This is an automated email from the ASF dual-hosted git repository.
swamirishi pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/master by this push:
new 036e727327 HDDS-11732. Fix ACL check on bucket resolution while
reading from snapshot (#7446)
036e727327 is described below
commit 036e727327646b1408caa30dbdbab45144586a24
Author: Swaminathan Balachandran <[email protected]>
AuthorDate: Sat Nov 16 18:12:48 2024 -0800
HDDS-11732. Fix ACL check on bucket resolution while reading from snapshot
(#7446)
Change-Id: I192219d1840ea9ddb06c2c177207cf870a7be8eb
---
.../apache/hadoop/ozone/om/OmSnapshotManager.java | 2 +-
.../org/apache/hadoop/ozone/om/OzoneManager.java | 32 +++++++++++++++++-----
2 files changed, 26 insertions(+), 8 deletions(-)
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmSnapshotManager.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmSnapshotManager.java
index cf52635125..11330c7a3e 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmSnapshotManager.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmSnapshotManager.java
@@ -628,7 +628,7 @@ public final class OmSnapshotManager implements
AutoCloseable {
// Updating the volumeName & bucketName in case the bucket is a linked
bucket. We need to do this before a
// permission check, since linked bucket permissions and source bucket
permissions could be different.
ResolvedBucket resolvedBucket =
ozoneManager.resolveBucketLink(Pair.of(volumeName,
- bucketName), false);
+ bucketName), false, false);
volumeName = resolvedBucket.realVolume();
bucketName = resolvedBucket.realBucket();
return (ReferenceCounted<IOmMetadataReader>) (ReferenceCounted<?>)
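Review bot: The second `false` in `resolveBucketLink(Pair.of(volumeName, bucketName), false, false)` switches off the READ ACL check on the link bucket regardless of the cluster's ACL setting, and nothing at the call site says so or says where access is enforced instead. The existing comment says resolution must happen before a permission check, so that later check on the resolved volume and bucket is presumably what protects snapshot reads; it lies outside this hunk, as does the rest of the method, and should be confirmed. I would extend the comment with `// ACL check on the link itself is skipped here (aclEnabled=false); access is enforced on the resolved source bucket by the permission check that follows.` The diffstat shows no test changes, so a test that reads a snapshot through a linked bucket with ACLs enabled, for a user with and without access to the source bucket, would pin the intended behaviour.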
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
index 2facdaccd2..b5ae80a02d 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
@@ -4402,10 +4402,16 @@ public final class OzoneManager extends
ServiceRuntimeInfoImpl
}
public ResolvedBucket resolveBucketLink(Pair<String, String> requested,
- boolean allowDanglingBuckets)
+ boolean allowDanglingBuckets) throws
IOException {
+ return resolveBucketLink(requested, allowDanglingBuckets, isAclEnabled);
+ }
+
+ public ResolvedBucket resolveBucketLink(Pair<String, String> requested,
+ boolean allowDanglingBuckets,
+ boolean aclEnabled)
throws IOException {
OmBucketInfo resolved;
- if (isAclEnabled) {
+ if (aclEnabled) {
UserGroupInformation ugi = getRemoteUser();
if (getS3Auth() != null) {
ugi = UserGroupInformation.createRemoteUser(
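Review bot: The new three-argument `resolveBucketLink(requested, allowDanglingBuckets, aclEnabled)` is `public`, so any caller can pass `false` and resolve a link without the READ check even when ACLs are enabled on the OM. The only caller visible in this commit is `OmSnapshotManager`, which by its path is in the same package, so package-private visibility appears to be enough: `ResolvedBucket resolveBucketLink(Pair<String, String> requested, boolean allowDanglingBuckets, boolean aclEnabled)`. Whatever the visibility, the overload needs a Javadoc stating that `aclEnabled=false` bypasses authorization on link traversal and that the caller must then authorize access to the resolved bucket itself. The method body continues past the end of this hunk.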
@@ -4416,15 +4422,26 @@ public final class OzoneManager extends
ServiceRuntimeInfoImpl
ugi,
remoteIp != null ? remoteIp : omRpcAddress.getAddress(),
remoteIp != null ? remoteIp.getHostName() :
- omRpcAddress.getHostName(), allowDanglingBuckets);
+ omRpcAddress.getHostName(), allowDanglingBuckets, aclEnabled);
} else {
resolved = resolveBucketLink(requested, new HashSet<>(),
- null, null, null, allowDanglingBuckets);
+ null, null, null, allowDanglingBuckets, aclEnabled);
}
return new ResolvedBucket(requested.getLeft(), requested.getRight(),
resolved);
}
+ private OmBucketInfo resolveBucketLink(
+ Pair<String, String> volumeAndBucket,
+ Set<Pair<String, String>> visited,
+ UserGroupInformation userGroupInformation,
+ InetAddress remoteAddress,
+ String hostName,
+ boolean allowDanglingBuckets) throws IOException {
+ return resolveBucketLink(volumeAndBucket, visited, userGroupInformation,
remoteAddress, hostName,
+ allowDanglingBuckets, isAclEnabled);
+ }
+
/**
* Resolves bucket symlinks. Read permission is required for following links.
*
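Review bot: The Javadoc that begins at the end of this hunk still says "Read permission is required for following links", which is no longer true for the seven-argument overload when `aclEnabled` is false. It should gain an `@param aclEnabled` line saying that the READ check on each link in the chain is performed only when the flag is true, and the summary sentence should be qualified accordingly. The six-argument private overload added just above it falls back to the `isAclEnabled` field; both call sites earlier in this hunk now pass seven arguments, so it is worth checking that it still has callers outside these hunks. The Javadoc itself continues outside the hunk.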
@@ -4442,7 +4459,8 @@ public final class OzoneManager extends
ServiceRuntimeInfoImpl
UserGroupInformation userGroupInformation,
InetAddress remoteAddress,
String hostName,
- boolean allowDanglingBuckets) throws IOException {
+ boolean allowDanglingBuckets,
+ boolean aclEnabled) throws IOException {
String volumeName = volumeAndBucket.getLeft();
String bucketName = volumeAndBucket.getRight();
@@ -4465,7 +4483,7 @@ public final class OzoneManager extends
ServiceRuntimeInfoImpl
DETECTED_LOOP_IN_BUCKET_LINKS);
}
- if (isAclEnabled) {
+ if (aclEnabled) {
final ACLType type = ACLType.READ;
checkAcls(ResourceType.BUCKET, StoreType.OZONE, type,
volumeName, bucketName, null, userGroupInformation,
@@ -4476,7 +4494,7 @@ public final class OzoneManager extends
ServiceRuntimeInfoImpl
return resolveBucketLink(
Pair.of(info.getSourceVolume(), info.getSourceBucket()),
visited, userGroupInformation, remoteAddress, hostName,
- allowDanglingBuckets);
+ allowDanglingBuckets, aclEnabled);
}
@VisibleForTesting