ss77892 commented on PR #9045:
URL: https://github.com/apache/ozone/pull/9045#issuecomment-3308948551
> For example, we can set only one node to have "ozone.administrators" set
so that only operation on that node will succeed. We then send an OM request
and ensure that all 3 nodes either accept it (if the "ozone.administrators" is
set in OM leader) or reject it (if the "ozone.administrators" is not set in OM
leader). We can compare the OM DB between the OM nodes. You can take a look at
`OzoneAdmins` usage in `OzoneManager`.
That's what I have checked:
3 nodes (o1,o2,o3), o1 is the default leader. The only node that has
"ozone.administrators" is o1:
```
[root@o1 ~]# grep -1 ozone.administrator /opt/ozone/ozone-2.1.0-SNAPSHOT/etc/hadoop/ozone-site.xml
<property>
<name>ozone.administrators</name>
<value>testuser</value>
----
[root@o2 ~]# grep -1 ozone.administrator /opt/ozone/ozone-2.1.0-SNAPSHOT/etc/hadoop/ozone-site.xml
[root@o2 ~]#
-----
[root@o3 ~]# grep -1 ozone.administrator /opt/ozone/ozone-2.1.0-SNAPSHOT/etc/hadoop/ozone-site.xml
[root@o3 ~]#
```
Now check that the vol2 is created successfully:
```
[testuser@o1 root]$ /usr/local/bin/ozone sh volume create /vol2/
2025-09-18 17:46:06,324 WARN util.NativeCodeLoader: Unable to load
native-hadoop library for your platform... using builtin-java classes where
applicable
2025-09-18 17:46:06,623 INFO rpc.RpcClient: Creating Volume: vol2, with
testuser as owner and space quota set to -1 bytes, counts quota set to -1
```
Now stop OM leader and confirm that the service has been stopped:
```
[root@o1 ~]# service ozone-om stop
Redirecting to /bin/systemctl stop ozone-om.service
[root@o1 ~]# service ozone-om status
Redirecting to /bin/systemctl status ozone-om.service
● ozone-om.service - Ozone OM Service
Active: failed (Result: exit-code) since Thu 2025-09-18 17:47:35 UTC;
12min ago
Process: 10442 ExecStop=/opt/ozone/ozone-2.1.0-SNAPSHOT/bin/ozone --daemon
stop om (code=exited, status=0/SUCCESS)
Main PID: 6500 (code=exited, status=143)
....
Sep 18 17:47:35 o1 systemd[1]: Stopped Ozone OM Service.
```
Creation of a new volume should fail now because the leader has been changed
to another node:
```
[testuser@o1 root]$ /usr/local/bin/ozone sh volume create /vol3
2025-09-18 18:01:56,659 WARN util.NativeCodeLoader: Unable to load
native-hadoop library for your platform... using builtin-java classes where
applicable
2025-09-18 18:01:56,961 INFO rpc.RpcClient: Creating Volume: vol3, with
testuser as owner and space quota set to -1 bytes, counts quota set to -1
PERMISSION_DENIED User testuser doesn't have CREATE permission to access
volume Volume:vol3
```
Validate the audit logs for vol2/vol3 entries:
o1:
```
2025-09-18 17:46:06,665 | INFO | OMAudit | user=testuser | ip=10.88.252.12
| op=CREATE_VOLUME
{"admin":"testuser","owner":"testuser","volume":"vol2","creationTime":"1758217566626","modificationTime":"1758217566626","quotaInBytes":"-1","quotaInNamespace":"-1","usedNamespace":"0","objectID":"-9223372036854774528","updateID":"5","Transaction":"5"}
| ret=SUCCESS |
```
o2:
```
2025-09-18 17:46:09,199 | INFO | OMAudit | user=testuser | ip=10.88.252.12
| op=CREATE_VOLUME
{"admin":"testuser","owner":"testuser","volume":"vol2","creationTime":"1758217566626","modificationTime":"1758217566626","quotaInBytes":"-1","quotaInNamespace":"-1","usedNamespace":"0","objectID":"-9223372036854774528","updateID":"5","Transaction":"5"}
| ret=SUCCESS |
2025-09-18 18:01:56,964 | ERROR | OMAudit | user=testuser | ip=10.88.252.12
| op=CREATE_VOLUME {"volume":"vol3"} | ret=FAILURE |
org.apache.hadoop.ozone.om.exceptions.OMException: User testuser doesn't
have CREATE permission to access volume Volume:vol3
```
o3:
```
2025-09-18 17:46:09,198 | INFO | OMAudit | user=testuser | ip=10.88.252.12
| op=CREATE_VOLUME
{"admin":"testuser","owner":"testuser","volume":"vol2","creationTime":"1758217566626","modificationTime":"1758217566626","quotaInBytes":"-1","quotaInNamespace":"-1","usedNamespace":"0","objectID":"-9223372036854774528","updateID":"5","Transaction":"5"}
| ret=SUCCESS |
```
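The cross-node audit comparison the comment describes (the accepted CREATE_VOLUME shows up on all three OMs with the same objectID/updateID/Transaction, while the rejected one is audited only on the node that made the authorization decision) can be scripted. The following is an added Python example, not code from the PR or the commenter's own tooling. The sample audit lines are constructed from the entries quoted above; the rule that a rejected request is audited on exactly one node is taken from this run's observed behaviour and is an assumption of the check, not a guarantee stated on the page.

```python
import json
import re
from collections import defaultdict

# Constructed sample: the OMAudit lines quoted in the comment, one list per OM node.
VOL2_PARAMS = ('{"admin":"testuser","owner":"testuser","volume":"vol2",'
               '"creationTime":"1758217566626","modificationTime":"1758217566626",'
               '"quotaInBytes":"-1","quotaInNamespace":"-1","usedNamespace":"0",'
               '"objectID":"-9223372036854774528","updateID":"5","Transaction":"5"}')
SAMPLE_LOGS = {
    "o1": [
        "2025-09-18 17:46:06,665 | INFO | OMAudit | user=testuser | ip=10.88.252.12 "
        "| op=CREATE_VOLUME " + VOL2_PARAMS + " | ret=SUCCESS | ",
    ],
    "o2": [
        "2025-09-18 17:46:09,199 | INFO | OMAudit | user=testuser | ip=10.88.252.12 "
        "| op=CREATE_VOLUME " + VOL2_PARAMS + " | ret=SUCCESS | ",
        "2025-09-18 18:01:56,964 | ERROR | OMAudit | user=testuser | ip=10.88.252.12 "
        '| op=CREATE_VOLUME {"volume":"vol3"} | ret=FAILURE | '
        "org.apache.hadoop.ozone.om.exceptions.OMException: User testuser doesn't "
        "have CREATE permission to access volume Volume:vol3",
    ],
    "o3": [
        "2025-09-18 17:46:09,198 | INFO | OMAudit | user=testuser | ip=10.88.252.12 "
        "| op=CREATE_VOLUME " + VOL2_PARAMS + " | ret=SUCCESS | ",
    ],
}

# Field layout of an OMAudit line as it appears in the quoted output.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \| (?P<level>\w+) \| OMAudit \| user=(?P<user>\S+) "
    r"\| ip=(?P<ip>\S+) \| op=(?P<op>\w+) (?P<params>\{.*?\}) "
    r"\| ret=(?P<ret>\w+) \|\s*(?P<err>.*)$"
)

# Fields that must agree across nodes once a transaction has been replicated.
REPLICATED_FIELDS = ("objectID", "updateID", "Transaction")


def parse_audit_line(line):
    """Split one OMAudit line into a dict; the op parameters are decoded from JSON."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised OMAudit line: " + line)
    entry = m.groupdict()
    entry["params"] = json.loads(entry["params"])
    return entry


def check_replication(logs_by_node):
    """Compare audit entries across OM nodes. Returns a list of findings; empty means consistent.

    Rules (assumptions derived from the run quoted above):
      * a SUCCESS for (op, volume) must appear on every node with identical
        REPLICATED_FIELDS, because followers apply the same replicated transaction;
      * a FAILURE for (op, volume) must not coexist with a SUCCESS anywhere, and must
        appear on exactly one node (the one that rejected it), since it was never replicated.
    """
    nodes = sorted(logs_by_node)
    by_key = defaultdict(lambda: defaultdict(list))  # (op, volume) -> node -> entries
    for node, lines in logs_by_node.items():
        for line in lines:
            e = parse_audit_line(line)
            by_key[(e["op"], e["params"].get("volume"))][node].append(e)

    findings = []
    for key, per_node in sorted(by_key.items()):
        ok = {n: [e for e in es if e["ret"] == "SUCCESS"] for n, es in per_node.items()}
        bad = {n: [e for e in es if e["ret"] == "FAILURE"] for n, es in per_node.items()}
        if any(ok.values()) and any(bad.values()):
            findings.append(f"{key}: both SUCCESS and FAILURE recorded across nodes")
        if any(ok.values()):
            missing = [n for n in nodes if not ok.get(n)]
            if missing:
                findings.append(f"{key}: SUCCESS missing on {missing}")
            sigs = {n: tuple(es[0]["params"].get(f) for f in REPLICATED_FIELDS)
                    for n, es in ok.items() if es}
            if len(set(sigs.values())) > 1:
                findings.append(f"{key}: replicated fields differ: {sigs}")
        elif any(bad.values()):
            rejecting = [n for n in nodes if bad.get(n)]
            if len(rejecting) != 1:
                findings.append(f"{key}: FAILURE on {rejecting}, expected exactly one node")
    return findings


if __name__ == "__main__":
    for f in check_replication(SAMPLE_LOGS) or ["audit logs consistent across OM nodes"]:
        print(f)
```

Run it against the real files by replacing SAMPLE_LOGS with the OMAudit lines collected from each node (for example, grep for CREATE_VOLUME in each OM's audit log); any finding points at a transaction the leader and followers recorded differently, which is exactly the divergence the reviewer asked to rule out.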