HDDS-8653. Let directory inherit parent default ACLs

[whbing]

What changes were proposed in this pull request?

Let directory inherit bucket default ACLs

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-8653

Please replace this section with the link to the Apache JIRA)

How was this patch tested?

Tested CLI commands in ozone compose environment.

# use hadoop admin user to execute
schema=hadoop1
vol=vol1

# CASE 1: TEST FSO
buk=bucket-fso
ozone sh bucket create ${vol}/${buk} --layout FILE_SYSTEM_OPTIMIZED
ozone sh bucket addacl -a=user:user1:rwl[DEFAULT] ${vol}/${buk}
# missing dir case
ozone fs -mkdir -p ofs://${schema}/${vol}/${buk}/d1/d2
ozone sh key getacl ${vol}/${buk}/d1
[ {
  "type" : "USER",
  "name" : "user1",
  "aclScope" : "DEFAULT",
  "aclList" : [ "READ", "WRITE", "LIST" ]
}, {
  "type" : "USER",
  "name" : "hadoop",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "GROUP",
  "name" : "hadoop",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
} ]
ozone sh key getacl ${vol}/${buk}/d1/d2
[ {
  "type" : "USER",
  "name" : "user1",
  "aclScope" : "DEFAULT",
  "aclList" : [ "READ", "WRITE", "LIST" ]
}, {
  "type" : "USER",
  "name" : "hadoop",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "GROUP",
  "name" : "hadoop",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
} ]
# file acl
ozone fs -put file ofs://${schema}/${vol}/${buk}/d1/d2/f1
ozone sh key getacl ${vol}/${buk}/d1/d2/f1
[ {
  "type" : "USER",
  "name" : "hadoop",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "GROUP",
  "name" : "hadoop",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "USER",
  "name" : "user1",
  "aclScope" : "ACCESS",
  "aclList" : [ "READ", "WRITE", "LIST" ]
} ]

# test dir exist
ozone fs -mkdir ofs://${schema}/${vol}/${buk}/d1/d2/d3
ozone sh key addacl -a=user:user2:rw[DEFAULT] ${vol}/${buk}/d1/d2/d3
ozone sh key getacl ${vol}/${buk}/d1/d2/d3
[ {
  "type" : "USER",
  "name" : "user1",
  "aclScope" : "DEFAULT",
  "aclList" : [ "READ", "WRITE", "LIST" ]
}, {
  "type" : "USER",
  "name" : "hadoop",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "GROUP",
  "name" : "hadoop",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "USER",
  "name" : "user2",
  "aclScope" : "DEFAULT",
  "aclList" : [ "READ", "WRITE" ]
} ]
ozone fs -put file ofs://${schema}/${vol}/${buk}/d1/d2/d3/f2
ozone sh key getacl ${vol}/${buk}/d1/d2/d3/f2
[ {
  "type" : "USER",
  "name" : "hadoop",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "GROUP",
  "name" : "hadoop",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "USER",
  "name" : "user1",
  "aclScope" : "ACCESS",
  "aclList" : [ "READ", "WRITE", "LIST" ]
}, {
  "type" : "USER",
  "name" : "user2",
  "aclScope" : "ACCESS",
  "aclList" : [ "READ", "WRITE" ]
} ]
# test ozone client
ozone sh key put ${vol}/${buk}/d1/d2/d3/f3 file
ozone sh key getacl ${vol}/${buk}/d1/d2/d3/f3
[ {
  "type" : "USER",
  "name" : "hadoop",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "GROUP",
  "name" : "hadoop",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "USER",
  "name" : "user1",
  "aclScope" : "ACCESS",
  "aclList" : [ "READ", "WRITE", "LIST" ]
}, {
  "type" : "USER",
  "name" : "user2",
  "aclScope" : "ACCESS",
  "aclList" : [ "READ", "WRITE" ]
} ]

# ----------

# CASE 2: TEST LEGACY
buk=bucket-lg
ozone sh bucket create ${vol}/${buk} --layout LEGACY
# same cli as above (dir endwith / ), and get the same result

[adoroszlai]

Thanks @whbing for reporting the problem and working on it.

TestRecursiveAclWithFSO is failing, please check.

Please also add tests to verify the new behavior.

[adoroszlai]

Thanks @whbing for updating the patch.

[whbing]

I started a disscuss in #4752. Will update commit after disscussing.

[whbing]

Currently implemented logic:
all node(dir/file) has its owner acls as well as inherited acls.

The logic of acl inheritance is as follows

1. FSO: subdir or leaf file inherit direct parent's DEFAULT acl, subdir keeps DEFAULT scope and file keeps ACCESS scope
2. LEGACY: subdir (endwith /) inherit direct parent's DEFAULT acl and keeps DEFAULT scope, leaf file inherit bucket DEFAULT acls (because can't get the parent info temporarily, maybe can optimize it in subsequent PR)
3. OBS: no dir, inherit from bucket DEFAULT acls.

The benefits of the above changes are:

1. Unified inheritance rules for subdirs and files. For example, READ_GROUP[DEFAULT] acl is given to a bucket, which can be inherited to children for easy authentication.
2. LEGACY and OBS also try to be consistent with FSO to reduce the complexity of understanding.
3. It is good for recursion acl-checking (maybe there will be a new PR combined with prefix in the future for more optimized authentication).

[whbing]

ci passed in : https://github.com/whbing/ozone/actions/runs/5172606799
The results tested CLI commands in my compose environment are at the top of this page.
Thanks for taking the time to review ! 😁

[adoroszlai]

@ChenSammi @fapifta please review

[sumitagrawl]

@whbing Thanks for working for this, having few comments.

IMO,

• getting inheritDefaultAcl can be done at place where creating Directory, instead of passing filtered defaultAcl, similar to OmKeyRequest.getAclsForKey used in FileInfo create
• This flow is for creating missing parent directory.

[sumitagrawl]

filterDefaultScope is not done for omBucketInfo.getAcls() present at line no 197, so if no parent dir, only bucket, then will take all acls from bucket

[sumitagrawl]

IMO, instead of changing PathInfo, it can filter Default at time of Directory / file creation. FileInfo creation, its handled. But directory creation for all flow, this needs handle.

[sumitagrawl]

method itself will inherit only default acl, it seems no need set again toDefaultScope() and this method may not be useful

[whbing]

method itself will inherit only default acl, it seems no need set again toDefaultScope() and this method may not be useful

@sumitagrawl The current convention is ACLs which the directory inherits necessary to keep DEFAULT scope, except leaf file. I added toDefaultScope without changing the basis inheritDefaultAcls method. How do you think about it? Thanks.

[whbing]

@sumitagrawl Thanks for review ! I will try to make some optimizations based on your comments, and then reply to you.

[whbing]

ci passed in： https://github.com/whbing/ozone/actions/runs/5291548464
@sumitagrawl Code updated as suggested. PTAL If you have the time, thanks !

[whbing]

Class organized as follows. (OMFileRequest can be considered as a tool class). All create related classes are adapted.

[sumitagrawl]

@whbing Thanks for fixing the previous comments, few new comments are there, please handle.

[ChenSammi]

Currently implemented logic: all node(dir/file) has its owner acls as well as inherited acls.

The logic of acl inheritance is as follows

1. `FSO`: subdir or leaf file inherit direct parent's DEFAULT acl, subdir keeps DEFAULT scope and file keeps ACCESS scope

2. `LEGACY`: subdir (endwith /) inherit direct parent's DEFAULT acl and keeps DEFAULT scope, leaf file inherit bucket DEFAULT acls (because can't get the parent info temporarily, maybe can optimize it in subsequent PR)

3. `OBS`: no dir, inherit from bucket DEFAULT acls.

@whbing , it's good to have a summary here. I have one question about "LEGACY" bucket. Say there are two subdirs under bucket1, one is dir1/, another is dir1/dir2/. Bucket has one DEFAULT ACL1, dir1/ has one DEFAULT ACL2(prefix ACL), will dir1/dir2/ inherits both ACL1 and ACL2?

[whbing]

Currently implemented logic: all node(dir/file) has its owner acls as well as inherited acls.
The logic of acl inheritance is as follows

1. `FSO`: subdir or leaf file inherit direct parent's DEFAULT acl, subdir keeps DEFAULT scope and file keeps ACCESS scope

2. `LEGACY`: subdir (endwith /) inherit direct parent's DEFAULT acl and keeps DEFAULT scope, leaf file inherit bucket DEFAULT acls (because can't get the parent info temporarily, maybe can optimize it in subsequent PR)

3. `OBS`: no dir, inherit from bucket DEFAULT acls.

@whbing , it's good to have a summary here. I have one question about "LEGACY" bucket. Say there are two subdirs under bucket1, one is dir1/, another is dir1/dir2/. Bucket has one DEFAULT ACL1, dir1/ has one DEFAULT ACL2(prefix ACL), will dir1/dir2/ inherits both ACL1 and ACL2?

I think it is:

1. FSO or Legacy with EnableFileSystem: inherit the latest parent dir's DEFAULT acls. If latest parent dir has no DEFAULT acls, just inherit bucket acls and the ancestor is not traced.
2. OBS or Legacy with DisableFileSystem: inherit the the bucket DEFAULT acls.

In normal cases, inheritance starts with the DEFAULT of the bucket. If the middle dir is changed, the sub-node should only follow the behavior of the latest parent dir. I guess so.

How about that logic?
The relevant codes in: OMKeyRequest#getAclsForKey and OMKeyRequest#getAclsForDir

[whbing]

ci passed in my branch with last commit: https://github.com/whbing/ozone/actions/runs/5532904297

[sumitagrawl]

@whbing Thanks for working over this, LGTM+1

[whbing]

I think it is:

1. FSO or Legacy with EnableFileSystem: inherit the latest parent dir's DEFAULT acls. If latest parent dir has no DEFAULT acls, just inherit bucket acls and the ancestor is not traced.
2. OBS or Legacy with DisableFileSystem: inherit the the bucket DEFAULT acls.

In normal cases, inheritance starts with the DEFAULT of the bucket. If the middle dir is changed, the sub-node should only follow the behavior of the latest parent dir. I guess so.

How about that logic? The relevant codes in: OMKeyRequest#getAclsForKey and OMKeyRequest#getAclsForDir

By the way, I can add this logic to content/security/SecurityAcls.md if no problem.

[whbing]

@sumitagrawl @ChenSammi The documentation was supplemented based on the previous commit. Other code logic has not changed. If you have time, PTAK, thanks !

[whbing]

Ci passed in branch. please help triger ci, thanks. @ChenSammi @sumitagrawl

[whbing]

Failed Test TestOzoneFileSystem.testListStatusOnKeyNameContainDelimiter seems unrelated and cannot be reproduced. I have run the unit tests multiple times and they are passing. Maybe we can trigger the UT again.

[ChenSammi]

Thank you @whbing for the contribution.