From 5d7f2b128d22a61873d11a851daffc05b79a5788 Mon Sep 17 00:00:00 2001 From: Gargi Jaiswal Date: Mon, 9 Feb 2026 17:29:03 +0530 Subject: [PATCH 1/8] add ozone.authorisation.enabled and separate checks for non object and objects in ozone --- .../apache/hadoop/ozone/OzoneConfigKeys.java | 4 ++ .../hadoop/ozone/OzoneSecurityUtil.java | 16 ++++++++ .../src/main/resources/ozone-default.xml | 14 +++++++ .../hadoop/ozone/HddsDatanodeService.java | 6 +++ .../hadoop/hdds/server/OzoneAdmins.java | 3 ++ .../hdds/utils/DBCheckpointServlet.java | 14 +++---- .../scm/server/SCMDBCheckpointServlet.java | 10 ++--- .../scm/server/StorageContainerManager.java | 25 ++++++++++++ .../ozone/om/OMDBCheckpointServlet.java | 10 ++--- .../OMDBCheckpointServletInodeBasedXfer.java | 2 +- .../ozone/om/OMMultiTenantManagerImpl.java | 4 ++ .../hadoop/ozone/om/OmMetadataReader.java | 2 +- .../apache/hadoop/ozone/om/OzoneManager.java | 40 +++++++++++++++++-- .../om/ratis/OzoneManagerStateMachine.java | 2 +- .../ozone/om/request/OMClientRequest.java | 2 +- .../request/bucket/OMBucketCreateRequest.java | 2 +- .../request/bucket/OMBucketDeleteRequest.java | 2 +- .../bucket/OMBucketSetOwnerRequest.java | 2 +- .../bucket/OMBucketSetPropertyRequest.java | 20 +++++----- .../bucket/acl/OMBucketAclRequest.java | 2 +- .../ozone/om/request/key/OMKeyRequest.java | 6 +-- .../om/request/key/OMKeySetTimesRequest.java | 2 +- .../om/request/key/acl/OMKeyAclRequest.java | 2 +- .../key/acl/OMKeyAclRequestWithFSO.java | 2 +- .../key/acl/prefix/OMPrefixAclRequest.java | 2 +- .../s3/tenant/OMTenantCreateRequest.java | 2 +- .../s3/tenant/OMTenantDeleteRequest.java | 2 +- .../snapshot/OMSnapshotCreateRequest.java | 12 +++--- .../snapshot/OMSnapshotDeleteRequest.java | 12 +++--- .../snapshot/OMSnapshotRenameRequest.java | 12 +++--- .../upgrade/OMCancelPrepareRequest.java | 2 +- .../upgrade/OMFinalizeUpgradeRequest.java | 2 +- .../request/volume/OMQuotaRepairRequest.java | 2 +- .../request/volume/OMVolumeCreateRequest.java | 2 +- .../request/volume/OMVolumeDeleteRequest.java | 2 +- .../volume/OMVolumeSetOwnerRequest.java | 2 +- .../volume/OMVolumeSetQuotaRequest.java | 2 +- .../volume/acl/OMVolumeAclRequest.java | 2 +- .../OMAdminProtocolServerSideImpl.java | 3 +- .../security/acl/OzoneAuthorizerFactory.java | 2 +- .../ozone/recon/ReconRestServletModule.java | 8 +--- .../recon/api/filters/ReconAdminFilter.java | 10 +++++ .../ozone/s3secret/S3SecretAdminFilter.java | 6 +++ 43 files changed, 204 insertions(+), 77 deletions(-) diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java index 2179414af384..74bad2c7967d 100644 --- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java +++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java @@ -469,6 +469,10 @@ public final class OzoneConfigKeys { "ozone.acl.enabled"; public static final boolean OZONE_ACL_ENABLED_DEFAULT = false; + public static final String OZONE_AUTHORIZATION_ENABLED = + "ozone.authorization.enabled"; + public static final boolean OZONE_AUTHORIZATION_ENABLED_DEFAULT = + true; public static final String OZONE_S3_VOLUME_NAME = "ozone.s3g.volume.name"; public static final String OZONE_S3_VOLUME_NAME_DEFAULT = diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneSecurityUtil.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneSecurityUtil.java index 76ce8ebd917d..46cadb0de951 100644 --- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneSecurityUtil.java +++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneSecurityUtil.java @@ -17,6 +17,8 @@ package org.apache.hadoop.ozone; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_AUTHORIZATION_ENABLED; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_AUTHORIZATION_ENABLED_DEFAULT; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_HTTP_SECURITY_ENABLED_DEFAULT; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_HTTP_SECURITY_ENABLED_KEY; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_DEFAULT; @@ -71,6 +73,20 @@ public static boolean isHttpSecurityEnabled(ConfigurationSource conf) { OZONE_HTTP_SECURITY_ENABLED_DEFAULT); } + /** + * Check if authorization checks should be performed in Ozone. + * Authorization is only effective when security is enabled. + * This controls both admin privilege checks and ACL checks. + * + * @param conf Configuration source + * @return true if authorization checks should be performed + */ + public static boolean isAuthorizationEnabled(ConfigurationSource conf) { + return isSecurityEnabled(conf) && + conf.getBoolean(OZONE_AUTHORIZATION_ENABLED, + OZONE_AUTHORIZATION_ENABLED_DEFAULT); + } + /** * Returns Keys status. * diff --git a/hadoop-hdds/common/src/main/resources/ozone-default.xml b/hadoop-hdds/common/src/main/resources/ozone-default.xml index d076e1e78d33..4a0fb3362eb9 100644 --- a/hadoop-hdds/common/src/main/resources/ozone-default.xml +++ b/hadoop-hdds/common/src/main/resources/ozone-default.xml @@ -2376,6 +2376,20 @@ OZONE, SECURITY, ACL Key to enable/disable ozone acls. + + ozone.authorization.enabled + true + OZONE, SECURITY, AUTHORIZATION + + Master switch to enable/disable authorization checks in Ozone + (admin privilege checks and ACL checks). + This property only takes effect when ozone.security.enabled is true. + When true: admin privilege checks are always performed, and object + ACL checks are controlled by ozone.acl.enabled. + When false: no authorization checks are performed. + Default is true to align with HDFS's dfs.permissions.enabled behavior. + + ozone.om.kerberos.keytab.file /etc/security/keytabs/OM.keytab diff --git a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java index 2df26ca6e268..51856b5deca7 100644 --- a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java +++ b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java @@ -93,6 +93,7 @@ import org.apache.hadoop.ozone.container.common.volume.MutableVolumeSet; import org.apache.hadoop.ozone.container.common.volume.StorageVolume; import org.apache.hadoop.ozone.container.diskbalancer.DiskBalancerProtocolServer; +import org.apache.hadoop.ozone.OzoneSecurityUtil; import org.apache.hadoop.ozone.util.OzoneNetUtils; import org.apache.hadoop.ozone.util.ShutdownHookManager; import org.apache.hadoop.security.SecurityUtil; @@ -670,6 +671,11 @@ public boolean isStopped() { */ private void checkAdminPrivilege(String operation) throws IOException { + // Skip check if authorization is disabled + if (!OzoneSecurityUtil.isAuthorizationEnabled(conf)) { + return; + } + final UserGroupInformation ugi = getRemoteUser(); admins.checkAdminUserPrivilege(ugi); } diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/OzoneAdmins.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/OzoneAdmins.java index cf4cf2af550f..440196a1be1d 100644 --- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/OzoneAdmins.java +++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/OzoneAdmins.java @@ -34,6 +34,7 @@ import java.util.LinkedHashSet; import java.util.Set; import org.apache.hadoop.hdds.conf.OzoneConfiguration; +import org.apache.hadoop.ozone.OzoneSecurityUtil; import org.apache.hadoop.security.AccessControlException; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.util.StringUtils; @@ -103,6 +104,8 @@ public static OzoneAdmins getReadonlyAdmins( /** * Check ozone admin privilege, throws exception if not admin. + * Note: This method does NOT check if authorization is enabled. + * Callers should check authorization before calling this method. */ public void checkAdminUserPrivilege(UserGroupInformation ugi) throws AccessControlException { diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/utils/DBCheckpointServlet.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/utils/DBCheckpointServlet.java index 38e986583800..45e26144b9fe 100644 --- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/utils/DBCheckpointServlet.java +++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/utils/DBCheckpointServlet.java @@ -73,14 +73,14 @@ public class DBCheckpointServlet extends HttpServlet private transient DBStore dbStore; private transient DBCheckpointMetrics dbMetrics; - private boolean aclEnabled; + private boolean authorizationEnabled; private boolean isSpnegoEnabled; private transient OzoneAdmins admins; private transient BootstrapStateHandler.Lock lock; private transient File bootstrapTempData; public void initialize(DBStore store, DBCheckpointMetrics metrics, - boolean omAclEnabled, + boolean authorizationEnabled, Collection allowedAdminUsers, Collection allowedAdminGroups, boolean isSpnegoAuthEnabled) @@ -94,7 +94,7 @@ public void initialize(DBStore store, DBCheckpointMetrics metrics, throw new ServletException("DB Store is null"); } - this.aclEnabled = omAclEnabled; + this.authorizationEnabled = authorizationEnabled; this.admins = new OzoneAdmins(allowedAdminUsers, allowedAdminGroups); this.isSpnegoEnabled = isSpnegoAuthEnabled; lock = new NoOpLock(); @@ -129,9 +129,9 @@ public File getBootstrapTempData() { } private boolean hasPermission(UserGroupInformation user) { - // Check ACL for dbCheckpoint only when global Ozone ACL and SPNEGO is + // Check admin access for dbCheckpoint only when authorization and SPNEGO is // enabled - if (aclEnabled && isSpnegoEnabled) { + if (authorizationEnabled && isSpnegoEnabled) { return admins.isAdmin(user); } else { return true; @@ -165,8 +165,8 @@ private void generateSnapshotCheckpoint(HttpServletRequest request, return; } - // Check ACL for dbCheckpoint only when global Ozone ACL is enabled - if (aclEnabled) { + // Check authorization for dbCheckpoint only when authorization is enabled + if (authorizationEnabled) { final java.security.Principal userPrincipal = request.getUserPrincipal(); if (userPrincipal == null) { final String remoteUser = request.getRemoteUser(); diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMDBCheckpointServlet.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMDBCheckpointServlet.java index 5c90409efd8d..04cb600d8107 100644 --- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMDBCheckpointServlet.java +++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMDBCheckpointServlet.java @@ -27,10 +27,10 @@ /** * Provides the current checkpoint Snapshot of the SCM DB. (tar.gz) * - * When Ozone ACL is enabled (`ozone.acl.enabled`=`true`), only users/principals - * configured in `ozone.administrator` (along with the user that starts OM, - * which automatically becomes an Ozone administrator but not necessarily in - * the config) are allowed to access this endpoint. + * When Ozone authorization is enabled (`ozone.authorization.enabled`=`true`), + * only users/principals configured in `ozone.administrator` (along with the + * user that starts SCM, which automatically becomes an Ozone administrator + * but not necessarily in the config) are allowed to access this endpoint. * * If Kerberos is enabled, the principal should be appended to * `ozone.administrator`, e.g. `scm/scm@EXAMPLE.COM` @@ -56,7 +56,7 @@ public void init() throws ServletException { initialize(scm.getScmMetadataStore().getStore(), scm.getMetrics().getDBCheckpointMetrics(), - false, + scm.isAdminAuthorizationEnabled(), Collections.emptyList(), Collections.emptyList(), false); diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java index 74fc70f6ce87..5fef37ef5025 100644 --- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java +++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java @@ -24,6 +24,8 @@ import static org.apache.hadoop.hdds.utils.HddsServerUtil.getRemoteUser; import static org.apache.hadoop.hdds.utils.HddsServerUtil.getScmSecurityClientWithMaxRetry; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_AUTHORIZATION_ENABLED; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_AUTHORIZATION_ENABLED_DEFAULT; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_READONLY_ADMINISTRATORS; import static org.apache.hadoop.ozone.OzoneConsts.SCM_ROOT_CA_COMPONENT_NAME; import static org.apache.hadoop.ozone.OzoneConsts.SCM_SUB_CA_PREFIX; @@ -284,6 +286,8 @@ public final class StorageContainerManager extends ServiceRuntimeInfoImpl private ContainerTokenSecretManager containerTokenMgr; private OzoneConfiguration configuration; + private final boolean isSecurityEnabled; + private final boolean isAuthorizationEnabled; private SCMContainerMetrics scmContainerMetrics; private SCMContainerPlacementMetrics placementMetrics; private PlacementPolicy containerPlacementPolicy; @@ -356,6 +360,12 @@ private StorageContainerManager(OzoneConfiguration conf, scmHANodeDetails = SCMHANodeDetails.loadSCMHAConfig(conf, scmStorageConfig); configuration = conf; + this.isSecurityEnabled = OzoneSecurityUtil.isSecurityEnabled(conf); + this.isAuthorizationEnabled = conf.getBoolean( + OZONE_AUTHORIZATION_ENABLED, + OZONE_AUTHORIZATION_ENABLED_DEFAULT); + LOG.info("SCM Security enabled: {}, Authorization enabled: {}", + isSecurityEnabled, isAuthorizationEnabled); initMetrics(); initPerfMetrics(); @@ -1918,8 +1928,23 @@ private void checkAdminAccess(String op) throws IOException { checkAdminAccess(getRemoteUser(), false); } + /** + * Check if admin privilege authorization should be enforced. + * This controls system-level admin operations (upgrades, decommission, etc.) + * + * @return true if admin authorization checks should be performed + */ + public boolean isAdminAuthorizationEnabled() { + return OzoneSecurityUtil.isAuthorizationEnabled(configuration); + } + public void checkAdminAccess(UserGroupInformation remoteUser, boolean isRead) throws IOException { + // Skip check if authorization is disabled + if (!isAdminAuthorizationEnabled()) { + return; + } + if (remoteUser != null && !scmAdmins.isAdmin(remoteUser)) { if (!isRead || !scmReadOnlyAdmins.isAdmin(remoteUser)) { throw new AccessControlException( diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMDBCheckpointServlet.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMDBCheckpointServlet.java index a90ee336b001..db5de6b5b8ec 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMDBCheckpointServlet.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMDBCheckpointServlet.java @@ -81,10 +81,10 @@ /** * Provides the current checkpoint Snapshot of the OM DB. (tar.gz) * - * When Ozone ACL is enabled (`ozone.acl.enabled`=`true`), only users/principals - * configured in `ozone.administrator` (along with the user that starts OM, - * which automatically becomes an Ozone administrator but not necessarily in - * the config) are allowed to access this endpoint. + * When Ozone authorization is enabled (`ozone.authorization.enabled`=`true`), + * only users/principals configured in `ozone.administrator` (along with the user + * that starts OM, which automatically becomes an Ozone administrator but not + * necessarily in the config) are allowed to access this endpoint. * * If Kerberos is enabled, the principal should be appended to * `ozone.administrator`, e.g. `scm/scm@EXAMPLE.COM` @@ -125,7 +125,7 @@ public void init() throws ServletException { initialize(om.getMetadataManager().getStore(), om.getMetrics().getDBCheckpointMetrics(), - om.getAclsEnabled(), + om.isAdminAuthorizationEnabled(), allowedUsers, allowedGroups, om.isSpnegoEnabled()); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMDBCheckpointServletInodeBasedXfer.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMDBCheckpointServletInodeBasedXfer.java index c41f28d0f251..e60ec13ad647 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMDBCheckpointServletInodeBasedXfer.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMDBCheckpointServletInodeBasedXfer.java @@ -131,7 +131,7 @@ public void init() throws ServletException { initialize(om.getMetadataManager().getStore(), om.getMetrics().getDBCheckpointMetrics(), - om.getAclsEnabled(), + om.isAdminAuthorizationEnabled(), allowedUsers, allowedGroups, om.isSpnegoEnabled()); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java index ff0066f712ff..f2449a3c68e4 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java @@ -897,6 +897,10 @@ private void loadTenantCacheFromDB() { @Override public void checkAdmin() throws OMException { + // Skip check if authorization is disabled + if (!ozoneManager.isAdminAuthorizationEnabled()) { + return; + } final UserGroupInformation ugi = ProtobufRpcEngine.Server.getRemoteUser(); if (!ozoneManager.isAdmin(ugi)) { diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmMetadataReader.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmMetadataReader.java index a5ba074156ee..9de63914f7d0 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmMetadataReader.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmMetadataReader.java @@ -98,7 +98,7 @@ public OmMetadataReader(KeyManager keyManager, this.volumeManager = ozoneManager.getVolumeManager(); this.prefixManager = prefixManager; this.ozoneManager = ozoneManager; - this.isAclEnabled = ozoneManager.getAclsEnabled(); + this.isAclEnabled = ozoneManager.isObjectAclEnabled(); this.log = log; this.audit = audit; this.metrics = omMetadataReaderMetrics; diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java index b48d8fbe40fc..a2d84a27ad2d 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java @@ -32,6 +32,8 @@ import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED_DEFAULT; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_AUTHORIZATION_ENABLED; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_AUTHORIZATION_ENABLED_DEFAULT; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_FLEXIBLE_FQDN_RESOLUTION_ENABLED; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_FLEXIBLE_FQDN_RESOLUTION_ENABLED_DEFAULT; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_KEY_PREALLOCATION_BLOCKS_MAX; @@ -426,6 +428,7 @@ public final class OzoneManager extends ServiceRuntimeInfoImpl new ObjectMapper().readerFor(OmMetricsInfo.class); private static final int SHUTDOWN_HOOK_PRIORITY = 30; private final File omMetaDir; + private boolean isAuthorizationEnabled; private boolean isAclEnabled; private final boolean isSpnegoEnabled; private final SecurityConfig secConfig; @@ -864,8 +867,13 @@ public String getThreadNamePrefix() { * require. */ private void setInstanceVariablesFromConf() { + this.isAuthorizationEnabled = configuration.getBoolean( + OZONE_AUTHORIZATION_ENABLED, + OZONE_AUTHORIZATION_ENABLED_DEFAULT); this.isAclEnabled = configuration.getBoolean(OZONE_ACL_ENABLED, OZONE_ACL_ENABLED_DEFAULT); + LOG.info("Authorization enabled: {}, ACL enabled: {}", + isAuthorizationEnabled, isAclEnabled); } /** @@ -2749,6 +2757,26 @@ public boolean checkAcls(ResourceType resType, StoreType storeType, return omMetadataReader.checkAcls(obj, context, throwIfPermissionDenied); } + /** + * Check if admin privilege authorization should be enforced. + * This controls system-level admin operations (upgrades, decommission, etc.) + * + * @return true if admin authorization checks should be performed + */ + public boolean isAdminAuthorizationEnabled() { + return OzoneSecurityUtil.isAuthorizationEnabled(configuration); + } + + /** + * Check if object ACL checks should be enforced. + * This controls volume/bucket/key level permissions. + * + * @return true if object ACL checks should be performed + */ + public boolean isObjectAclEnabled() { + return isAdminAuthorizationEnabled() && getAclsEnabled(); + } + /** * Return true if Ozone acl's are enabled, else false. * @@ -3526,7 +3554,7 @@ public boolean triggerRangerBGSync(boolean noWait) throws IOException { final UserGroupInformation ugi = getRemoteUser(); // Check Ozone admin privilege - if (!isAdmin(ugi)) { + if (isAdminAuthorizationEnabled() && !isAdmin(ugi)) { throw new OMException("Only Ozone admins are allowed to trigger " + "Ranger background sync manually", PERMISSION_DENIED); } @@ -3566,7 +3594,7 @@ public boolean triggerSnapshotDefrag(boolean noWait) throws IOException { final UserGroupInformation ugi = getRemoteUser(); // Check Ozone admin privilege - if (!isAdmin(ugi)) { + if (isAdminAuthorizationEnabled() && !isAdmin(ugi)) { throw new OMException("Only Ozone admins are allowed to trigger " + "snapshot defragmentation manually", PERMISSION_DENIED); } @@ -3623,7 +3651,7 @@ public TenantStateList listTenant() throws IOException { metrics.incNumTenantLists(); final UserGroupInformation ugi = getRemoteUser(); - if (!isAdmin(ugi)) { + if (isAdminAuthorizationEnabled() && !isAdmin(ugi)) { final OMException omEx = new OMException( "Only Ozone admins are allowed to list tenants.", PERMISSION_DENIED); AUDIT.logReadFailure(buildAuditMessageForFailure( @@ -4591,8 +4619,14 @@ public boolean isAdmin(UserGroupInformation callerUgi) { /** * Check ozone admin privilege, throws exception if not admin. + * Only checks admin privilege if authorization is enabled. */ private void checkAdminUserPrivilege(String operation) throws IOException { + // Skip check if authorization is disabled + if (!isAdminAuthorizationEnabled()) { + return; + } + final UserGroupInformation ugi = getRemoteUser(); if (!isAdmin(ugi)) { throw new OMException("Only Ozone admins are allowed to " + operation, diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/OzoneManagerStateMachine.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/OzoneManagerStateMachine.java index a3ad217ceef7..667cfb83150d 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/OzoneManagerStateMachine.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/OzoneManagerStateMachine.java @@ -354,7 +354,7 @@ public TransactionContext preAppendTransaction(TransactionContext trx) UserGroupInformation userGroupInformation = UserGroupInformation.createRemoteUser( request.getUserInfo().getUserName()); - if (ozoneManager.getAclsEnabled() + if (ozoneManager.isAdminAuthorizationEnabled() && !ozoneManager.isAdmin(userGroupInformation)) { String message = "Access denied for user " + userGroupInformation + ". Superuser privilege is required to prepare upgrade/downgrade."; diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/OMClientRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/OMClientRequest.java index fdb1f30a7cb2..be63e3966740 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/OMClientRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/OMClientRequest.java @@ -283,7 +283,7 @@ protected void checkACLsWithFSO(OzoneManager ozoneManager, String volumeName, .setRecursiveAccessCheck(pathViewer.isCheckRecursiveAccess()); // check Acl - if (ozoneManager.getAclsEnabled()) { + if (ozoneManager.isObjectAclEnabled()) { String volumeOwner = ozoneManager.getVolumeOwner( obj.getVolumeName(), contextBuilder.getAclRights(), obj.getResourceType()); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketCreateRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketCreateRequest.java index 718f329aaaff..4e7516c07015 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketCreateRequest.java @@ -102,7 +102,7 @@ public OMRequest preExecute(OzoneManager ozoneManager) throws IOException { OmUtils.validateBucketName(bucketInfo.getBucketName(), strict); // ACL check during preExecute - if (ozoneManager.getAclsEnabled()) { + if (ozoneManager.isObjectAclEnabled()) { try { checkAcls(ozoneManager, OzoneObj.ResourceType.BUCKET, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.CREATE, diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketDeleteRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketDeleteRequest.java index 3c5f028bb5d9..3b58e4c419c7 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketDeleteRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketDeleteRequest.java @@ -102,7 +102,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut OMClientResponse omClientResponse = null; try { // check Acl - if (ozoneManager.getAclsEnabled()) { + if (ozoneManager.isObjectAclEnabled()) { checkAcls(ozoneManager, OzoneObj.ResourceType.BUCKET, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.DELETE, volumeName, bucketName, null); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketSetOwnerRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketSetOwnerRequest.java index 6d0c90cdca29..c7dbd437c272 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketSetOwnerRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketSetOwnerRequest.java @@ -110,7 +110,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut OMClientResponse omClientResponse = null; try { // check Acl - if (ozoneManager.getAclsEnabled()) { + if (ozoneManager.isObjectAclEnabled()) { checkAcls(ozoneManager, OzoneObj.ResourceType.BUCKET, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE_ACL, volumeName, bucketName, null); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketSetPropertyRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketSetPropertyRequest.java index a88e5fb73334..3fa453642e59 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketSetPropertyRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketSetPropertyRequest.java @@ -133,7 +133,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut OMClientResponse omClientResponse = null; try { // check Acl - if (ozoneManager.getAclsEnabled()) { + if (ozoneManager.isObjectAclEnabled()) { checkAclPermission(ozoneManager, volumeName, bucketName); } @@ -252,14 +252,16 @@ private void checkAclPermission( OzoneManager ozoneManager, String volumeName, String bucketName) throws IOException { if (ozoneManager.getAccessAuthorizer().isNative()) { - UserGroupInformation ugi = createUGIForApi(); - String bucketOwner = ozoneManager.getBucketOwner(volumeName, bucketName, - IAccessAuthorizer.ACLType.READ, OzoneObj.ResourceType.BUCKET); - if (!ozoneManager.isAdmin(ugi) && - !ozoneManager.isOwner(ugi, bucketOwner)) { - throw new OMException( - "Bucket properties are allowed to changed by Admin and Owner", - OMException.ResultCodes.PERMISSION_DENIED); + if (ozoneManager.isAdminAuthorizationEnabled()) { + UserGroupInformation ugi = createUGIForApi(); + String bucketOwner = ozoneManager.getBucketOwner(volumeName, bucketName, + IAccessAuthorizer.ACLType.READ, OzoneObj.ResourceType.BUCKET); + if (!ozoneManager.isAdmin(ugi) && + !ozoneManager.isOwner(ugi, bucketOwner)) { + throw new OMException( + "Bucket properties are allowed to changed by Admin and Owner", + OMException.ResultCodes.PERMISSION_DENIED); + } } } else { // ranger acl checkAcls(ozoneManager, OzoneObj.ResourceType.BUCKET, diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/acl/OMBucketAclRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/acl/OMBucketAclRequest.java index 6faac1a24dc3..cb0428c7fa58 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/acl/OMBucketAclRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/acl/OMBucketAclRequest.java @@ -88,7 +88,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut bucket = resolvedBucket.realBucket(); // check Acl - if (ozoneManager.getAclsEnabled()) { + if (ozoneManager.isObjectAclEnabled()) { checkAcls(ozoneManager, OzoneObj.ResourceType.BUCKET, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE_ACL, volume, bucket, null); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java index 7df2619e9e46..05de930f66d2 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java @@ -621,7 +621,7 @@ protected OmKeyInfo.Builder dirKeyInfoBuilderNoACL(String keyName, KeyArgs keyAr protected void checkBucketAcls(OzoneManager ozoneManager, String volume, String bucket, String key, IAccessAuthorizer.ACLType aclType) throws IOException { - if (ozoneManager.getAclsEnabled()) { + if (ozoneManager.isObjectAclEnabled()) { checkAcls(ozoneManager, OzoneObj.ResourceType.BUCKET, OzoneObj.StoreType.OZONE, aclType, volume, bucket, key); @@ -642,7 +642,7 @@ protected void checkKeyAcls(OzoneManager ozoneManager, String volume, String bucket, String key, IAccessAuthorizer.ACLType aclType, OzoneObj.ResourceType resourceType) throws IOException { - if (ozoneManager.getAclsEnabled()) { + if (ozoneManager.isObjectAclEnabled()) { checkAcls(ozoneManager, resourceType, OzoneObj.StoreType.OZONE, aclType, volume, bucket, key); } @@ -663,7 +663,7 @@ protected void checkKeyAcls(OzoneManager ozoneManager, String volume, String bucket, String key, IAccessAuthorizer.ACLType aclType, OzoneObj.ResourceType resourceType, String volumeOwner) throws IOException { - if (ozoneManager.getAclsEnabled()) { + if (ozoneManager.isObjectAclEnabled()) { checkAcls(ozoneManager, resourceType, OzoneObj.StoreType.OZONE, aclType, volume, bucket, key, volumeOwner, ozoneManager.getBucketOwner(volume, bucket, aclType, resourceType)); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeySetTimesRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeySetTimesRequest.java index eef06ef2b41e..d79874399332 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeySetTimesRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeySetTimesRequest.java @@ -79,7 +79,7 @@ public OMRequest preExecute(OzoneManager ozoneManager) throws IOException { OzoneManagerProtocolProtos.KeyArgs newKeyArgs = resolveBucketLink(ozoneManager, keyArgs); // ACL check during preExecute - if (ozoneManager.getAclsEnabled()) { + if (ozoneManager.isObjectAclEnabled()) { try { checkAcls(ozoneManager, OzoneObj.ResourceType.KEY, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE_ACL, diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAclRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAclRequest.java index 35e06de92ee2..f910bb4a60af 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAclRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAclRequest.java @@ -88,7 +88,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut key = objectParser.getKey(); // check Acl - if (ozoneManager.getAclsEnabled()) { + if (ozoneManager.isObjectAclEnabled()) { checkAcls(ozoneManager, OzoneObj.ResourceType.KEY, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE_ACL, volume, bucket, key); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAclRequestWithFSO.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAclRequestWithFSO.java index f9c8602e0a43..fe1109fe35d1 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAclRequestWithFSO.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAclRequestWithFSO.java @@ -82,7 +82,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut key = objectParser.getKey(); // check Acl - if (ozoneManager.getAclsEnabled()) { + if (ozoneManager.isObjectAclEnabled()) { checkAcls(ozoneManager, OzoneObj.ResourceType.KEY, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE_ACL, volume, bucket, key); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/prefix/OMPrefixAclRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/prefix/OMPrefixAclRequest.java index 5549c1f21b9f..6d13ffddc7bb 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/prefix/OMPrefixAclRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/prefix/OMPrefixAclRequest.java @@ -77,7 +77,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut prefixPath = resolvedPrefixObj.getPath(); // check Acl - if (ozoneManager.getAclsEnabled()) { + if (ozoneManager.isObjectAclEnabled()) { checkAcls(ozoneManager, OzoneObj.ResourceType.PREFIX, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE_ACL, resolvedPrefixObj.getVolumeName(), resolvedPrefixObj.getBucketName(), diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantCreateRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantCreateRequest.java index ecb5a19f343b..7a0c15a29c2d 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantCreateRequest.java @@ -143,7 +143,7 @@ public OMRequest preExecute(OzoneManager ozoneManager) throws IOException { .getVolumeKey(volumeName); // ACL check during preExecute (align with other create requests) - if (ozoneManager.getAclsEnabled()) { + if (ozoneManager.isObjectAclEnabled()) { try { checkAcls(ozoneManager, OzoneObj.ResourceType.VOLUME, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.CREATE, diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantDeleteRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantDeleteRequest.java index c49525271a7c..9af5fdb00b05 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantDeleteRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantDeleteRequest.java @@ -113,7 +113,7 @@ public OMRequest preExecute(OzoneManager ozoneManager) throws IOException { } // Perform ACL check during preExecute (WRITE_ACL on volume if applicable) - if (ozoneManager.getAclsEnabled()) { + if (ozoneManager.isObjectAclEnabled()) { try { checkAcls(ozoneManager, OzoneObj.ResourceType.VOLUME, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE_ACL, diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/snapshot/OMSnapshotCreateRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/snapshot/OMSnapshotCreateRequest.java index 07a8aeed3139..77858c0a50b5 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/snapshot/OMSnapshotCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/snapshot/OMSnapshotCreateRequest.java @@ -113,11 +113,13 @@ public OMRequest preExecute(OzoneManager ozoneManager) throws IOException { UserGroupInformation ugi = createUGIForApi(); String bucketOwner = ozoneManager.getBucketOwner(volumeName, bucketName, IAccessAuthorizer.ACLType.READ, OzoneObj.ResourceType.BUCKET); - if (!ozoneManager.isAdmin(ugi) && - !ozoneManager.isOwner(ugi, bucketOwner)) { - throw new OMException( - "Only bucket owners and Ozone admins can create snapshots", - OMException.ResultCodes.PERMISSION_DENIED); + if (ozoneManager.isAdminAuthorizationEnabled()) { + if (!ozoneManager.isAdmin(ugi) && + !ozoneManager.isOwner(ugi, bucketOwner)) { + throw new OMException( + "Only bucket owners and Ozone admins can create snapshots", + OMException.ResultCodes.PERMISSION_DENIED); + } } // verify snapshot limit ozoneManager.getOmSnapshotManager().snapshotLimitCheck(); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/snapshot/OMSnapshotDeleteRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/snapshot/OMSnapshotDeleteRequest.java index 3f8bae61c530..9313bc815d9b 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/snapshot/OMSnapshotDeleteRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/snapshot/OMSnapshotDeleteRequest.java @@ -92,11 +92,13 @@ public OMRequest preExecute(OzoneManager ozoneManager) throws IOException { UserGroupInformation ugi = createUGIForApi(); String bucketOwner = ozoneManager.getBucketOwner(volumeName, bucketName, IAccessAuthorizer.ACLType.READ, OzoneObj.ResourceType.BUCKET); - if (!ozoneManager.isAdmin(ugi) && - !ozoneManager.isOwner(ugi, bucketOwner)) { - throw new OMException( - "Only bucket owners and Ozone admins can delete snapshots", - OMException.ResultCodes.PERMISSION_DENIED); + if (ozoneManager.isAdminAuthorizationEnabled()) { + if (!ozoneManager.isAdmin(ugi) && + !ozoneManager.isOwner(ugi, bucketOwner)) { + throw new OMException( + "Only bucket owners and Ozone admins can delete snapshots", + OMException.ResultCodes.PERMISSION_DENIED); + } } // Set deletion time here so OM leader and follower would have the diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/snapshot/OMSnapshotRenameRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/snapshot/OMSnapshotRenameRequest.java index 7a4cdc640dce..2d9bd5c21ab1 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/snapshot/OMSnapshotRenameRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/snapshot/OMSnapshotRenameRequest.java @@ -88,11 +88,13 @@ public OMRequest preExecute(OzoneManager ozoneManager) throws IOException { UserGroupInformation ugi = createUGIForApi(); String bucketOwner = ozoneManager.getBucketOwner(volumeName, bucketName, IAccessAuthorizer.ACLType.READ, OzoneObj.ResourceType.BUCKET); - if (!ozoneManager.isAdmin(ugi) && - !ozoneManager.isOwner(ugi, bucketOwner)) { - throw new OMException( - "Only bucket owners and Ozone admins can rename snapshots", - OMException.ResultCodes.PERMISSION_DENIED); + if (ozoneManager.isAdminAuthorizationEnabled()) { + if (!ozoneManager.isAdmin(ugi) && + !ozoneManager.isOwner(ugi, bucketOwner)) { + throw new OMException( + "Only bucket owners and Ozone admins can rename snapshots", + OMException.ResultCodes.PERMISSION_DENIED); + } } // Set rename time here so OM leader and follower would have the diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/upgrade/OMCancelPrepareRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/upgrade/OMCancelPrepareRequest.java index efbdf6bcd189..2a9d36940e64 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/upgrade/OMCancelPrepareRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/upgrade/OMCancelPrepareRequest.java @@ -66,7 +66,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut try { UserGroupInformation ugi = createUGIForApi(); - if (ozoneManager.getAclsEnabled() && !ozoneManager.isAdmin(ugi)) { + if (ozoneManager.isAdminAuthorizationEnabled() && !ozoneManager.isAdmin(ugi)) { throw new OMException("Access denied for user " + ugi + ". " + "Superuser privilege is required to cancel ozone manager " + diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/upgrade/OMFinalizeUpgradeRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/upgrade/OMFinalizeUpgradeRequest.java index b37d1ee6d1dc..e401af95d582 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/upgrade/OMFinalizeUpgradeRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/upgrade/OMFinalizeUpgradeRequest.java @@ -68,7 +68,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut Exception exception = null; try { - if (ozoneManager.getAclsEnabled()) { + if (ozoneManager.isAdminAuthorizationEnabled()) { UserGroupInformation ugi = createUGIForApi(); if (!ozoneManager.isAdmin(ugi)) { throw new OMException("Access denied for user " + ugi + ". " diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMQuotaRepairRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMQuotaRepairRequest.java index b4c05a1263ed..08b38cb2174b 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMQuotaRepairRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMQuotaRepairRequest.java @@ -62,7 +62,7 @@ public OMQuotaRepairRequest(OMRequest omRequest) { @Override public OMRequest preExecute(OzoneManager ozoneManager) throws IOException { UserGroupInformation ugi = createUGIForApi(); - if (ozoneManager.getAclsEnabled() && !ozoneManager.isAdmin(ugi)) { + if (ozoneManager.isAdminAuthorizationEnabled() && !ozoneManager.isAdmin(ugi)) { throw new OMException("Access denied for user " + ugi + ". Admin privilege is required for quota repair.", OMException.ResultCodes.ACCESS_DENIED); } diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeCreateRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeCreateRequest.java index 3348037a62db..8745f9b59c00 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeCreateRequest.java @@ -74,7 +74,7 @@ public OMRequest preExecute(OzoneManager ozoneManager) throws IOException { ozoneManager.isStrictS3()); // ACL check during preExecute - if (ozoneManager.getAclsEnabled()) { + if (ozoneManager.isObjectAclEnabled()) { try { checkAcls(ozoneManager, OzoneObj.ResourceType.VOLUME, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.CREATE, diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeDeleteRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeDeleteRequest.java index ba32fe542c98..b67c20c23643 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeDeleteRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeDeleteRequest.java @@ -81,7 +81,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut OMClientResponse omClientResponse = null; try { // check Acl - if (ozoneManager.getAclsEnabled()) { + if (ozoneManager.isObjectAclEnabled()) { checkAcls(ozoneManager, OzoneObj.ResourceType.VOLUME, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.DELETE, volume, null, null); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeSetOwnerRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeSetOwnerRequest.java index 02c3b7874e99..e5f287e4338c 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeSetOwnerRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeSetOwnerRequest.java @@ -109,7 +109,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut OMClientResponse omClientResponse = null; try { // check Acl - if (ozoneManager.getAclsEnabled()) { + if (ozoneManager.isObjectAclEnabled()) { checkAcls(ozoneManager, OzoneObj.ResourceType.VOLUME, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE_ACL, volume, null, null); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeSetQuotaRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeSetQuotaRequest.java index c93e8cbeb6c3..687110b4e9e0 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeSetQuotaRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeSetQuotaRequest.java @@ -110,7 +110,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut OMClientResponse omClientResponse = null; try { // check Acl - if (ozoneManager.getAclsEnabled()) { + if (ozoneManager.isObjectAclEnabled()) { checkAcls(ozoneManager, OzoneObj.ResourceType.VOLUME, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE, volume, null, null); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/acl/OMVolumeAclRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/acl/OMVolumeAclRequest.java index 23b522ad77a6..e34e8bbedfa9 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/acl/OMVolumeAclRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/acl/OMVolumeAclRequest.java @@ -72,7 +72,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut Result result; try { // check Acl - if (ozoneManager.getAclsEnabled()) { + if (ozoneManager.isObjectAclEnabled()) { checkAcls(ozoneManager, OzoneObj.ResourceType.VOLUME, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE_ACL, volume, null, null); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/protocolPB/OMAdminProtocolServerSideImpl.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/protocolPB/OMAdminProtocolServerSideImpl.java index 8184b39642e4..bd3da0c92d81 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/protocolPB/OMAdminProtocolServerSideImpl.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/protocolPB/OMAdminProtocolServerSideImpl.java @@ -97,7 +97,8 @@ public DecommissionOMResponse decommission(RpcController controller, } try { - if (!ozoneManager.isAdmin(getRemoteUser())) { + if (ozoneManager.isAdminAuthorizationEnabled() && + !ozoneManager.isAdmin(getRemoteUser())) { throw new OMException("Only administrators are authorized to perform decommission.", PERMISSION_DENIED); } omRatisServer.removeOMFromRatisRing(decommNode); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneAuthorizerFactory.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneAuthorizerFactory.java index 0a45cd789a2d..23038502d92f 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneAuthorizerFactory.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneAuthorizerFactory.java @@ -71,7 +71,7 @@ private static IAccessAuthorizer create(OzoneManager om, KeyManager km, PrefixMa } private static IAccessAuthorizer createImpl(OzoneManager om, KeyManager km, PrefixManager pm) { - if (!om.getAclsEnabled()) { + if (!om.isObjectAclEnabled()) { return OzoneAccessAuthorizer.get(); } diff --git a/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/ReconRestServletModule.java b/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/ReconRestServletModule.java index 9ec9621ed329..d3b631cac3f6 100644 --- a/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/ReconRestServletModule.java +++ b/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/ReconRestServletModule.java @@ -17,9 +17,6 @@ package org.apache.hadoop.ozone.recon; -import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED; -import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED_DEFAULT; - import com.google.inject.Injector; import com.google.inject.Scopes; import com.google.inject.servlet.ServletModule; @@ -118,9 +115,8 @@ private void addFilters(String basePath, Set adminSubPaths) { LOG.debug("Added authentication filter to path {}", authPath); } - boolean aclEnabled = conf.getBoolean(OZONE_ACL_ENABLED, - OZONE_ACL_ENABLED_DEFAULT); - if (aclEnabled) { + boolean authorizationEnabled = OzoneSecurityUtil.isAuthorizationEnabled(conf); + if (authorizationEnabled) { for (String path: adminSubPaths) { String adminPath = UriBuilder.fromPath(basePath).path(path + "*").build().toString(); diff --git a/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/api/filters/ReconAdminFilter.java b/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/api/filters/ReconAdminFilter.java index 546a0b1949b2..5a67fa5c98a2 100644 --- a/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/api/filters/ReconAdminFilter.java +++ b/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/api/filters/ReconAdminFilter.java @@ -34,6 +34,7 @@ import org.apache.hadoop.hdds.recon.ReconConfigKeys; import org.apache.hadoop.hdds.server.OzoneAdmins; import org.apache.hadoop.ozone.OzoneConfigKeys; +import org.apache.hadoop.ozone.OzoneSecurityUtil; import org.apache.hadoop.security.UserGroupInformation; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -100,6 +101,11 @@ public void doFilter(ServletRequest servletRequest, public void destroy() { } private boolean hasPermission(UserGroupInformation user) { + // Check authorization first - only check admin if authorization is enabled + if (!isAdminAuthorizationEnabled()) { + return true; // Authorization disabled, allow all + } + Collection admins = conf.getStringCollection(OzoneConfigKeys.OZONE_ADMINISTRATORS); admins.addAll( @@ -111,4 +117,8 @@ private boolean hasPermission(UserGroupInformation user) { ReconConfigKeys.OZONE_RECON_ADMINISTRATORS_GROUPS)); return new OzoneAdmins(admins, adminGroups).isAdmin(user); } + + private boolean isAdminAuthorizationEnabled() { + return OzoneSecurityUtil.isAuthorizationEnabled(conf); + } } diff --git a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3secret/S3SecretAdminFilter.java b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3secret/S3SecretAdminFilter.java index 0130f31e9dd3..889f466e7dfb 100644 --- a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3secret/S3SecretAdminFilter.java +++ b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3secret/S3SecretAdminFilter.java @@ -27,6 +27,7 @@ import javax.ws.rs.ext.Provider; import org.apache.hadoop.hdds.conf.OzoneConfiguration; import org.apache.hadoop.hdds.server.OzoneAdmins; +import org.apache.hadoop.ozone.OzoneSecurityUtil; import org.apache.hadoop.security.UserGroupInformation; /** @@ -46,6 +47,11 @@ public class S3SecretAdminFilter implements ContainerRequestFilter { @Override public void filter(ContainerRequestContext requestContext) throws IOException { + // Skip check if authorization is disabled + if (!OzoneSecurityUtil.isAuthorizationEnabled(conf)) { + return; + } + final Principal userPrincipal = requestContext.getSecurityContext().getUserPrincipal(); if (null != userPrincipal) { UserGroupInformation user = UserGroupInformation.createRemoteUser(userPrincipal.getName()); From 248e0075923a78a5de506aa7f89a3e8aa4933bb2 Mon Sep 17 00:00:00 2001 From: Gargi Jaiswal Date: Mon, 9 Feb 2026 19:41:30 +0530 Subject: [PATCH 2/8] update tests related to acl and admin checks --- .../java/org/apache/hadoop/ozone/HddsDatanodeService.java | 1 - .../java/org/apache/hadoop/hdds/server/OzoneAdmins.java | 1 - .../org/apache/hadoop/hdds/utils/DBCheckpointServlet.java | 4 ++-- .../apache/hadoop/ozone/om/TestOMDbCheckpointServlet.java | 6 ++++-- .../ozone/om/TestOMHALeaderSpecificACLEnforcement.java | 3 +++ .../test/java/org/apache/hadoop/ozone/om/TestOmAcls.java | 2 ++ .../ozone/om/snapshot/TestOzoneManagerSnapshotAcl.java | 2 ++ .../main/java/org/apache/hadoop/ozone/om/OzoneManager.java | 6 ++++++ .../hadoop/ozone/security/acl/OzoneAuthorizerFactory.java | 2 +- .../ozone/om/request/bucket/TestOMBucketCreateRequest.java | 2 +- .../om/request/s3/tenant/TestOMTenantCreateRequest.java | 2 +- .../om/request/s3/tenant/TestOMTenantDeleteRequest.java | 2 +- .../ozone/om/request/volume/TestOMVolumeCreateRequest.java | 2 +- .../ozone/security/acl/TestOzoneAuthorizerFactory.java | 2 ++ 14 files changed, 26 insertions(+), 11 deletions(-) diff --git a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java index 51856b5deca7..925c2ae7ee76 100644 --- a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java +++ b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java @@ -93,7 +93,6 @@ import org.apache.hadoop.ozone.container.common.volume.MutableVolumeSet; import org.apache.hadoop.ozone.container.common.volume.StorageVolume; import org.apache.hadoop.ozone.container.diskbalancer.DiskBalancerProtocolServer; -import org.apache.hadoop.ozone.OzoneSecurityUtil; import org.apache.hadoop.ozone.util.OzoneNetUtils; import org.apache.hadoop.ozone.util.ShutdownHookManager; import org.apache.hadoop.security.SecurityUtil; diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/OzoneAdmins.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/OzoneAdmins.java index 440196a1be1d..cfbb189212fe 100644 --- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/OzoneAdmins.java +++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/OzoneAdmins.java @@ -34,7 +34,6 @@ import java.util.LinkedHashSet; import java.util.Set; import org.apache.hadoop.hdds.conf.OzoneConfiguration; -import org.apache.hadoop.ozone.OzoneSecurityUtil; import org.apache.hadoop.security.AccessControlException; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.util.StringUtils; diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/utils/DBCheckpointServlet.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/utils/DBCheckpointServlet.java index 45e26144b9fe..a133e5188a2d 100644 --- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/utils/DBCheckpointServlet.java +++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/utils/DBCheckpointServlet.java @@ -80,7 +80,7 @@ public class DBCheckpointServlet extends HttpServlet private transient File bootstrapTempData; public void initialize(DBStore store, DBCheckpointMetrics metrics, - boolean authorizationEnabled, + boolean isAuthorizationEnabled, Collection allowedAdminUsers, Collection allowedAdminGroups, boolean isSpnegoAuthEnabled) @@ -94,7 +94,7 @@ public void initialize(DBStore store, DBCheckpointMetrics metrics, throw new ServletException("DB Store is null"); } - this.authorizationEnabled = authorizationEnabled; + this.authorizationEnabled = isAuthorizationEnabled; this.admins = new OzoneAdmins(allowedAdminUsers, allowedAdminGroups); this.isSpnegoEnabled = isSpnegoAuthEnabled; lock = new NoOpLock(); diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMDbCheckpointServlet.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMDbCheckpointServlet.java index df15d50e1506..7720e16a7832 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMDbCheckpointServlet.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMDbCheckpointServlet.java @@ -260,7 +260,7 @@ private void testEndpoint(String method) throws Exception { doCallRealMethod().when(omDbCheckpointServletMock).initialize( om.getMetadataManager().getStore(), om.getMetrics().getDBCheckpointMetrics(), - om.getAclsEnabled(), + om.isAdminAuthorizationEnabled(), om.getOmAdminUsernames(), om.getOmAdminGroups(), om.isSpnegoEnabled()); @@ -300,7 +300,7 @@ private void testDoPostWithInvalidContentType() throws Exception { doCallRealMethod().when(omDbCheckpointServletMock).initialize( om.getMetadataManager().getStore(), om.getMetrics().getDBCheckpointMetrics(), - om.getAclsEnabled(), + om.isAdminAuthorizationEnabled(), om.getOmAdminUsernames(), om.getOmAdminGroups(), om.isSpnegoEnabled()); @@ -320,6 +320,8 @@ private void testDoPostWithInvalidContentType() throws Exception { @Test void testSpnegoEnabled() throws Exception { + // Enable test security mode to allow authorization checks without Kerberos + OzoneManager.setTestSecureOmFlag(true); conf.setBoolean(OZONE_ACL_ENABLED, true); conf.set(OZONE_ADMINISTRATORS, ""); conf.set(OZONE_OM_HTTP_AUTH_TYPE, "kerberos"); diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMHALeaderSpecificACLEnforcement.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMHALeaderSpecificACLEnforcement.java index d84e0e863f1d..caef0d15a1bd 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMHALeaderSpecificACLEnforcement.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMHALeaderSpecificACLEnforcement.java @@ -187,6 +187,9 @@ private void setupCluster() throws Exception { private OzoneConfiguration createBaseConfiguration() throws IOException { OzoneConfiguration conf = new OzoneConfiguration(); + // Enable test security mode to allow ACL testing without Kerberos + OzoneManager.setTestSecureOmFlag(true); + // Enable ACL for proper permission testing conf.setBoolean(OZONE_ACL_ENABLED, true); diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOmAcls.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOmAcls.java index 350cc09c7bab..8ae47ad0cd95 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOmAcls.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOmAcls.java @@ -73,6 +73,8 @@ public class TestOmAcls { @BeforeAll public static void init() throws Exception { OzoneConfiguration conf = new OzoneConfiguration(); + // Enable test security mode to allow ACL testing without Kerberos + OzoneManager.setTestSecureOmFlag(true); conf.setBoolean(OZONE_ACL_ENABLED, true); conf.setClass(OZONE_ACL_AUTHORIZER_CLASS, OzoneAccessAuthorizerTest.class, IAccessAuthorizer.class); diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/snapshot/TestOzoneManagerSnapshotAcl.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/snapshot/TestOzoneManagerSnapshotAcl.java index 455f1430d997..5d91a57ccd07 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/snapshot/TestOzoneManagerSnapshotAcl.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/snapshot/TestOzoneManagerSnapshotAcl.java @@ -107,6 +107,8 @@ public class TestOzoneManagerSnapshotAcl { public static void init() throws Exception { UserGroupInformation.setLoginUser(ADMIN_UGI); final OzoneConfiguration conf = new OzoneConfiguration(); + // Enable test security mode to allow ACL testing without Kerberos + OzoneManager.setTestSecureOmFlag(true); conf.setBoolean(OZONE_ACL_ENABLED, true); conf.set(OZONE_ACL_AUTHORIZER_CLASS, OZONE_ACL_AUTHORIZER_CLASS_NATIVE); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java index a2d84a27ad2d..0f4d31e40e90 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java @@ -2764,6 +2764,12 @@ public boolean checkAcls(ResourceType resType, StoreType storeType, * @return true if admin authorization checks should be performed */ public boolean isAdminAuthorizationEnabled() { + // ONLY IN TESTS: Allow authorization testing without Kerberos + if (testSecureOmFlag) { + return isAuthorizationEnabled; // Skip security check + } + + // require full security + authorization return OzoneSecurityUtil.isAuthorizationEnabled(configuration); } diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneAuthorizerFactory.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneAuthorizerFactory.java index 23038502d92f..0a45cd789a2d 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneAuthorizerFactory.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneAuthorizerFactory.java @@ -71,7 +71,7 @@ private static IAccessAuthorizer create(OzoneManager om, KeyManager km, PrefixMa } private static IAccessAuthorizer createImpl(OzoneManager om, KeyManager km, PrefixManager pm) { - if (!om.isObjectAclEnabled()) { + if (!om.getAclsEnabled()) { return OzoneAccessAuthorizer.get(); } diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/bucket/TestOMBucketCreateRequest.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/bucket/TestOMBucketCreateRequest.java index 49bf00b1f8f2..c6c8c698ce8e 100644 --- a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/bucket/TestOMBucketCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/bucket/TestOMBucketCreateRequest.java @@ -164,7 +164,7 @@ public void preExecutePermissionDeniedWhenAclEnabled() { String bucketName = UUID.randomUUID().toString(); // Enable ACLs so preExecute path performs ACL checks - when(ozoneManager.getAclsEnabled()).thenReturn(true); + when(ozoneManager.isObjectAclEnabled()).thenReturn(true); OMRequest originalRequest = newCreateBucketRequest( newBucketInfoBuilder(bucketName, volumeName)).build(); diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/tenant/TestOMTenantCreateRequest.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/tenant/TestOMTenantCreateRequest.java index 36529d01064c..5d244eaa8b08 100644 --- a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/tenant/TestOMTenantCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/tenant/TestOMTenantCreateRequest.java @@ -276,7 +276,7 @@ private void doPreExecute(String tenantId) throws Exception { @Test public void preExecutePermissionDeniedWhenAclEnabled() throws Exception { - when(ozoneManager.getAclsEnabled()).thenReturn(true); + when(ozoneManager.isObjectAclEnabled()).thenReturn(true); final String tenantId = UUID.randomUUID().toString(); OMRequest originalRequest = diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/tenant/TestOMTenantDeleteRequest.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/tenant/TestOMTenantDeleteRequest.java index 6de4f1d8446d..fa73d8b31301 100644 --- a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/tenant/TestOMTenantDeleteRequest.java +++ b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/tenant/TestOMTenantDeleteRequest.java @@ -113,7 +113,7 @@ public void tearDown() { @Test public void preExecutePermissionDeniedWhenAclEnabled() throws Exception { - when(ozoneManager.getAclsEnabled()).thenReturn(true); + when(ozoneManager.isObjectAclEnabled()).thenReturn(true); final String tenantId = UUID.randomUUID().toString(); final String volumeName = tenantId; diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/volume/TestOMVolumeCreateRequest.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/volume/TestOMVolumeCreateRequest.java index 628e163a6afb..f3a17293144a 100644 --- a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/volume/TestOMVolumeCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/volume/TestOMVolumeCreateRequest.java @@ -221,7 +221,7 @@ public void preExecutePermissionDeniedWhenAclEnabled() throws Exception { String adminName = UUID.randomUUID().toString(); String ownerName = UUID.randomUUID().toString(); - when(ozoneManager.getAclsEnabled()).thenReturn(true); + when(ozoneManager.isObjectAclEnabled()).thenReturn(true); OMRequest originalRequest = createVolumeRequest(volumeName, adminName, ownerName, "world::a"); diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/acl/TestOzoneAuthorizerFactory.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/acl/TestOzoneAuthorizerFactory.java index bb40fe4166ca..a920bb0dd3ce 100644 --- a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/acl/TestOzoneAuthorizerFactory.java +++ b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/acl/TestOzoneAuthorizerFactory.java @@ -173,6 +173,8 @@ private static OzoneManager omMock(OzoneConfiguration conf, .thenReturn(conf); when(om.getAclsEnabled()) .thenReturn(aclEnabled); + when(om.isObjectAclEnabled()) + .thenReturn(aclEnabled); return om; } From 7e510167e060485ae9471cd2ac1e60e2f1f5a314 Mon Sep 17 00:00:00 2001 From: Gargi Jaiswal Date: Mon, 2 Mar 2026 16:18:19 +0530 Subject: [PATCH 3/8] fix reconAdminFilter after master merge --- .../ozone/recon/api/filters/ReconAdminFilter.java | 12 ++++++++---- .../ozone/recon/api/filters/TestAdminFilter.java | 2 +- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/api/filters/ReconAdminFilter.java b/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/api/filters/ReconAdminFilter.java index 45e7ea94ee95..5cc82f384583 100644 --- a/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/api/filters/ReconAdminFilter.java +++ b/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/api/filters/ReconAdminFilter.java @@ -30,9 +30,6 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.hadoop.hdds.conf.OzoneConfiguration; -import org.apache.hadoop.hdds.recon.ReconConfigKeys; -import org.apache.hadoop.hdds.server.OzoneAdmins; -import org.apache.hadoop.ozone.OzoneConfigKeys; import org.apache.hadoop.ozone.OzoneSecurityUtil; import org.apache.hadoop.ozone.recon.ReconServer; import org.apache.hadoop.security.UserGroupInformation; @@ -50,10 +47,12 @@ public class ReconAdminFilter implements Filter { LoggerFactory.getLogger(ReconAdminFilter.class); private final ReconServer reconServer; + private final OzoneConfiguration conf; @Inject - ReconAdminFilter(ReconServer reconServer) { + ReconAdminFilter(ReconServer reconServer, OzoneConfiguration conf) { this.reconServer = reconServer; + this.conf = conf; } @Override @@ -103,6 +102,11 @@ public void doFilter(ServletRequest servletRequest, public void destroy() { } private boolean hasPermission(UserGroupInformation user) { + // Check authorization first - only check admin if authorization is enabled + if (!isAdminAuthorizationEnabled()) { + return true; // Authorization disabled, allow all + } + return reconServer.isAdmin(user); } diff --git a/hadoop-ozone/recon/src/test/java/org/apache/hadoop/ozone/recon/api/filters/TestAdminFilter.java b/hadoop-ozone/recon/src/test/java/org/apache/hadoop/ozone/recon/api/filters/TestAdminFilter.java index d1940798e23c..75e06a007898 100644 --- a/hadoop-ozone/recon/src/test/java/org/apache/hadoop/ozone/recon/api/filters/TestAdminFilter.java +++ b/hadoop-ozone/recon/src/test/java/org/apache/hadoop/ozone/recon/api/filters/TestAdminFilter.java @@ -209,7 +209,7 @@ private void testAdminFilterWithPrincipal(OzoneConfiguration conf, HttpServletResponse mockResponse = mock(HttpServletResponse.class); FilterChain mockFilterChain = mock(FilterChain.class); - ReconAdminFilter filter = new ReconAdminFilter(mockReconServer); + ReconAdminFilter filter = new ReconAdminFilter(mockReconServer, conf); filter.init(null); filter.doFilter(mockRequest, mockResponse, mockFilterChain); From d6b67d33caf5581201fa9a52490fa9ececd4d842 Mon Sep 17 00:00:00 2001 From: Gargi Jaiswal Date: Mon, 2 Mar 2026 20:07:20 +0530 Subject: [PATCH 4/8] Fix TestContainerStateMachine failur --- .../hadoop/ozone/om/ratis/TestOzoneManagerStateMachine.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/ratis/TestOzoneManagerStateMachine.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/ratis/TestOzoneManagerStateMachine.java index d799556a6f91..36d7a80aeea9 100644 --- a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/ratis/TestOzoneManagerStateMachine.java +++ b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/ratis/TestOzoneManagerStateMachine.java @@ -223,7 +223,7 @@ public void testPreAppendTransactionAclDenied() { OzoneConfiguration conf = new OzoneConfiguration(); OzoneManagerPrepareState ps = new OzoneManagerPrepareState(conf); when(om.getPrepareState()).thenReturn(ps); - when(om.getAclsEnabled()).thenReturn(true); + when(om.isAdminAuthorizationEnabled()).thenReturn(true); when(om.isAdmin(any(UserGroupInformation.class))).thenReturn(false); OMRequest prepareRequest = OMRequest.newBuilder() From 2a857747ef2f04fe83e193fc1360e55f9bdb0b00 Mon Sep 17 00:00:00 2001 From: Gargi Jaiswal Date: Tue, 3 Mar 2026 18:01:57 +0530 Subject: [PATCH 5/8] move authorisation to securityconfig and add a config for tests without kerberos --- .../hadoop/hdds/security/SecurityConfig.java | 24 ++++++++++ .../apache/hadoop/ozone/OzoneConfigKeys.java | 13 ++++-- .../hadoop/ozone/OzoneSecurityUtil.java | 9 +++- .../src/main/resources/ozone-default.xml | 2 +- .../hadoop/ozone/HddsDatanodeService.java | 2 +- .../ozone/container/common/SCMTestUtils.java | 2 + .../scm/server/StorageContainerManager.java | 28 +----------- .../server/TestSCMClientProtocolServer.java | 2 - .../hdds/scm/TestStorageContainerManager.java | 3 +- .../ozone/client/rpc/TestOzoneRpcClient.java | 5 ++- .../ozone/om/TestAddRemoveOzoneManager.java | 13 ++++-- .../ozone/om/TestOMDbCheckpointServlet.java | 4 +- .../TestOMHALeaderSpecificACLEnforcement.java | 4 +- .../apache/hadoop/ozone/om/TestOmAcls.java | 4 +- .../snapshot/TestOzoneManagerSnapshotAcl.java | 4 +- .../java/org/apache/ozone/test/AclTests.java | 15 +------ .../apache/hadoop/ozone/om/OzoneManager.java | 45 +++++++------------ 17 files changed, 87 insertions(+), 92 deletions(-) diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/SecurityConfig.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/SecurityConfig.java index 645b3e0b663a..d6661bce7847 100644 --- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/SecurityConfig.java +++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/SecurityConfig.java @@ -71,8 +71,12 @@ import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_SIGNATURE_ALGO; import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_SIGNATURE_ALGO_DEFAULT; import static org.apache.hadoop.hdds.HddsConfigKeys.OZONE_METADATA_DIRS; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_AUTHORIZATION_ENABLED; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_AUTHORIZATION_ENABLED_DEFAULT; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_DEFAULT; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED_DEFAULT; import java.io.IOException; import java.nio.file.Path; @@ -136,6 +140,7 @@ public class SecurityConfig { private final Duration rootCaCertificatePollingInterval; private final boolean autoCARotationEnabled; private final Duration expiredCertificateCheckInterval; + private final boolean authorizationEnabled; /** * Constructs a SecurityConfig. @@ -200,6 +205,14 @@ public SecurityConfig(ConfigurationSource configuration) { OZONE_SECURITY_ENABLED_KEY, OZONE_SECURITY_ENABLED_DEFAULT); + // Authorization is only effective when security is enabled, unless test mode is enabled + boolean testAuthorizationEnabled = configuration.getBoolean( + OZONE_TEST_AUTHORIZATION_ENABLED, + OZONE_TEST_AUTHORIZATION_ENABLED_DEFAULT); + this.authorizationEnabled = (isSecurityEnabled || testAuthorizationEnabled) && + configuration.getBoolean(OZONE_AUTHORIZATION_ENABLED, + OZONE_AUTHORIZATION_ENABLED_DEFAULT); + String certDurationString = configuration.get(HDDS_X509_DEFAULT_DURATION, HDDS_X509_DEFAULT_DURATION_DEFAULT); @@ -608,4 +621,15 @@ public boolean useTestCert() { public boolean isTokenEnabled() { return blockTokenEnabled || containerTokenEnabled; } + + /** + * Check if authorization checks should be performed in Ozone. + * Authorization is only effective when security is enabled, unless test mode is enabled. + * This controls both admin privilege checks and ACL checks. + * + * @return true if authorization checks should be performed + */ + public boolean isAuthorizationEnabled() { + return authorizationEnabled; + } } diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java index 8ef68e48e67c..1ff88a03e53b 100644 --- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java +++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java @@ -469,10 +469,15 @@ public final class OzoneConfigKeys { "ozone.acl.enabled"; public static final boolean OZONE_ACL_ENABLED_DEFAULT = false; - public static final String OZONE_AUTHORIZATION_ENABLED = - "ozone.authorization.enabled"; - public static final boolean OZONE_AUTHORIZATION_ENABLED_DEFAULT = - true; + public static final String OZONE_AUTHORIZATION_ENABLED = "ozone.authorization.enabled"; + public static final boolean OZONE_AUTHORIZATION_ENABLED_DEFAULT = true; + /** + * Test-only configuration property to enable authorization checks without + * requiring full security (Kerberos) setup. This is for testing purposes + * only and should not be used in production. + */ + public static final String OZONE_TEST_AUTHORIZATION_ENABLED = "ozone.test.authorization.enabled"; + public static final boolean OZONE_TEST_AUTHORIZATION_ENABLED_DEFAULT = false; public static final String OZONE_S3_VOLUME_NAME = "ozone.s3g.volume.name"; public static final String OZONE_S3_VOLUME_NAME_DEFAULT = diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneSecurityUtil.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneSecurityUtil.java index e6560f6c6dd8..a42ec94653ef 100644 --- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneSecurityUtil.java +++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneSecurityUtil.java @@ -23,6 +23,8 @@ import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_HTTP_SECURITY_ENABLED_KEY; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_DEFAULT; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED_DEFAULT; import java.io.File; import java.io.IOException; @@ -64,14 +66,17 @@ public static boolean isHttpSecurityEnabled(ConfigurationSource conf) { /** * Check if authorization checks should be performed in Ozone. - * Authorization is only effective when security is enabled. + * Authorization is only effective when security is enabled, unless test mode is enabled. * This controls both admin privilege checks and ACL checks. * * @param conf Configuration source * @return true if authorization checks should be performed */ public static boolean isAuthorizationEnabled(ConfigurationSource conf) { - return isSecurityEnabled(conf) && + // Check if test mode is enabled (allows authorization without full security) + boolean testAuthorizationEnabled = conf.getBoolean(OZONE_TEST_AUTHORIZATION_ENABLED, + OZONE_TEST_AUTHORIZATION_ENABLED_DEFAULT); + return (isSecurityEnabled(conf) || testAuthorizationEnabled) && conf.getBoolean(OZONE_AUTHORIZATION_ENABLED, OZONE_AUTHORIZATION_ENABLED_DEFAULT); } diff --git a/hadoop-hdds/common/src/main/resources/ozone-default.xml b/hadoop-hdds/common/src/main/resources/ozone-default.xml index ded3b664f5e3..afbb718ecdf3 100644 --- a/hadoop-hdds/common/src/main/resources/ozone-default.xml +++ b/hadoop-hdds/common/src/main/resources/ozone-default.xml @@ -2387,7 +2387,7 @@ When true: admin privilege checks are always performed, and object ACL checks are controlled by ozone.acl.enabled. When false: no authorization checks are performed. - Default is true to align with HDFS's dfs.permissions.enabled behavior. + Default is true. diff --git a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java index f7110fcb70d1..f899b8633577 100644 --- a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java +++ b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java @@ -670,7 +670,7 @@ public boolean isStopped() { private void checkAdminPrivilege(String operation) throws IOException { // Skip check if authorization is disabled - if (!OzoneSecurityUtil.isAuthorizationEnabled(conf)) { + if (secConf == null || !secConf.isAuthorizationEnabled()) { return; } diff --git a/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/container/common/SCMTestUtils.java b/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/container/common/SCMTestUtils.java index 11fa95734fd2..afc0adcd209a 100644 --- a/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/container/common/SCMTestUtils.java +++ b/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/container/common/SCMTestUtils.java @@ -17,6 +17,7 @@ package org.apache.hadoop.ozone.container.common; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED; import static org.junit.jupiter.api.Assertions.assertTrue; import static org.mockito.Mockito.mock; @@ -137,6 +138,7 @@ public static OzoneConfiguration getConf(File testDir) { conf.setClass(SpaceUsageCheckFactory.Conf.configKeyForClassName(), MockSpaceUsageCheckFactory.None.class, SpaceUsageCheckFactory.class); + conf.setBoolean(OZONE_TEST_AUTHORIZATION_ENABLED, true); return conf; } diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java index ef4a60b7697c..f521909faa74 100644 --- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java +++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java @@ -24,8 +24,6 @@ import static org.apache.hadoop.hdds.utils.HddsServerUtil.getRemoteUser; import static org.apache.hadoop.hdds.utils.HddsServerUtil.getScmSecurityClientWithMaxRetry; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS; -import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_AUTHORIZATION_ENABLED; -import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_AUTHORIZATION_ENABLED_DEFAULT; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_READONLY_ADMINISTRATORS; import static org.apache.hadoop.ozone.OzoneConsts.SCM_ROOT_CA_COMPONENT_NAME; import static org.apache.hadoop.ozone.OzoneConsts.SCM_SUB_CA_PREFIX; @@ -223,13 +221,6 @@ public final class StorageContainerManager extends ServiceRuntimeInfoImpl private static final Logger LOG = LoggerFactory .getLogger(StorageContainerManager.class); - /** - * Test-only flag to enable authorization checks without full Kerberos security. - * When true, isAdminAuthorizationEnabled() returns the authorization config - * value, allowing tests to verify admin checks without Kerberos setup. - */ - private static boolean testSecureScmFlag = false; - /** * SCM metrics. */ @@ -294,8 +285,6 @@ public final class StorageContainerManager extends ServiceRuntimeInfoImpl private ContainerTokenSecretManager containerTokenMgr; private OzoneConfiguration configuration; - private final boolean isSecurityEnabled; - private final boolean isAuthorizationEnabled; private SCMContainerMetrics scmContainerMetrics; private SCMContainerPlacementMetrics placementMetrics; private PlacementPolicy containerPlacementPolicy; @@ -368,12 +357,6 @@ private StorageContainerManager(OzoneConfiguration conf, scmHANodeDetails = SCMHANodeDetails.loadSCMHAConfig(conf, scmStorageConfig); configuration = conf; - this.isSecurityEnabled = OzoneSecurityUtil.isSecurityEnabled(conf); - this.isAuthorizationEnabled = conf.getBoolean( - OZONE_AUTHORIZATION_ENABLED, - OZONE_AUTHORIZATION_ENABLED_DEFAULT); - LOG.info("SCM Security enabled: {}, Authorization enabled: {}", - isSecurityEnabled, isAuthorizationEnabled); initMetrics(); initPerfMetrics(); @@ -1976,16 +1959,7 @@ private void checkAdminAccess(String op) throws IOException { * @return true if admin authorization checks should be performed */ public boolean isAdminAuthorizationEnabled() { - // ONLY IN TESTS: Allow authorization testing without Kerberos - if (testSecureScmFlag) { - return isAuthorizationEnabled; - } - return OzoneSecurityUtil.isAuthorizationEnabled(configuration); - } - - @VisibleForTesting - public static void setTestSecureScmFlag(boolean flag) { - testSecureScmFlag = flag; + return securityConfig != null && securityConfig.isAuthorizationEnabled(); } public void checkAdminAccess(UserGroupInformation remoteUser, boolean isRead) diff --git a/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/server/TestSCMClientProtocolServer.java b/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/server/TestSCMClientProtocolServer.java index 0f087e39e89f..9402218014ce 100644 --- a/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/server/TestSCMClientProtocolServer.java +++ b/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/server/TestSCMClientProtocolServer.java @@ -63,7 +63,6 @@ public class TestSCMClientProtocolServer { @BeforeEach void setUp(@TempDir File testDir) throws Exception { - StorageContainerManager.setTestSecureScmFlag(true); OzoneConfiguration config = SCMTestUtils.getConf(testDir); SCMConfigurator configurator = new SCMConfigurator(); configurator.setSCMHAManager(SCMHAManagerStub.getInstance(true)); @@ -84,7 +83,6 @@ public void tearDown() throws Exception { scm.stop(); scm.join(); } - StorageContainerManager.setTestSecureScmFlag(false); } /** diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/TestStorageContainerManager.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/TestStorageContainerManager.java index 9e815ea5ffe4..63c53aff2e65 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/TestStorageContainerManager.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/TestStorageContainerManager.java @@ -25,6 +25,7 @@ import static org.apache.hadoop.hdds.scm.HddsTestUtils.mockRemoteUser; import static org.apache.hadoop.hdds.scm.HddsWhiteboxTestUtils.setInternalState; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_BLOCK_DELETING_SERVICE_INTERVAL; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED; import static org.apache.hadoop.ozone.common.BlockGroup.SIZE_NOT_AVAILABLE; import static org.assertj.core.api.Assertions.assertThat; import static org.junit.jupiter.api.Assertions.assertDoesNotThrow; @@ -167,7 +168,7 @@ public class TestStorageContainerManager { @Test void test(@TempDir Path tempDir) throws Exception { OzoneConfiguration conf = new OzoneConfiguration(); - StorageContainerManager.setTestSecureScmFlag(true); + conf.setBoolean(OZONE_TEST_AUTHORIZATION_ENABLED, true); configureTopology(conf); configureBlockDeletion(conf); Path scmPath = tempDir.resolve("scm-meta"); diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClient.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClient.java index e2249d7125c3..f6cc539eb96c 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClient.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClient.java @@ -17,11 +17,12 @@ package org.apache.hadoop.ozone.client.rpc; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED; + import java.io.IOException; import org.apache.hadoop.hdds.conf.OzoneConfiguration; import org.apache.hadoop.hdds.scm.ScmConfigKeys; import org.apache.hadoop.ozone.OzoneConfigKeys; -import org.apache.hadoop.ozone.om.OzoneManager; import org.junit.jupiter.api.AfterAll; import org.junit.jupiter.api.BeforeAll; @@ -33,7 +34,7 @@ class TestOzoneRpcClient extends OzoneRpcClientTests { @BeforeAll public static void init() throws Exception { OzoneConfiguration conf = new OzoneConfiguration(); - OzoneManager.setTestSecureOmFlag(true); + conf.setBoolean(OZONE_TEST_AUTHORIZATION_ENABLED, true); conf.setInt(ScmConfigKeys.OZONE_SCM_PIPELINE_OWNER_CONTAINER_COUNT, 1); conf.setBoolean(OzoneConfigKeys.OZONE_ACL_ENABLED, true); conf.set(OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS, diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestAddRemoveOzoneManager.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestAddRemoveOzoneManager.java index 276533c21553..c8bc35c7ac5b 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestAddRemoveOzoneManager.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestAddRemoveOzoneManager.java @@ -17,6 +17,7 @@ package org.apache.hadoop.ozone.om; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED; import static org.apache.hadoop.ozone.OzoneConsts.SCM_DUMMY_SERVICE_ID; import static org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_DECOMMISSIONED_NODES_KEY; import static org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_RATIS_SERVER_REQUEST_TIMEOUT_DEFAULT; @@ -89,7 +90,14 @@ public class TestAddRemoveOzoneManager { private OzoneClient client; private void setupCluster(int numInitialOMs) throws Exception { + setupCluster(numInitialOMs, false); + } + + private void setupCluster(int numInitialOMs, boolean enableTestAuthorization) throws Exception { conf = new OzoneConfiguration(); + if (enableTestAuthorization) { + conf.setBoolean(OZONE_TEST_AUTHORIZATION_ENABLED, true); + } conf.setInt(OzoneConfigKeys.OZONE_CLIENT_FAILOVER_MAX_ATTEMPTS_KEY, 5); cluster = MiniOzoneCluster.newHABuilder(conf) .setSCMServiceId(SCM_DUMMY_SERVICE_ID) @@ -408,9 +416,8 @@ public void testBootstrapListenerOM() throws Exception { */ @Test public void testDecommission() throws Exception { - OzoneManager.setTestSecureOmFlag(true); try { - setupCluster(3); + setupCluster(3, true); user = UserGroupInformation.createUserForTesting("user", new String[]{}); // Stop the 3rd OM and decommission it using non-privileged user @@ -446,7 +453,7 @@ public void testDecommission() throws Exception { assertNotNull(bucket.getKey(key)); } finally { - OzoneManager.setTestSecureOmFlag(false); + conf.setBoolean(OZONE_TEST_AUTHORIZATION_ENABLED, false); } } diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMDbCheckpointServlet.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMDbCheckpointServlet.java index 7720e16a7832..56904a942894 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMDbCheckpointServlet.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMDbCheckpointServlet.java @@ -22,6 +22,7 @@ import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS_WILDCARD; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED; import static org.apache.hadoop.ozone.OzoneConsts.DB_COMPACTION_SST_BACKUP_DIR; import static org.apache.hadoop.ozone.OzoneConsts.MULTIPART_FORM_DATA_BOUNDARY; import static org.apache.hadoop.ozone.OzoneConsts.OM_DB_NAME; @@ -320,8 +321,7 @@ private void testDoPostWithInvalidContentType() throws Exception { @Test void testSpnegoEnabled() throws Exception { - // Enable test security mode to allow authorization checks without Kerberos - OzoneManager.setTestSecureOmFlag(true); + conf.setBoolean(OZONE_TEST_AUTHORIZATION_ENABLED, true); conf.setBoolean(OZONE_ACL_ENABLED, true); conf.set(OZONE_ADMINISTRATORS, ""); conf.set(OZONE_OM_HTTP_AUTH_TYPE, "kerberos"); diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMHALeaderSpecificACLEnforcement.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMHALeaderSpecificACLEnforcement.java index ce1e726223c2..447496ab9adf 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMHALeaderSpecificACLEnforcement.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMHALeaderSpecificACLEnforcement.java @@ -21,6 +21,7 @@ import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED; import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.PERMISSION_DENIED; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; @@ -185,8 +186,7 @@ private void setupCluster() throws Exception { private OzoneConfiguration createBaseConfiguration() throws IOException { OzoneConfiguration conf = new OzoneConfiguration(); - // Enable test security mode to allow ACL testing without Kerberos - OzoneManager.setTestSecureOmFlag(true); + conf.setBoolean(OZONE_TEST_AUTHORIZATION_ENABLED, true); // Enable ACL for proper permission testing conf.setBoolean(OZONE_ACL_ENABLED, true); diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOmAcls.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOmAcls.java index 8ae47ad0cd95..f76b1090b3b5 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOmAcls.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOmAcls.java @@ -21,6 +21,7 @@ import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS_WILDCARD; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED; import static org.apache.hadoop.ozone.audit.AuditLogTestUtils.verifyAuditLog; import static org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType.USER; import static org.assertj.core.api.Assertions.assertThat; @@ -73,8 +74,7 @@ public class TestOmAcls { @BeforeAll public static void init() throws Exception { OzoneConfiguration conf = new OzoneConfiguration(); - // Enable test security mode to allow ACL testing without Kerberos - OzoneManager.setTestSecureOmFlag(true); + conf.setBoolean(OZONE_TEST_AUTHORIZATION_ENABLED, true); conf.setBoolean(OZONE_ACL_ENABLED, true); conf.setClass(OZONE_ACL_AUTHORIZER_CLASS, OzoneAccessAuthorizerTest.class, IAccessAuthorizer.class); diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/snapshot/TestOzoneManagerSnapshotAcl.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/snapshot/TestOzoneManagerSnapshotAcl.java index 5d91a57ccd07..cf1e94226837 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/snapshot/TestOzoneManagerSnapshotAcl.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/snapshot/TestOzoneManagerSnapshotAcl.java @@ -22,6 +22,7 @@ import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS_NATIVE; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED; import static org.apache.hadoop.ozone.OzoneConsts.ADMIN; import static org.apache.hadoop.ozone.OzoneConsts.OZONE_OFS_URI_SCHEME; import static org.apache.hadoop.ozone.om.OmSnapshotManager.getSnapshotPath; @@ -107,8 +108,7 @@ public class TestOzoneManagerSnapshotAcl { public static void init() throws Exception { UserGroupInformation.setLoginUser(ADMIN_UGI); final OzoneConfiguration conf = new OzoneConfiguration(); - // Enable test security mode to allow ACL testing without Kerberos - OzoneManager.setTestSecureOmFlag(true); + conf.setBoolean(OZONE_TEST_AUTHORIZATION_ENABLED, true); conf.setBoolean(OZONE_ACL_ENABLED, true); conf.set(OZONE_ACL_AUTHORIZER_CLASS, OZONE_ACL_AUTHORIZER_CLASS_NATIVE); diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/ozone/test/AclTests.java b/hadoop-ozone/integration-test/src/test/java/org/apache/ozone/test/AclTests.java index 7dcceb4ac5b3..b3d8e1616dbf 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/ozone/test/AclTests.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/ozone/test/AclTests.java @@ -20,13 +20,12 @@ import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS_NATIVE; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED; +import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED; import org.apache.hadoop.hdds.conf.OzoneConfiguration; import org.apache.hadoop.ozone.MiniOzoneCluster; import org.apache.hadoop.ozone.om.OMConfigKeys; -import org.apache.hadoop.ozone.om.OzoneManager; import org.apache.hadoop.security.UserGroupInformation; -import org.junit.jupiter.api.AfterAll; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Nested; import org.junit.jupiter.api.TestInstance; @@ -52,24 +51,14 @@ protected MiniOzoneCluster.Builder newClusterBuilder() { protected OzoneConfiguration createOzoneConfig() { loginAdmin(); // Enable test security mode to allow ACL checks without Kerberos - OzoneManager.setTestSecureOmFlag(true); OzoneConfiguration conf = super.createOzoneConfig(); + conf.setBoolean(OZONE_TEST_AUTHORIZATION_ENABLED, true); conf.setBoolean(OZONE_ACL_ENABLED, true); conf.set(OZONE_ACL_AUTHORIZER_CLASS, OZONE_ACL_AUTHORIZER_CLASS_NATIVE); conf.setBoolean(OMConfigKeys.OZONE_OM_ENABLE_FILESYSTEM_PATHS, true); return conf; } - @Override - @AfterAll - void shutdownCluster() { - try { - super.shutdownCluster(); - } finally { - OzoneManager.setTestSecureOmFlag(false); - } - } - @BeforeEach void loginAdmin() { UserGroupInformation.setLoginUser(ADMIN_UGI); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java index 592d99bb507c..23a43a08e00f 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java @@ -32,8 +32,6 @@ import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED_DEFAULT; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS; -import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_AUTHORIZATION_ENABLED; -import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_AUTHORIZATION_ENABLED_DEFAULT; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_FLEXIBLE_FQDN_RESOLUTION_ENABLED; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_FLEXIBLE_FQDN_RESOLUTION_ENABLED_DEFAULT; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_KEY_PREALLOCATION_BLOCKS_MAX; @@ -428,7 +426,6 @@ public final class OzoneManager extends ServiceRuntimeInfoImpl new ObjectMapper().readerFor(OmMetricsInfo.class); private static final int SHUTDOWN_HOOK_PRIORITY = 30; private final File omMetaDir; - private boolean isAuthorizationEnabled; private boolean isAclEnabled; private final boolean isSpnegoEnabled; private final SecurityConfig secConfig; @@ -867,13 +864,11 @@ public String getThreadNamePrefix() { * require. */ private void setInstanceVariablesFromConf() { - this.isAuthorizationEnabled = configuration.getBoolean( - OZONE_AUTHORIZATION_ENABLED, - OZONE_AUTHORIZATION_ENABLED_DEFAULT); this.isAclEnabled = configuration.getBoolean(OZONE_ACL_ENABLED, OZONE_ACL_ENABLED_DEFAULT); LOG.info("Authorization enabled: {}, ACL enabled: {}", - isAuthorizationEnabled, isAclEnabled); + secConfig != null ? secConfig.isAuthorizationEnabled() : false, + isAclEnabled); } /** @@ -2763,13 +2758,7 @@ public boolean checkAcls(ResourceType resType, StoreType storeType, * @return true if admin authorization checks should be performed */ public boolean isAdminAuthorizationEnabled() { - // ONLY IN TESTS: Allow authorization testing without Kerberos - if (testSecureOmFlag) { - return isAuthorizationEnabled; // Skip security check - } - - // require full security + authorization - return OzoneSecurityUtil.isAuthorizationEnabled(configuration); + return secConfig != null && secConfig.isAuthorizationEnabled(); } /** @@ -2815,7 +2804,7 @@ public OmVolumeArgs getVolumeInfo(String volume) throws IOException { boolean auditSuccess = true; Map auditMap = buildAuditMap(volume); try { - if (isAclEnabled) { + if (isObjectAclEnabled()) { omMetadataReader.checkAcls(ResourceType.VOLUME, StoreType.OZONE, ACLType.READ, volume, null, null); @@ -2851,7 +2840,7 @@ public List listVolumeByUser(String userName, String prefix, String prevKey, int maxKeys) throws IOException { UserGroupInformation remoteUserUgi = ProtobufRpcEngine.Server.getRemoteUser(); - if (isAclEnabled) { + if (isObjectAclEnabled()) { if (remoteUserUgi == null) { LOG.error("Rpc user UGI is null. Authorization failed."); throw new OMException("Rpc user UGI is null. Authorization failed.", @@ -2866,7 +2855,7 @@ public List listVolumeByUser(String userName, String prefix, auditMap.put(OzoneConsts.USERNAME, userName); try { metrics.incNumVolumeLists(); - if (isAclEnabled) { + if (isObjectAclEnabled()) { String remoteUserName = remoteUserUgi.getShortUserName(); // if not admin nor list my own volumes, check ACL. if (!remoteUserName.equals(userName) && !isAdmin(remoteUserUgi)) { @@ -2924,7 +2913,7 @@ public List listAllVolumes(String prefix, String prevKey, int auditMap.put(OzoneConsts.USERNAME, null); try { metrics.incNumVolumeLists(); - if (isAclEnabled) { + if (isObjectAclEnabled()) { omMetadataReader.checkAcls(ResourceType.VOLUME, StoreType.OZONE, ACLType.LIST, OzoneConsts.OZONE_ROOT, null, null); @@ -2961,7 +2950,7 @@ public List listBuckets(String volumeName, String startKey, auditMap.put(OzoneConsts.HAS_SNAPSHOT, String.valueOf(hasSnapshot)); try { - if (isAclEnabled) { + if (isObjectAclEnabled()) { omMetadataReader.checkAcls(ResourceType.VOLUME, StoreType.OZONE, ACLType.LIST, volumeName, null, null); @@ -2997,7 +2986,7 @@ public OmBucketInfo getBucketInfo(String volume, String bucket) Map auditMap = buildAuditMap(volume); auditMap.put(OzoneConsts.BUCKET, bucket); try { - if (isAclEnabled) { + if (isObjectAclEnabled()) { omMetadataReader.checkAcls(ResourceType.BUCKET, StoreType.OZONE, ACLType.READ, volume, bucket, null); @@ -3121,7 +3110,7 @@ public SnapshotInfo getSnapshotInfo(String volumeName, String bucketName, ResolvedBucket resolvedBucket = resolveBucketLink(Pair.of(volumeName, bucketName)); auditMap = buildAuditMap(resolvedBucket.realVolume()); auditMap.put(OzoneConsts.BUCKET, resolvedBucket.realBucket()); - if (isAclEnabled) { + if (isObjectAclEnabled()) { omMetadataReader.checkAcls(ResourceType.BUCKET, StoreType.OZONE, ACLType.READ, resolvedBucket.realVolume(), resolvedBucket.realBucket(), null); } @@ -3152,7 +3141,7 @@ public ListSnapshotResponse listSnapshot( ResolvedBucket resolvedBucket = resolveBucketLink(Pair.of(volumeName, bucketName)); auditMap = buildAuditMap(resolvedBucket.realVolume()); auditMap.put(OzoneConsts.BUCKET, resolvedBucket.realBucket()); - if (isAclEnabled) { + if (isObjectAclEnabled()) { omMetadataReader.checkAcls(ResourceType.BUCKET, StoreType.OZONE, ACLType.LIST, resolvedBucket.realVolume(), resolvedBucket.realBucket(), null); } @@ -4669,7 +4658,7 @@ public ResolvedBucket resolveBucketLink(Pair requested, OMClientRequest omClientRequest) throws IOException { OmBucketInfo resolved; - if (isAclEnabled) { + if (isObjectAclEnabled()) { resolved = resolveBucketLink(requested, new HashSet<>(), omClientRequest.createUGIForApi(), omClientRequest.getRemoteAddress(), @@ -4685,7 +4674,7 @@ public ResolvedBucket resolveBucketLink(Pair requested, public ResolvedBucket resolveBucketLink(Pair requested, boolean allowDanglingBuckets) throws IOException { - return resolveBucketLink(requested, allowDanglingBuckets, isAclEnabled); + return resolveBucketLink(requested, allowDanglingBuckets, isObjectAclEnabled()); } public ResolvedBucket resolveBucketLink(Pair requested, @@ -4721,7 +4710,7 @@ private OmBucketInfo resolveBucketLink( String hostName, boolean allowDanglingBuckets) throws IOException { return resolveBucketLink(volumeAndBucket, visited, userGroupInformation, remoteAddress, hostName, - allowDanglingBuckets, isAclEnabled); + allowDanglingBuckets, isObjectAclEnabled()); } /** @@ -5231,7 +5220,7 @@ public SnapshotDiffResponse snapshotDiff(String volume, // Updating the volumeName & bucketName in case the bucket is a linked bucket. We need to do this before a // permission check, since linked bucket permissions and source bucket permissions could be different. ResolvedBucket resolvedBucket = resolveBucketLink(Pair.of(volume, bucket), false); - if (isAclEnabled) { + if (isObjectAclEnabled()) { omMetadataReader.checkAcls(ResourceType.BUCKET, StoreType.OZONE, ACLType.READ, resolvedBucket.realVolume(), resolvedBucket.realBucket(), null); } @@ -5268,7 +5257,7 @@ public CancelSnapshotDiffResponse cancelSnapshotDiff(String volume, try { ResolvedBucket resolvedBucket = this.resolveBucketLink(Pair.of(volume, bucket), false); - if (isAclEnabled) { + if (isObjectAclEnabled()) { omMetadataReader.checkAcls(ResourceType.BUCKET, StoreType.OZONE, ACLType.READ, resolvedBucket.realVolume(), resolvedBucket.realBucket(), null); } @@ -5305,7 +5294,7 @@ public ListSnapshotDiffJobResponse listSnapshotDiffJobs( try { ResolvedBucket resolvedBucket = this.resolveBucketLink(Pair.of(volume, bucket), false); - if (isAclEnabled) { + if (isObjectAclEnabled()) { omMetadataReader.checkAcls(ResourceType.BUCKET, StoreType.OZONE, ACLType.LIST, volume, bucket, null); } From 25af25355359c4fc8d01939a8288412adb0c7977 Mon Sep 17 00:00:00 2001 From: Gargi Jaiswal Date: Tue, 3 Mar 2026 18:19:40 +0530 Subject: [PATCH 6/8] remove isObjectAclEnabled and reuse getAclsEnabled to reduce the changes --- .../hadoop/ozone/om/OmMetadataReader.java | 2 +- .../apache/hadoop/ozone/om/OzoneManager.java | 42 ++++++++----------- .../ozone/om/request/OMClientRequest.java | 2 +- .../request/bucket/OMBucketCreateRequest.java | 2 +- .../request/bucket/OMBucketDeleteRequest.java | 2 +- .../bucket/OMBucketSetOwnerRequest.java | 2 +- .../bucket/OMBucketSetPropertyRequest.java | 2 +- .../bucket/acl/OMBucketAclRequest.java | 2 +- .../ozone/om/request/key/OMKeyRequest.java | 6 +-- .../om/request/key/OMKeySetTimesRequest.java | 2 +- .../om/request/key/acl/OMKeyAclRequest.java | 2 +- .../key/acl/OMKeyAclRequestWithFSO.java | 2 +- .../key/acl/prefix/OMPrefixAclRequest.java | 2 +- .../s3/tenant/OMTenantCreateRequest.java | 2 +- .../s3/tenant/OMTenantDeleteRequest.java | 2 +- .../request/volume/OMVolumeCreateRequest.java | 2 +- .../request/volume/OMVolumeDeleteRequest.java | 2 +- .../volume/OMVolumeSetOwnerRequest.java | 2 +- .../volume/OMVolumeSetQuotaRequest.java | 2 +- .../volume/acl/OMVolumeAclRequest.java | 2 +- .../bucket/TestOMBucketCreateRequest.java | 2 +- .../s3/tenant/TestOMTenantCreateRequest.java | 2 +- .../s3/tenant/TestOMTenantDeleteRequest.java | 2 +- .../volume/TestOMVolumeCreateRequest.java | 2 +- .../acl/TestOzoneAuthorizerFactory.java | 3 -- 25 files changed, 42 insertions(+), 53 deletions(-) diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmMetadataReader.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmMetadataReader.java index 9de63914f7d0..a5ba074156ee 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmMetadataReader.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmMetadataReader.java @@ -98,7 +98,7 @@ public OmMetadataReader(KeyManager keyManager, this.volumeManager = ozoneManager.getVolumeManager(); this.prefixManager = prefixManager; this.ozoneManager = ozoneManager; - this.isAclEnabled = ozoneManager.isObjectAclEnabled(); + this.isAclEnabled = ozoneManager.getAclsEnabled(); this.log = log; this.audit = audit; this.metrics = omMetadataReaderMetrics; diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java index 23a43a08e00f..f5087d873845 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java @@ -2761,23 +2761,15 @@ public boolean isAdminAuthorizationEnabled() { return secConfig != null && secConfig.isAuthorizationEnabled(); } - /** - * Check if object ACL checks should be enforced. - * This controls volume/bucket/key level permissions. - * - * @return true if object ACL checks should be performed - */ - public boolean isObjectAclEnabled() { - return isAdminAuthorizationEnabled() && getAclsEnabled(); - } - /** * Return true if Ozone acl's are enabled, else false. + * ACLs are only effective when authorization is enabled. + * This controls volume/bucket/key level permissions. * * @return boolean */ public boolean getAclsEnabled() { - return isAclEnabled; + return isAdminAuthorizationEnabled() && isAclEnabled; } public UncheckedAutoCloseableSupplier getOmMetadataReader() { @@ -2804,7 +2796,7 @@ public OmVolumeArgs getVolumeInfo(String volume) throws IOException { boolean auditSuccess = true; Map auditMap = buildAuditMap(volume); try { - if (isObjectAclEnabled()) { + if (getAclsEnabled()) { omMetadataReader.checkAcls(ResourceType.VOLUME, StoreType.OZONE, ACLType.READ, volume, null, null); @@ -2840,7 +2832,7 @@ public List listVolumeByUser(String userName, String prefix, String prevKey, int maxKeys) throws IOException { UserGroupInformation remoteUserUgi = ProtobufRpcEngine.Server.getRemoteUser(); - if (isObjectAclEnabled()) { + if (getAclsEnabled()) { if (remoteUserUgi == null) { LOG.error("Rpc user UGI is null. Authorization failed."); throw new OMException("Rpc user UGI is null. Authorization failed.", @@ -2855,7 +2847,7 @@ public List listVolumeByUser(String userName, String prefix, auditMap.put(OzoneConsts.USERNAME, userName); try { metrics.incNumVolumeLists(); - if (isObjectAclEnabled()) { + if (getAclsEnabled()) { String remoteUserName = remoteUserUgi.getShortUserName(); // if not admin nor list my own volumes, check ACL. if (!remoteUserName.equals(userName) && !isAdmin(remoteUserUgi)) { @@ -2913,7 +2905,7 @@ public List listAllVolumes(String prefix, String prevKey, int auditMap.put(OzoneConsts.USERNAME, null); try { metrics.incNumVolumeLists(); - if (isObjectAclEnabled()) { + if (getAclsEnabled()) { omMetadataReader.checkAcls(ResourceType.VOLUME, StoreType.OZONE, ACLType.LIST, OzoneConsts.OZONE_ROOT, null, null); @@ -2950,7 +2942,7 @@ public List listBuckets(String volumeName, String startKey, auditMap.put(OzoneConsts.HAS_SNAPSHOT, String.valueOf(hasSnapshot)); try { - if (isObjectAclEnabled()) { + if (getAclsEnabled()) { omMetadataReader.checkAcls(ResourceType.VOLUME, StoreType.OZONE, ACLType.LIST, volumeName, null, null); @@ -2986,7 +2978,7 @@ public OmBucketInfo getBucketInfo(String volume, String bucket) Map auditMap = buildAuditMap(volume); auditMap.put(OzoneConsts.BUCKET, bucket); try { - if (isObjectAclEnabled()) { + if (getAclsEnabled()) { omMetadataReader.checkAcls(ResourceType.BUCKET, StoreType.OZONE, ACLType.READ, volume, bucket, null); @@ -3110,7 +3102,7 @@ public SnapshotInfo getSnapshotInfo(String volumeName, String bucketName, ResolvedBucket resolvedBucket = resolveBucketLink(Pair.of(volumeName, bucketName)); auditMap = buildAuditMap(resolvedBucket.realVolume()); auditMap.put(OzoneConsts.BUCKET, resolvedBucket.realBucket()); - if (isObjectAclEnabled()) { + if (getAclsEnabled()) { omMetadataReader.checkAcls(ResourceType.BUCKET, StoreType.OZONE, ACLType.READ, resolvedBucket.realVolume(), resolvedBucket.realBucket(), null); } @@ -3141,7 +3133,7 @@ public ListSnapshotResponse listSnapshot( ResolvedBucket resolvedBucket = resolveBucketLink(Pair.of(volumeName, bucketName)); auditMap = buildAuditMap(resolvedBucket.realVolume()); auditMap.put(OzoneConsts.BUCKET, resolvedBucket.realBucket()); - if (isObjectAclEnabled()) { + if (getAclsEnabled()) { omMetadataReader.checkAcls(ResourceType.BUCKET, StoreType.OZONE, ACLType.LIST, resolvedBucket.realVolume(), resolvedBucket.realBucket(), null); } @@ -4658,7 +4650,7 @@ public ResolvedBucket resolveBucketLink(Pair requested, OMClientRequest omClientRequest) throws IOException { OmBucketInfo resolved; - if (isObjectAclEnabled()) { + if (getAclsEnabled()) { resolved = resolveBucketLink(requested, new HashSet<>(), omClientRequest.createUGIForApi(), omClientRequest.getRemoteAddress(), @@ -4674,7 +4666,7 @@ public ResolvedBucket resolveBucketLink(Pair requested, public ResolvedBucket resolveBucketLink(Pair requested, boolean allowDanglingBuckets) throws IOException { - return resolveBucketLink(requested, allowDanglingBuckets, isObjectAclEnabled()); + return resolveBucketLink(requested, allowDanglingBuckets, getAclsEnabled()); } public ResolvedBucket resolveBucketLink(Pair requested, @@ -4710,7 +4702,7 @@ private OmBucketInfo resolveBucketLink( String hostName, boolean allowDanglingBuckets) throws IOException { return resolveBucketLink(volumeAndBucket, visited, userGroupInformation, remoteAddress, hostName, - allowDanglingBuckets, isObjectAclEnabled()); + allowDanglingBuckets, getAclsEnabled()); } /** @@ -5220,7 +5212,7 @@ public SnapshotDiffResponse snapshotDiff(String volume, // Updating the volumeName & bucketName in case the bucket is a linked bucket. We need to do this before a // permission check, since linked bucket permissions and source bucket permissions could be different. ResolvedBucket resolvedBucket = resolveBucketLink(Pair.of(volume, bucket), false); - if (isObjectAclEnabled()) { + if (getAclsEnabled()) { omMetadataReader.checkAcls(ResourceType.BUCKET, StoreType.OZONE, ACLType.READ, resolvedBucket.realVolume(), resolvedBucket.realBucket(), null); } @@ -5257,7 +5249,7 @@ public CancelSnapshotDiffResponse cancelSnapshotDiff(String volume, try { ResolvedBucket resolvedBucket = this.resolveBucketLink(Pair.of(volume, bucket), false); - if (isObjectAclEnabled()) { + if (getAclsEnabled()) { omMetadataReader.checkAcls(ResourceType.BUCKET, StoreType.OZONE, ACLType.READ, resolvedBucket.realVolume(), resolvedBucket.realBucket(), null); } @@ -5294,7 +5286,7 @@ public ListSnapshotDiffJobResponse listSnapshotDiffJobs( try { ResolvedBucket resolvedBucket = this.resolveBucketLink(Pair.of(volume, bucket), false); - if (isObjectAclEnabled()) { + if (getAclsEnabled()) { omMetadataReader.checkAcls(ResourceType.BUCKET, StoreType.OZONE, ACLType.LIST, volume, bucket, null); } diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/OMClientRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/OMClientRequest.java index 3896071f09eb..884c5fa310bc 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/OMClientRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/OMClientRequest.java @@ -282,7 +282,7 @@ protected void checkACLsWithFSO(OzoneManager ozoneManager, String volumeName, .setRecursiveAccessCheck(pathViewer.isCheckRecursiveAccess()); // check Acl - if (ozoneManager.isObjectAclEnabled()) { + if (ozoneManager.getAclsEnabled()) { String volumeOwner = ozoneManager.getVolumeOwner( obj.getVolumeName(), contextBuilder.getAclRights(), obj.getResourceType()); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketCreateRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketCreateRequest.java index 4e7516c07015..718f329aaaff 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketCreateRequest.java @@ -102,7 +102,7 @@ public OMRequest preExecute(OzoneManager ozoneManager) throws IOException { OmUtils.validateBucketName(bucketInfo.getBucketName(), strict); // ACL check during preExecute - if (ozoneManager.isObjectAclEnabled()) { + if (ozoneManager.getAclsEnabled()) { try { checkAcls(ozoneManager, OzoneObj.ResourceType.BUCKET, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.CREATE, diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketDeleteRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketDeleteRequest.java index 3b58e4c419c7..3c5f028bb5d9 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketDeleteRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketDeleteRequest.java @@ -102,7 +102,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut OMClientResponse omClientResponse = null; try { // check Acl - if (ozoneManager.isObjectAclEnabled()) { + if (ozoneManager.getAclsEnabled()) { checkAcls(ozoneManager, OzoneObj.ResourceType.BUCKET, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.DELETE, volumeName, bucketName, null); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketSetOwnerRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketSetOwnerRequest.java index c7dbd437c272..6d0c90cdca29 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketSetOwnerRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketSetOwnerRequest.java @@ -110,7 +110,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut OMClientResponse omClientResponse = null; try { // check Acl - if (ozoneManager.isObjectAclEnabled()) { + if (ozoneManager.getAclsEnabled()) { checkAcls(ozoneManager, OzoneObj.ResourceType.BUCKET, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE_ACL, volumeName, bucketName, null); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketSetPropertyRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketSetPropertyRequest.java index 3fa453642e59..6c321ce84b29 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketSetPropertyRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketSetPropertyRequest.java @@ -133,7 +133,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut OMClientResponse omClientResponse = null; try { // check Acl - if (ozoneManager.isObjectAclEnabled()) { + if (ozoneManager.getAclsEnabled()) { checkAclPermission(ozoneManager, volumeName, bucketName); } diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/acl/OMBucketAclRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/acl/OMBucketAclRequest.java index cb0428c7fa58..6faac1a24dc3 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/acl/OMBucketAclRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/acl/OMBucketAclRequest.java @@ -88,7 +88,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut bucket = resolvedBucket.realBucket(); // check Acl - if (ozoneManager.isObjectAclEnabled()) { + if (ozoneManager.getAclsEnabled()) { checkAcls(ozoneManager, OzoneObj.ResourceType.BUCKET, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE_ACL, volume, bucket, null); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java index 05de930f66d2..7df2619e9e46 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java @@ -621,7 +621,7 @@ protected OmKeyInfo.Builder dirKeyInfoBuilderNoACL(String keyName, KeyArgs keyAr protected void checkBucketAcls(OzoneManager ozoneManager, String volume, String bucket, String key, IAccessAuthorizer.ACLType aclType) throws IOException { - if (ozoneManager.isObjectAclEnabled()) { + if (ozoneManager.getAclsEnabled()) { checkAcls(ozoneManager, OzoneObj.ResourceType.BUCKET, OzoneObj.StoreType.OZONE, aclType, volume, bucket, key); @@ -642,7 +642,7 @@ protected void checkKeyAcls(OzoneManager ozoneManager, String volume, String bucket, String key, IAccessAuthorizer.ACLType aclType, OzoneObj.ResourceType resourceType) throws IOException { - if (ozoneManager.isObjectAclEnabled()) { + if (ozoneManager.getAclsEnabled()) { checkAcls(ozoneManager, resourceType, OzoneObj.StoreType.OZONE, aclType, volume, bucket, key); } @@ -663,7 +663,7 @@ protected void checkKeyAcls(OzoneManager ozoneManager, String volume, String bucket, String key, IAccessAuthorizer.ACLType aclType, OzoneObj.ResourceType resourceType, String volumeOwner) throws IOException { - if (ozoneManager.isObjectAclEnabled()) { + if (ozoneManager.getAclsEnabled()) { checkAcls(ozoneManager, resourceType, OzoneObj.StoreType.OZONE, aclType, volume, bucket, key, volumeOwner, ozoneManager.getBucketOwner(volume, bucket, aclType, resourceType)); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeySetTimesRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeySetTimesRequest.java index d79874399332..eef06ef2b41e 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeySetTimesRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeySetTimesRequest.java @@ -79,7 +79,7 @@ public OMRequest preExecute(OzoneManager ozoneManager) throws IOException { OzoneManagerProtocolProtos.KeyArgs newKeyArgs = resolveBucketLink(ozoneManager, keyArgs); // ACL check during preExecute - if (ozoneManager.isObjectAclEnabled()) { + if (ozoneManager.getAclsEnabled()) { try { checkAcls(ozoneManager, OzoneObj.ResourceType.KEY, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE_ACL, diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAclRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAclRequest.java index f910bb4a60af..35e06de92ee2 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAclRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAclRequest.java @@ -88,7 +88,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut key = objectParser.getKey(); // check Acl - if (ozoneManager.isObjectAclEnabled()) { + if (ozoneManager.getAclsEnabled()) { checkAcls(ozoneManager, OzoneObj.ResourceType.KEY, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE_ACL, volume, bucket, key); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAclRequestWithFSO.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAclRequestWithFSO.java index fe1109fe35d1..f9c8602e0a43 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAclRequestWithFSO.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAclRequestWithFSO.java @@ -82,7 +82,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut key = objectParser.getKey(); // check Acl - if (ozoneManager.isObjectAclEnabled()) { + if (ozoneManager.getAclsEnabled()) { checkAcls(ozoneManager, OzoneObj.ResourceType.KEY, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE_ACL, volume, bucket, key); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/prefix/OMPrefixAclRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/prefix/OMPrefixAclRequest.java index 6d13ffddc7bb..5549c1f21b9f 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/prefix/OMPrefixAclRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/prefix/OMPrefixAclRequest.java @@ -77,7 +77,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut prefixPath = resolvedPrefixObj.getPath(); // check Acl - if (ozoneManager.isObjectAclEnabled()) { + if (ozoneManager.getAclsEnabled()) { checkAcls(ozoneManager, OzoneObj.ResourceType.PREFIX, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE_ACL, resolvedPrefixObj.getVolumeName(), resolvedPrefixObj.getBucketName(), diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantCreateRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantCreateRequest.java index 7a0c15a29c2d..ecb5a19f343b 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantCreateRequest.java @@ -143,7 +143,7 @@ public OMRequest preExecute(OzoneManager ozoneManager) throws IOException { .getVolumeKey(volumeName); // ACL check during preExecute (align with other create requests) - if (ozoneManager.isObjectAclEnabled()) { + if (ozoneManager.getAclsEnabled()) { try { checkAcls(ozoneManager, OzoneObj.ResourceType.VOLUME, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.CREATE, diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantDeleteRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantDeleteRequest.java index 9af5fdb00b05..c49525271a7c 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantDeleteRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantDeleteRequest.java @@ -113,7 +113,7 @@ public OMRequest preExecute(OzoneManager ozoneManager) throws IOException { } // Perform ACL check during preExecute (WRITE_ACL on volume if applicable) - if (ozoneManager.isObjectAclEnabled()) { + if (ozoneManager.getAclsEnabled()) { try { checkAcls(ozoneManager, OzoneObj.ResourceType.VOLUME, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE_ACL, diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeCreateRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeCreateRequest.java index 8745f9b59c00..3348037a62db 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeCreateRequest.java @@ -74,7 +74,7 @@ public OMRequest preExecute(OzoneManager ozoneManager) throws IOException { ozoneManager.isStrictS3()); // ACL check during preExecute - if (ozoneManager.isObjectAclEnabled()) { + if (ozoneManager.getAclsEnabled()) { try { checkAcls(ozoneManager, OzoneObj.ResourceType.VOLUME, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.CREATE, diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeDeleteRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeDeleteRequest.java index b67c20c23643..ba32fe542c98 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeDeleteRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeDeleteRequest.java @@ -81,7 +81,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut OMClientResponse omClientResponse = null; try { // check Acl - if (ozoneManager.isObjectAclEnabled()) { + if (ozoneManager.getAclsEnabled()) { checkAcls(ozoneManager, OzoneObj.ResourceType.VOLUME, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.DELETE, volume, null, null); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeSetOwnerRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeSetOwnerRequest.java index e5f287e4338c..02c3b7874e99 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeSetOwnerRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeSetOwnerRequest.java @@ -109,7 +109,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut OMClientResponse omClientResponse = null; try { // check Acl - if (ozoneManager.isObjectAclEnabled()) { + if (ozoneManager.getAclsEnabled()) { checkAcls(ozoneManager, OzoneObj.ResourceType.VOLUME, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE_ACL, volume, null, null); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeSetQuotaRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeSetQuotaRequest.java index 687110b4e9e0..c93e8cbeb6c3 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeSetQuotaRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeSetQuotaRequest.java @@ -110,7 +110,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut OMClientResponse omClientResponse = null; try { // check Acl - if (ozoneManager.isObjectAclEnabled()) { + if (ozoneManager.getAclsEnabled()) { checkAcls(ozoneManager, OzoneObj.ResourceType.VOLUME, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE, volume, null, null); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/acl/OMVolumeAclRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/acl/OMVolumeAclRequest.java index e34e8bbedfa9..23b522ad77a6 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/acl/OMVolumeAclRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/acl/OMVolumeAclRequest.java @@ -72,7 +72,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut Result result; try { // check Acl - if (ozoneManager.isObjectAclEnabled()) { + if (ozoneManager.getAclsEnabled()) { checkAcls(ozoneManager, OzoneObj.ResourceType.VOLUME, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE_ACL, volume, null, null); diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/bucket/TestOMBucketCreateRequest.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/bucket/TestOMBucketCreateRequest.java index c6c8c698ce8e..49bf00b1f8f2 100644 --- a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/bucket/TestOMBucketCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/bucket/TestOMBucketCreateRequest.java @@ -164,7 +164,7 @@ public void preExecutePermissionDeniedWhenAclEnabled() { String bucketName = UUID.randomUUID().toString(); // Enable ACLs so preExecute path performs ACL checks - when(ozoneManager.isObjectAclEnabled()).thenReturn(true); + when(ozoneManager.getAclsEnabled()).thenReturn(true); OMRequest originalRequest = newCreateBucketRequest( newBucketInfoBuilder(bucketName, volumeName)).build(); diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/tenant/TestOMTenantCreateRequest.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/tenant/TestOMTenantCreateRequest.java index 5d244eaa8b08..36529d01064c 100644 --- a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/tenant/TestOMTenantCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/tenant/TestOMTenantCreateRequest.java @@ -276,7 +276,7 @@ private void doPreExecute(String tenantId) throws Exception { @Test public void preExecutePermissionDeniedWhenAclEnabled() throws Exception { - when(ozoneManager.isObjectAclEnabled()).thenReturn(true); + when(ozoneManager.getAclsEnabled()).thenReturn(true); final String tenantId = UUID.randomUUID().toString(); OMRequest originalRequest = diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/tenant/TestOMTenantDeleteRequest.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/tenant/TestOMTenantDeleteRequest.java index fa73d8b31301..6de4f1d8446d 100644 --- a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/tenant/TestOMTenantDeleteRequest.java +++ b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/tenant/TestOMTenantDeleteRequest.java @@ -113,7 +113,7 @@ public void tearDown() { @Test public void preExecutePermissionDeniedWhenAclEnabled() throws Exception { - when(ozoneManager.isObjectAclEnabled()).thenReturn(true); + when(ozoneManager.getAclsEnabled()).thenReturn(true); final String tenantId = UUID.randomUUID().toString(); final String volumeName = tenantId; diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/volume/TestOMVolumeCreateRequest.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/volume/TestOMVolumeCreateRequest.java index f3a17293144a..628e163a6afb 100644 --- a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/volume/TestOMVolumeCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/volume/TestOMVolumeCreateRequest.java @@ -221,7 +221,7 @@ public void preExecutePermissionDeniedWhenAclEnabled() throws Exception { String adminName = UUID.randomUUID().toString(); String ownerName = UUID.randomUUID().toString(); - when(ozoneManager.isObjectAclEnabled()).thenReturn(true); + when(ozoneManager.getAclsEnabled()).thenReturn(true); OMRequest originalRequest = createVolumeRequest(volumeName, adminName, ownerName, "world::a"); diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/acl/TestOzoneAuthorizerFactory.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/acl/TestOzoneAuthorizerFactory.java index a920bb0dd3ce..fd19e657ce34 100644 --- a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/acl/TestOzoneAuthorizerFactory.java +++ b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/acl/TestOzoneAuthorizerFactory.java @@ -173,9 +173,6 @@ private static OzoneManager omMock(OzoneConfiguration conf, .thenReturn(conf); when(om.getAclsEnabled()) .thenReturn(aclEnabled); - when(om.isObjectAclEnabled()) - .thenReturn(aclEnabled); - return om; } From 9a00cda3f34e4e020582cdcbb4664ed29c54d586 Mon Sep 17 00:00:00 2001 From: Gargi Jaiswal Date: Wed, 4 Mar 2026 00:17:24 +0530 Subject: [PATCH 7/8] fix test failures --- .../apache/hadoop/hdds/security/SecurityConfig.java | 11 +++++++++-- .../java/org/apache/hadoop/ozone/OzoneConfigKeys.java | 7 ------- .../org/apache/hadoop/ozone/OzoneSecurityUtil.java | 4 ++-- .../hadoop/ozone/container/common/SCMTestUtils.java | 2 +- .../hadoop/hdds/scm/TestStorageContainerManager.java | 2 +- .../hadoop/ozone/client/rpc/TestOzoneRpcClient.java | 2 +- .../ozone/client/rpc/TestSecureOzoneRpcClient.java | 2 ++ .../hadoop/ozone/om/TestAddRemoveOzoneManager.java | 2 +- .../hadoop/ozone/om/TestOMDbCheckpointServlet.java | 2 +- .../om/TestOMHALeaderSpecificACLEnforcement.java | 2 +- .../java/org/apache/hadoop/ozone/om/TestOmAcls.java | 2 +- .../om/snapshot/TestOzoneManagerSnapshotAcl.java | 2 +- .../src/test/java/org/apache/ozone/test/AclTests.java | 2 +- .../om/request/bucket/OMBucketDeleteRequest.java | 2 +- .../security/acl/TestOzoneAuthorizerFactory.java | 1 + 15 files changed, 24 insertions(+), 21 deletions(-) diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/SecurityConfig.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/SecurityConfig.java index d6661bce7847..2b0efc4d6ab9 100644 --- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/SecurityConfig.java +++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/SecurityConfig.java @@ -75,8 +75,6 @@ import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_AUTHORIZATION_ENABLED_DEFAULT; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_DEFAULT; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY; -import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED; -import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED_DEFAULT; import java.io.IOException; import java.nio.file.Path; @@ -108,6 +106,15 @@ public class SecurityConfig { private static final Logger LOG = LoggerFactory.getLogger(SecurityConfig.class); private static volatile Provider provider; + + /** + * Test-only configuration property to enable authorization checks without + * requiring full security (Kerberos) setup. This is for testing purposes + * only. + */ + public static final String OZONE_TEST_AUTHORIZATION_ENABLED = "ozone.test.authorization.enabled"; + public static final boolean OZONE_TEST_AUTHORIZATION_ENABLED_DEFAULT = false; + private final int size; private final String keyAlgo; private final String providerString; diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java index 1ff88a03e53b..456f44bac113 100644 --- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java +++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java @@ -471,13 +471,6 @@ public final class OzoneConfigKeys { false; public static final String OZONE_AUTHORIZATION_ENABLED = "ozone.authorization.enabled"; public static final boolean OZONE_AUTHORIZATION_ENABLED_DEFAULT = true; - /** - * Test-only configuration property to enable authorization checks without - * requiring full security (Kerberos) setup. This is for testing purposes - * only and should not be used in production. - */ - public static final String OZONE_TEST_AUTHORIZATION_ENABLED = "ozone.test.authorization.enabled"; - public static final boolean OZONE_TEST_AUTHORIZATION_ENABLED_DEFAULT = false; public static final String OZONE_S3_VOLUME_NAME = "ozone.s3g.volume.name"; public static final String OZONE_S3_VOLUME_NAME_DEFAULT = diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneSecurityUtil.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneSecurityUtil.java index a42ec94653ef..6e9da83b2bb3 100644 --- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneSecurityUtil.java +++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneSecurityUtil.java @@ -17,14 +17,14 @@ package org.apache.hadoop.ozone; +import static org.apache.hadoop.hdds.security.SecurityConfig.OZONE_TEST_AUTHORIZATION_ENABLED; +import static org.apache.hadoop.hdds.security.SecurityConfig.OZONE_TEST_AUTHORIZATION_ENABLED_DEFAULT; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_AUTHORIZATION_ENABLED; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_AUTHORIZATION_ENABLED_DEFAULT; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_HTTP_SECURITY_ENABLED_DEFAULT; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_HTTP_SECURITY_ENABLED_KEY; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_DEFAULT; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY; -import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED; -import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED_DEFAULT; import java.io.File; import java.io.IOException; diff --git a/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/container/common/SCMTestUtils.java b/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/container/common/SCMTestUtils.java index afc0adcd209a..e29f46cd74e0 100644 --- a/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/container/common/SCMTestUtils.java +++ b/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/container/common/SCMTestUtils.java @@ -17,7 +17,7 @@ package org.apache.hadoop.ozone.container.common; -import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED; +import static org.apache.hadoop.hdds.security.SecurityConfig.OZONE_TEST_AUTHORIZATION_ENABLED; import static org.junit.jupiter.api.Assertions.assertTrue; import static org.mockito.Mockito.mock; diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/TestStorageContainerManager.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/TestStorageContainerManager.java index 63c53aff2e65..37c4cfd380d9 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/TestStorageContainerManager.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/TestStorageContainerManager.java @@ -24,8 +24,8 @@ import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_SCM_SAFEMODE_PIPELINE_CREATION; import static org.apache.hadoop.hdds.scm.HddsTestUtils.mockRemoteUser; import static org.apache.hadoop.hdds.scm.HddsWhiteboxTestUtils.setInternalState; +import static org.apache.hadoop.hdds.security.SecurityConfig.OZONE_TEST_AUTHORIZATION_ENABLED; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_BLOCK_DELETING_SERVICE_INTERVAL; -import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED; import static org.apache.hadoop.ozone.common.BlockGroup.SIZE_NOT_AVAILABLE; import static org.assertj.core.api.Assertions.assertThat; import static org.junit.jupiter.api.Assertions.assertDoesNotThrow; diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClient.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClient.java index f6cc539eb96c..7e6a64ea098f 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClient.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestOzoneRpcClient.java @@ -17,7 +17,7 @@ package org.apache.hadoop.ozone.client.rpc; -import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED; +import static org.apache.hadoop.hdds.security.SecurityConfig.OZONE_TEST_AUTHORIZATION_ENABLED; import java.io.IOException; import org.apache.hadoop.hdds.conf.OzoneConfiguration; diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestSecureOzoneRpcClient.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestSecureOzoneRpcClient.java index 773ea96c3c7b..772ec0383fbe 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestSecureOzoneRpcClient.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestSecureOzoneRpcClient.java @@ -19,6 +19,7 @@ import static java.nio.charset.StandardCharsets.UTF_8; import static org.apache.hadoop.hdds.HddsConfigKeys.OZONE_METADATA_DIRS; +import static org.apache.hadoop.hdds.security.SecurityConfig.OZONE_TEST_AUTHORIZATION_ENABLED; import static org.apache.hadoop.ozone.OzoneConsts.FORCE_LEASE_RECOVERY_ENV; import static org.apache.hadoop.ozone.OzoneConsts.OZONE_OFS_URI_SCHEME; import static org.apache.hadoop.ozone.OzoneConsts.OZONE_ROOT; @@ -116,6 +117,7 @@ public static void init() throws Exception { conf.setBoolean(HddsConfigKeys.HDDS_BLOCK_TOKEN_ENABLED, true); conf.set(OZONE_METADATA_DIRS, testDir.getAbsolutePath()); conf.setBoolean(OzoneConfigKeys.OZONE_ACL_ENABLED, true); + conf.setBoolean(OZONE_TEST_AUTHORIZATION_ENABLED, true); conf.set(OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS, OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS_NATIVE); CertificateClientTestImpl certificateClientTest = diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestAddRemoveOzoneManager.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestAddRemoveOzoneManager.java index c8bc35c7ac5b..c891ca99ff4d 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestAddRemoveOzoneManager.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestAddRemoveOzoneManager.java @@ -17,7 +17,7 @@ package org.apache.hadoop.ozone.om; -import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED; +import static org.apache.hadoop.hdds.security.SecurityConfig.OZONE_TEST_AUTHORIZATION_ENABLED; import static org.apache.hadoop.ozone.OzoneConsts.SCM_DUMMY_SERVICE_ID; import static org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_DECOMMISSIONED_NODES_KEY; import static org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_RATIS_SERVER_REQUEST_TIMEOUT_DEFAULT; diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMDbCheckpointServlet.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMDbCheckpointServlet.java index 56904a942894..ac12189b1f62 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMDbCheckpointServlet.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMDbCheckpointServlet.java @@ -18,11 +18,11 @@ package org.apache.hadoop.ozone.om; import static org.apache.hadoop.hdds.recon.ReconConfig.ConfigStrings.OZONE_RECON_KERBEROS_PRINCIPAL_KEY; +import static org.apache.hadoop.hdds.security.SecurityConfig.OZONE_TEST_AUTHORIZATION_ENABLED; import static org.apache.hadoop.hdds.utils.HddsServerUtil.OZONE_RATIS_SNAPSHOT_COMPLETE_FLAG_NAME; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS_WILDCARD; -import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED; import static org.apache.hadoop.ozone.OzoneConsts.DB_COMPACTION_SST_BACKUP_DIR; import static org.apache.hadoop.ozone.OzoneConsts.MULTIPART_FORM_DATA_BOUNDARY; import static org.apache.hadoop.ozone.OzoneConsts.OM_DB_NAME; diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMHALeaderSpecificACLEnforcement.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMHALeaderSpecificACLEnforcement.java index 447496ab9adf..43acb0f823d9 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMHALeaderSpecificACLEnforcement.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMHALeaderSpecificACLEnforcement.java @@ -18,10 +18,10 @@ package org.apache.hadoop.ozone.om; import static java.nio.charset.StandardCharsets.UTF_8; +import static org.apache.hadoop.hdds.security.SecurityConfig.OZONE_TEST_AUTHORIZATION_ENABLED; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS; -import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED; import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.PERMISSION_DENIED; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOmAcls.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOmAcls.java index f76b1090b3b5..8faf7d973cff 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOmAcls.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOmAcls.java @@ -17,11 +17,11 @@ package org.apache.hadoop.ozone.om; +import static org.apache.hadoop.hdds.security.SecurityConfig.OZONE_TEST_AUTHORIZATION_ENABLED; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS_WILDCARD; -import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED; import static org.apache.hadoop.ozone.audit.AuditLogTestUtils.verifyAuditLog; import static org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType.USER; import static org.assertj.core.api.Assertions.assertThat; diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/snapshot/TestOzoneManagerSnapshotAcl.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/snapshot/TestOzoneManagerSnapshotAcl.java index cf1e94226837..ae6cddba7cf7 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/snapshot/TestOzoneManagerSnapshotAcl.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/snapshot/TestOzoneManagerSnapshotAcl.java @@ -19,10 +19,10 @@ import static java.nio.charset.StandardCharsets.UTF_8; import static org.apache.hadoop.fs.FileSystem.FS_DEFAULT_NAME_KEY; +import static org.apache.hadoop.hdds.security.SecurityConfig.OZONE_TEST_AUTHORIZATION_ENABLED; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS_NATIVE; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED; -import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED; import static org.apache.hadoop.ozone.OzoneConsts.ADMIN; import static org.apache.hadoop.ozone.OzoneConsts.OZONE_OFS_URI_SCHEME; import static org.apache.hadoop.ozone.om.OmSnapshotManager.getSnapshotPath; diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/ozone/test/AclTests.java b/hadoop-ozone/integration-test/src/test/java/org/apache/ozone/test/AclTests.java index b3d8e1616dbf..fa51d5b9b4f2 100644 --- a/hadoop-ozone/integration-test/src/test/java/org/apache/ozone/test/AclTests.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/ozone/test/AclTests.java @@ -17,10 +17,10 @@ package org.apache.ozone.test; +import static org.apache.hadoop.hdds.security.SecurityConfig.OZONE_TEST_AUTHORIZATION_ENABLED; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS_NATIVE; import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED; -import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_TEST_AUTHORIZATION_ENABLED; import org.apache.hadoop.hdds.conf.OzoneConfiguration; import org.apache.hadoop.ozone.MiniOzoneCluster; diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketDeleteRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketDeleteRequest.java index 3c5f028bb5d9..deb2c8a05b32 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketDeleteRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketDeleteRequest.java @@ -126,7 +126,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut if (omBucketInfo == null) { LOG.debug("bucket: {} not found ", bucketName); - throw new OMException("Bucket not exists", BUCKET_NOT_FOUND); + throw new OMException("Bucket not found", BUCKET_NOT_FOUND); } //Check if bucket is empty diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/acl/TestOzoneAuthorizerFactory.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/acl/TestOzoneAuthorizerFactory.java index fd19e657ce34..bb40fe4166ca 100644 --- a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/acl/TestOzoneAuthorizerFactory.java +++ b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/acl/TestOzoneAuthorizerFactory.java @@ -173,6 +173,7 @@ private static OzoneManager omMock(OzoneConfiguration conf, .thenReturn(conf); when(om.getAclsEnabled()) .thenReturn(aclEnabled); + return om; } From f67f70e1275bd56f739577af893755f67937bd1a Mon Sep 17 00:00:00 2001 From: Gargi Jaiswal Date: Mon, 9 Mar 2026 09:40:35 +0530 Subject: [PATCH 8/8] remove redudant check from OMBucketSetPropertyRequest --- .../bucket/OMBucketSetPropertyRequest.java | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketSetPropertyRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketSetPropertyRequest.java index 6c321ce84b29..a88e5fb73334 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketSetPropertyRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketSetPropertyRequest.java @@ -252,16 +252,14 @@ private void checkAclPermission( OzoneManager ozoneManager, String volumeName, String bucketName) throws IOException { if (ozoneManager.getAccessAuthorizer().isNative()) { - if (ozoneManager.isAdminAuthorizationEnabled()) { - UserGroupInformation ugi = createUGIForApi(); - String bucketOwner = ozoneManager.getBucketOwner(volumeName, bucketName, - IAccessAuthorizer.ACLType.READ, OzoneObj.ResourceType.BUCKET); - if (!ozoneManager.isAdmin(ugi) && - !ozoneManager.isOwner(ugi, bucketOwner)) { - throw new OMException( - "Bucket properties are allowed to changed by Admin and Owner", - OMException.ResultCodes.PERMISSION_DENIED); - } + UserGroupInformation ugi = createUGIForApi(); + String bucketOwner = ozoneManager.getBucketOwner(volumeName, bucketName, + IAccessAuthorizer.ACLType.READ, OzoneObj.ResourceType.BUCKET); + if (!ozoneManager.isAdmin(ugi) && + !ozoneManager.isOwner(ugi, bucketOwner)) { + throw new OMException( + "Bucket properties are allowed to changed by Admin and Owner", + OMException.ResultCodes.PERMISSION_DENIED); } } else { // ranger acl checkAcls(ozoneManager, OzoneObj.ResourceType.BUCKET,