[GitHub] [ozone] elek commented on a change in pull request #1801: HDDS-4704. Add permission check in OMDBCheckpointServlet

GitBox Wed, 27 Jan 2021 03:19:05 -0800


elek commented on a change in pull request #1801:
URL: https://github.com/apache/ozone/pull/1801#discussion_r565226595




##########
File path: 
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMDBCheckpointServlet.java
##########
@@ -84,11 +88,33 @@ public void init() throws ServletException {
         OMConfigKeys.OZONE_DB_CHECKPOINT_TRANSFER_RATE_KEY,
         OMConfigKeys.OZONE_DB_CHECKPOINT_TRANSFER_RATE_DEFAULT);
 
+    // TODO: Add servlet
+//    getServletContext().addServlet(OMDBCheckpointAuthorizedServlet);
+
     if (transferBandwidth > 0) {
       throttler = new DataTransferThrottler(transferBandwidth);
     }
   }
 
+  private boolean checkAcls(String username) {

Review comment:
       NIT: For me the name is confusing. We check the admin permission not the 
ACLs. (But it's just a personal opinion)

##########
File path: 
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMDBCheckpointServlet.java
##########
@@ -106,6 +132,37 @@ public void doGet(HttpServletRequest request, 
HttpServletResponse response) {
       return;
     }
 
+    // Check ACL for dbCheckpoint only when global Ozone ACL is enable
+    if (om.getAclsEnabled()) {
+      final String remoteUser = request.getRemoteUser();
+      final java.security.Principal userPrincipal = request.getUserPrincipal();
+      if (userPrincipal == null) {
+        // Fallback to checking login user if userPrincipal is null.
+        // Note: In prod, a secure cluster would deploy Kerberos so this case

Review comment:
       Kerberos may or may not be used for web endpoints in secure cluster. 
There are multiple `AuthenticationHandler` which can be configured. Are you 
sure that userPrincipal can never be null in real case? Based on the Javadoc of 
`HttpServletRequest` `null` means un-authenticated. Wouldn't be more safe to 
update the unit test instead of doing this check in the producation code?
   
   Is there any unit test which request this branch?

##########
File path: 
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMDBCheckpointServlet.java
##########
@@ -106,6 +132,37 @@ public void doGet(HttpServletRequest request, 
HttpServletResponse response) {
       return;
     }
 
+    // Check ACL for dbCheckpoint only when global Ozone ACL is enable
+    if (om.getAclsEnabled()) {
+      final String remoteUser = request.getRemoteUser();
+      final java.security.Principal userPrincipal = request.getUserPrincipal();
+      if (userPrincipal == null) {
+        // Fallback to checking login user if userPrincipal is null.
+        // Note: In prod, a secure cluster would deploy Kerberos so this case
+        // shouldn't be hit. This is here for UT and dev testing.
+        if (!checkAcls(remoteUser)) {
+          LOG.error("Permission denied: Current login user '{}' has not been "
+              + "authenticated to access /dbCheckpoint.", remoteUser);
+          response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+          return;
+        } else {
+          LOG.info("Granted login user '{}' access to /dbCheckpoint.",
+              remoteUser);
+        }
+      } else {
+        final String userPrincipalName = userPrincipal.getName();
+        if (!checkAcls(userPrincipalName)) {
+          LOG.error("Permission denied: User principal '{}' doesn't have the "
+              + "permission to access /dbCheckpoint.", userPrincipalName);
+          response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+          return;
+        } else {
+          LOG.info("Granted user principal '{}' access to /dbCheckpoint.",

Review comment:
       I am not sure if we need this info level log. If you think it's required 
for security, we can add audit log event.

##########
File path: 
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMDBCheckpointServlet.java
##########
@@ -84,11 +88,33 @@ public void init() throws ServletException {
         OMConfigKeys.OZONE_DB_CHECKPOINT_TRANSFER_RATE_KEY,
         OMConfigKeys.OZONE_DB_CHECKPOINT_TRANSFER_RATE_DEFAULT);
 
+    // TODO: Add servlet

Review comment:
       Do we need this?




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@ozone.apache.org
For additional commands, e-mail: issues-h...@ozone.apache.org

[GitHub] [ozone] elek commented on a change in pull request #1801: HDDS-4704. Add permission check in OMDBCheckpointServlet

Reply via email to