ss77892 opened a new pull request, #10328: URL: https://github.com/apache/ozone/pull/10328
## Summary - Move ACL authorization checks for **volume** operations (`DeleteVolume`, `SetVolumeOwner`, `SetVolumeQuota`) from `validateAndUpdateCache` to `preExecute` - Move ACL checks for volume ACL operations (`AddAcl`, `RemoveAcl`, `SetAcl`) from `validateAndUpdateCache` to `preExecute` - Add audit logging for preExecute ACL failures so rejections are recorded even before the Ratis log entry is written ## Motivation When ACL enforcement happens inside `validateAndUpdateCache`, the request has already been written to the Ratis log on all OM peers. Moving the check to `preExecute` (which runs only on the leader, before log submission) prevents unauthorized requests from polluting the log and ensures consistent ACL rejection across HA leader changes. ## Test plan - [ ] Unit tests pass for volume request handlers - [ ] Integration test `TestOMHALeaderSpecificACLEnforcement` covers volume operations (in a follow-up PR) ## Related Part of HDDS-13855. See also: - Bucket requests (separate PR) - Key + Prefix requests (separate PR) Made with [Cursor](https://cursor.com) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
