adoroszlai commented on a change in pull request #2254:
URL: https://github.com/apache/ozone/pull/2254#discussion_r637420157



##########
File path: hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/token/BlockTokenVerifier.java
##########
@@ -77,21 +75,20 @@ protected Object getService(ContainerCommandRequestProto 
cmd) {
 
   @Override
   protected void verify(OzoneBlockTokenIdentifier tokenId,
-      ContainerCommandRequestProto cmd) throws SCMSecurityException {
+      ContainerCommandRequestProtoOrBuilder cmd) throws SCMSecurityException {
 
-    ContainerProtos.Type type = cmd.getCmdType();
-    if (type == ReadChunk || type == GetBlock || type == GetSmallFile) {
-      if (!tokenId.getAccessModes().contains(READ)) {
-        throw new BlockTokenException("Block token with " + 
tokenId.getService()
-            + " doesn't have READ permission");
-      }
-    } else if (type == WriteChunk || type == PutBlock || type == PutSmallFile) 
{
-      if (!tokenId.getAccessModes().contains(WRITE)) {
-        throw new BlockTokenException("Block token with " + 
tokenId.getService()
-            + " doesn't have WRITE permission");
-      }
+    HddsProtos.BlockTokenSecretProto.AccessModeProto accessMode;
+    if (HddsUtils.isReadOnly(cmd)) {
+      accessMode = READ;
+    } else if (cmd.getCmdType() == DeleteBlock ||
+        cmd.getCmdType() == DeleteChunk) {
+      accessMode = DELETE;
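
Review bot: the first branch of the new if delegates the READ decision to HddsUtils.isReadOnly(cmd), so verify() no longer states which command types need only READ; the removed code named ReadChunk, GetBlock and GetSmallFile explicitly. Because this mapping is the authorization decision, please add a unit test that pins the required access mode per command type (at least those three for READ, and DeleteBlock and DeleteChunk for DELETE), so that a later change to isReadOnly cannot silently change which token mode a command requires. Minor: cmd.getCmdType() is read twice in the else-if, where the old code kept it in a local (ContainerProtos.Type type = cmd.getCmdType();); keeping the local would read more easily.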

Review comment:
       I do not _plan_ to work on the debug CLI.  Maybe someone will find that 
useful to take initiative.  But checking for the token still prevents a user from 
sending such a command without auth.
   
   Regarding the further change I mentioned, I opened 
[HDDS-5264](https://issues.apache.org/jira/browse/HDDS-5264) and submitted 
another PR.  It turned out to be quite separate from this one, so on second 
thought I wanted to avoid mixing the two.



