Skip to content

HDDS-4585. Support bucket acl operation in S3g #1701

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
xiaoyuyao merged 12 commits into from
Apr 28, 2021
Merged

HDDS-4585. Support bucket acl operation in S3g #1701

xiaoyuyao merged 12 commits into from
Apr 28, 2021

Conversation

@ChenSammi
Copy link
Contributor

@ChenSammi ChenSammi commented Dec 15, 2020

@ChenSammi
Copy link
Contributor Author

ChenSammi commented Dec 25, 2020

AWS CLI console output with the patch,

Get ACL
[root@]# aws s3api --profile root --endpoint-url http://host:9878 get-bucket-acl --bucket ozone
{
"Owner": {
"DisplayName": "root",
"ID": "root"
},
"Grants": [
{
"Grantee": {
"Type": "CanonicalUser",
"DisplayName": "apple",
"ID": "apple"
},
"Permission": "FULL_CONTROL"
}
]
}

Put ACL
Form1
[root@]#aws s3api --profile root --endpoint-url http://host:9878 put-bucket-acl --bucket=ozone --grant-read id=one,id=two,id=three --grant-full-control id=tom,id=jerry

Form2
[root@]#aws s3api --profile root --endpoint-url http://host:9878 put-bucket-acl --bucket=ozone --access-control-policy '{"Grants": [ {"Grantee": {"DisplayName": "root", "ID": "root", "Type": "CanonicalUser"},"Permission": "FULL_CONTROL"} ], "Owner": {"DisplayName": "root","ID": "root"}}'

xiaoyuyao
xiaoyuyao reviewed Jan 19, 2021
View reviewed changes
Copy link
Contributor

@xiaoyuyao xiaoyuyao left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM overall, a few comments inline.

xiaoyuyao
xiaoyuyao reviewed Jan 22, 2021
View reviewed changes
Copy link
Contributor

@xiaoyuyao xiaoyuyao left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some additional comments.

@arp7 arp7 requested a review from prashantpogde January 25, 2021 21:16
@ChenSammi
Copy link
Contributor Author

ChenSammi commented Jan 29, 2021

misc acceptance exit with error code 1, while there is no obvious error. Can anyone tell me how to do a further investigation.

@adoroszlai
Copy link
Contributor

adoroszlai commented Jan 29, 2021

misc acceptance exit with error code 1, while there is no obvious error.

I'm looking into it: HDDS-4760.

@ChenSammi
Copy link
Contributor Author

ChenSammi commented Jan 29, 2021

misc acceptance exit with error code 1, while there is no obvious error.

I'm looking into it: HDDS-4760.

@adoroszlai ,thanks for the info.

prashantpogde
prashantpogde reviewed Feb 2, 2021
View reviewed changes
hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/endpoint/BucketEndpoint.java Outdated
Copy link
Contributor

@prashantpogde prashantpogde Feb 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to setup ACL on a volume here ? couldn't this lead to manipulating permissions on a bucket where the user doesn't have a permission ?

Copy link
Contributor Author

@ChenSammi ChenSammi Feb 3, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, we need to setup ACL on a volume for S3 bucket. Here we grant the user least privilege on volume in order to make sure user can access the bucket. If a user has full control of the bucket while he doesn't have any permission on volume, user will fail to execute some operations, such as bucket list.

The thing is object hierarchy of Ozone is /volume/bucket/key. ACL on Ozone has the hierarchical characteristic. ACL of parent will impact the accessibility of it's child.

Copy link
Contributor

@xiaoyuyao xiaoyuyao Apr 13, 2021
edited by ChenSammi
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we read the existing volume acl, add the new ones necessary and set it back instead of overwrite the existing ACL on the s3 volume?

@xiaoyuyao , I updated the implementation. Now it will remove all the ACLs of import users from Volume first, then apply the new ACLs on Volume.

@ChenSammi
Copy link
Contributor Author

ChenSammi commented Feb 19, 2021

@xiaoyuyao @prashantpogde , I just rebased the patch to the master branch, do you have time to take another look?

The remaining checkstyle warnings are mainly XML content string used for test which I don't plan to fix.
The failed secure acceptance test seems irrelevant.

@adoroszlai
Copy link
Contributor

adoroszlai commented Feb 19, 2021

The remaining checkstyle warnings are mainly XML content string used for test which I don't plan to fix.

These should be trivial to fix:

hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/endpoint/S3Acl.java
 38: Utility classes should not have a public or default constructor.
 42: Name 'grantRead' must match pattern '^[A-Z][A-Z0-9]*(_[A-Z0-9]+)*$'.
 43: Name 'grantWrite' must match pattern '^[A-Z][A-Z0-9]*(_[A-Z0-9]+)*$'.
 44: Name 'grantReadACP' must match pattern '^[A-Z][A-Z0-9]*(_[A-Z0-9]+)*$'.
 45: Name 'grantWriteACP' must match pattern '^[A-Z][A-Z0-9]*(_[A-Z0-9]+)*$'.
 46: Name 'grantFullControl' must match pattern '^[A-Z][A-Z0-9]*(_[A-Z0-9]+)*$'.
 49: Name 'cannedAclHeader' must match pattern '^[A-Z][A-Z0-9]*(_[A-Z0-9]+)*$'.
hadoop-ozone/s3gateway/src/test/java/org/apache/hadoop/ozone/s3/endpoint/TestBucketAcl.java
 53: Name 'bucketName' must match pattern '^[A-Z][A-Z0-9]*(_[A-Z0-9]+)*$'.
 60: Name 'aclMarker' must match pattern '^[A-Z][A-Z0-9]*(_[A-Z0-9]+)*$'.

and these can be fixed by moving XML content to external file(s) under hadoop-ozone/s3gateway/src/test/resources:

hadoop-ozone/s3gateway/src/test/java/org/apache/hadoop/ozone/s3/endpoint/TestBucketAcl.java
 224: Line is longer than 80 characters (found 90).
 226: Line is longer than 80 characters (found 100).
 231: Line is longer than 80 characters (found 120).
 232: Line is longer than 80 characters (found 104).
 238: Line is longer than 80 characters (found 112).
 239: Line is longer than 80 characters (found 99).
 244: Line is longer than 80 characters (found 112).
 245: Line is longer than 80 characters (found 98).
 250: Line is longer than 80 characters (found 128).
 251: Line is longer than 80 characters (found 84).
 256: Line is longer than 80 characters (found 120).
 257: Line is longer than 80 characters (found 115).
 272: Line is longer than 80 characters (found 90).
 274: Line is longer than 80 characters (found 100).
 279: Line is longer than 80 characters (found 120).
 280: Line is longer than 80 characters (found 104).
 286: Line is longer than 80 characters (found 120).
 287: Line is longer than 80 characters (found 115).

@ChenSammi
Copy link
Contributor Author

ChenSammi commented Mar 24, 2021

Hey,@xiaoyuyao do you have time to take another look?

@mukul1987 mukul1987 force-pushed the master branch 2 times, most recently from 79a9d39 to 520ba00 Compare March 25, 2021 16:05
xiaoyuyao
xiaoyuyao reviewed Apr 13, 2021
View reviewed changes
Copy link
Contributor

@xiaoyuyao xiaoyuyao left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @ChenSammi for the update. I have a few additional question added.

hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/endpoint/BucketEndpoint.java Outdated
Copy link
Contributor

@xiaoyuyao xiaoyuyao Apr 13, 2021
edited by ChenSammi
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we read the existing volume acl, add the new ones necessary and set it back instead of overwrite the existing ACL on the s3 volume?

@xiaoyuyao , I updated the implementation. Now it will remove all the ACLs of import users from Volume first, then apply the new ACLs on Volume.

@ChenSammi ChenSammi closed this Apr 21, 2021
@ChenSammi ChenSammi reopened this Apr 21, 2021
@xiaoyuyao
Copy link
Contributor

xiaoyuyao commented Apr 27, 2021

Thanks @ChenSammi for the update. The latest change LGTM. +1. I will merge the PR if no further comments by EOD today.

@xiaoyuyao xiaoyuyao merged commit 66a411b into apache:master Apr 28, 2021
errose28 added a commit to errose28/ozone that referenced this pull request May 4, 2021
@errose28
Merge remote-tracking branch 'upstream/master' into HDDS-3698-nonroll…
253cc55 
…ing-upgrade-master-merge2

* upstream/master: (56 commits)
  HDDS-2212. Genconf tool should generate config files for secure clust… (apache#1788)
  HDDS-5166. Remove duplicate assignment of OZONE_OPTS for freon and sh (apache#2195)
  Revert "HDDS-5144. Create github check to alert when dependency tree is changed (apache#2177)"
  HDDS-4983. Display key offset for each block in command key info (apache#2051)
  HDDS-5144. Create github check to alert when dependency tree is changed (apache#2177)
  HDDS-4585. Support bucket acl operation in S3g (apache#1701)
  HDDS-5153. Decommissioning a dead node should complete immediately (apache#2190)
  HDDS-5147. Intermittent test failure in TestContainerDeletionChoosingPolicy#testRandomChoosingPolicy (apache#2188)
  HDDS-5152. Fix Suggested leader in Client. (apache#2189)
  HDDS-5148. Bump ratis version to 2.1.0-ff8aa66-SNAPSHOT (apache#2184)
  HDDS-4515. Datanodes should be able to persist and load CRL (apache#2181)
  HDDS-5060. [SCM HA Security] Make InterSCM grpc channel secure. (apache#2187)
  HDDS-5051. Ensure failover to suggested leader if any for NotLeaderException. (apache#2141)
  HDDS-5127. Fix getServiceList when SCM HA is enabled (apache#2173)
  HDDS-4889. Add simple CI check for docs (apache#2156)
  HDDS-5131. Use timeout in github actions (apache#2176)
  HDDS-5103. Fix Install Snapshot Mechanism in SCMStateMachine. (apache#2155)
  HDDS-5124. Use OzoneConsts.OZONE_TIME_ZONE instead of "GMT" (apache#2166)
  HDDS-5047. Refactor Pipeline to use ReplicationConfig instead of factor/type (apache#2096)
  HDDS-5083. Bump version of common-compress (apache#2139)
  ...

Conflicts:
	hadoop-hdds/common/pom.xml
	hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java
	hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConsts.java
	hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java
	hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/node/SCMNodeManager.java
	hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/pipeline/PipelineManager.java
	hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMStorageConfig.java
	hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
	hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/node/TestSCMNodeManager.java
	hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/MiniOzoneClusterImpl.java
	hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMStorage.java
	hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
	hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/scm/ReconStorageContainerManagerFacade.java
@ChenSammi
Copy link
Contributor Author

ChenSammi commented May 6, 2021

Thanks @xiaoyuyao for the code review.

errose28 added a commit to errose28/ozone that referenced this pull request May 13, 2021
@errose28
Merge branch 'HDDS-3698-nonrolling-upgrade' into HDDS-5138-admin-chec…
080019b 
…k-in-auth

* HDDS-3698-nonrolling-upgrade: (57 commits)
  Fix compilation errors afte merge Update javassist in recon pom Fix changes introduced in merge that failed TestSCMNodeManager upgrade tests Fix checkstyle Fix intermittent test failure TestSCMNodeManager#testSetNodeOpStateAndCommandFired after merge Skip scm init default layout version in TestOzoneConfigurationFields
  HDDS-2212. Genconf tool should generate config files for secure clust… (apache#1788)
  HDDS-5166. Remove duplicate assignment of OZONE_OPTS for freon and sh (apache#2195)
  Revert "HDDS-5144. Create github check to alert when dependency tree is changed (apache#2177)"
  HDDS-4983. Display key offset for each block in command key info (apache#2051)
  HDDS-5144. Create github check to alert when dependency tree is changed (apache#2177)
  HDDS-4585. Support bucket acl operation in S3g (apache#1701)
  HDDS-5153. Decommissioning a dead node should complete immediately (apache#2190)
  HDDS-5147. Intermittent test failure in TestContainerDeletionChoosingPolicy#testRandomChoosingPolicy (apache#2188)
  HDDS-5152. Fix Suggested leader in Client. (apache#2189)
  HDDS-5148. Bump ratis version to 2.1.0-ff8aa66-SNAPSHOT (apache#2184)
  HDDS-4515. Datanodes should be able to persist and load CRL (apache#2181)
  HDDS-5060. [SCM HA Security] Make InterSCM grpc channel secure. (apache#2187)
  HDDS-5051. Ensure failover to suggested leader if any for NotLeaderException. (apache#2141)
  HDDS-5127. Fix getServiceList when SCM HA is enabled (apache#2173)
  HDDS-4889. Add simple CI check for docs (apache#2156)
  HDDS-5131. Use timeout in github actions (apache#2176)
  HDDS-5103. Fix Install Snapshot Mechanism in SCMStateMachine. (apache#2155)
  HDDS-5124. Use OzoneConsts.OZONE_TIME_ZONE instead of "GMT" (apache#2166)
  HDDS-5047. Refactor Pipeline to use ReplicationConfig instead of factor/type (apache#2096)
  ...
kerneltime pushed a commit to kerneltime/ozone that referenced this pull request Aug 25, 2021
@ChenSammi @kerneltime
HDDS-4585. Support bucket acl operation in S3g (apache#1701)
780cd16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xiaoyuyao xiaoyuyao xiaoyuyao left review comments

@prashantpogde prashantpogde prashantpogde left review comments

@elek elek Awaiting requested review from elek

@bharatviswa504 bharatviswa504 Awaiting requested review from bharatviswa504

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ChenSammi @adoroszlai @xiaoyuyao @prashantpogde