HDDS-13999. Complete ignore the ACL sent by client during object crea…

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/OmConfig.java

@@ -117,6 +117,14 @@ public class OmConfig extends ReconfigurableConfig {
   private String groupDefaultRights;
   private Set<ACLType> groupDefaultRightSet;
 
+  @Config(key = "object.creation.ignore.client.acls",
+      defaultValue = "false",
+      type = ConfigType.BOOLEAN,
+      tags = {ConfigTag.OM, ConfigTag.SECURITY},
+      description = "Ignore ACLs sent by client to OzoneManager during volume/bucket/key creation."
+  )
+  private boolean ignoreClientACLs;
+
   public long getRatisBasedFinalizationTimeout() {
     return ratisBasedFinalizationTimeout;
   }
@@ -181,6 +189,14 @@ private Set<ACLType> getGroupDefaultRightSet() {
         : ACLType.parseList(groupDefaultRights);
   }
 
+  public boolean ignoreClientACLs() {
+    return ignoreClientACLs;
+  }
+
+  public void setIgnoreClientACLs(boolean ignore) {
+    ignoreClientACLs = ignore;
+  }
+
   @PostConstruct
   public void validate() {
     if (maxListSize <= 0) {

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketCreateRequest.java

@@ -336,7 +336,7 @@ private void addDefaultAcls(OmBucketInfo omBucketInfo,
     List<OzoneAcl> acls = new ArrayList<>();
     // Add default acls
     acls.addAll(getDefaultAclList(createUGIForApi(), ozoneManager.getConfig()));
-    if (omBucketInfo.getAcls() != null) {
+    if (omBucketInfo.getAcls() != null && !ozoneManager.getConfig().ignoreClientACLs()) {
       // Add acls for bucket creator.
       acls.addAll(omBucketInfo.getAcls());
     }

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java

@@ -333,7 +333,7 @@ protected List<OzoneAcl> getAclsForKey(KeyArgs keyArgs,
 
     List<OzoneAcl> acls = new ArrayList<>();
     acls.addAll(getDefaultAclList(createUGIForApi(), config));
-    if (keyArgs.getAclsList() != null) {
+    if (!keyArgs.getAclsList().isEmpty() && !config.ignoreClientACLs()) {
       acls.addAll(OzoneAclUtil.fromProtobuf(keyArgs.getAclsList()));
     }
 
@@ -407,7 +407,9 @@ protected List<OzoneAcl> getAclsForDir(KeyArgs keyArgs, OmBucketInfo bucketInfo,
     }
 
     // add acls from clients
-    acls.addAll(OzoneAclUtil.fromProtobuf(keyArgs.getAclsList()));
+    if (!keyArgs.getAclsList().isEmpty() && !config.ignoreClientACLs()) {
+      acls.addAll(OzoneAclUtil.fromProtobuf(keyArgs.getAclsList()));
+    }
     acls = acls.stream().distinct().collect(Collectors.toList());
     return acls;
   }

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeCreateRequest.java

@@ -168,7 +168,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut
         List<OzoneAcl> listOfAcls = getDefaultAclList(UserGroupInformation.createRemoteUser(owner),
             ozoneManager.getConfig());
         // ACLs from VolumeArgs
-        if (omVolumeArgs.getAcls() != null) {
+        if (omVolumeArgs.getAcls() != null && !ozoneManager.getConfig().ignoreClientACLs()) {
           listOfAcls.addAll(omVolumeArgs.getAcls());
         }
         // Remove the duplicates

hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/bucket/TestOMBucketCreateRequest.java

@@ -20,17 +20,21 @@
 import static org.apache.hadoop.ozone.om.request.OMRequestTestUtils.newBucketInfoBuilder;
 import static org.apache.hadoop.ozone.om.request.OMRequestTestUtils.newCreateBucketRequest;
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.mockito.Mockito.when;
 
+import java.util.List;
 import java.util.UUID;
 import org.apache.hadoop.hdds.client.DefaultReplicationConfig;
 import org.apache.hadoop.hdds.client.ECReplicationConfig;
+import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
 import org.apache.hadoop.hdds.protocol.proto.HddsProtos.StorageTypeProto;
+import org.apache.hadoop.ozone.OzoneAcl;
 import org.apache.hadoop.ozone.om.OMConfigKeys;
 import org.apache.hadoop.ozone.om.OMMetadataManager;
 import org.apache.hadoop.ozone.om.OzoneManager;
@@ -48,6 +52,8 @@
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.util.Time;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
 
 /**
  * Tests OMBucketCreateRequest class, which handles CreateBucket request.
@@ -320,6 +326,44 @@ public void testAcceptNonS3CompliantBucketNameCreationWithStrictS3False()
     }
   }
 
+  @ParameterizedTest
+  @ValueSource(booleans = {true, false})
+  public void testIgnoreClientACL(boolean ignoreClientACLs) throws Exception {
+    ozoneManager.getConfig().setIgnoreClientACLs(ignoreClientACLs);
+
+    String volumeName = UUID.randomUUID().toString();
+    String bucketName = UUID.randomUUID().toString();
+    OMRequestTestUtils.addVolumeToDB(volumeName, omMetadataManager, 10000L);
+
+    // create a bucket
+    String acl = "user:ozone:a";
+    OzoneManagerProtocolProtos.BucketInfo.Builder builder =
+        OzoneManagerProtocolProtos.BucketInfo.newBuilder()
+            .setBucketName(bucketName)
+            .setVolumeName(volumeName)
+            .setStorageType(HddsProtos.StorageTypeProto.SSD)
+            .setIsVersionEnabled(false)
+            .setQuotaInBytes(5000L)
+            .addAcls(OzoneAcl.toProtobuf(OzoneAcl.parseAcl(acl)));
+    OMRequest originalRequest = newCreateBucketRequest(builder).build();
+    OMBucketCreateRequest omBucketCreateRequest = new OMBucketCreateRequest(originalRequest);
+    OMRequest modifiedRequest = omBucketCreateRequest.preExecute(ozoneManager);
+    OMBucketCreateRequest testRequest = new OMBucketCreateRequest(modifiedRequest);
+    testRequest.setUGI(UserGroupInformation.getCurrentUser());
+    OMClientResponse resp = testRequest.validateAndUpdateCache(ozoneManager, 1);
+    assertEquals(resp.getOMResponse().getStatus().toString(), OMException.ResultCodes.OK.toString());
+
+    // Check ACLs
+    OmBucketInfo bucket =
+        omMetadataManager.getBucketTable().get(omMetadataManager.getBucketKey(volumeName, bucketName));
+    List<OzoneAcl> aclList = bucket.getAcls();
+    if (ignoreClientACLs) {
+      assertFalse(aclList.contains(OzoneAcl.parseAcl(acl)));
+    } else {
+      assertTrue(aclList.contains(OzoneAcl.parseAcl(acl)));
+    }
+  }
+
   private void acceptBucketCreationHelper(String volumeName, String bucketName)
         throws Exception {
     OMBucketCreateRequest omBucketCreateRequest = 

hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/file/TestOMDirectoryCreateRequest.java

@@ -21,6 +21,7 @@
 import static org.apache.hadoop.ozone.OzoneConsts.OZONE_URI_DELIMITER;
 import static org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.Status.VOLUME_NOT_FOUND;
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNull;
@@ -495,6 +496,44 @@ public void testCreateDirectoryInheritParentDefaultAcls() throws Exception {
 
   }
 
+  @ParameterizedTest
+  @ValueSource(booleans = {true, false})
+  public void testIgnoreClientACL(boolean ignoreClientACLs) throws Exception {
+    ozoneManager.getConfig().setIgnoreClientACLs(ignoreClientACLs);
+
+    String volumeName = "vol1";
+    String bucketName = "bucket1";
+    String keyName = genRandomKeyName();
+
+    // Add volume and bucket entries to DB.
+    OMRequestTestUtils.addVolumeAndBucketToDB(volumeName, bucketName,
+        omMetadataManager);
+
+    String ozoneAll = "user:ozone:a";
+    List<OzoneAcl> aclList = new ArrayList<>();
+    aclList.add(OzoneAcl.parseAcl(ozoneAll));
+    OMRequest omRequest = createDirectoryRequest(volumeName, bucketName,
+        OzoneFSUtils.addTrailingSlashIfNeeded(keyName), aclList);
+    OMDirectoryCreateRequest omDirectoryCreateRequest =
+        new OMDirectoryCreateRequest(omRequest, getBucketLayout());
+
+    OMRequest modifiedOmRequest = omDirectoryCreateRequest.preExecute(ozoneManager);
+    omDirectoryCreateRequest = new OMDirectoryCreateRequest(modifiedOmRequest, getBucketLayout());
+    omDirectoryCreateRequest.setUGI(UserGroupInformation.getCurrentUser());
+
+    OMClientResponse omClientResponse = omDirectoryCreateRequest.validateAndUpdateCache(ozoneManager, 100L);
+    assertEquals(OzoneManagerProtocolProtos.Status.OK, omClientResponse.getOMResponse().getStatus());
+
+    OmKeyInfo keyInfo = omMetadataManager.getKeyTable(getBucketLayout()).get(
+        omMetadataManager.getOzoneDirKey(volumeName, bucketName, keyName));
+
+    if (ignoreClientACLs) {
+      assertFalse(keyInfo.getAcls().contains(OzoneAcl.parseAcl(ozoneAll)));
+    } else {
+      assertTrue(keyInfo.getAcls().contains(OzoneAcl.parseAcl(ozoneAll)));
+    }
+  }
+
   private void verifyDirectoriesInheritAcls(String volumeName,
       String bucketName, String keyName, List<OzoneAcl> bucketAcls)
       throws IOException {
@@ -520,19 +559,31 @@ private void verifyDirectoriesInheritAcls(String volumeName,
     }
   }
 
+  private OMRequest createDirectoryRequest(String volumeName, String bucketName, String keyName) {
+    return createDirectoryRequest(volumeName, bucketName, keyName, null);
+  }
+
   /**
    * Create OMRequest which encapsulates CreateDirectory request.
    * @param volumeName
    * @param bucketName
    * @param keyName
+   * @param acls
    * @return OMRequest
    */
   private OMRequest createDirectoryRequest(String volumeName, String bucketName,
-      String keyName) {
-    return OMRequest.newBuilder().setCreateDirectoryRequest(
-        CreateDirectoryRequest.newBuilder().setKeyArgs(
-            KeyArgs.newBuilder().setVolumeName(volumeName)
-                .setBucketName(bucketName).setKeyName(keyName)))
+      String keyName, List<OzoneAcl> acls) {
+    KeyArgs.Builder builder = KeyArgs.newBuilder()
+        .setVolumeName(volumeName)
+        .setBucketName(bucketName)
+        .setKeyName(keyName);
+    if (acls != null) {
+      for (OzoneAcl acl : acls) {
+        builder.addAcls(OzoneAcl.toProtobuf(acl));
+      }
+    }
+    return OMRequest.newBuilder()
+        .setCreateDirectoryRequest(CreateDirectoryRequest.newBuilder().setKeyArgs(builder))
         .setCmdType(OzoneManagerProtocolProtos.Type.CreateDirectory)
         .setClientId(UUID.randomUUID().toString()).build();
   }

hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/file/TestOMDirectoryCreateRequestWithFSO.java

@@ -20,6 +20,7 @@
 import static org.apache.hadoop.hdds.protocol.proto.HddsProtos.ReplicationFactor.THREE;
 import static org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.Status.VOLUME_NOT_FOUND;
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNull;
@@ -73,6 +74,8 @@
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.io.TempDir;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
 
 /**
  * Test OM directory create request - prefix layout.
@@ -709,6 +712,45 @@ public void testCreateDirectoryInheritParentDefaultAcls() throws Exception {
 
   }
 
+  @ParameterizedTest
+  @ValueSource(booleans = {true, false})
+  public void testIgnoreClientACL(boolean ignoreClientACLs) throws Exception {
+    ozoneManager.getConfig().setIgnoreClientACLs(ignoreClientACLs);
+
+    String volumeName = "vol1";
+    String bucketName = "bucket1";
+    List<String> dirs = new ArrayList<>();
+    String keyName = createDirKey(dirs, 3);
+
+    // Add volume and bucket entries to DB.
+    OMRequestTestUtils.addVolumeAndBucketToDB(volumeName, bucketName,
+        omMetadataManager, getBucketLayout());
+
+    String ozoneAll = "user:ozone:a";
+    List<OzoneAcl> aclList = new ArrayList<>();
+    aclList.add(OzoneAcl.parseAcl(ozoneAll));
+    OMRequest omRequest = createDirectoryRequest(volumeName, bucketName,
+        OzoneFSUtils.addTrailingSlashIfNeeded(keyName), aclList);
+    OMDirectoryCreateRequest omDirectoryCreateRequest =
+        new OMDirectoryCreateRequest(omRequest, getBucketLayout());
+
+    OMRequest modifiedOmRequest = omDirectoryCreateRequest.preExecute(ozoneManager);
+    omDirectoryCreateRequest = new OMDirectoryCreateRequest(modifiedOmRequest, getBucketLayout());
+    omDirectoryCreateRequest.setUGI(UserGroupInformation.getCurrentUser());
+
+    OMClientResponse omClientResponse = omDirectoryCreateRequest.validateAndUpdateCache(ozoneManager, 100L);
+    assertEquals(OzoneManagerProtocolProtos.Status.OK, omClientResponse.getOMResponse().getStatus());
+
+    OmKeyInfo keyInfo = omMetadataManager.getKeyTable(getBucketLayout()).get(
+        omMetadataManager.getOzoneDirKey(volumeName, bucketName, keyName));
+
+    if (ignoreClientACLs) {
+      assertFalse(keyInfo.getAcls().contains(OzoneAcl.parseAcl(ozoneAll)));
+    } else {
+      assertTrue(keyInfo.getAcls().contains(OzoneAcl.parseAcl(ozoneAll)));
+    }
+  }
+
   private void verifyDirectoriesInheritAcls(List<String> dirs,
       long volumeId, long bucketId, List<OzoneAcl> bucketAcls)
       throws IOException {
@@ -788,22 +830,34 @@ private void verifyDirectoriesNotInCache(List<String> dirs,
     }
   }
 
+  private OMRequest createDirectoryRequest(String volumeName, String bucketName, String keyName) {
+    return createDirectoryRequest(volumeName, bucketName, keyName, null);
+  }
+
   /**
    * Create OMRequest which encapsulates CreateDirectory request.
    *
    * @param volumeName
    * @param bucketName
    * @param keyName
+   * @param acls
    * @return OMRequest
    */
   private OMRequest createDirectoryRequest(String volumeName, String bucketName,
-                                           String keyName) {
-    return OMRequest.newBuilder().setCreateDirectoryRequest(
-            CreateDirectoryRequest.newBuilder().setKeyArgs(
-                    KeyArgs.newBuilder().setVolumeName(volumeName)
-                            .setBucketName(bucketName).setKeyName(keyName)))
-            .setCmdType(OzoneManagerProtocolProtos.Type.CreateDirectory)
-            .setClientId(UUID.randomUUID().toString()).build();
+      String keyName, List<OzoneAcl> acls) {
+    KeyArgs.Builder builder = KeyArgs.newBuilder()
+        .setVolumeName(volumeName)
+        .setBucketName(bucketName)
+        .setKeyName(keyName);
+    if (acls != null) {
+      for (OzoneAcl acl : acls) {
+        builder.addAcls(OzoneAcl.toProtobuf(acl));
+      }
+    }
+    return OMRequest.newBuilder()
+        .setCreateDirectoryRequest(CreateDirectoryRequest.newBuilder().setKeyArgs(builder))
+        .setCmdType(OzoneManagerProtocolProtos.Type.CreateDirectory)
+        .setClientId(UUID.randomUUID().toString()).build();
   }
 
   private BucketLayout getBucketLayout() {