HDDS-1796. Add admin access check for write opertaions in SCMClientProtocolServer and SCMBlockProtocolServer. #5203
Conversation
…eck for admin access.
| @Override | ||
| public List<DatanodeDetails> sortDatanodes(List<String> nodes, | ||
| String clientMachine) throws IOException { | ||
| scm.checkAdminAccess(getRemoteUser(), false); |
There was a problem hiding this comment.
sortDatanodes is kind of a read operation, it doesn't change the in memory or persist state of pipeline.
There was a problem hiding this comment.
Thanks @ChenSammi for review. I understood and handled the comment. Pls re-review.
|
@devmadhuu , the overall patch looks good. |
…eck for admin access.
|
Secure acceptance tests are failing, likely because OM user is not an SCM admin. What is the best way to resolve this? |
|
Good question. We have property "ozone.administrators" and "ozone.administrators.groups" for Ozone administrator configuration. There properties cover both OM and SCM. I didn't check how the unit is failed. In a real Ozone cluster, if OM and SCM are lauched by same user, then it will be fine. If different users are used to lauch OM and SCM, we requires end user to explictily include the user who launch OM in "ozone.administrators", or the user group in "ozone.administrators.groups", otherwise the request from OM will be rejected by SCM. |
@errose28 Thanks for pointing out, As per @ChenSammi suggested to have specified admin user under "ozone.administrators" config based on test case, it can be handled, but I have noticed that few robot acceptance test cases are expecting for permission denied and if I specify admin user , those failed with message "'[ ]' does not contain 'PERMISSION_DENIED'", but since we have only docker-config where "ozone.administrators" config can be added, so positive test cases passes, but negative test cases fails. Any suggestion how to handle this ? |
Is it available to use other users which are not included in "ozone.administrators" to run the test which expects a PERMISSION_DENIED? |
I have resolved and able to successfully run all secure acceptance test cases now, however below 2 test cases related to aws s3g API is still failing. 
|
Would OM admin be considered an SCM admin by default? I'm not sure we want this, but if we do not do it this way it would be a breaking change because all users would need to update their admin configs. Also it looks like acceptance tests are still failing. @devmadhuu its probably better to convert this to a draft and debug the failures on your fork until CI is green. |
@errose28 , currently the "ozone.administrators" applies to both OM and SCM. There is no individual property to control OM or SCM admins. And both OM and SCM will add the user who launches the services as admin. Usually, the user who launches OM, will launches SCM too, so it will not be a general problem. |
|
Should we handle other file integration tests failing in this PR as part of other JIRA/PR ? For intermittent failures in integration tests of this PR, it will be handled as part of other PR, as many other integration tests fails intermittently. If all is Ok in this PR, pls have a re-look. |
file integration test failing can be handled with a new JIRA. |
|
@ChenSammi Thank you for detailed review, As discussed, have removed checkAdminAccess for following SCM APIs:
Pls have a re-look |
|
|
||
| public List<DeletedBlocksTransactionInfo> getFailedDeletedBlockTxn(int count, | ||
| long startTxId) throws IOException { | ||
| getScm().checkAdminAccess(getRemoteUser(), true); |
There was a problem hiding this comment.
This check can be removed too.
There was a problem hiding this comment.
This check can be removed too.
Done.
| Can follow link with read access | ||
| Execute kdestroy | ||
| Run Keyword Kinit test user testuser2 testuser2.keytab | ||
| Run Keyword Kinit test user testuser testuser.keytab |
There was a problem hiding this comment.
Is this still needed now?
| ${result} = Execute And Ignore Error ozone sh key list ${protocol}${server}/${volume}/bb1 | ||
| Should contain ${result} PERMISSION_DENIED | ||
| Execute kdestroy | ||
| Run Keyword Kinit test user testuser2 testuser2.keytab |
There was a problem hiding this comment.
Is this still needed now?
|
@ChenSammi Handled comments, pls review. |
ChenSammi
changed the title
|
@ChenSammi @devmadhuu, In real ozone secure cluster, If remoteUser is "om" and scmAdmins is having "scm", because of this allocateBlock fails. Do we need to change any configuration? |
4 participants
What changes were proposed in this pull request?
Most of the calls to SCM are only done by the namespace layer (OzoneManager), it makes sense to make all the client-facing APIs of SCM to do Admin check. SCM should only get calls from namespace service or from admin, it cannot get direct calls from a client.
allocateBlock, deleteBlock and sortDatanodes doesn't have Admin check now. If we do Admin check for getContainerWithPipeline, we should also do the same in allocateBlock, deleteBlock and sortDatanodes.
What is the link to the Apache JIRA
https://issues.apache.org/jira/browse/HDDS-1796
How was this patch tested?
This patch is tested with existing Junit test cases of all the updated client facing APIs of SCM.