfo getBucketInfo(String volume, String 
bucket)
     Map<String, String> auditMap = buildAuditMap(volume);
     auditMap.put(OzoneConsts.BUCKET, bucket);
     try {
-      if (isAclEnabled) {
+      if (getAclsEnabled()) {
         omMetadataReader.checkAcls(ResourceType.BUCKET,
             StoreType.OZONE, ACLType.READ, volume,
             bucket, null);
@@ -3091,7 +3106,7 @@ public SnapshotInfo getSnapshotInfo(String volumeName, 
String bucketName,
       ResolvedBucket resolvedBucket = resolveBucketLink(Pair.of(volumeName, 
bucketName));
       auditMap = buildAuditMap(resolvedBucket.realVolume());
       auditMap.put(OzoneConsts.BUCKET, resolvedBucket.realBucket());
-      if (isAclEnabled) {
+      if (getAclsEnabled()) {
         omMetadataReader.checkAcls(ResourceType.BUCKET, StoreType.OZONE,
             ACLType.READ, resolvedBucket.realVolume(), 
resolvedBucket.realBucket(), null);
       }
@@ -3122,7 +3137,7 @@ public ListSnapshotResponse listSnapshot(
       ResolvedBucket resolvedBucket = resolveBucketLink(Pair.of(volumeName, 
bucketName));
       auditMap = buildAuditMap(resolvedBucket.realVolume());
       auditMap.put(OzoneConsts.BUCKET, resolvedBucket.realBucket());
-      if (isAclEnabled) {
+      if (getAclsEnabled()) {
         omMetadataReader.checkAcls(ResourceType.BUCKET, StoreType.OZONE,
             ACLType.LIST, resolvedBucket.realVolume(), 
resolvedBucket.realBucket(), null);
       }
@@ -3529,7 +3544,7 @@ public boolean triggerRangerBGSync(boolean noWait) throws 
IOException {
 
     final UserGroupInformation ugi = getRemoteUser();
     // Check Ozone admin privilege
-    if (!isAdmin(ugi)) {
+    if (isAdminAuthorizationEnabled() && !isAdmin(ugi)) {
       throw new OMException("Only Ozone admins are allowed to trigger "
           + "Ranger background sync manually", PERMISSION_DENIED);
     }
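Review bot: The guard `isAdminAuthorizationEnabled() && !isAdmin(ugi)` is written out here and again in `triggerSnapshotDefrag` and `listTenant`, while `checkAdminUserPrivilege(String operation)` in this same file now carries the identical skip-then-check logic. For the two trigger methods the message has the same shape as the helper's (`"Only Ozone admins are allowed to " + operation`), so the block could become `checkAdminUserPrivilege("trigger Ranger background sync manually");`, provided the helper throws with `PERMISSION_DENIED`; its throw statement is cut off at the hunk edge, so that needs confirming. Keeping a single copy of the gate makes it harder for a later change to update some call sites and miss others. `listTenant` also writes an audit record on failure and would keep its own branch.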
@@ -3569,7 +3584,7 @@ public boolean triggerSnapshotDefrag(boolean noWait) 
throws IOException {
 
     final UserGroupInformation ugi = getRemoteUser();
     // Check Ozone admin privilege
-    if (!isAdmin(ugi)) {
+    if (isAdminAuthorizationEnabled() && !isAdmin(ugi)) {
       throw new OMException("Only Ozone admins are allowed to trigger "
           + "snapshot defragmentation manually", PERMISSION_DENIED);
     }
@@ -3626,7 +3641,7 @@ public TenantStateList listTenant() throws IOException {
     metrics.incNumTenantLists();
 
     final UserGroupInformation ugi = getRemoteUser();
-    if (!isAdmin(ugi)) {
+    if (isAdminAuthorizationEnabled() && !isAdmin(ugi)) {
       final OMException omEx = new OMException(
           "Only Ozone admins are allowed to list tenants.", PERMISSION_DENIED);
       AUDIT.logReadFailure(buildAuditMessageForFailure(
@@ -4614,8 +4629,14 @@ public boolean isAdmin(UserGroupInformation callerUgi) {
 
   /**
    * Check ozone admin privilege, throws exception if not admin.
+   * Only checks admin privilege if authorization is enabled.
    */
   private void checkAdminUserPrivilege(String operation) throws IOException {
+    // Skip check if authorization is disabled
+    if (!isAdminAuthorizationEnabled()) {
+      return;
+    }
+    
     final UserGroupInformation ugi = getRemoteUser();
     if (!isAdmin(ugi)) {
       throw new OMException("Only Ozone admins are allowed to " + operation,
@@ -4653,7 +4674,7 @@ public ResolvedBucket resolveBucketLink(Pair<String, 
String> requested,
       OMClientRequest omClientRequest)
       throws IOException {
     OmBucketInfo resolved;
-    if (isAclEnabled) {
+    if (getAclsEnabled()) {
       resolved = resolveBucketLink(requested, new HashSet<>(),
               omClientRequest.createUGIForApi(),
               omClientRequest.getRemoteAddress(),
@@ -4669,7 +4690,7 @@ public ResolvedBucket resolveBucketLink(Pair<String, 
String> requested,
 
   public ResolvedBucket resolveBucketLink(Pair<String, String> requested,
                                           boolean allowDanglingBuckets) throws 
IOException {
-    return resolveBucketLink(requested, allowDanglingBuckets, isAclEnabled);
+    return resolveBucketLink(requested, allowDanglingBuckets, 
getAclsEnabled());
   }
 
   public ResolvedBucket resolveBucketLink(Pair<String, String> requested,
@@ -4705,7 +4726,7 @@ private OmBucketInfo resolveBucketLink(
       String hostName,
       boolean allowDanglingBuckets) throws IOException {
     return resolveBucketLink(volumeAndBucket, visited, userGroupInformation, 
remoteAddress, hostName,
-        allowDanglingBuckets, isAclEnabled);
+        allowDanglingBuckets, getAclsEnabled());
   }
 
   /**
@@ -5215,7 +5236,7 @@ public SnapshotDiffResponse snapshotDiff(String volume,
       // Updating the volumeName & bucketName in case the bucket is a linked 
bucket. We need to do this before a
       // permission check, since linked bucket permissions and source bucket 
permissions could be different.
       ResolvedBucket resolvedBucket = resolveBucketLink(Pair.of(volume, 
bucket), false);
-      if (isAclEnabled) {
+      if (getAclsEnabled()) {
         omMetadataReader.checkAcls(ResourceType.BUCKET, StoreType.OZONE,
             ACLType.READ, resolvedBucket.realVolume(), 
resolvedBucket.realBucket(), null);
       }
@@ -5252,7 +5273,7 @@ public CancelSnapshotDiffResponse 
cancelSnapshotDiff(String volume,
 
     try {
       ResolvedBucket resolvedBucket = this.resolveBucketLink(Pair.of(volume, 
bucket), false);
-      if (isAclEnabled) {
+      if (getAclsEnabled()) {
         omMetadataReader.checkAcls(ResourceType.BUCKET, StoreType.OZONE,
             ACLType.READ, resolvedBucket.realVolume(), 
resolvedBucket.realBucket(), null);
       }
@@ -5289,7 +5310,7 @@ public ListSnapshotDiffJobResponse listSnapshotDiffJobs(
 
     try {
       ResolvedBucket resolvedBucket = this.resolveBucketLink(Pair.of(volume, 
bucket), false);
-      if (isAclEnabled) {
+      if (getAclsEnabled()) {
         omMetadataReader.checkAcls(ResourceType.BUCKET, StoreType.OZONE, 
ACLType.LIST, volume, bucket, null);
       }
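Review bot: In `listSnapshotDiffJobs` the ACL check is made against the caller-supplied `volume` and `bucket` even though `resolvedBucket` has just been computed, whereas the `snapshotDiff` and `cancelSnapshotDiff` hunks above pass `resolvedBucket.realVolume()` and `resolvedBucket.realBucket()`. The comment in `snapshotDiff` notes that link and source bucket permissions can differ, so for a linked bucket this call may evaluate LIST on a different object than the one whose diff jobs are returned. Unless that is intentional, the arguments should match the siblings: `ACLType.LIST, resolvedBucket.realVolume(), resolvedBucket.realBucket(), null);`. The line predates this commit but sits inside the block being changed, and the method continues outside the hunk.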
 
diff --git 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/OzoneManagerStateMachine.java
 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/OzoneManagerStateMachine.java
index 2cd27687694..09a530ab6cc 100644
--- 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/OzoneManagerStateMachine.java
+++ 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/OzoneManagerStateMachine.java
@@ -369,7 +369,7 @@ public TransactionContext 
preAppendTransaction(TransactionContext trx)
       UserGroupInformation userGroupInformation =
           UserGroupInformation.createRemoteUser(
           request.getUserInfo().getUserName());
-      if (ozoneManager.getAclsEnabled()
+      if (ozoneManager.isAdminAuthorizationEnabled()
           && !ozoneManager.isAdmin(userGroupInformation)) {
         String message = "Access denied for user " + userGroupInformation
             + ". Superuser privilege is required to prepare 
upgrade/downgrade.";
diff --git 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketDeleteRequest.java
 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketDeleteRequest.java
index 3c5f028bb5d..deb2c8a05b3 100644
--- 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketDeleteRequest.java
+++ 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketDeleteRequest.java
@@ -126,7 +126,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager 
ozoneManager, Execut
 
       if (omBucketInfo == null) {
         LOG.debug("bucket: {} not found ", bucketName);
-        throw new OMException("Bucket not exists", BUCKET_NOT_FOUND);
+        throw new OMException("Bucket not found", BUCKET_NOT_FOUND);
       }
 
       //Check if bucket is empty
diff --git 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/snapshot/OMSnapshotCreateRequest.java
 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/snapshot/OMSnapshotCreateRequest.java
index 07a8aeed313..77858c0a50b 100644
--- 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/snapshot/OMSnapshotCreateRequest.java
+++ 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/snapshot/OMSnapshotCreateRequest.java
@@ -113,11 +113,13 @@ public OMRequest preExecute(OzoneManager ozoneManager) 
throws IOException {
     UserGroupInformation ugi = createUGIForApi();
     String bucketOwner = ozoneManager.getBucketOwner(volumeName, bucketName,
         IAccessAuthorizer.ACLType.READ, OzoneObj.ResourceType.BUCKET);
-    if (!ozoneManager.isAdmin(ugi) &&
-        !ozoneManager.isOwner(ugi, bucketOwner)) {
-      throw new OMException(
-          "Only bucket owners and Ozone admins can create snapshots",
-          OMException.ResultCodes.PERMISSION_DENIED);
+    if (ozoneManager.isAdminAuthorizationEnabled()) {
+      if (!ozoneManager.isAdmin(ugi) &&
+          !ozoneManager.isOwner(ugi, bucketOwner)) {
+        throw new OMException(
+            "Only bucket owners and Ozone admins can create snapshots",
+            OMException.ResultCodes.PERMISSION_DENIED);
+      }
     }
     // verify snapshot limit
     ozoneManager.getOmSnapshotManager().snapshotLimitCheck();
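Review bot: The added outer `if` wraps the unchanged inner `if`, pushing the throw two levels deep where a single condition reads more directly and matches the other call sites in this commit: `if (ozoneManager.isAdminAuthorizationEnabled() && !ozoneManager.isAdmin(ugi) && !ozoneManager.isOwner(ugi, bucketOwner)) {`. The same nesting is added in `OMSnapshotDeleteRequest.preExecute` and `OMSnapshotRenameRequest.preExecute`. `getBucketOwner(...)` is still called before the gate, so the owner lookup runs even when authorization is disabled and, as far as this hunk shows, its result is then unused. `preExecute` starts and ends outside the hunk.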
diff --git 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/snapshot/OMSnapshotDeleteRequest.java
 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/snapshot/OMSnapshotDeleteRequest.java
index 3f8bae61c53..9313bc815d9 100644
--- 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/snapshot/OMSnapshotDeleteRequest.java
+++ 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/snapshot/OMSnapshotDeleteRequest.java
@@ -92,11 +92,13 @@ public OMRequest preExecute(OzoneManager ozoneManager) 
throws IOException {
     UserGroupInformation ugi = createUGIForApi();
     String bucketOwner = ozoneManager.getBucketOwner(volumeName, bucketName,
         IAccessAuthorizer.ACLType.READ, OzoneObj.ResourceType.BUCKET);
-    if (!ozoneManager.isAdmin(ugi) &&
-        !ozoneManager.isOwner(ugi, bucketOwner)) {
-      throw new OMException(
-          "Only bucket owners and Ozone admins can delete snapshots",
-          OMException.ResultCodes.PERMISSION_DENIED);
+    if (ozoneManager.isAdminAuthorizationEnabled()) {
+      if (!ozoneManager.isAdmin(ugi) &&
+          !ozoneManager.isOwner(ugi, bucketOwner)) {
+        throw new OMException(
+            "Only bucket owners and Ozone admins can delete snapshots",
+            OMException.ResultCodes.PERMISSION_DENIED);
+      }
     }
 
     // Set deletion time here so OM leader and follower would have the
diff --git 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/snapshot/OMSnapshotRenameRequest.java
 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/snapshot/OMSnapshotRenameRequest.java
index 7a4cdc640dc..2d9bd5c21ab 100644
--- 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/snapshot/OMSnapshotRenameRequest.java
+++ 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/snapshot/OMSnapshotRenameRequest.java
@@ -88,11 +88,13 @@ public OMRequest preExecute(OzoneManager ozoneManager) 
throws IOException {
     UserGroupInformation ugi = createUGIForApi();
     String bucketOwner = ozoneManager.getBucketOwner(volumeName, bucketName,
                                                      
IAccessAuthorizer.ACLType.READ, OzoneObj.ResourceType.BUCKET);
-    if (!ozoneManager.isAdmin(ugi) &&
-        !ozoneManager.isOwner(ugi, bucketOwner)) {
-      throw new OMException(
-          "Only bucket owners and Ozone admins can rename snapshots",
-          OMException.ResultCodes.PERMISSION_DENIED);
+    if (ozoneManager.isAdminAuthorizationEnabled()) {
+      if (!ozoneManager.isAdmin(ugi) &&
+          !ozoneManager.isOwner(ugi, bucketOwner)) {
+        throw new OMException(
+            "Only bucket owners and Ozone admins can rename snapshots",
+            OMException.ResultCodes.PERMISSION_DENIED);
+      }
     }
 
     // Set rename time here so OM leader and follower would have the
diff --git 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/upgrade/OMCancelPrepareRequest.java
 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/upgrade/OMCancelPrepareRequest.java
index efbdf6bcd18..2a9d36940e6 100644
--- 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/upgrade/OMCancelPrepareRequest.java
+++ 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/upgrade/OMCancelPrepareRequest.java
@@ -66,7 +66,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager 
ozoneManager, Execut
 
     try {
       UserGroupInformation ugi = createUGIForApi();
-      if (ozoneManager.getAclsEnabled() && !ozoneManager.isAdmin(ugi)) {
+      if (ozoneManager.isAdminAuthorizationEnabled() && 
!ozoneManager.isAdmin(ugi)) {
         throw new OMException("Access denied for user "
             + ugi + ". " +
             "Superuser privilege is required to cancel ozone manager " +
diff --git 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/upgrade/OMFinalizeUpgradeRequest.java
 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/upgrade/OMFinalizeUpgradeRequest.java
index b37d1ee6d1d..e401af95d58 100644
--- 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/upgrade/OMFinalizeUpgradeRequest.java
+++ 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/upgrade/OMFinalizeUpgradeRequest.java
@@ -68,7 +68,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager 
ozoneManager, Execut
     Exception exception = null;
 
     try {
-      if (ozoneManager.getAclsEnabled()) {
+      if (ozoneManager.isAdminAuthorizationEnabled()) {
         UserGroupInformation ugi = createUGIForApi();
         if (!ozoneManager.isAdmin(ugi)) {
           throw new OMException("Access denied for user " + ugi + ". "
diff --git 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMQuotaRepairRequest.java
 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMQuotaRepairRequest.java
index b4c05a1263e..08b38cb2174 100644
--- 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMQuotaRepairRequest.java
+++ 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMQuotaRepairRequest.java
@@ -62,7 +62,7 @@ public OMQuotaRepairRequest(OMRequest omRequest) {
   @Override
   public OMRequest preExecute(OzoneManager ozoneManager) throws IOException {
     UserGroupInformation ugi = createUGIForApi();
-    if (ozoneManager.getAclsEnabled() && !ozoneManager.isAdmin(ugi)) {
+    if (ozoneManager.isAdminAuthorizationEnabled() && 
!ozoneManager.isAdmin(ugi)) {
       throw new OMException("Access denied for user " + ugi + ". Admin 
privilege is required for quota repair.",
           OMException.ResultCodes.ACCESS_DENIED);
     }
diff --git 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/protocolPB/OMAdminProtocolServerSideImpl.java
 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/protocolPB/OMAdminProtocolServerSideImpl.java
index 7cd3a3e3d71..8b76f6c0fe4 100644
--- 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/protocolPB/OMAdminProtocolServerSideImpl.java
+++ 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/protocolPB/OMAdminProtocolServerSideImpl.java
@@ -98,7 +98,8 @@ public DecommissionOMResponse decommission(RpcController 
controller,
     }
 
     try {
-      if (!ozoneManager.isAdmin(getRemoteUser())) {
+      if (ozoneManager.isAdminAuthorizationEnabled() &&
+          !ozoneManager.isAdmin(getRemoteUser())) {
         throw new OMException("Only administrators are authorized to perform 
decommission.", PERMISSION_DENIED);
       }
       omRatisServer.removeOMFromRatisRing(decommNode);
diff --git 
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/ratis/TestOzoneManagerStateMachine.java
 
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/ratis/TestOzoneManagerStateMachine.java
index d799556a6f9..36d7a80aeea 100644
--- 
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/ratis/TestOzoneManagerStateMachine.java
+++ 
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/ratis/TestOzoneManagerStateMachine.java
@@ -223,7 +223,7 @@ public void testPreAppendTransactionAclDenied() {
     OzoneConfiguration conf = new OzoneConfiguration();
     OzoneManagerPrepareState ps = new OzoneManagerPrepareState(conf);
     when(om.getPrepareState()).thenReturn(ps);
-    when(om.getAclsEnabled()).thenReturn(true);
+    when(om.isAdminAuthorizationEnabled()).thenReturn(true);
     when(om.isAdmin(any(UserGroupInformation.class))).thenReturn(false);
 
     OMRequest prepareRequest = OMRequest.newBuilder()
diff --git 
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/snapshot/TestOMSnapshotCreateRequest.java
 
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/snapshot/TestOMSnapshotCreateRequest.java
index 4136f4da20f..80cfba97bb8 100644
--- 
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/snapshot/TestOMSnapshotCreateRequest.java
+++ 
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/snapshot/TestOMSnapshotCreateRequest.java
@@ -144,6 +144,7 @@ public void testPreExecuteFailure(String snapshotName) {
 
   @Test
   public void testPreExecuteBadOwner() {
+    when(getOzoneManager().isAdminAuthorizationEnabled()).thenReturn(true);
     // Owner is not set for the request.
     OMRequest omRequest = createSnapshotRequest(getVolumeName(),
         getBucketName(), snapshotName1);
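Review bot: `testPreExecuteBadOwner` now stubs `isAdminAuthorizationEnabled()` to true, but none of the hunks shown here pins the opposite branch, where the stub returns false and a caller who is neither admin nor owner is let through. That is the path this commit introduces, so a companion test asserting that `preExecute` does not throw `PERMISSION_DENIED` when authorization is disabled would document the intended behaviour and catch an accidental inversion of the flag. The same applies to the delete and rename request tests. The test method continues outside the hunk.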
diff --git 
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/snapshot/TestOMSnapshotDeleteRequest.java
 
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/snapshot/TestOMSnapshotDeleteRequest.java
index 267e99829ac..d007b1ae29e 100644
--- 
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/snapshot/TestOMSnapshotDeleteRequest.java
+++ 
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/snapshot/TestOMSnapshotDeleteRequest.java
@@ -128,6 +128,8 @@ public void testPreExecuteFailure(String 
deleteSnapshotName) {
 
   @Test
   public void testPreExecuteBadOwner() {
+    when(getOzoneManager().isAdminAuthorizationEnabled()).thenReturn(true);
+
     // Owner is not set for the request.
     OMRequest omRequest = deleteSnapshotRequest(getVolumeName(),
         getBucketName(), snapshotName);
diff --git 
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/snapshot/TestOMSnapshotRenameRequest.java
 
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/snapshot/TestOMSnapshotRenameRequest.java
index 6430b9a7f50..87de986a2a1 100644
--- 
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/snapshot/TestOMSnapshotRenameRequest.java
+++ 
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/snapshot/TestOMSnapshotRenameRequest.java
@@ -138,6 +138,8 @@ public void testPreExecuteFailure(String toSnapshotName) {
 
   @Test
   public void testPreExecuteBadOwner() {
+    when(getOzoneManager().isAdminAuthorizationEnabled()).thenReturn(true);
+
     // Owner is not set for the request.
     OzoneManagerProtocolProtos.OMRequest omRequest = 
renameSnapshotRequest(getVolumeName(),
         getBucketName(), snapshotName1, snapshotName2);
diff --git 
a/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/ReconRestServletModule.java
 
b/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/ReconRestServletModule.java
index 9ec9621ed32..d3b631cac3f 100644
--- 
a/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/ReconRestServletModule.java
+++ 
b/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/ReconRestServletModule.java
@@ -17,9 +17,6 @@
 
 package org.apache.hadoop.ozone.recon;
 
-import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED;
-import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED_DEFAULT;
-
 import com.google.inject.Injector;
 import com.google.inject.Scopes;
 import com.google.inject.servlet.ServletModule;
@@ -118,9 +115,8 @@ private void addFilters(String basePath, Set<String> 
adminSubPaths) {
         LOG.debug("Added authentication filter to path {}", authPath);
       }
 
-      boolean aclEnabled = conf.getBoolean(OZONE_ACL_ENABLED,
-          OZONE_ACL_ENABLED_DEFAULT);
-      if (aclEnabled) {
+      boolean authorizationEnabled = 
OzoneSecurityUtil.isAuthorizationEnabled(conf);
+      if (authorizationEnabled) {
         for (String path: adminSubPaths) {
           String adminPath =
               UriBuilder.fromPath(basePath).path(path + 
"*").build().toString();
diff --git 
a/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/api/filters/ReconAdminFilter.java
 
b/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/api/filters/ReconAdminFilter.java
index f4ae82b7d61..5cc82f38458 100644
--- 
a/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/api/filters/ReconAdminFilter.java
+++ 
b/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/api/filters/ReconAdminFilter.java
@@ -29,6 +29,8 @@
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+import org.apache.hadoop.ozone.OzoneSecurityUtil;
 import org.apache.hadoop.ozone.recon.ReconServer;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.slf4j.Logger;
@@ -45,10 +47,12 @@ public class ReconAdminFilter implements Filter {
       LoggerFactory.getLogger(ReconAdminFilter.class);
 
   private final ReconServer reconServer;
+  private final OzoneConfiguration conf;
 
   @Inject
-  ReconAdminFilter(ReconServer reconServer) {
+  ReconAdminFilter(ReconServer reconServer, OzoneConfiguration conf) {
     this.reconServer = reconServer;
+    this.conf = conf;
   }
 
   @Override
@@ -98,6 +102,15 @@ public void doFilter(ServletRequest servletRequest,
   public void destroy() { }
 
   private boolean hasPermission(UserGroupInformation user) {
+    // Check authorization first - only check admin if authorization is enabled
+    if (!isAdminAuthorizationEnabled()) {
+      return true;  // Authorization disabled, allow all
+    }
+    
     return reconServer.isAdmin(user);
   }
+
+  private boolean isAdminAuthorizationEnabled() {
+    return OzoneSecurityUtil.isAuthorizationEnabled(conf);
+  }
 }
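Review bot: hasPermission() now returns true for every caller whenever OzoneSecurityUtil.isAuthorizationEnabled(conf) is false, and it re-evaluates the configuration on each request without recording that the admin check was skipped. Because conf is a final field, the result can be computed once in the constructor, `this.authorizationEnabled = OzoneSecurityUtil.isAuthorizationEnabled(conf);`, with a single warning through the class logger that Recon admin endpoints are not restricted to admins, so operators can see the fail-open state. ReconRestServletModule.addFilters appears to gate registration of the admin filter on the same predicate, so confirm whether this second gate is reachable at all. The comment `// Check authorization first - only check admin if authorization is enabled` would be clearer as a Javadoc on isAdminAuthorizationEnabled() stating which settings make it return false. The blank line after the guard also carries trailing whitespace.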
diff --git 
a/hadoop-ozone/recon/src/test/java/org/apache/hadoop/ozone/recon/api/filters/TestAdminFilter.java
 
b/hadoop-ozone/recon/src/test/java/org/apache/hadoop/ozone/recon/api/filters/TestAdminFilter.java
index c8c8797b198..75e06a00789 100644
--- 
a/hadoop-ozone/recon/src/test/java/org/apache/hadoop/ozone/recon/api/filters/TestAdminFilter.java
+++ 
b/hadoop-ozone/recon/src/test/java/org/apache/hadoop/ozone/recon/api/filters/TestAdminFilter.java
@@ -198,6 +198,7 @@ public void 
testAdminFilterStarterUserPlusConfiguredAdmins() throws Exception {
 
   private void testAdminFilterWithPrincipal(OzoneConfiguration conf,
       String principalToUse, boolean shouldPass) throws Exception {
+    conf.setBoolean(OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY, true);
     ReconServer mockReconServer = createMockReconServer(conf);
 
     Principal mockPrincipal = mock(Principal.class);
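Review bot: Forcing `OZONE_SECURITY_ENABLED_KEY` to true inside testAdminFilterWithPrincipal means every test that goes through this helper runs with security on, so the new branch in ReconAdminFilter.hasPermission() that returns true when authorization is disabled has no coverage in the visible changes. Add a case that leaves authorization disabled, uses a non-admin principal, and verifies that `mockFilterChain.doFilter(mockRequest, mockResponse)` is still invoked, so a later change to that bypass is caught. The helper also overwrites whatever the caller set for this key; setting it in the callers or passing it as a parameter would keep the helper usable for both modes. The helper's body continues outside the hunk.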
@@ -208,7 +209,7 @@ private void 
testAdminFilterWithPrincipal(OzoneConfiguration conf,
     HttpServletResponse mockResponse = mock(HttpServletResponse.class);
     FilterChain mockFilterChain = mock(FilterChain.class);
 
-    ReconAdminFilter filter = new ReconAdminFilter(mockReconServer);
+    ReconAdminFilter filter = new ReconAdminFilter(mockReconServer, conf);
     filter.init(null);
     filter.doFilter(mockRequest, mockResponse, mockFilterChain);
 
diff --git 
a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3secret/S3SecretAdminFilter.java
 
b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3secret/S3SecretAdminFilter.java
index 0130f31e9dd..889f466e7df 100644
--- 
a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3secret/S3SecretAdminFilter.java
+++ 
b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3secret/S3SecretAdminFilter.java
@@ -27,6 +27,7 @@
 import javax.ws.rs.ext.Provider;
 import org.apache.hadoop.hdds.conf.OzoneConfiguration;
 import org.apache.hadoop.hdds.server.OzoneAdmins;
+import org.apache.hadoop.ozone.OzoneSecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 
 /**
@@ -46,6 +47,11 @@ public class S3SecretAdminFilter implements 
ContainerRequestFilter {
 
   @Override
   public void filter(ContainerRequestContext requestContext) throws 
IOException {
+    // Skip check if authorization is disabled
+    if (!OzoneSecurityUtil.isAuthorizationEnabled(conf)) {
+      return;
+    }
+    
     final Principal userPrincipal = 
requestContext.getSecurityContext().getUserPrincipal();
     if (null != userPrincipal) {
       UserGroupInformation user = 
UserGroupInformation.createRemoteUser(userPrincipal.getName());
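Review bot: The early return at the top of filter() lets every request through when OzoneSecurityUtil.isAuthorizationEnabled(conf) is false, before the user principal is even looked up, and nothing is logged. Judging by the class name this filter guards S3 secret administration, so the skip should be visible to operators: log it once at startup or at debug level per request, and expand `// Skip check if authorization is disabled` to name the configuration that controls it. ReconAdminFilter wraps the same predicate in a private isAdminAuthorizationEnabled() helper while this class calls it inline; pick one form for both filters. The line after the guard's closing brace carries trailing whitespace, and filter() continues outside the hunk.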

