Use of org.apache.hadoop.ozone.security.acl.RequestContext in project ozone by apache: class TestKeyManagerImpl, method testCheckAccessForFileKey.
@Test
public void testCheckAccessForFileKey() throws Exception {
  // GIVEN: a committed file key nested several directories deep
  OmKeyArgs fileArgs = createBuilder()
      .setKeyName("testdir/deep/NOTICE.txt")
      .build();
  OpenKeySession session = writeClient.createFile(fileArgs, false, true);
  fileArgs.setLocationInfoList(
      session.getKeyInfo().getLatestVersionLocations().getLocationList());
  writeClient.commitKey(fileArgs, session.getId());
  // Forget the SCM interactions made while writing, so that the access
  // check below can be verified in isolation.
  reset(mockScmContainerClient);
  OzoneObj target = OzoneObjInfo.Builder.fromKeyArgs(fileArgs)
      .setStoreType(OzoneObj.StoreType.OZONE)
      .build();
  RequestContext readRequest = currentUserReads();

  // WHEN
  boolean granted = keyManager.checkAccess(target, readRequest);

  // THEN: the read is permitted, and deciding it never required asking
  // SCM for container pipelines.
  Assert.assertTrue(granted);
  verify(mockScmContainerClient, never()).getContainerWithPipelineBatch(any());
}
Use of org.apache.hadoop.ozone.security.acl.RequestContext in project ozone by apache: class OzoneManager, method checkAcls.
/**
 * Checks the ACLs of one ozone object on behalf of a caller.
 *
 * <p>The object is assembled from its resource/store type and names, and the
 * request context from the caller's identity (UGI, address, host), the
 * requested right and the object's owner; the evaluation itself is delegated
 * to {@link #checkAcls(OzoneObj, RequestContext, boolean)}.
 *
 * @param resType the kind of resource the object is
 * @param storeType the store the object belongs to
 * @param aclType the right being requested
 * @param vol volume name
 * @param bucket bucket name
 * @param key key name
 * @param ugi identity of the caller
 * @param remoteAddress address the request came from
 * @param hostName host the request came from
 * @param throwIfPermissionDenied when true, a denial raises an exception
 *     instead of returning false
 * @param owner owner of the object, passed to the authorizer for
 *     owner-based evaluation
 * @return true if permission granted, false if permission denied.
 * @throws OMException ResultCodes.PERMISSION_DENIED if permission denied
 *     and throwIfPermissionDenied is true.
 */
@SuppressWarnings("parameternumber")
public boolean checkAcls(ResourceType resType, StoreType storeType,
    ACLType aclType, String vol, String bucket, String key,
    UserGroupInformation ugi, InetAddress remoteAddress, String hostName,
    boolean throwIfPermissionDenied, String owner) throws OMException {
  OzoneObjInfo.Builder objBuilder = OzoneObjInfo.Builder.newBuilder();
  objBuilder.setResType(resType);
  objBuilder.setStoreType(storeType);
  objBuilder.setVolumeName(vol);
  objBuilder.setBucketName(bucket);
  objBuilder.setKeyName(key);

  RequestContext.Builder ctxBuilder = RequestContext.newBuilder();
  ctxBuilder.setClientUgi(ugi);
  ctxBuilder.setIp(remoteAddress);
  ctxBuilder.setHost(hostName);
  // Rights are always evaluated against the calling user identity here.
  ctxBuilder.setAclType(ACLIdentityType.USER);
  ctxBuilder.setAclRights(aclType);
  ctxBuilder.setOwnerName(owner);

  return checkAcls(objBuilder.build(), ctxBuilder.build(),
      throwIfPermissionDenied);
}
Use of org.apache.hadoop.ozone.security.acl.RequestContext in project ozone by apache: class OMClientRequest, method checkACLsWithFSO.
/**
 * Checks ACLs for an ozone key in a file-system-optimized (FSO) bucket.
 *
 * <p>When ACLs are enabled on the OzoneManager two checks are enforced, and
 * both throw on denial: first the volume is checked with the right derived
 * by {@link #parentAclRightFor} (or plain READ when the native authorizer is
 * not in use), then the key itself is checked with {@code aclType}. The owner
 * recorded in the key's request context is the volume owner when the caller
 * owns the volume, otherwise the bucket owner. When ACLs are disabled no
 * check is performed, although the prefix path is still resolved.
 *
 * @param ozoneManager resolves owners and evaluates the ACLs
 * @param volumeName volume containing the key
 * @param bucketName bucket containing the key
 * @param keyName key (path) being accessed
 * @param aclType the right the caller needs on the key
 * @throws IOException if the prefix path cannot be resolved, or an
 *     {@link OMException} when either ACL check is denied
 */
protected void checkACLsWithFSO(OzoneManager ozoneManager, String volumeName,
    String bucketName, String keyName, IAccessAuthorizer.ACLType aclType)
    throws IOException {
  // TODO: Presently not populating sub-paths under a single bucket
  // lock. Need to revisit this to handle any concurrent operations
  // along with this.
  OzonePrefixPathImpl prefixPath = new OzonePrefixPathImpl(volumeName,
      bucketName, keyName, ozoneManager.getKeyManager());
  OzoneObj keyObj = OzoneObjInfo.Builder.newBuilder()
      .setResType(OzoneObj.ResourceType.KEY)
      .setStoreType(OzoneObj.StoreType.OZONE)
      .setVolumeName(volumeName)
      .setBucketName(bucketName)
      .setKeyName(keyName)
      .setOzonePrefixPath(prefixPath)
      .build();
  RequestContext.Builder keyContext = RequestContext.newBuilder()
      .setAclRights(aclType)
      .setRecursiveAccessCheck(prefixPath.isCheckRecursiveAccess());

  if (!ozoneManager.getAclsEnabled()) {
    return;
  }

  String volumeOwner = ozoneManager.getVolumeOwner(keyObj.getVolumeName(),
      keyContext.getAclRights(), keyObj.getResourceType());
  String bucketOwner = ozoneManager.getBucketOwner(keyObj.getVolumeName(),
      keyObj.getBucketName(), keyContext.getAclRights(),
      keyObj.getResourceType());
  UserGroupInformation caller = createUGI();
  keyContext.setClientUgi(caller);
  keyContext.setIp(getRemoteAddress());
  keyContext.setHost(getHostName());
  keyContext.setAclType(IAccessAuthorizer.ACLIdentityType.USER);
  // A caller who owns the volume is evaluated as the volume owner;
  // otherwise the bucket owner is the relevant owner for this key.
  keyContext.setOwnerName(
      isOwner(caller, volumeOwner) ? volumeOwner : bucketOwner);

  IAccessAuthorizer.ACLType parentRight =
      ozoneManager.isNativeAuthorizerEnabled()
          ? parentAclRightFor(aclType)
          : IAccessAuthorizer.ACLType.READ;

  OzoneObj volumeObj = OzoneObjInfo.Builder.newBuilder()
      .setResType(OzoneObj.ResourceType.VOLUME)
      .setStoreType(OzoneObj.StoreType.OZONE)
      .setVolumeName(volumeName)
      .setBucketName(bucketName)
      .setKeyName(keyName)
      .build();
  RequestContext volumeContext = RequestContext.newBuilder()
      .setClientUgi(caller)
      .setIp(getRemoteAddress())
      .setHost(getHostName())
      .setAclType(IAccessAuthorizer.ACLIdentityType.USER)
      .setAclRights(parentRight)
      .setOwnerName(volumeOwner)
      .build();
  // Both checks throw on denial; the volume is checked before the key.
  ozoneManager.checkAcls(volumeObj, volumeContext, true);
  ozoneManager.checkAcls(keyObj, keyContext.build(), true);
}

/**
 * Maps the right requested on a key to the right that must be held on the
 * parent volume when the native authorizer is enabled: creating, deleting
 * or changing the ACLs of a key needs WRITE on the volume; reading ACLs or
 * listing needs READ; any other right is required on the volume as-is.
 *
 * @param aclType the right requested on the key
 * @return the right to check on the parent volume
 */
private static IAccessAuthorizer.ACLType parentAclRightFor(
    IAccessAuthorizer.ACLType aclType) {
  switch (aclType) {
  case CREATE:
  case DELETE:
  case WRITE_ACL:
    return IAccessAuthorizer.ACLType.WRITE;
  case READ_ACL:
  case LIST:
    return IAccessAuthorizer.ACLType.READ;
  default:
    return aclType;
  }
}