sarvekshayr commented on code in PR #9653:
URL: https://github.com/apache/ozone/pull/9653#discussion_r3264156986
##########
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeysDeleteRequest.java:
##########
@@ -88,6 +88,64 @@ public OMKeysDeleteRequest(OMRequest omRequest, BucketLayout
bucketLayout) {
super(omRequest, bucketLayout);
}
+ @Override
+ public OMRequest preExecute(OzoneManager ozoneManager) throws IOException {
+ super.preExecute(ozoneManager);
+
+ DeleteKeysRequest deleteKeysRequest =
getOmRequest().getDeleteKeysRequest();
+ DeleteKeyArgs deleteKeyArgs = deleteKeysRequest.getDeleteKeys();
+
+ String volumeName = deleteKeyArgs.getVolumeName();
+ String bucketName = deleteKeyArgs.getBucketName();
+ List<String> keys = deleteKeyArgs.getKeysList();
+
+ // Resolve bucket link
+ ResolvedBucket resolvedBucketObj = ozoneManager.resolveBucketLink(
+ Pair.of(volumeName, bucketName));
+ String resolvedVolume = resolvedBucketObj.realVolume();
+ String resolvedBucket = resolvedBucketObj.realBucket();
+
+ // ACL check during preExecute - filter out keys that fail ACL check
+ List<String> keysPassingAcl = new ArrayList<>();
+ if (ozoneManager.getAclsEnabled()) {
+ for (String keyName : keys) {
+ try {
+ checkKeyAcls(ozoneManager, resolvedVolume, resolvedBucket, keyName,
+ IAccessAuthorizer.ACLType.DELETE, OzoneObj.ResourceType.KEY);
+ keysPassingAcl.add(keyName);
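Review bot: the DELETE check in preExecute authorizes each key against the resolvedVolume and resolvedBucket returned by ozoneManager.resolveBucketLink at this point, but the keys are deleted later, when the request is applied in validateAndUpdateCache. If the link is resolved again there, a bucket link re-pointed between the two steps would have keys authorized against one bucket and deleted from another. Suggest carrying the resolved pair in the OMRequest that preExecute returns and having validateAndUpdateCache verify the link still resolves to that pair before deleting. Also, in the visible lines keysPassingAcl is filled only inside the if (ozoneManager.getAclsEnabled()) branch, so it is worth confirming that the ACLs-disabled path passes the full keys list through rather than an empty one.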
Review Comment:
Clients that rely solely on OM delete-keys response fields may no longer see
per-key ACL denials, which weakens observable failure semantics even though
audit may still capture them. This needs to be addressed.
##########
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeysDeleteRequest.java:
##########
@@ -166,25 +224,11 @@ public OMClientResponse
validateAndUpdateCache(OzoneManager ozoneManager, Execut
continue;
}
- try {
- // check Acl
- long startNanosDeleteKeysAclCheckLatency = Time.monotonicNowNanos();
- checkKeyAcls(ozoneManager, volumeName, bucketName, keyName,
- IAccessAuthorizer.ACLType.DELETE, OzoneObj.ResourceType.KEY,
- volumeOwner);
- perfMetrics.setDeleteKeysAclCheckLatencyNs(Time.monotonicNowNanos()
- startNanosDeleteKeysAclCheckLatency);
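Review bot: the removed checkKeyAcls call passed volumeOwner as its last argument, while the replacement call added in preExecute uses the six-argument form without it. Please confirm that the shorter overload evaluates owner-based access the same way, or pass the volume owner explicitly in preExecute, so that moving the check does not change which callers are allowed to delete a key.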
Review Comment:
The `deleteKeysAclCheckLatencyNs` metric is no longer updated after moving the
ACL check out of `validateAndUpdateCache()`. Let's restore the metric in
`OMKeysDeleteRequest.preExecute()`.