From 036e727327646b1408caa30dbdbab45144586a24 Mon Sep 17 00:00:00 2001
From: Swaminathan Balachandran <47532440+swamirishi@users.noreply.github.com>
Date: Sat, 16 Nov 2024 18:12:48 -0800
Subject: [PATCH] HDDS-11732. Fix ACL check on bucket resolution while reading from snapshot (#7446)
Change-Id: I192219d1840ea9ddb06c2c177207cf870a7be8eb
---
 .../hadoop/ozone/om/OmSnapshotManager.java | 2 +-
 .../apache/hadoop/ozone/om/OzoneManager.java | 32 +++++++++++++++----
 2 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmSnapshotManager.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmSnapshotManager.java
index cf526351253..11330c7a3e1 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmSnapshotManager.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmSnapshotManager.java
@@ -628,7 +628,7 @@ public ReferenceCounted getActiveFsMetadataOrSnapshot(
 // Updating the volumeName & bucketName in case the bucket is a linked bucket. We need to do this before a
 // permission check, since linked bucket permissions and source bucket permissions could be different.
 ResolvedBucket resolvedBucket = ozoneManager.resolveBucketLink(Pair.of(volumeName,
- bucketName), false);
+ bucketName), false, false);
 volumeName = resolvedBucket.realVolume();
 bucketName = resolvedBucket.realBucket();
 return (ReferenceCounted) (ReferenceCounted)
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
index 2facdaccd2f..b5ae80a02d8 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
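Review bot: The trailing `false, false` in the resolveBucketLink call is opaque at the call site — the second literal is the new `aclEnabled` flag and it switches off the READ ACL check on every link in the chain, which is the actual security decision this hunk makes, yet the comment above only explains the re-assignment of the names. Extend that comment so the intent survives a review of the caller alone, e.g. `// allowDanglingBuckets=false, aclEnabled=false: follow the link without the READ check here; the permission check below is applied to the resolved volume/bucket instead.` That wording relies on the later permission check actually running against the updated volumeName/bucketName, which lies outside this hunk, so it is worth confirming before merge. getActiveFsMetadataOrSnapshot's body starts and ends outside the hunk.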
@@ -4402,10 +4402,16 @@ public ResolvedBucket resolveBucketLink(Pair requested,
 }
 public ResolvedBucket resolveBucketLink(Pair requested,
- boolean allowDanglingBuckets)
+ boolean allowDanglingBuckets) throws IOException {
+ return resolveBucketLink(requested, allowDanglingBuckets, isAclEnabled);
+ }
+
+ public ResolvedBucket resolveBucketLink(Pair requested,
+ boolean allowDanglingBuckets,
+ boolean aclEnabled)
 throws IOException {
 OmBucketInfo resolved;
- if (isAclEnabled) {
+ if (aclEnabled) {
 UserGroupInformation ugi = getRemoteUser();
 if (getS3Auth() != null) {
 ugi = UserGroupInformation.createRemoteUser(
@@ -4416,15 +4422,26 @@ public ResolvedBucket resolveBucketLink(Pair requested,
 ugi,
 remoteIp != null ? remoteIp : omRpcAddress.getAddress(),
 remoteIp != null ? remoteIp.getHostName() :
- omRpcAddress.getHostName(), allowDanglingBuckets);
+ omRpcAddress.getHostName(), allowDanglingBuckets, aclEnabled);
 } else {
 resolved = resolveBucketLink(requested, new HashSet<>(),
- null, null, null, allowDanglingBuckets);
+ null, null, null, allowDanglingBuckets, aclEnabled);
 }
 return new ResolvedBucket(requested.getLeft(), requested.getRight(),
 resolved);
 }
+ private OmBucketInfo resolveBucketLink(
+ Pair volumeAndBucket,
+ Set> visited,
+ UserGroupInformation userGroupInformation,
+ InetAddress remoteAddress,
+ String hostName,
+ boolean allowDanglingBuckets) throws IOException {
+ return resolveBucketLink(volumeAndBucket, visited, userGroupInformation, remoteAddress, hostName,
+ allowDanglingBuckets, isAclEnabled);
+ }
+
 /**
 * Resolves bucket symlinks. Read permission is required for following links.
 *
@@ -4442,7 +4459,8 @@ private OmBucketInfo resolveBucketLink(
 UserGroupInformation userGroupInformation,
 InetAddress remoteAddress,
 String hostName,
- boolean allowDanglingBuckets) throws IOException {
+ boolean allowDanglingBuckets,
+ boolean aclEnabled) throws IOException {
 String volumeName = volumeAndBucket.getLeft();
 String bucketName = volumeAndBucket.getRight();
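Review bot: The three-argument `resolveBucketLink` overload added in the first hunk is `public`, so any caller can resolve a link chain with the READ ACL check switched off regardless of the cluster's `isAclEnabled` setting; the only caller this patch introduces is OmSnapshotManager in the same package, so dropping `public` (package-private) would keep that bypass internal to the OM. Whatever the visibility, the overload has no Javadoc and needs one stating the contract, e.g. `@param aclEnabled when false the READ check on each link is skipped; the caller is responsible for authorizing the resolved bucket`. The same point applies to the seven-argument private method in the third hunk, whose existing Javadoc `Read permission is required for following links.` is no longer unconditional and should become `Read permission is required for following links when {@code aclEnabled} is true.` with a matching `@param aclEnabled`. Both methods' bodies continue outside these hunks.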
@@ -4465,7 +4483,7 @@ private OmBucketInfo resolveBucketLink(
 DETECTED_LOOP_IN_BUCKET_LINKS);
 }
- if (isAclEnabled) {
+ if (aclEnabled) {
 final ACLType type = ACLType.READ;
 checkAcls(ResourceType.BUCKET, StoreType.OZONE, type,
 volumeName, bucketName, null, userGroupInformation,
@@ -4476,7 +4494,7 @@ private OmBucketInfo resolveBucketLink(
 return resolveBucketLink(
 Pair.of(info.getSourceVolume(), info.getSourceBucket()),
 visited, userGroupInformation, remoteAddress, hostName,
- allowDanglingBuckets);
+ allowDanglingBuckets, aclEnabled);
 }
 @VisibleForTesting