ss77892 opened a new pull request, #10330: URL: https://github.com/apache/ozone/pull/10330
## Summary - Move ACL authorization checks for **key** bulk operations (`DeleteKeys`, `RenameKeys`) from `validateAndUpdateCache` to `preExecute` - Move ACL checks for key and prefix ACL operations (`OMKeyAclRequest`, `OMKeyAclRequestWithFSO`, `OMPrefixAclRequest`, and FSO add/remove/set variants) from `validateAndUpdateCache` to `preExecute` - For bulk operations, keys denied by ACL are collected in new proto fields (`aclDeniedKeys` / `aclDeniedRenameKeys`) and removed from the batch, so permitted keys in the same request can still be processed - Proto: add `aclDeniedKeys` to `DeleteKeyArgs` and `aclDeniedRenameKeys` to `RenameKeysArgs` ## Motivation When ACL enforcement happens inside `validateAndUpdateCache`, the request has already been written to the Ratis log on all OM peers. Moving the check to `preExecute` (which runs only on the leader, before log submission) prevents unauthorized requests from polluting the log and ensures consistent ACL rejection across HA leader changes. ## Test plan - [ ] Unit tests pass for key/prefix request handlers - [ ] Integration test `TestOMHALeaderSpecificACLEnforcement` covers key operations (in a follow-up PR) ## Related Part of HDDS-13855. See also: - Volume requests (separate PR) - Bucket requests (separate PR) Made with [Cursor](https://cursor.com) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
