[GitHub] [hadoop] dchitlangia commented on a change in pull request #1204: HDDS-1768. Audit xxxAcl methods in OzoneManager
dchitlangia commented on a change in pull request #1204: HDDS-1768. Audit xxxAcl methods in OzoneManager URL: https://github.com/apache/hadoop/pull/1204#discussion_r313704529 ## File path: hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClientForAclAuditLog.java ## @@ -0,0 +1,268 @@ +package org.apache.hadoop.ozone.client.rpc; + +import org.apache.commons.io.FileUtils; +import org.apache.commons.lang3.RandomStringUtils; +import org.apache.hadoop.hdds.conf.OzoneConfiguration; +import org.apache.hadoop.hdds.scm.protocolPB.StorageContainerLocationProtocolClientSideTranslatorPB; +import org.apache.hadoop.ozone.MiniOzoneCluster; +import org.apache.hadoop.ozone.OzoneAcl; +import org.apache.hadoop.ozone.audit.AuditEventStatus; +import org.apache.hadoop.ozone.audit.OMAction; +import org.apache.hadoop.ozone.client.ObjectStore; +import org.apache.hadoop.ozone.client.OzoneClient; +import org.apache.hadoop.ozone.client.OzoneClientFactory; +import org.apache.hadoop.ozone.client.OzoneVolume; +import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; +import org.apache.hadoop.ozone.security.acl.OzoneObj; +import org.apache.hadoop.ozone.security.acl.OzoneObjInfo; +import org.apache.hadoop.security.UserGroupInformation; +import org.junit.AfterClass; +import org.junit.Assert; +import org.junit.BeforeClass; +import org.junit.FixMethodOrder; +import org.junit.Test; +import org.junit.runners.MethodSorters; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.File; +import java.io.IOException; +import java.util.ArrayList; +import java.util.List; +import java.util.UUID; + +import static org.apache.hadoop.ozone.OzoneAcl.AclScope.ACCESS; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS_NATIVE; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS_WILDCARD; +import static org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.VOLUME; +import static org.apache.hadoop.ozone.security.acl.OzoneObj.StoreType.OZONE; +import static org.junit.Assert.assertTrue; + +/** + * This class is to test audit logs for xxxACL APIs of Ozone Client. + */ +@FixMethodOrder(MethodSorters.NAME_ASCENDING) +public class TestOzoneRpcClientForAclAuditLog { + + static final Logger LOG = + LoggerFactory.getLogger(TestOzoneRpcClientForAclAuditLog.class); + private static UserGroupInformation ugi; + private static final OzoneAcl USER_ACL = + new OzoneAcl(IAccessAuthorizer.ACLIdentityType.USER, + "johndoe", IAccessAuthorizer.ACLType.ALL, ACCESS); + private static final OzoneAcl USER_ACL_2 = + new OzoneAcl(IAccessAuthorizer.ACLIdentityType.USER, + "jane", IAccessAuthorizer.ACLType.ALL, ACCESS); + private static List aclListToAdd = new ArrayList<>(); + private static MiniOzoneCluster cluster = null; + private static OzoneClient ozClient = null; + private static ObjectStore store = null; + private static StorageContainerLocationProtocolClientSideTranslatorPB + storageContainerLocationClient; + private static String scmId = UUID.randomUUID().toString(); + + + /** + * Create a MiniOzoneCluster for testing. + * + * Ozone is made active by setting OZONE_ENABLED = true + * + * @throws IOException + */ + @BeforeClass + public static void init() throws Exception { +System.setProperty("log4j.configurationFile", "log4j2.properties"); +ugi = UserGroupInformation.getCurrentUser(); +OzoneConfiguration conf = new OzoneConfiguration(); +conf.setBoolean(OZONE_ACL_ENABLED, true); +conf.set(OZONE_ADMINISTRATORS, OZONE_ADMINISTRATORS_WILDCARD); +conf.set(OZONE_ACL_AUTHORIZER_CLASS, +OZONE_ACL_AUTHORIZER_CLASS_NATIVE); +startCluster(conf); +aclListToAdd.add(USER_ACL); +aclListToAdd.add(USER_ACL_2); + } + + private /** Review comment: Done. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[GitHub] [hadoop] dchitlangia commented on a change in pull request #1204: HDDS-1768. Audit xxxAcl methods in OzoneManager
dchitlangia commented on a change in pull request #1204: HDDS-1768. Audit xxxAcl methods in OzoneManager URL: https://github.com/apache/hadoop/pull/1204#discussion_r313704529 ## File path: hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClientForAclAuditLog.java ## @@ -0,0 +1,268 @@ +package org.apache.hadoop.ozone.client.rpc; + +import org.apache.commons.io.FileUtils; +import org.apache.commons.lang3.RandomStringUtils; +import org.apache.hadoop.hdds.conf.OzoneConfiguration; +import org.apache.hadoop.hdds.scm.protocolPB.StorageContainerLocationProtocolClientSideTranslatorPB; +import org.apache.hadoop.ozone.MiniOzoneCluster; +import org.apache.hadoop.ozone.OzoneAcl; +import org.apache.hadoop.ozone.audit.AuditEventStatus; +import org.apache.hadoop.ozone.audit.OMAction; +import org.apache.hadoop.ozone.client.ObjectStore; +import org.apache.hadoop.ozone.client.OzoneClient; +import org.apache.hadoop.ozone.client.OzoneClientFactory; +import org.apache.hadoop.ozone.client.OzoneVolume; +import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; +import org.apache.hadoop.ozone.security.acl.OzoneObj; +import org.apache.hadoop.ozone.security.acl.OzoneObjInfo; +import org.apache.hadoop.security.UserGroupInformation; +import org.junit.AfterClass; +import org.junit.Assert; +import org.junit.BeforeClass; +import org.junit.FixMethodOrder; +import org.junit.Test; +import org.junit.runners.MethodSorters; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.File; +import java.io.IOException; +import java.util.ArrayList; +import java.util.List; +import java.util.UUID; + +import static org.apache.hadoop.ozone.OzoneAcl.AclScope.ACCESS; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS_NATIVE; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS_WILDCARD; +import static org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.VOLUME; +import static org.apache.hadoop.ozone.security.acl.OzoneObj.StoreType.OZONE; +import static org.junit.Assert.assertTrue; + +/** + * This class is to test audit logs for xxxACL APIs of Ozone Client. + */ +@FixMethodOrder(MethodSorters.NAME_ASCENDING) +public class TestOzoneRpcClientForAclAuditLog { + + static final Logger LOG = + LoggerFactory.getLogger(TestOzoneRpcClientForAclAuditLog.class); + private static UserGroupInformation ugi; + private static final OzoneAcl USER_ACL = + new OzoneAcl(IAccessAuthorizer.ACLIdentityType.USER, + "johndoe", IAccessAuthorizer.ACLType.ALL, ACCESS); + private static final OzoneAcl USER_ACL_2 = + new OzoneAcl(IAccessAuthorizer.ACLIdentityType.USER, + "jane", IAccessAuthorizer.ACLType.ALL, ACCESS); + private static List aclListToAdd = new ArrayList<>(); + private static MiniOzoneCluster cluster = null; + private static OzoneClient ozClient = null; + private static ObjectStore store = null; + private static StorageContainerLocationProtocolClientSideTranslatorPB + storageContainerLocationClient; + private static String scmId = UUID.randomUUID().toString(); + + + /** + * Create a MiniOzoneCluster for testing. + * + * Ozone is made active by setting OZONE_ENABLED = true + * + * @throws IOException + */ + @BeforeClass + public static void init() throws Exception { +System.setProperty("log4j.configurationFile", "log4j2.properties"); +ugi = UserGroupInformation.getCurrentUser(); +OzoneConfiguration conf = new OzoneConfiguration(); +conf.setBoolean(OZONE_ACL_ENABLED, true); +conf.set(OZONE_ADMINISTRATORS, OZONE_ADMINISTRATORS_WILDCARD); +conf.set(OZONE_ACL_AUTHORIZER_CLASS, +OZONE_ACL_AUTHORIZER_CLASS_NATIVE); +startCluster(conf); +aclListToAdd.add(USER_ACL); +aclListToAdd.add(USER_ACL_2); + } + + private /** Review comment: Done. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[GitHub] [hadoop] dchitlangia commented on a change in pull request #1204: HDDS-1768. Audit xxxAcl methods in OzoneManager
dchitlangia commented on a change in pull request #1204: HDDS-1768. Audit xxxAcl methods in OzoneManager URL: https://github.com/apache/hadoop/pull/1204#discussion_r313697013 ## File path: hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java ## @@ -2999,23 +3016,36 @@ public OmKeyInfo lookupFile(OmKeyArgs args) throws IOException { */ @Override public boolean addAcl(OzoneObj obj, OzoneAcl acl) throws IOException { -if(isAclEnabled) { - checkAcls(obj.getResourceType(), obj.getStoreType(), ACLType.WRITE_ACL, - obj.getVolumeName(), obj.getBucketName(), obj.getKeyName()); -} -// TODO: Audit ACL operation. -switch (obj.getResourceType()) { -case VOLUME: - return volumeManager.addAcl(obj, acl); -case BUCKET: - return bucketManager.addAcl(obj, acl); -case KEY: - return keyManager.addAcl(obj, acl); -case PREFIX: - return prefixManager.addAcl(obj, acl); -default: - throw new OMException("Unexpected resource type: " + - obj.getResourceType(), INVALID_REQUEST); +boolean auditSuccess = true; + +try{ + if(isAclEnabled) { +checkAcls(obj.getResourceType(), obj.getStoreType(), ACLType.WRITE_ACL, +obj.getVolumeName(), obj.getBucketName(), obj.getKeyName()); + } + switch (obj.getResourceType()) { + case VOLUME: +return volumeManager.addAcl(obj, acl); + case BUCKET: +return bucketManager.addAcl(obj, acl); + case KEY: +return keyManager.addAcl(obj, acl); + case PREFIX: +return prefixManager.addAcl(obj, acl); + default: +throw new OMException("Unexpected resource type: " + +obj.getResourceType(), INVALID_REQUEST); + } +} catch(Exception ex) { + auditSuccess = false; + auditAcl(obj, Arrays.asList(acl), OMAction.ADD_ACL, Review comment: @bharatviswa504 I think we can skip this one as throughout this class we are following this approach of using auditSuccess, mostly for code readability/correctness. I think we can discuss with @anuengineer on this. If he is onboard with this change then we can change it across OM, SCM, DN for audit log. Since that will be a big enough change, we can do that in separate jira. Does that sound good? This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org