elek commented on a change in pull request #1801:
URL: https://github.com/apache/ozone/pull/1801#discussion_r565224509
##########
File path:
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMDBCheckpointServlet.java
##########
@@ -106,6 +132,37 @@ public void doGet(HttpServletRequest request,
HttpServletResponse response) {
return;
}
+ // Check ACL for dbCheckpoint only when global Ozone ACL is enable
+ if (om.getAclsEnabled()) {
+ final String remoteUser = request.getRemoteUser();
+ final java.security.Principal userPrincipal = request.getUserPrincipal();
+ if (userPrincipal == null) {
+ // Fallback to checking login user if userPrincipal is null.
+ // Note: In prod, a secure cluster would deploy Kerberos so this case
Review comment:
Kerberos may or may not be used for web endpoints in secure cluster.
There are multiple `AuthenticationHandler` which can be configured. Are you
sure that userPrincipal can never be null in real case? Based on the Javadoc of
`HttpServletRequest` `null` means un-authenticated. Wouldn't be more safe to
update the unit test instead of doing this check in the production code?
Is there any unit test which require this branch?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@ozone.apache.org
For additional commands, e-mail: issues-h...@ozone.apache.org
