New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HDDS-3056. Allow users to list volumes they have access to, and optionally allow all users to list all volumes #696
Conversation
@elek @xiaoyuyao Would you take a look? Thanks. Essentially what this does is removing the admin check in I believe this shouldn't impose security risks other than intentionally "leaking" all volume names (for now). What do you security experts think? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @smengcl for working on this.
The code change looks good.
I do not have details about the conversation with Arpit/Sanjay you mentioned thus I am not merging this PR yet. As far as security is concerned, listing all volumes is a functionality suited for system admins. If I am not supposed to have access to read the contents of some volumes what benefit will I achieve by being able to list those volumes? Thus I am not able to understand what value this change brings to ozone or the user experience.
Thanks for the comment Dinesh. You concern is totally valid. One motivation/background of this change is that in So there is also a Now there is a visual glitch when listing. Since the volume Yes there is this security implication behind this. I discussed with @xiaoyuyao a bit about this today. |
Discussed with @arp7 @xiaoyuyao @dineshchitlangia . Our conclusion is that we want to allow users who have access to some volumes to be able to list them. We will add a new config param in I'll repurposing this jira. TODOs:
|
4bdeafd should've accomplished the "optionally allow all users to list all volumes" part. I'll add test for that later. As for the "Allow users to list volumes they have access to" part, first I was trying to write the code in So eventually I decide to implement the logic in -- This might lead to higher memory consumption when there are a lot of volumes existing in OM. But it requires a bit more change to mitigate this. I might try to put some of the listing iterator logic in |
Rebased onto latest master to include the acceptance test failure fix HDDS-3284. |
hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/OMConfigKeys.java
Outdated
Show resolved
Hide resolved
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
Outdated
Show resolved
Hide resolved
List<OmVolumeArgs> listOfAllVolumes = volumeManager.listVolumes( | ||
null, prefix, prevKey, maxKeys); | ||
// Filter all volumes by ACL LIST permission of UGI | ||
return listOfAllVolumes.stream().filter(v -> v.getAclMap() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use accessAuthorizer.checkAccess
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
Outdated
Show resolved
Hide resolved
...zone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/volume/ListVolumeHandler.java
Outdated
Show resolved
Hide resolved
Will add the integration test soon. |
Looks like this need a rebase after HDDS-2691. |
Just added integration tests. But it seems only one cluster can be launched in one test class. |
Rebased. |
Rebased again because of HDDS-3340 (class |
I'm able to dig a bit into the root cause of the timeout in the new integration test I added. Turns out, when a mini ozone cluster launches for a second time in the same test class. In This eventually causes I am able to confirm my discovery by setting a breakpoint inside If I only run My questions:
Pinging for some help @bharatviswa504 @elek |
I just posted #806, might be related to the issue. |
#806 is merged. will rebase this PR. |
just rebased. somehow all the integration tests are timing out on my machine so I can't verify locally if the problem is fixed by #806. we'll see. |
Even after reverting the lock change the acceptance test still fails. |
Acceptance failure is related to HDDS-3456. Or we can commit since the failures are unrelated. What do you think? @xiaoyuyao |
Please don't commit with unrelated failures. These may hide other, related failures, as we've seen in the past. Please review #844 instead. ;) |
Sure thing. Let's wait for #844 merge. Then I'll do a rebase. :) |
…ll volumes via Ozone shell.
…lume.listall.allowed
…LL_ALLOWED_DEFAULT
…om timeout due to (suspected) RocksDB not being cleaned up during each mini cluster launch and setup.
Rebased as HDDS-3456 is committed. |
Got a green run after the rebase. Will commit shortly. Thanks @xiaoyuyao and @dineshchitlangia for the review. |
What changes were proposed in this pull request?
Optionally allow non-admin users to list all volumes.
What is the link to the Apache JIRA
https://issues.apache.org/jira/browse/HDDS-3056
How was this patch tested?
NOTE: The info below might be a bit out-dated. Need to double check.
Tested manually in ozonesecure docker-compose.
testuser
is an admin user (listed inozone.administrators
),testuser2
is a non-admin user.ozone sh volume list
ozone sh volume list --all
ozone.om.volume.listall.allowed
istrue
; iffalse
, only admins can list all volumes, non-admin will getOmException
withPERMISSION_DENIED
.After the patch (non-admin can list all volumes)
For comparison, before the patch (non-admin can't list all volumes)