From 613731b1904f48efc4ba52b181f36adcdad57ad2 Mon Sep 17 00:00:00 2001 From: Bharat Viswanadham Date: Thu, 22 Aug 2019 12:47:48 -0700 Subject: [PATCH 1/3] HDDS-1975. Implement default acls for bucket/volume/key for OM HA code. --- .../rpc/TestOzoneRpcClientAbstract.java | 9 -- .../ozone/om/request/OMClientRequest.java | 4 +- .../request/bucket/OMBucketCreateRequest.java | 32 +++++- .../om/request/file/OMFileCreateRequest.java | 6 +- .../request/key/OMAllocateBlockRequest.java | 8 +- .../om/request/key/OMKeyCommitRequest.java | 8 +- .../om/request/key/OMKeyCreateRequest.java | 16 ++- .../om/request/key/OMKeyDeleteRequest.java | 8 +- .../om/request/key/OMKeyRenameRequest.java | 8 +- .../ozone/om/request/key/OMKeyRequest.java | 99 ++++++++++++++++--- .../s3/bucket/S3BucketCreateRequest.java | 56 +++++++---- .../s3/bucket/S3BucketDeleteRequest.java | 8 -- .../S3InitiateMultipartUploadRequest.java | 8 -- .../S3MultipartUploadAbortRequest.java | 8 -- .../S3MultipartUploadCommitPartRequest.java | 8 -- .../S3MultipartUploadCompleteRequest.java | 8 -- 16 files changed, 171 insertions(+), 123 deletions(-) diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClientAbstract.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClientAbstract.java index 84d17adc4ab21..920cf04770e41 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClientAbstract.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClientAbstract.java @@ -119,7 +119,6 @@ import static org.junit.Assert.assertThat; import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; -import static org.junit.Assume.assumeFalse; import org.junit.Ignore; import org.junit.Test; 
@@ -2221,8 +2220,6 @@ public void testListPartsWithInvalidUploadID() throws Exception { @Test public void testNativeAclsForVolume() throws Exception { - assumeFalse("Remove this once ACL HA is supported", - getClass().equals(TestOzoneRpcClientWithRatis.class)); String volumeName = UUID.randomUUID().toString(); store.createVolume(volumeName); @@ -2237,8 +2234,6 @@ public void testNativeAclsForVolume() throws Exception { @Test public void testNativeAclsForBucket() throws Exception { - assumeFalse("Remove this once ACL HA is supported", - getClass().equals(TestOzoneRpcClientWithRatis.class)); String volumeName = UUID.randomUUID().toString(); String bucketName = UUID.randomUUID().toString(); @@ -2299,8 +2294,6 @@ private void validateDefaultAcls(OzoneObj parentObj, OzoneObj childObj, @Test public void testNativeAclsForKey() throws Exception { - assumeFalse("Remove this once ACL HA is supported", - getClass().equals(TestOzoneRpcClientWithRatis.class)); String volumeName = UUID.randomUUID().toString(); String bucketName = UUID.randomUUID().toString(); String key1 = "dir1/dir2" + UUID.randomUUID().toString(); @@ -2363,8 +2356,6 @@ public void testNativeAclsForKey() throws Exception { @Test public void testNativeAclsForPrefix() throws Exception { - assumeFalse("Remove this once ACL HA is supported", - getClass().equals(TestOzoneRpcClientWithRatis.class)); String volumeName = UUID.randomUUID().toString(); String bucketName = UUID.randomUUID().toString(); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/OMClientRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/OMClientRequest.java index d4c9edd6df434..306527f2a4fcd 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/OMClientRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/OMClientRequest.java 
@@ -26,6 +26,7 @@ import com.google.common.annotations.VisibleForTesting; import com.google.common.base.Preconditions; +import org.apache.commons.lang3.StringUtils; import org.apache.hadoop.ipc.ProtobufRpcEngine; import org.apache.hadoop.ozone.OzoneConsts; import org.apache.hadoop.ozone.audit.AuditAction; @@ -142,7 +143,8 @@ public void checkAcls(OzoneManager ozoneManager, */ @VisibleForTesting public UserGroupInformation createUGI() { - if (omRequest.hasUserInfo()) { + if (omRequest.hasUserInfo() && + !StringUtils.isBlank(omRequest.getUserInfo().getUserName())) { return UserGroupInformation.createRemoteUser( omRequest.getUserInfo().getUserName()); } else { diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketCreateRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketCreateRequest.java index 65a25acdf6003..fc0846f657a00 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketCreateRequest.java @@ -19,8 +19,12 @@ package org.apache.hadoop.ozone.om.request.bucket; import java.io.IOException; +import java.util.ArrayList; +import java.util.List; import com.google.common.base.Optional; +import org.apache.hadoop.ozone.OzoneAcl; +import org.apache.hadoop.ozone.om.helpers.OmVolumeArgs; import org.apache.hadoop.ozone.om.ratis.utils.OzoneManagerDoubleBufferHelper; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
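Review bot: The new blank-name guard in `createUGI()` makes a request that carries `UserInfo` with an empty `userName` fall through to the `else` branch, which is outside this hunk, so the identity used for every subsequent ACL check changes with no trace of why. A mis-populated `UserInfo` is exactly the case an operator would want to see when debugging an unexpected allow/deny, so the fallback deserves a debug-level log line stating that `UserInfo` was present but `userName` was blank. If the else branch resolves the RPC caller, the message should say so; I cannot confirm that from the visible lines.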
@@ -146,8 +150,11 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, volumeName); acquiredBucketLock = metadataManager.getLock().acquireLock(BUCKET_LOCK, volumeName, bucketName); + + OmVolumeArgs omVolumeArgs = + metadataManager.getVolumeTable().get(volumeKey); //Check if the volume exists - if (metadataManager.getVolumeTable().get(volumeKey) == null) { + if (omVolumeArgs == null) { LOG.debug("volume: {} not found ", volumeName); throw new OMException("Volume doesn't exist", OMException.ResultCodes.VOLUME_NOT_FOUND); @@ -160,6 +167,9 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, OMException.ResultCodes.BUCKET_ALREADY_EXISTS); } + // Add default acls from volume. + addDefaultAcls(omBucketInfo, omVolumeArgs); + // Update table cache. metadataManager.getBucketTable().addCacheEntry(new CacheKey<>(bucketKey), new CacheValue<>(Optional.of(omBucketInfo), transactionLogIndex)); @@ -205,6 +215,26 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, } + /** + * Add default acls for bucket. These acls are inherited from volume + * default acl list. + * @param omBucketInfo + * @param omVolumeArgs + */ + private void addDefaultAcls(OmBucketInfo omBucketInfo, + OmVolumeArgs omVolumeArgs) { + // Add default acls from volume. + List acls = new ArrayList<>(); + if (omBucketInfo.getAcls() != null) { + acls.addAll(omBucketInfo.getAcls()); + } + omVolumeArgs.getAclMap().getDefaultAclList().forEach( + defaultAcl -> acls.add( + OzoneAcl.fromProtobufWithAccessType(defaultAcl))); + omBucketInfo.setAcls(acls); + } + + private BucketInfo getBucketInfoFromRequest() { CreateBucketRequest createBucketRequest = getOmRequest().getCreateBucketRequest(); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMFileCreateRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMFileCreateRequest.java index c63bada7caec2..4bef422f8b475 100644 
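Review bot: `addDefaultAcls` appends the volume's DEFAULT acls onto the request-supplied acls with no de-duplication, so a bucket created with an explicit entry that matches an inherited one ends up with that entry twice (unless `setAcls` or the list type it receives collapses duplicates, which the hunk does not show). The sibling code in `OMKeyRequest.getAclsForKey` routes the same operation through `OzoneAclUtil.inheritDefaultAcls(acls, parentAcls)`; if the volume's acl map can be exposed as a `List<OzoneAcl>`, using that helper here keeps inheritance semantics, including de-dup and scope handling, in one place. The name `fromProtobufWithAccessType` suggests the inherited entries are stored as ACCESS-scoped only; if keys are meant to inherit the volume's defaults through the bucket in turn, a DEFAULT-scoped copy would also need to be carried, which is worth confirming against `inheritDefaultAcls`. The Javadoc's `@param omBucketInfo` and `@param omVolumeArgs` tags are empty; `@param omBucketInfo bucket being created; its acl list is replaced by request acls plus inherited volume defaults` and `@param omVolumeArgs parent volume supplying the DEFAULT acls` would do.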
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMFileCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMFileCreateRequest.java @@ -265,20 +265,20 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, omKeyInfo = prepareKeyInfo(omMetadataManager, keyArgs, omMetadataManager.getOzoneKey(volumeName, bucketName, keyName), keyArgs.getDataSize(), locations, - encryptionInfo.orNull()); + encryptionInfo.orNull(), ozoneManager.getPrefixManager(), bucketInfo); omClientResponse = prepareCreateKeyResponse(keyArgs, omKeyInfo, locations, encryptionInfo.orNull(), exception, createFileRequest.getClientID(), transactionLogIndex, volumeName, bucketName, keyName, ozoneManager, - OMAction.CREATE_FILE); + OMAction.CREATE_FILE, ozoneManager.getPrefixManager(), bucketInfo); } catch (IOException ex) { exception = ex; omClientResponse = prepareCreateKeyResponse(keyArgs, omKeyInfo, locations, encryptionInfo.orNull(), exception, createFileRequest.getClientID(), transactionLogIndex, volumeName, bucketName, keyName, ozoneManager, - OMAction.CREATE_FILE); + OMAction.CREATE_FILE, ozoneManager.getPrefixManager(), null); } finally { if (omClientResponse != null) { omClientResponse.setFlushFuture( diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMAllocateBlockRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMAllocateBlockRequest.java index b1392dc9deeaf..963f037f27715 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMAllocateBlockRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMAllocateBlockRequest.java 
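Review bot: `prepareCreateKeyResponse` is now handed `ozoneManager.getPrefixManager()` next to `ozoneManager` itself, which it already receives as a parameter, so the extra argument is redundant and pushes the OMKeyRequest signatures far enough that they need `@SuppressWarnings("parameterNumber")`. The callee can call `ozoneManager.getPrefixManager()` at the point of use; only `prepareKeyInfo`, which receives an `OMMetadataManager` rather than the `OzoneManager`, genuinely needs the new parameter. The same redundant argument appears in the OMKeyCreateRequest hunk and in the `prepareCreateKeyResponse` signature hunk in OMKeyRequest. The enclosing `validateAndUpdateCache` starts and ends outside this hunk.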
@@ -53,8 +53,6 @@ .OMRequest; import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos .OMResponse; -import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; -import org.apache.hadoop.ozone.security.acl.OzoneObj; import org.apache.hadoop.utils.db.cache.CacheKey; import org.apache.hadoop.utils.db.cache.CacheValue; @@ -171,11 +169,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, OmKeyInfo omKeyInfo = null; try { // check Acl - if (ozoneManager.getAclsEnabled()) { - checkAcls(ozoneManager, OzoneObj.ResourceType.KEY, - OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE, - volumeName, bucketName, keyName); - } + checkKeyAcls(ozoneManager, volumeName, bucketName, keyName, false); OMMetadataManager omMetadataManager = ozoneManager.getMetadataManager(); validateBucketAndVolume(omMetadataManager, volumeName, diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyCommitRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyCommitRequest.java index f5f07e1eaf1ac..9aa5f712746fa 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyCommitRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyCommitRequest.java @@ -48,8 +48,6 @@ .KeyArgs; import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos .OMRequest; -import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; -import org.apache.hadoop.ozone.security.acl.OzoneObj; import org.apache.hadoop.util.Time; import org.apache.hadoop.utils.db.cache.CacheKey; import org.apache.hadoop.utils.db.cache.CacheValue; 
@@ -117,11 +115,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, OMMetadataManager omMetadataManager = ozoneManager.getMetadataManager(); try { // check Acl - if (ozoneManager.getAclsEnabled()) { - checkAcls(ozoneManager, OzoneObj.ResourceType.KEY, - OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE, - volumeName, bucketName, keyName); - } + checkKeyAcls(ozoneManager, volumeName, bucketName, keyName, false); List locationInfoList = commitKeyArgs .getKeyLocationsList().stream() diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyCreateRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyCreateRequest.java index 2a0c60140e4e7..613d761036529 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyCreateRequest.java @@ -47,8 +47,6 @@ .KeyArgs; import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos .OMRequest; -import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; -import org.apache.hadoop.ozone.security.acl.OzoneObj; import org.apache.hadoop.util.Time; import org.apache.hadoop.utils.UniqueId; @@ -164,11 +162,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, OMClientResponse omClientResponse = null; try { // check Acl - if (ozoneManager.getAclsEnabled()) { - checkAcls(ozoneManager, OzoneObj.ResourceType.KEY, - OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE, - volumeName, bucketName, keyName); - } + checkKeyAcls(ozoneManager, volumeName, bucketName, keyName, false); acquireLock = omMetadataManager.getLock().acquireLock(BUCKET_LOCK, volumeName, bucketName); 
@@ -184,17 +178,19 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, omKeyInfo = prepareKeyInfo(omMetadataManager, keyArgs, omMetadataManager.getOzoneKey(volumeName, bucketName, keyName), - keyArgs.getDataSize(), locations, encryptionInfo.orNull()); + keyArgs.getDataSize(), locations, encryptionInfo.orNull(), + ozoneManager.getPrefixManager(), bucketInfo); omClientResponse = prepareCreateKeyResponse(keyArgs, omKeyInfo, locations, encryptionInfo.orNull(), exception, createKeyRequest.getClientID(), transactionLogIndex, volumeName, - bucketName, keyName, ozoneManager, OMAction.ALLOCATE_KEY); + bucketName, keyName, ozoneManager, OMAction.ALLOCATE_KEY, + ozoneManager.getPrefixManager(), bucketInfo); } catch (IOException ex) { exception = ex; omClientResponse = prepareCreateKeyResponse(keyArgs, omKeyInfo, locations, encryptionInfo.orNull(), exception, createKeyRequest.getClientID(), transactionLogIndex, volumeName, bucketName, keyName, ozoneManager, - OMAction.ALLOCATE_KEY); + OMAction.ALLOCATE_KEY, ozoneManager.getPrefixManager(), null); } finally { if (omClientResponse != null) { omClientResponse.setFlushFuture( diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyDeleteRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyDeleteRequest.java index 772c4271954cd..40f940158f02f 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyDeleteRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyDeleteRequest.java 
@@ -43,8 +43,6 @@ .DeleteKeyResponse; import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos .OMRequest; -import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; -import org.apache.hadoop.ozone.security.acl.OzoneObj; import org.apache.hadoop.util.Time; import org.apache.hadoop.utils.db.cache.CacheKey; import org.apache.hadoop.utils.db.cache.CacheValue; @@ -111,11 +109,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, OMClientResponse omClientResponse = null; try { // check Acl - if (ozoneManager.getAclsEnabled()) { - checkAcls(ozoneManager, OzoneObj.ResourceType.KEY, - OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.DELETE, - volumeName, bucketName, keyName); - } + checkKeyAcls(ozoneManager, volumeName, bucketName, keyName, true); String objectKey = omMetadataManager.getOzoneKey( volumeName, bucketName, keyName); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRenameRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRenameRequest.java index da0129d8b58b2..cd1927b9df200 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRenameRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRenameRequest.java @@ -44,8 +44,6 @@ .RenameKeyRequest; import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos .RenameKeyResponse; -import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; -import org.apache.hadoop.ozone.security.acl.OzoneObj; import org.apache.hadoop.util.Time; import org.apache.hadoop.utils.db.Table; import org.apache.hadoop.utils.db.cache.CacheKey; 
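Review bot: The removed check authorized key deletion against `IAccessAuthorizer.ACLType.DELETE`, but the replacement `checkKeyAcls(ozoneManager, volumeName, bucketName, keyName, true)` authorizes against `ACLType.WRITE`, because the helper added in the OMKeyRequest hunk hard-codes WRITE on both of its branches. That silently changes the authorization model: a principal granted WRITE but not DELETE can now delete keys, and one granted only DELETE no longer can. The boolean cannot express the needed permission, so `checkKeyAcls` should take the `IAccessAuthorizer.ACLType` (alongside or instead of the resource-type flag) and this call site should pass `IAccessAuthorizer.ACLType.DELETE`, which also means the `IAccessAuthorizer` import dropped in the first hunk of this file has to come back. The same helper is used by the OMKeyRenameRequest hunk, where WRITE matches the previous behaviour.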
@@ -120,11 +118,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, OMException.ResultCodes.INVALID_KEY_NAME); } // check Acl - if (ozoneManager.getAclsEnabled()) { - checkAcls(ozoneManager, OzoneObj.ResourceType.KEY, - OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE, - volumeName, bucketName, fromKeyName); - } + checkKeyAcls(ozoneManager, volumeName, bucketName, fromKeyName, true); acquiredLock = omMetadataManager.getLock().acquireLock(BUCKET_LOCK, volumeName, bucketName); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java index a32c0a789ff1b..bc7a58faeb003 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java @@ -32,12 +32,17 @@ import com.google.common.base.Optional; import com.google.common.base.Preconditions; +import org.apache.hadoop.ozone.OzoneAcl; +import org.apache.hadoop.ozone.om.PrefixManager; import org.apache.hadoop.ozone.om.helpers.BucketEncryptionKeyInfo; import org.apache.hadoop.ozone.om.helpers.OmBucketInfo; import org.apache.hadoop.ozone.om.helpers.OmKeyInfo; import org.apache.hadoop.ozone.om.helpers.OmKeyLocationInfo; import org.apache.hadoop.ozone.om.helpers.OmKeyLocationInfoGroup; +import org.apache.hadoop.ozone.om.helpers.OmPrefixInfo; import org.apache.hadoop.ozone.om.helpers.OzoneAclUtil; +import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; +import org.apache.hadoop.ozone.security.acl.OzoneObj; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -78,6 +83,7 @@ import org.apache.hadoop.utils.db.cache.CacheKey; import org.apache.hadoop.utils.db.cache.CacheValue; +import static org.apache.hadoop.ozone.OzoneConsts.OZONE_URI_DELIMITER; import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes .BUCKET_NOT_FOUND; import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes @@ -248,7 +254,9 @@ protected OMClientResponse prepareCreateKeyResponse(@Nonnull KeyArgs keyArgs, FileEncryptionInfo encryptionInfo, @Nullable IOException exception, long clientID, long transactionLogIndex, @Nonnull String volumeName, @Nonnull String bucketName, @Nonnull String keyName, - @Nonnull OzoneManager ozoneManager, @Nonnull OMAction omAction) { + @Nonnull OzoneManager ozoneManager, @Nonnull OMAction omAction, + @Nonnull PrefixManager prefixManager, + @Nullable OmBucketInfo omBucketInfo) { OMResponse.Builder omResponse = OMResponse.newBuilder() .setStatus(OzoneManagerProtocolProtos.Status.OK); @@ -263,7 +271,7 @@ protected OMClientResponse prepareCreateKeyResponse(@Nonnull KeyArgs keyArgs, // version 0 omKeyInfo = createKeyInfo(keyArgs, locations, keyArgs.getFactor(), keyArgs.getType(), keyArgs.getDataSize(), - encryptionInfo); + encryptionInfo, prefixManager, omBucketInfo); } long openVersion = omKeyInfo.getLatestVersionLocations().getVersion(); 
@@ -335,12 +343,15 @@ protected OMClientResponse prepareCreateKeyResponse(@Nonnull KeyArgs keyArgs, * Create OmKeyInfo object. * @return OmKeyInfo */ + @SuppressWarnings("parameterNumber") protected OmKeyInfo createKeyInfo(@Nonnull KeyArgs keyArgs, @Nonnull List locations, @Nonnull HddsProtos.ReplicationFactor factor, @Nonnull HddsProtos.ReplicationType type, long size, - @Nullable FileEncryptionInfo encInfo) { - OmKeyInfo.Builder builder = new OmKeyInfo.Builder() + @Nullable FileEncryptionInfo encInfo, + @Nonnull PrefixManager prefixManager, + @Nullable OmBucketInfo omBucketInfo) { + return new OmKeyInfo.Builder() .setVolumeName(keyArgs.getVolumeName()) .setBucketName(keyArgs.getBucketName()) .setKeyName(keyArgs.getKeyName()) 
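Review bot: The Javadoc above `createKeyInfo` still documents only `@return OmKeyInfo` while the method gains two parameters that drive acl inheritance; add `@param prefixManager used to look up the DEFAULT acls of the longest matching prefix` and `@param omBucketInfo bucket whose DEFAULT acls are inherited when no prefix supplies any; may be null`. The suppression is spelled `@SuppressWarnings("parameterNumber")` here and `"parameternumber"` on `prepareKeyInfo` in a later hunk of this file; whether or not the checker matches case-insensitively, one spelling should be used. The Javadoc header of this method starts above the hunk.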
@@ -351,11 +362,46 @@ protected OmKeyInfo createKeyInfo(@Nonnull KeyArgs keyArgs, .setDataSize(size) .setReplicationType(type) .setReplicationFactor(factor) - .setFileEncryptionInfo(encInfo); + .setFileEncryptionInfo(encInfo) + .setAcls(getAclsForKey(keyArgs, omBucketInfo, prefixManager)).build(); + } + + private List< OzoneAcl > getAclsForKey(KeyArgs keyArgs, + OmBucketInfo bucketInfo, PrefixManager prefixManager) { + List acls = new ArrayList<>(); + if(keyArgs.getAclsList() != null) { - builder.setAcls(OzoneAclUtil.fromProtobuf(keyArgs.getAclsList())); + acls.addAll(OzoneAclUtil.fromProtobuf(keyArgs.getAclsList())); + } + + // Inherit DEFAULT acls from prefix. + if(prefixManager != null) { + List< OmPrefixInfo > prefixList = prefixManager.getLongestPrefixPath( + OZONE_URI_DELIMITER + + keyArgs.getVolumeName() + OZONE_URI_DELIMITER + + keyArgs.getBucketName() + OZONE_URI_DELIMITER + + keyArgs.getKeyName()); + + if(prefixList.size() > 0) { + // Add all acls from direct parent to key. + OmPrefixInfo prefixInfo = prefixList.get(prefixList.size() - 1); + if(prefixInfo != null) { + if (OzoneAclUtil.inheritDefaultAcls(acls, prefixInfo.getAcls())) { + return acls; + } + } + } + } + + // Inherit DEFAULT acls from bucket only if DEFAULT acls for + // prefix are not set. + if (bucketInfo != null) { + if (OzoneAclUtil.inheritDefaultAcls(acls, bucketInfo.getAcls())) { + return acls; + } } - return builder.build(); + + return acls; } /** 
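Review bot: `getAclsForKey` guards `if(prefixManager != null)` although its only caller, `createKeyInfo`, annotates that parameter `@Nonnull PrefixManager prefixManager` in the preceding hunk; either the annotation is wrong (callers pass `ozoneManager.getPrefixManager()`, whose nullability the hunk does not show) or the check is dead, and the two should agree. Style on the new lines: `if(` without a space, `List< OzoneAcl >` and `List< OmPrefixInfo >` with padded angle brackets, and `prefixList.size() > 0` where `!prefixList.isEmpty()` reads better. The nested `if(prefixList.size() > 0)` / `if(prefixInfo != null)` / `if (OzoneAclUtil.inheritDefaultAcls(...))` chain can be one condition: `if (!prefixList.isEmpty() && prefixList.get(prefixList.size() - 1) != null && OzoneAclUtil.inheritDefaultAcls(acls, prefixList.get(prefixList.size() - 1).getAcls())) { return acls; }`, or bind the last element once. A short Javadoc stating the precedence (request acls, then the longest prefix's DEFAULT acls, then the bucket's, first match wins) would spare the next reader from deriving it from the early returns.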
@@ -363,16 +409,18 @@ protected OmKeyInfo createKeyInfo(@Nonnull KeyArgs keyArgs, * @return OmKeyInfo * @throws IOException */ + @SuppressWarnings("parameternumber") protected OmKeyInfo prepareKeyInfo( @Nonnull OMMetadataManager omMetadataManager, @Nonnull KeyArgs keyArgs, @Nonnull String dbKeyName, long size, @Nonnull List locations, - @Nullable FileEncryptionInfo encInfo) + @Nullable FileEncryptionInfo encInfo, + @Nonnull PrefixManager prefixManager, @Nullable OmBucketInfo omBucketInfo) throws IOException { OmKeyInfo keyInfo = null; if (keyArgs.getIsMultipartKey()) { keyInfo = prepareMultipartKeyInfo(omMetadataManager, keyArgs, size, - locations, encInfo); + locations, encInfo, prefixManager, omBucketInfo); //TODO args.getMetadata } else if (omMetadataManager.getKeyTable().isExist(dbKeyName)) { // TODO: Need to be fixed, as when key already exists, we are @@ -400,7 +448,8 @@ private OmKeyInfo prepareMultipartKeyInfo( @Nonnull OMMetadataManager omMetadataManager, @Nonnull KeyArgs args, long size, @Nonnull List locations, - FileEncryptionInfo encInfo) throws IOException { + FileEncryptionInfo encInfo, @Nonnull PrefixManager prefixManager, + @Nullable OmBucketInfo omBucketInfo) throws IOException { HddsProtos.ReplicationFactor factor; HddsProtos.ReplicationType type; @@ -427,7 +476,8 @@ private OmKeyInfo prepareMultipartKeyInfo( } // For this upload part we don't need to check in KeyTable. As this // is not an actual key, it is a part of the key. - return createKeyInfo(args, locations, factor, type, size, encInfo); + return createKeyInfo(args, locations, factor, type, size, encInfo, + prefixManager, omBucketInfo); } 
@@ -447,4 +497,31 @@ private OMClientResponse createKeyErrorResponse(@Nonnull OMMetrics omMetrics, } } + /** + * Check Acls for the ozone object. + * @param ozoneManager + * @param volume + * @param bucket + * @param key + * @param checkKeyAccess + * @throws IOException + */ + protected void checkKeyAcls(OzoneManager ozoneManager, String volume, + String bucket, String key, boolean checkKeyAccess) throws IOException { + if (ozoneManager.getAclsEnabled()) { + // If checkKeyAccess is check only acls for KEY. + // As for Key Create/Commit/Allocate Block the entry for key will not + // be in Key table. + if (checkKeyAccess) { + checkAcls(ozoneManager, OzoneObj.ResourceType.KEY, + OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE, + volume, bucket, key); + } else { + checkAcls(ozoneManager, OzoneObj.ResourceType.BUCKET, + OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE, + volume, bucket, key); + } + } + } + } diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/bucket/S3BucketCreateRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/bucket/S3BucketCreateRequest.java index 1976a3d3c72a2..c7cb0f4ba23de 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/bucket/S3BucketCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/bucket/S3BucketCreateRequest.java @@ -20,12 +20,15 @@ import java.io.IOException; import java.util.HashMap; +import java.util.List; import java.util.Map; import com.google.common.annotations.VisibleForTesting; import com.google.common.base.Optional; import com.google.common.base.Preconditions; +import org.apache.hadoop.ozone.OzoneAcl; import org.apache.hadoop.ozone.om.ratis.utils.OzoneManagerDoubleBufferHelper; +import org.apache.hadoop.security.UserGroupInformation; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
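Review bot: The comment `// If checkKeyAccess is check only acls for KEY.` is missing a word and the Javadoc's five `@param` tags are empty, which matters for a method that decides what an authorization check is evaluated against. Suggested comment: `// checkKeyAccess: the key already exists in the key table, so authorize against the KEY itself; otherwise (create/commit/allocate-block) no key entry exists yet, so authorize WRITE on the enclosing BUCKET.` and for the parameter, `@param checkKeyAccess true to authorize against the existing key, false to authorize bucket-level write for a key that does not exist yet`. On the BUCKET branch the `key` argument is still passed to `checkAcls`; if the resulting `OzoneObj` names a key that is not in the table, confirm the authorizer ignores it for a BUCKET resource type, since the hunk does not show how `checkAcls` builds the object.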
@@ -56,8 +59,6 @@ .S3CreateVolumeInfo; import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos .VolumeList; -import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; -import org.apache.hadoop.ozone.security.acl.OzoneObj; import org.apache.hadoop.util.Time; import org.apache.hadoop.utils.db.cache.CacheKey; import org.apache.hadoop.utils.db.cache.CacheValue; @@ -151,12 +152,6 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, String volumeName = formatOzoneVolumeName(userName); OMClientResponse omClientResponse = null; try { - // check Acl - if (ozoneManager.getAclsEnabled()) { - checkAcls(ozoneManager, OzoneObj.ResourceType.BUCKET, - OzoneObj.StoreType.S3, IAccessAuthorizer.ACLType.CREATE, null, - s3BucketName, null); - } acquiredS3Lock = omMetadataManager.getLock().acquireLock(S3_BUCKET_LOCK, s3BucketName); @@ -202,7 +197,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, // check if ozone bucket exists, if it does not exist create ozone // bucket OmBucketInfo omBucketInfo = createBucket(omMetadataManager, volumeName, - s3BucketName, + s3BucketName, userName, s3CreateBucketRequest.getS3CreateVolumeInfo().getCreationTime(), transactionLogIndex); @@ -262,8 +257,8 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, private OmBucketInfo createBucket(OMMetadataManager omMetadataManager, - String volumeName, String s3BucketName, long creationTime, - long transactionLogIndex) throws IOException { + String volumeName, String s3BucketName, String userName, + long creationTime, long transactionLogIndex) throws IOException { // check if ozone bucket exists, if it does not exist create ozone // bucket boolean acquireBucketLock = false; 
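Review bot: The `@@ -151,12 +152,6 @@` hunk deletes the `checkAcls(... ResourceType.BUCKET, StoreType.S3, ACLType.CREATE ...)` call from `S3BucketCreateRequest.validateAndUpdateCache` and nothing in the hunk replaces it, so with acls enabled the S3 bucket-create path no longer performs any authorization before taking the locks and writing the tables. The same unreplaced removal appears in the S3BucketDeleteRequest, S3InitiateMultipartUploadRequest, S3MultipartUploadAbortRequest and S3MultipartUploadCommitPartRequest hunks, whereas the Ozone-native key requests in this patch were switched to `checkKeyAcls` rather than dropped. If these requests are intended to be authorized elsewhere, or in a later patch of this series, the commit message should say so and the series should not be merged with this gap; otherwise the S3 key requests should call `checkKeyAcls` like their Ozone counterparts and the bucket requests should keep a BUCKET-level check. The enclosing `validateAndUpdateCache` extends beyond the hunk.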
@@ -275,7 +270,7 @@ private OmBucketInfo createBucket(OMMetadataManager omMetadataManager, String bucketKey = omMetadataManager.getBucketKey(volumeName, s3BucketName); if (!omMetadataManager.getBucketTable().isExist(bucketKey)) { - omBucketInfo = createOmBucketInfo(volumeName, s3BucketName, + omBucketInfo = createOmBucketInfo(volumeName, s3BucketName, userName, creationTime); // Add to bucket table cache. omMetadataManager.getBucketTable().addCacheEntry( @@ -329,12 +324,19 @@ public static String formatS3MappingName(String volumeName, * @return {@link OmVolumeArgs} */ private OmVolumeArgs createOmVolumeArgs(String volumeName, String userName, - long creationTime) { - return OmVolumeArgs.newBuilder() + long creationTime) throws IOException { + OmVolumeArgs.Builder builder = OmVolumeArgs.newBuilder() .setAdminName(S3_ADMIN_NAME).setVolume(volumeName) .setQuotaInBytes(OzoneConsts.MAX_QUOTA_IN_BYTES) .setOwnerName(userName) - .setCreationTime(creationTime).build(); + .setCreationTime(creationTime); + + // Set default acls. + for (OzoneAcl acl : getDefaultAcls(userName)) { + builder.addOzoneAcls(OzoneAcl.toProtobuf(acl)); + } + + return builder.build(); } /** 
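Review bot: `createOmVolumeArgs` now declares `throws IOException`, but nothing in its new body visibly throws a checked exception: the builder calls do not, and `getDefaultAcls(String userName)`, as added later in this file, has no `throws` clause, so the declaration appears to be spurious unless `OzoneAcl.toProtobuf` declares it, which the hunk does not show. Dropping it keeps the caller from handling an exception that cannot occur; if it must stay, the Javadoc above (which ends with `@return {@link OmVolumeArgs}`) needs a matching `@throws IOException` entry explaining when it is raised. The Javadoc header and the method's callers are outside this hunk.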
@@ -346,13 +348,18 @@ private OmVolumeArgs createOmVolumeArgs(String volumeName, String userName, * @return {@link OmBucketInfo} */ private OmBucketInfo createOmBucketInfo(String volumeName, - String s3BucketName, long creationTime) { + String s3BucketName, String userName, long creationTime) { //TODO: Now S3Bucket API takes only bucketName as param. In future if we // support some configurable options we need to fix this. - return OmBucketInfo.newBuilder().setVolumeName(volumeName) - .setBucketName(s3BucketName).setIsVersionEnabled(Boolean.FALSE) - .setStorageType(StorageType.DEFAULT).setCreationTime(creationTime) - .build(); + OmBucketInfo.Builder builder = + OmBucketInfo.newBuilder().setVolumeName(volumeName) + .setBucketName(s3BucketName).setIsVersionEnabled(Boolean.FALSE) + .setStorageType(StorageType.DEFAULT).setCreationTime(creationTime); + + // Set default acls. + builder.setAcls(getDefaultAcls(userName)); + + return builder.build(); } /** @@ -368,5 +375,14 @@ private Map buildAuditMap(String userName, auditMap.put(s3BucketName, OzoneConsts.S3_BUCKET); return auditMap; } + + /** + * Get default acls. + * */ + private List getDefaultAcls(String userName) { + UserGroupInformation ugi = createUGI(); + return OzoneAcl.parseAcls("user:" + (ugi == null ? userName : + ugi.getUserName()) + ":a,user:" + S3_ADMIN_NAME + ":a"); + } } diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/bucket/S3BucketDeleteRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/bucket/S3BucketDeleteRequest.java index 8e75a666472a8..04b96dca843f9 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/bucket/S3BucketDeleteRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/bucket/S3BucketDeleteRequest.java 
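Review bot: `getDefaultAcls` builds the owner and admin acls by splicing a user name into an acl grammar string and calling `OzoneAcl.parseAcls`, so any `:` or `,` in the resolved name (and the `/` and `@` found in Kerberos principals, depending on what the parser accepts) is read as grammar rather than as part of the name, which can yield a wrong or extra acl entry for the new bucket and volume. Construct the two `OzoneAcl` entries programmatically instead of formatting and re-parsing a string; the names then never pass through the parser. The name `getDefaultAcls` also collides with the DEFAULT acl scope that the rest of this patch is about, while these are the initial ACCESS acls granted to the owner and `S3_ADMIN_NAME`; `initialOwnerAndAdminAcls` or similar, with a Javadoc saying `Initial ACCESS acls for a new S3 volume/bucket: full rights for the requesting user and for the S3 admin.`, would avoid the confusion. The `/** Get default acls. * */` Javadoc as written says nothing the name does not.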
@@ -43,8 +43,6 @@ .OMResponse; import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos .S3DeleteBucketRequest; -import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; -import org.apache.hadoop.ozone.security.acl.OzoneObj; import org.apache.hadoop.utils.db.cache.CacheKey; import org.apache.hadoop.utils.db.cache.CacheValue; @@ -107,12 +105,6 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, OMMetadataManager omMetadataManager = ozoneManager.getMetadataManager(); OMClientResponse omClientResponse = null; try { - // check Acl - if (ozoneManager.getAclsEnabled()) { - checkAcls(ozoneManager, OzoneObj.ResourceType.BUCKET, - OzoneObj.StoreType.S3, IAccessAuthorizer.ACLType.DELETE, null, - s3BucketName, null); - } acquiredS3Lock = omMetadataManager.getLock().acquireLock(S3_BUCKET_LOCK, s3BucketName); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3InitiateMultipartUploadRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3InitiateMultipartUploadRequest.java index 181d79c104929..e4260381d5a24 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3InitiateMultipartUploadRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3InitiateMultipartUploadRequest.java @@ -36,8 +36,6 @@ import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.MultipartInfoInitiateResponse; import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMRequest; import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMResponse; -import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; -import org.apache.hadoop.ozone.security.acl.OzoneObj; import org.apache.hadoop.util.Time; import org.apache.hadoop.utils.UniqueId; import org.apache.hadoop.utils.db.cache.CacheKey; 
@@ -114,12 +112,6 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, .setSuccess(true); OMClientResponse omClientResponse = null; try { - // check Acl - if (ozoneManager.getAclsEnabled()) { - checkAcls(ozoneManager, OzoneObj.ResourceType.KEY, - OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE, - volumeName, bucketName, keyName); - } acquiredBucketLock = omMetadataManager.getLock().acquireLock(BUCKET_LOCK, volumeName, diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadAbortRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadAbortRequest.java index 1f5c9638ccf72..d13603624d99c 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadAbortRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadAbortRequest.java @@ -44,8 +44,6 @@ .OMRequest; import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos .OMResponse; -import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; -import org.apache.hadoop.ozone.security.acl.OzoneObj; import org.apache.hadoop.util.Time; import org.apache.hadoop.utils.db.cache.CacheKey; import org.apache.hadoop.utils.db.cache.CacheValue; @@ -98,12 +96,6 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, .setSuccess(true); OMClientResponse omClientResponse = null; try { - // check Acl - if (ozoneManager.getAclsEnabled()) { - checkAcls(ozoneManager, OzoneObj.ResourceType.KEY, - OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE, - volumeName, bucketName, keyName); - } acquiredLock = omMetadataManager.getLock().acquireLock(BUCKET_LOCK, volumeName, 
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadCommitPartRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadCommitPartRequest.java index 8bc4e5e2c7c4d..d90ec5a0e7711 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadCommitPartRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadCommitPartRequest.java @@ -40,8 +40,6 @@ .OMRequest; import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos .OMResponse; -import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; -import org.apache.hadoop.ozone.security.acl.OzoneObj; import org.apache.hadoop.util.Time; import org.apache.hadoop.utils.db.cache.CacheKey; import org.apache.hadoop.utils.db.cache.CacheValue; @@ -111,12 +109,6 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, String multipartKey = null; OmMultipartKeyInfo multipartKeyInfo = null; try { - // check Acl - if (ozoneManager.getAclsEnabled()) { - checkAcls(ozoneManager, OzoneObj.ResourceType.KEY, - OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE, - volumeName, bucketName, keyName); - } acquiredLock = omMetadataManager.getLock().acquireLock(BUCKET_LOCK, volumeName, diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadCompleteRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadCompleteRequest.java index cfcedc425fd31..154c39853a22e 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadCompleteRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadCompleteRequest.java 
@@ -41,8 +41,6 @@ .OMResponse; import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos .PartKeyInfo; -import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; -import org.apache.hadoop.ozone.security.acl.OzoneObj; import org.apache.hadoop.util.Time; import org.apache.hadoop.utils.db.cache.CacheKey; import org.apache.hadoop.utils.db.cache.CacheValue; @@ -107,12 +105,6 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, IOException exception = null; OmMultipartUploadList multipartUploadList = null; try { - // check Acl - if (ozoneManager.getAclsEnabled()) { - checkAcls(ozoneManager, OzoneObj.ResourceType.KEY, - OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE, - volumeName, bucketName, keyName); - } TreeMap partsMap = new TreeMap<>(); for (OzoneManagerProtocolProtos.Part part : partsList) { From b2ac4b07956582c04c17e8ef35d3d6de6a909ba8 Mon Sep 17 00:00:00 2001 From: Bharat Viswanadham Date: Fri, 23 Aug 2019 16:41:40 -0700 Subject: [PATCH 2/3] fix comments.: --- .../request/bucket/OMBucketCreateRequest.java | 11 ++++-- .../file/OMDirectoryCreateRequest.java | 6 +-- .../om/request/file/OMFileCreateRequest.java | 6 +-- .../request/key/OMAllocateBlockRequest.java | 2 +- .../om/request/key/OMKeyCommitRequest.java | 2 +- .../om/request/key/OMKeyCreateRequest.java | 2 +- .../om/request/key/OMKeyDeleteRequest.java | 2 +- .../om/request/key/OMKeyRenameRequest.java | 2 +- .../ozone/om/request/key/OMKeyRequest.java | 38 +++++++++++-------- .../s3/bucket/S3BucketCreateRequest.java | 1 + .../s3/bucket/S3BucketDeleteRequest.java | 2 +- .../S3InitiateMultipartUploadRequest.java | 2 +- .../S3MultipartUploadAbortRequest.java | 2 +- .../S3MultipartUploadCommitPartRequest.java | 2 +- .../S3MultipartUploadCompleteRequest.java | 2 +- 15 files changed, 44 insertions(+), 38 deletions(-) 
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketCreateRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketCreateRequest.java index fc0846f657a00..40600e08bc37d 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketCreateRequest.java @@ -21,10 +21,12 @@ import java.io.IOException; import java.util.ArrayList; import java.util.List; +import java.util.stream.Collectors; import com.google.common.base.Optional; import org.apache.hadoop.ozone.OzoneAcl; import org.apache.hadoop.ozone.om.helpers.OmVolumeArgs; +import org.apache.hadoop.ozone.om.helpers.OzoneAclUtil; import org.apache.hadoop.ozone.om.ratis.utils.OzoneManagerDoubleBufferHelper; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -228,9 +230,12 @@ private void addDefaultAcls(OmBucketInfo omBucketInfo, if (omBucketInfo.getAcls() != null) { acls.addAll(omBucketInfo.getAcls()); } - omVolumeArgs.getAclMap().getDefaultAclList().forEach( - defaultAcl -> acls.add( - OzoneAcl.fromProtobufWithAccessType(defaultAcl))); + + List defaultVolumeAclList = omVolumeArgs.getAclMap() + .getDefaultAclList().stream().map(OzoneAcl::fromProtobuf) + .collect(Collectors.toList()); + + OzoneAclUtil.inheritDefaultAcls(acls, defaultVolumeAclList); omBucketInfo.setAcls(acls); } diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMDirectoryCreateRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMDirectoryCreateRequest.java index a85ea8b9f038b..70bf77e05f02e 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMDirectoryCreateRequest.java 
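Review bot: The switch from `OzoneAcl.fromProtobufWithAccessType` to `OzoneAcl::fromProtobuf` plus `OzoneAclUtil.inheritDefaultAcls` moves the scope handling of the inherited entries out of this method, and nothing in the hunk says where the DEFAULT-to-ACCESS conversion now happens or whether entries already present in `acls` are de-duplicated. A comment above the stream would help the next reader, e.g. `// Volume DEFAULT-scope acls are turned into this bucket's ACCESS acls by inheritDefaultAcls; acls already set on the bucket are kept as-is.` — verify both halves against OzoneAclUtil before committing that wording. `addDefaultAcls` starts outside the hunk.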
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMDirectoryCreateRequest.java @@ -129,11 +129,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, OMClientResponse omClientResponse = null; try { // check Acl - if (ozoneManager.getAclsEnabled()) { - checkAcls(ozoneManager, OzoneObj.ResourceType.BUCKET, - OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE, - volumeName, bucketName, keyName); - } + checkBucketAcls(ozoneManager, volumeName, bucketName, keyName); // Check if this is the root of the filesystem. if (keyName.length() == 0) { diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMFileCreateRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMFileCreateRequest.java index 4bef422f8b475..7eb76ec843105 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMFileCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMFileCreateRequest.java @@ -179,11 +179,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, OMClientResponse omClientResponse = null; try { // check Acl - if (ozoneManager.getAclsEnabled()) { - checkAcls(ozoneManager, OzoneObj.ResourceType.BUCKET, - OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE, - volumeName, bucketName, keyName); - } + checkBucketAcls(ozoneManager, volumeName, bucketName, keyName); // acquire lock acquiredLock = omMetadataManager.getLock().acquireLock(BUCKET_LOCK, diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMAllocateBlockRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMAllocateBlockRequest.java index 963f037f27715..05507e43013d4 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMAllocateBlockRequest.java 
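Review bot: Replacing the inline `ResourceType.BUCKET` check with `checkBucketAcls` changes which object is authorized here, because the `checkBucketAcls` added in the OMKeyRequest hunk below passes `OzoneObj.ResourceType.KEY`, not BUCKET; the same applies to the OMFileCreateRequest hunk on this line and to the OMAllocateBlockRequest, OMKeyCommitRequest and OMKeyCreateRequest hunks that follow, which previously called `checkKeyAcls(..., false)` and therefore checked the bucket. For a key that does not exist yet, which is the situation the removed comment in OMKeyRequest described, the authorizer is now asked about a nonexistent key instead of the bucket being written into. The caller hunks are fine as written once the helper's resource type is corrected in OMKeyRequest; `validateAndUpdateCache` starts and ends outside these hunks.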
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMAllocateBlockRequest.java @@ -169,7 +169,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, OmKeyInfo omKeyInfo = null; try { // check Acl - checkKeyAcls(ozoneManager, volumeName, bucketName, keyName, false); + checkBucketAcls(ozoneManager, volumeName, bucketName, keyName); OMMetadataManager omMetadataManager = ozoneManager.getMetadataManager(); validateBucketAndVolume(omMetadataManager, volumeName, diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyCommitRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyCommitRequest.java index 9aa5f712746fa..1057fc80e0d13 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyCommitRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyCommitRequest.java @@ -115,7 +115,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, OMMetadataManager omMetadataManager = ozoneManager.getMetadataManager(); try { // check Acl - checkKeyAcls(ozoneManager, volumeName, bucketName, keyName, false); + checkBucketAcls(ozoneManager, volumeName, bucketName, keyName); List locationInfoList = commitKeyArgs .getKeyLocationsList().stream() diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyCreateRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyCreateRequest.java index 613d761036529..2287459cc8036 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyCreateRequest.java 
@@ -162,7 +162,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, OMClientResponse omClientResponse = null; try { // check Acl - checkKeyAcls(ozoneManager, volumeName, bucketName, keyName, false); + checkBucketAcls(ozoneManager, volumeName, bucketName, keyName); acquireLock = omMetadataManager.getLock().acquireLock(BUCKET_LOCK, volumeName, bucketName); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyDeleteRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyDeleteRequest.java index 40f940158f02f..a7bf9830a4707 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyDeleteRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyDeleteRequest.java @@ -109,7 +109,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, OMClientResponse omClientResponse = null; try { // check Acl - checkKeyAcls(ozoneManager, volumeName, bucketName, keyName, true); + checkKeyAcls(ozoneManager, volumeName, bucketName, keyName); String objectKey = omMetadataManager.getOzoneKey( volumeName, bucketName, keyName); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRenameRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRenameRequest.java index cd1927b9df200..0b1faaad33059 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRenameRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRenameRequest.java 
@@ -118,7 +118,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, OMException.ResultCodes.INVALID_KEY_NAME); } // check Acl - checkKeyAcls(ozoneManager, volumeName, bucketName, fromKeyName, true); + checkKeyAcls(ozoneManager, volumeName, bucketName, fromKeyName); acquiredLock = omMetadataManager.getLock().acquireLock(BUCKET_LOCK, volumeName, bucketName); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java index bc7a58faeb003..c36a7da57baa5 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java 
@@ -498,29 +498,37 @@ private OMClientResponse createKeyErrorResponse(@Nonnull OMMetrics omMetrics, } /** - * Check Acls for the ozone object. + * Check Acls for the ozone bucket. + * @param ozoneManager + * @param volume + * @param bucket + * @param key + * @throws IOException + */ + protected void checkBucketAcls(OzoneManager ozoneManager, String volume, + String bucket, String key) throws IOException { + if (ozoneManager.getAclsEnabled()) { + checkAcls(ozoneManager, OzoneObj.ResourceType.KEY, + OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE, + volume, bucket, key); + } + } + + + /** + * Check Acls for the ozone key. * @param ozoneManager * @param volume * @param bucket * @param key - * @param checkKeyAccess * @throws IOException */ protected void checkKeyAcls(OzoneManager ozoneManager, String volume, - String bucket, String key, boolean checkKeyAccess) throws IOException { + String bucket, String key) throws IOException { if (ozoneManager.getAclsEnabled()) { - // If checkKeyAccess is check only acls for KEY. - // As for Key Create/Commit/Allocate Block the entry for key will not - // be in Key table. - if (checkKeyAccess) { - checkAcls(ozoneManager, OzoneObj.ResourceType.KEY, - OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE, - volume, bucket, key); - } else { - checkAcls(ozoneManager, OzoneObj.ResourceType.BUCKET, - OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE, - volume, bucket, key); - } + checkAcls(ozoneManager, OzoneObj.ResourceType.KEY, + OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE, + volume, bucket, key); } } diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/bucket/S3BucketCreateRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/bucket/S3BucketCreateRequest.java index c7cb0f4ba23de..1eb60bd89da20 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/bucket/S3BucketCreateRequest.java 
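Review bot: `checkBucketAcls` passes `OzoneObj.ResourceType.KEY`, so it is now the same check as `checkKeyAcls` and no longer performs the bucket check that the removed `else` branch did for the create/commit/allocate-block callers; the resource type on that line should be `OzoneObj.ResourceType.BUCKET`. The Javadoc on both methods lists `@param` tags with no text, and after the fix the two methods differ only in the resource type, so a private helper taking the type keeps the enabled-check and the WRITE/OZONE arguments in one place. Suggested shape below; the class continues outside the hunk.
```java
  /**
   * Checks WRITE access on the enclosing bucket. Used by create, commit and
   * allocate-block paths, where the key itself may not exist yet.
   *
   * @param ozoneManager OM instance whose ACL setting and authorizer are used
   * @param volume volume name
   * @param bucket bucket name
   * @param key key name (passed through to the authorizer for context)
   * @throws IOException if access is denied
   */
  protected void checkBucketAcls(OzoneManager ozoneManager, String volume,
      String bucket, String key) throws IOException {
    checkWriteAcls(ozoneManager, OzoneObj.ResourceType.BUCKET, volume, bucket,
        key);
  }

  /**
   * Checks WRITE access on an existing key. Used by delete and rename paths.
   *
   * @param ozoneManager OM instance whose ACL setting and authorizer are used
   * @param volume volume name
   * @param bucket bucket name
   * @param key key name
   * @throws IOException if access is denied
   */
  protected void checkKeyAcls(OzoneManager ozoneManager, String volume,
      String bucket, String key) throws IOException {
    checkWriteAcls(ozoneManager, OzoneObj.ResourceType.KEY, volume, bucket,
        key);
  }

  // Shared body: a no-op when ACL enforcement is disabled on this OM.
  private void checkWriteAcls(OzoneManager ozoneManager,
      OzoneObj.ResourceType resourceType, String volume, String bucket,
      String key) throws IOException {
    if (ozoneManager.getAclsEnabled()) {
      checkAcls(ozoneManager, resourceType, OzoneObj.StoreType.OZONE,
          IAccessAuthorizer.ACLType.WRITE, volume, bucket, key);
    }
  }
```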
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/bucket/S3BucketCreateRequest.java @@ -153,6 +153,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, OMClientResponse omClientResponse = null; try { + // TODO to support S3 ACL later. acquiredS3Lock = omMetadataManager.getLock().acquireLock(S3_BUCKET_LOCK, s3BucketName); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/bucket/S3BucketDeleteRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/bucket/S3BucketDeleteRequest.java index 04b96dca843f9..5e0bebf2bb6c1 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/bucket/S3BucketDeleteRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/bucket/S3BucketDeleteRequest.java @@ -105,7 +105,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, OMMetadataManager omMetadataManager = ozoneManager.getMetadataManager(); OMClientResponse omClientResponse = null; try { - + // TODO to support S3 ACL later. acquiredS3Lock = omMetadataManager.getLock().acquireLock(S3_BUCKET_LOCK, s3BucketName); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3InitiateMultipartUploadRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3InitiateMultipartUploadRequest.java index e4260381d5a24..25e10a0cf3623 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3InitiateMultipartUploadRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3InitiateMultipartUploadRequest.java 
@@ -112,7 +112,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, .setSuccess(true); OMClientResponse omClientResponse = null; try { - + // TODO to support S3 ACL later. acquiredBucketLock = omMetadataManager.getLock().acquireLock(BUCKET_LOCK, volumeName, bucketName); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadAbortRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadAbortRequest.java index d13603624d99c..bf02904c8118f 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadAbortRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadAbortRequest.java @@ -96,7 +96,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, .setSuccess(true); OMClientResponse omClientResponse = null; try { - + // TODO to support S3 ACL later. acquiredLock = omMetadataManager.getLock().acquireLock(BUCKET_LOCK, volumeName, bucketName); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadCommitPartRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadCommitPartRequest.java index d90ec5a0e7711..f42bf066dfc5c 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadCommitPartRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadCommitPartRequest.java 
@@ -109,7 +109,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, String multipartKey = null; OmMultipartKeyInfo multipartKeyInfo = null; try { - + // TODO to support S3 ACL later. acquiredLock = omMetadataManager.getLock().acquireLock(BUCKET_LOCK, volumeName, bucketName); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadCompleteRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadCompleteRequest.java index 154c39853a22e..8194320d03076 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadCompleteRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/multipart/S3MultipartUploadCompleteRequest.java @@ -105,7 +105,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, IOException exception = null; OmMultipartUploadList multipartUploadList = null; try { - + // TODO to support S3 ACL later. TreeMap partsMap = new TreeMap<>(); for (OzoneManagerProtocolProtos.Part part : partsList) { partsMap.put(part.getPartNumber(), part.getPartName()); From 3726a7c9cc26a321e944f3ec7513e75aca545c3e Mon Sep 17 00:00:00 2001 From: Bharat Viswanadham Date: Fri, 23 Aug 2019 16:42:35 -0700 Subject: [PATCH 3/3] clean unused imports. --- .../hadoop/ozone/om/request/file/OMDirectoryCreateRequest.java | 2 -- .../hadoop/ozone/om/request/file/OMFileCreateRequest.java | 2 -- 2 files changed, 4 deletions(-) diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMDirectoryCreateRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMDirectoryCreateRequest.java index 70bf77e05f02e..5b9de22285adf 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMDirectoryCreateRequest.java 
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMDirectoryCreateRequest.java @@ -57,8 +57,6 @@ .OMRequest; import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos .OMResponse; -import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; -import org.apache.hadoop.ozone.security.acl.OzoneObj; import org.apache.hadoop.util.Time; import org.apache.hadoop.utils.db.cache.CacheKey; import org.apache.hadoop.utils.db.cache.CacheValue; diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMFileCreateRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMFileCreateRequest.java index 7eb76ec843105..eba9ce33b6c68 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMFileCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMFileCreateRequest.java @@ -53,8 +53,6 @@ .KeyArgs; import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos .OMRequest; -import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; -import org.apache.hadoop.ozone.security.acl.OzoneObj; import org.apache.hadoop.util.Time; import org.apache.hadoop.utils.UniqueId; import org.apache.hadoop.utils.db.Table;