
Example 1 with ACCESS

Use of org.apache.hadoop.ozone.OzoneAcl.AclScope.ACCESS in the Apache Ozone project.

From the class TestOzoneRpcClientAbstract, method validateOzoneAccessAcl: a helper that exercises add, remove and set ACL calls on a single Ozone object and checks that getAcl reflects each change.

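/**
 * Exercises add/remove/set ACL round-trips on {@code ozObj} and checks that
 * {@code store.getAcl} reflects every mutation.
 *
 * <p>Flow:
 * <ol>
 *   <li>Take the first default ACL entry, grant READ_ACL to that identity
 *       and verify it shows up; then revoke it and verify it is gone. The
 *       number of entries must not change, because a right granted to an
 *       identity that already has an entry is merged into that entry.</li>
 *   <li>Remove every default entry and verify the list is empty.</li>
 *   <li>Re-add them one at a time, verifying the count after each add.</li>
 *   <li>Replace the whole list with {@code setAcl} and verify that exactly
 *       the two new ACCESS-scoped entries remain.</li>
 * </ol>
 *
 * @param ozObj the volume, bucket or key whose ACLs are exercised
 * @throws IOException if any ACL call against the store fails
 */
private void validateOzoneAccessAcl(OzoneObj ozObj) throws IOException {
    // The expected list is derived from a fresh configuration, i.e. the
    // entries the current test user gets by default, not read from ozObj.
    List<OzoneAcl> expectedAcls = getAclList(new OzoneConfiguration());
    assertFalse("Default acl should not be empty.", expectedAcls.isEmpty());

    // Case:1 Add new acl permission to existing acl.
    OzoneAcl oldAcl = expectedAcls.get(0);
    OzoneAcl newAcl = new OzoneAcl(oldAcl.getType(), oldAcl.getName(), ACLType.READ_ACL, oldAcl.getAclScope());
    // Verify that operation successful.
    assertTrue(store.addAcl(ozObj, newAcl));
    // Same identity, so the right is merged: entry count is unchanged.
    assertEquals(expectedAcls.size(), store.getAcl(ozObj).size());
    Optional<OzoneAcl> readAcl = findAclForIdentity(store.getAcl(ozObj), newAcl);
    assertTrue("New acl expected but not found.", readAcl.isPresent());
    assertTrue("READ_ACL should exist in current acls:" + readAcl.get(), readAcl.get().getAclList().contains(ACLType.READ_ACL));

    // Case:2 Remove newly added acl permission.
    assertTrue(store.removeAcl(ozObj, newAcl));
    assertEquals(expectedAcls.size(), store.getAcl(ozObj).size());
    Optional<OzoneAcl> nonReadAcl = findAclForIdentity(store.getAcl(ozObj), newAcl);
    assertTrue("New acl expected but not found.", nonReadAcl.isPresent());
    assertFalse("READ_ACL should not exist in current acls:" + nonReadAcl.get(), nonReadAcl.get().getAclList().contains(ACLType.READ_ACL));

    // After the grant/revoke round-trip every default entry must survive.
    List<OzoneAcl> keyAcls = store.getAcl(ozObj);
    for (OzoneAcl a : expectedAcls) {
        assertTrue("Expected default acl missing: " + a, keyAcls.contains(a));
    }

    // Remove all acl's. Each removal is asserted on its own so that a
    // failure names the offending entry rather than only the final count.
    for (OzoneAcl a : expectedAcls) {
        assertTrue("Failed to remove acl: " + a, store.removeAcl(ozObj, a));
    }
    assertEquals(0, store.getAcl(ozObj).size());

    // Add acl's and then call getAcl.
    int aclCount = 0;
    for (OzoneAcl a : expectedAcls) {
        aclCount++;
        assertTrue(store.addAcl(ozObj, a));
        assertEquals(aclCount, store.getAcl(ozObj).size());
    }
    List<OzoneAcl> readdedAcls = store.getAcl(ozObj);
    assertEquals(expectedAcls.size(), readdedAcls.size());
    for (OzoneAcl a : expectedAcls) {
        assertTrue("Re-added acl missing: " + a, readdedAcls.contains(a));
    }

    // Reset acl's. setAcl replaces the whole list, so the defaults must be
    // gone afterwards and only these two entries may remain.
    OzoneAcl ua = new OzoneAcl(USER, "userx", ACLType.READ_ACL, ACCESS);
    OzoneAcl ug = new OzoneAcl(GROUP, "userx", ACLType.ALL, ACCESS);
    store.setAcl(ozObj, Arrays.asList(ua, ug));
    List<OzoneAcl> resetAcls = store.getAcl(ozObj);
    assertEquals(2, resetAcls.size());
    assertTrue(resetAcls.contains(ua));
    assertTrue(resetAcls.contains(ug));
}

/**
 * Finds the entry in {@code acls} whose identity (type and name) matches
 * {@code probe}. Scope is deliberately not compared: the caller above only
 * ever holds one entry per identity on the object, so type + name suffices.
 *
 * @param acls  current ACL list of the object
 * @param probe ACL whose type and name identify the entry to look up
 * @return the matching entry, or empty if none
 */
private static Optional<OzoneAcl> findAclForIdentity(List<OzoneAcl> acls, OzoneAcl probe) {
    return acls.stream()
        .filter(acl -> acl.getName().equals(probe.getName()) && acl.getType().equals(probe.getType()))
        .findFirst();
}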

Example 2 with ACCESS

Use of org.apache.hadoop.ozone.OzoneAcl.AclScope.ACCESS in the Apache Ozone project.

From the class TestOzoneNativeAuthorizer, method resetAclsAndValidateAccess: resets an object's ACL list to a single right and checks that the native authorizer grants that right and refuses the others, then grants the remaining rights one by one.

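/**
 * Resets the ACL list of {@code obj} to a single right and verifies that the
 * native authorizer grants exactly that right (and nothing else) to the
 * identity named by {@code accessType}; then grants the remaining rights one
 * at a time, re-checking after each grant that granted rights are honoured
 * and rights not yet granted are still refused.
 *
 * <p>Rights with special semantics are handled separately:
 * <ul>
 *   <li>{@code ALL} and {@code NONE} are delegated to {@code validateAll}
 *       and {@code validateNone}.</li>
 *   <li>{@code CREATE} on a VOLUME is expected to succeed only for Ozone
 *       admins.</li>
 *   <li>{@code WRITE} is never checked here: the authorizer looks the object
 *       up in OpenKeyTable for write requests, and the objects under test
 *       are already committed to the key table.</li>
 *   <li>{@code CREATE} is skipped from negative checks because the object
 *       does not exist at create-check time.</li>
 * </ul>
 *
 * <p>NOTE(review): the identity that receives each added right is chosen
 * at random (USER, GROUP or WORLD) from an unseeded generator, so a failure
 * may not reproduce on re-run; the assertion messages include the current
 * ACL list to compensate.
 *
 * @param obj            volume, bucket, key or prefix under test
 * @param accessType     identity type whose access is asserted
 * @param aclImplementor OM protocol used to read ACLs and, for objects that
 *                       are neither volume nor bucket, to write them
 * @throws IOException if an ACL read or write against OM fails
 */
private void resetAclsAndValidateAccess(OzoneObj obj, ACLIdentityType accessType, OzoneManagerProtocol aclImplementor) throws IOException {
    List<OzoneAcl> acls;
    String user = testUgi.getUserName();
    // Only used in assertion messages; a UGI without groups yields "".
    String group = testUgi.getGroups().isEmpty() ? "" : testUgi.getGroups().get(0);
    // Name of the identity under test, for assertion messages.
    String identityName = accessType == USER ? user : group;
    RequestContext.Builder builder = new RequestContext.Builder().setClientUgi(testUgi).setAclType(accessType);
    // Identity types a randomly added right may be granted to. Listed
    // explicitly rather than indexing ACLIdentityType.values() so the test
    // does not depend on enum declaration order.
    ACLIdentityType[] grantableTypes = {USER, GROUP, WORLD};
    // Get all acls.
    List<ACLType> allAcls = Arrays.stream(ACLType.values()).collect(Collectors.toList());
    /*
     * 1. Reset default acls to an acl.
     * 2. Test if user/group has access only to it.
     * 3. Add remaining acls one by one and then test
     *    if user/group has access to them.
     */
    for (ACLType a1 : allAcls) {
        OzoneAcl newAcl = new OzoneAcl(accessType, getAclName(accessType), a1, ACCESS);
        // Reset acls to only one right. Volumes and buckets go through the
        // test's own setters; everything else through the OM protocol.
        if (obj.getResourceType() == VOLUME) {
            setVolumeAcl(Collections.singletonList(newAcl));
        } else if (obj.getResourceType() == BUCKET) {
            setBucketAcl(Collections.singletonList(newAcl));
        } else {
            aclImplementor.setAcl(obj, Collections.singletonList(newAcl));
        }
        // Fetch current acls and validate.
        acls = aclImplementor.getAcl(obj);
        assertEquals("Expected a single acl after reset. Current acls:" + acls, 1, acls.size());
        assertTrue("Reset acl not found. Current acls:" + acls, acls.contains(newAcl));
        // Special handling for ALL.
        if (a1.equals(ALL)) {
            validateAll(obj, builder);
            continue;
        }
        // Special handling for NONE.
        if (a1.equals(NONE)) {
            validateNone(obj, builder);
            continue;
        }
        String msg = "Acl to check:" + a1 + " accessType:" + accessType + " path:" + obj.getPath();
        if (a1.equals(CREATE) && obj.getResourceType().equals(VOLUME)) {
            // Volume creation is admin-only; the acl alone must not grant it.
            assertEquals(msg, nativeAuthorizer.getOzoneAdmins().contains(user), nativeAuthorizer.checkAccess(obj, builder.setAclRights(a1).build()));
        } else {
            assertEquals(msg, expectedAclResult, nativeAuthorizer.checkAccess(obj, builder.setAclRights(a1).build()));
        }
        List<ACLType> aclsToBeValidated = Arrays.stream(ACLType.values()).collect(Collectors.toList());
        List<ACLType> aclsToBeAdded = Arrays.stream(ACLType.values()).collect(Collectors.toList());
        aclsToBeValidated.remove(NONE);
        // Do not validate "WRITE" since write acl type requires object to be
        // present in OpenKeyTable.
        aclsToBeValidated.remove(WRITE);
        aclsToBeValidated.remove(a1);
        aclsToBeAdded.remove(NONE);
        aclsToBeAdded.remove(ALL);
        // AclType "CREATE" is skipped from access check on objects
        // since the object will not exist during access check.
        aclsToBeAdded.remove(CREATE);
        // AclType "WRITE" is removed from being tested here,
        // because object must always be present in OpenKeyTable for write
        // acl requests. But, here the objects are already committed
        // and will move to keyTable.
        aclsToBeAdded.remove(WRITE);
        for (ACLType a2 : aclsToBeAdded) {
            if (a2.equals(a1)) {
                continue;
            }
            // Before granting a2, the identity must be refused it.
            acls = aclImplementor.getAcl(obj);
            List<List<ACLType>> rights = acls.stream().map(OzoneAcl::getAclList).collect(Collectors.toList());
            assertFalse("Did not expect client to have " + a2 + " acl. " + "Current acls found:" + rights + ". Type:" + accessType + "," + " name:" + identityName, nativeAuthorizer.checkAccess(obj, builder.setAclRights(a2).build()));
            // Randomize next type.
            ACLIdentityType identityType = grantableTypes[RandomUtils.nextInt(0, grantableTypes.length)];
            // Add remaining acls one by one and then check access.
            OzoneAcl addAcl = new OzoneAcl(identityType, getAclName(identityType), a2, ACCESS);
            // only DB not cache.
            if (obj.getResourceType() == VOLUME) {
                addVolumeAcl(addAcl);
            } else if (obj.getResourceType() == BUCKET) {
                addBucketAcl(addAcl);
            } else {
                aclImplementor.addAcl(obj, addAcl);
            }
            // Fetch acls again: the original right a1 and the new right a2
            // must both be present somewhere in the list (a2 may sit on a
            // different identity than a1, see grantableTypes).
            acls = aclImplementor.getAcl(obj);
            boolean a2AclFound = false;
            boolean a1AclFound = false;
            for (OzoneAcl acl : acls) {
                a2AclFound |= acl.getAclList().contains(a2);
                a1AclFound |= acl.getAclList().contains(a1);
            }
            assertTrue("Current acls :" + acls + ". " + "Type:" + accessType + ", name:" + identityName + " acl:" + a2, a2AclFound);
            assertTrue("Expected client to have " + a1 + " acl. Current acls " + "found:" + acls + ". Type:" + accessType + ", name:" + identityName, a1AclFound);
            assertEquals("Current acls " + acls + ". Expect acl:" + a2 + " to be set? " + expectedAclResult + " accessType:" + accessType, expectedAclResult, nativeAuthorizer.checkAccess(obj, builder.setAclRights(a2).build()));
            aclsToBeValidated.remove(a2);
            // Every right not yet granted must still be refused.
            for (ACLType a3 : aclsToBeValidated) {
                if (!a3.equals(a1) && !a3.equals(a2) && !a3.equals(CREATE)) {
                    assertFalse("User shouldn't have right " + a3 + ". " + "Current acl rights for user:" + a1 + "," + a2, nativeAuthorizer.checkAccess(obj, builder.setAclRights(a3).build()));
                }
            }
        }
    }
}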

Example 3 with ACCESS

Use of org.apache.hadoop.ozone.OzoneAcl.AclScope.ACCESS in the Apache Ozone project.

From the class TestOzoneRpcClientAbstract, method testMultipartUploadWithACL: checks that a multipart-uploaded key inherits the bucket's DEFAULT-scoped ACLs but not its ACCESS-scoped ones, and that a user without CREATE/WRITE is refused when initiating a multipart upload.

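/**
 * Verifies ACL inheritance and enforcement around multipart upload:
 * <ol>
 *   <li>A key created through multipart upload inherits the bucket's
 *       DEFAULT-scoped ACLs but not its ACCESS-scoped ones.</li>
 *   <li>A user holding only READ on the volume and bucket is refused with
 *       PERMISSION_DENIED when initiating a multipart upload.</li>
 *   <li>Once CREATE and WRITE are granted on volume and bucket, that user
 *       can initiate and complete a multipart upload.</li>
 *   <li>The same user is still refused when reading a key it was never
 *       granted access to.</li>
 * </ol>
 *
 * <p>NOTE(review): the part upload in step 3 goes through the privileged
 * {@code bucket} handle, not the restricted user's {@code bucket2}, so the
 * test does not show that the restricted user's WRITE right is sufficient
 * to upload parts; only initiate and complete run as that user.
 *
 * @throws Exception if the cluster or client calls fail unexpectedly
 */
@Test
public void testMultipartUploadWithACL() throws Exception {
    String volumeName = UUID.randomUUID().toString();
    String bucketName = UUID.randomUUID().toString();
    String keyName = UUID.randomUUID().toString();
    store.createVolume(volumeName);
    OzoneVolume volume = store.getVolume(volumeName);
    volume.createBucket(bucketName);
    OzoneBucket bucket = volume.getBucket(bucketName);
    // Add ACL on Bucket: two DEFAULT-scoped (inheritable) entries and two
    // ACCESS-scoped (bucket-only) entries.
    OzoneAcl acl1 = new OzoneAcl(USER, "Monday", ACLType.ALL, DEFAULT);
    OzoneAcl acl2 = new OzoneAcl(USER, "Friday", ACLType.ALL, DEFAULT);
    OzoneAcl acl3 = new OzoneAcl(USER, "Jan", ACLType.ALL, ACCESS);
    OzoneAcl acl4 = new OzoneAcl(USER, "Feb", ACLType.ALL, ACCESS);
    bucket.addAcl(acl1);
    bucket.addAcl(acl2);
    bucket.addAcl(acl3);
    bucket.addAcl(acl4);
    doMultipartUpload(bucket, keyName, (byte) 98);
    OzoneObj keyObj = OzoneObjInfo.Builder.newBuilder().setBucketName(bucketName).setVolumeName(volumeName).setKeyName(keyName).setResType(OzoneObj.ResourceType.KEY).setStoreType(OzoneObj.StoreType.OZONE).build();
    List<OzoneAcl> aclList = store.getAcl(keyObj);
    // key should inherit bucket's DEFAULT type acl
    assertTrue(containsAclNamed(aclList, acl1.getName()));
    assertTrue(containsAclNamed(aclList, acl2.getName()));
    // key should not inherit bucket's ACCESS type acl
    assertFalse(containsAclNamed(aclList, acl3.getName()));
    assertFalse(containsAclNamed(aclList, acl4.getName()));
    // User without permission should fail to upload the object
    String userName = "test-user";
    UserGroupInformation remoteUser = UserGroupInformation.createRemoteUser(userName);
    // The restricted user's client is closed even when an assertion below
    // fails, so its RPC resources do not leak into later tests.
    try (OzoneClient client = remoteUser.doAs((PrivilegedExceptionAction<OzoneClient>) () -> OzoneClientFactory.getRpcClient(cluster.getConf()))) {
        // Grant READ only (both scopes) on the volume and the bucket.
        OzoneAcl acl5 = new OzoneAcl(USER, userName, ACLType.READ, DEFAULT);
        OzoneAcl acl6 = new OzoneAcl(USER, userName, ACLType.READ, ACCESS);
        OzoneObj volumeObj = OzoneObjInfo.Builder.newBuilder().setVolumeName(volumeName).setStoreType(OzoneObj.StoreType.OZONE).setResType(OzoneObj.ResourceType.VOLUME).build();
        OzoneObj bucketObj = OzoneObjInfo.Builder.newBuilder().setVolumeName(volumeName).setBucketName(bucketName).setStoreType(OzoneObj.StoreType.OZONE).setResType(OzoneObj.ResourceType.BUCKET).build();
        store.addAcl(volumeObj, acl5);
        store.addAcl(volumeObj, acl6);
        store.addAcl(bucketObj, acl5);
        store.addAcl(bucketObj, acl6);
        // User without permission cannot start multi-upload
        String keyName2 = UUID.randomUUID().toString();
        OzoneBucket bucket2 = client.getObjectStore().getVolume(volumeName).getBucket(bucketName);
        try {
            initiateMultipartUpload(bucket2, keyName2, ReplicationType.RATIS, THREE);
            fail("User without permission should fail");
        } catch (OMException e) {
            // Only OMException is caught: any other failure propagates with
            // its own stack trace instead of a bare instanceof assertion.
            assertEquals(ResultCodes.PERMISSION_DENIED, e.getResult());
        }
        // Add create permission for user, and try multi-upload init again
        OzoneAcl acl7 = new OzoneAcl(USER, userName, ACLType.CREATE, DEFAULT);
        OzoneAcl acl8 = new OzoneAcl(USER, userName, ACLType.CREATE, ACCESS);
        OzoneAcl acl9 = new OzoneAcl(USER, userName, WRITE, DEFAULT);
        OzoneAcl acl10 = new OzoneAcl(USER, userName, WRITE, ACCESS);
        store.addAcl(volumeObj, acl7);
        store.addAcl(volumeObj, acl8);
        store.addAcl(volumeObj, acl9);
        store.addAcl(volumeObj, acl10);
        store.addAcl(bucketObj, acl7);
        store.addAcl(bucketObj, acl8);
        store.addAcl(bucketObj, acl9);
        store.addAcl(bucketObj, acl10);
        String uploadId = initiateMultipartUpload(bucket2, keyName2, ReplicationType.RATIS, THREE);
        // Upload part.
        // NOTE(review): this uses the privileged `bucket`, not `bucket2`,
        // so the restricted user's WRITE right is not what is exercised
        // here (see class-level note in the Javadoc above).
        byte[] data = generateData(OzoneConsts.OM_MULTIPART_MIN_SIZE, (byte) 1);
        String partName = uploadPart(bucket, keyName2, uploadId, 1, data);
        Map<Integer, String> partsMap = new TreeMap<>();
        partsMap.put(1, partName);
        // Complete multipart upload request
        completeMultipartUpload(bucket2, keyName2, uploadId, partsMap);
        // User without permission cannot read multi-uploaded object.
        // keyName was created before test-user was granted anything and its
        // ACL list (checked above) carries no entry for test-user, so READ
        // on the bucket alone must not open it. The stream is closed via
        // try-with-resources should the read unexpectedly succeed.
        try (OzoneInputStream ignored = bucket2.readKey(keyName)) {
            fail("User without permission should fail");
        } catch (OMException e) {
            assertEquals(ResultCodes.PERMISSION_DENIED, e.getResult());
        }
    }
}

/**
 * Returns whether any entry in {@code acls} is for the identity named
 * {@code name}. Only the name is compared, matching the inheritance checks
 * above which look for the bucket entries by name.
 *
 * @param acls ACL list to search
 * @param name identity name to look for
 * @return true if an entry with that name is present
 */
private static boolean containsAclNamed(List<OzoneAcl> acls, String name) {
    return acls.stream().anyMatch(acl -> acl.getName().equals(name));
}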
