HDDS-1796. Add admin access check for write opertaions in SCMClientProtocolServer and SCMBlockProtocolServer.

hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMBlockProtocolServer.java

@@ -70,6 +70,8 @@
 import static org.apache.hadoop.hdds.scm.server.StorageContainerManager.startRpcServer;
 import static org.apache.hadoop.hdds.server.ServerUtils.getRemoteUserName;
 import static org.apache.hadoop.hdds.server.ServerUtils.updateRPCListenAddress;
+import static org.apache.hadoop.hdds.utils.HddsServerUtil.getRemoteUser;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -177,6 +179,7 @@ public List<AllocatedBlock> allocateBlock(
       ReplicationConfig replicationConfig,
       String owner, ExcludeList excludeList
   ) throws IOException {
+    scm.checkAdminAccess(getRemoteUser(), false);
     Map<String, String> auditMap = Maps.newHashMap();
     auditMap.put("size", String.valueOf(size));
     auditMap.put("num", String.valueOf(num));
@@ -229,6 +232,7 @@ public List<AllocatedBlock> allocateBlock(
   @Override
   public List<DeleteBlockGroupResult> deleteKeyBlocks(
       List<BlockGroup> keyBlocksInfoList) throws IOException {
+    scm.checkAdminAccess(getRemoteUser(), false);
     if (LOG.isDebugEnabled()) {
       LOG.debug("SCM is informed by OM to delete {} blocks",
           keyBlocksInfoList.size());
@@ -305,6 +309,7 @@ public ScmInfo getScmInfo() throws IOException {
 
   @Override
   public boolean addSCM(AddSCMRequest request) throws IOException {
+    scm.checkAdminAccess(getRemoteUser(), false);
     LOG.debug("Adding SCM {} addr {} cluster id {}",
         request.getScmId(), request.getRatisAddr(), request.getClusterId());
 
@@ -332,7 +337,7 @@ public boolean addSCM(AddSCMRequest request) throws IOException {
 
   @Override
   public List<DatanodeDetails> sortDatanodes(List<String> nodes,
-      String clientMachine) throws IOException {
+      String clientMachine) {
     boolean auditSuccess = true;
     try {
       NodeManager nodeManager = scm.getScmNodeManager();

hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMClientProtocolServer.java

@@ -300,8 +300,6 @@ private ContainerWithPipeline getContainerWithPipelineCommon(
   @Override
   public ContainerWithPipeline getContainerWithPipeline(long containerID)
       throws IOException {
-    getScm().checkAdminAccess(null, true);
-
     try {
       ContainerWithPipeline cp = getContainerWithPipelineCommon(containerID);
       AUDIT.logReadSuccess(buildAuditMessageForSuccess(
@@ -344,8 +342,6 @@ public List<HddsProtos.SCMContainerReplicaProto> getContainerReplicas(
   @Override
   public List<ContainerWithPipeline> getContainerWithPipelineBatch(
       Iterable<? extends Long> containerIDs) throws IOException {
-    getScm().checkAdminAccess(null, true);
-
     List<ContainerWithPipeline> cpList = new ArrayList<>();
 
     StringBuilder strContainerIDs = new StringBuilder();
@@ -364,7 +360,6 @@ public List<ContainerWithPipeline> getContainerWithPipelineBatch(
       }
     }
 
-
     AUDIT.logReadSuccess(buildAuditMessageForSuccess(
         SCMAction.GET_CONTAINER_WITH_PIPELINE_BATCH,
         Collections.singletonMap("containerIDs", strContainerIDs.toString())));
@@ -382,6 +377,7 @@ public List<ContainerWithPipeline> getExistContainerWithPipelinesInBatch(
         cpList.add(cp);
       } catch (IOException ex) {
         //not found , just go ahead
+        LOG.error("Container with common pipeline not found: {}", ex);
       }
     }
     return cpList;
@@ -595,7 +591,6 @@ public List<HddsProtos.Node> queryNode(
       HddsProtos.NodeOperationalState opState, HddsProtos.NodeState state,
       HddsProtos.QueryScope queryScope, String poolName, int clientVersion)
       throws IOException {
-
     if (queryScope == HddsProtos.QueryScope.POOL) {
       throw new IllegalArgumentException("Not Supported yet");
     }
@@ -656,6 +651,7 @@ public List<DatanodeAdminError> startMaintenanceNodes(List<String> nodes,
 
   @Override
   public void closeContainer(long containerID) throws IOException {
+    getScm().checkAdminAccess(getRemoteUser(), false);
     final UserGroupInformation remoteUser = getRemoteUser();
     final Map<String, String> auditMap = Maps.newHashMap();
     auditMap.put("containerID", String.valueOf(containerID));
@@ -684,6 +680,7 @@ public void closeContainer(long containerID) throws IOException {
   public Pipeline createReplicationPipeline(HddsProtos.ReplicationType type,
       HddsProtos.ReplicationFactor factor, HddsProtos.NodePool nodePool)
       throws IOException {
+    getScm().checkAdminAccess(getRemoteUser(), false);
     Map<String, String> auditMap = Maps.newHashMap();
     if (type != null) {
       auditMap.put("replicationType", type.toString());
@@ -731,6 +728,7 @@ public void activatePipeline(HddsProtos.PipelineID pipelineID)
     Map<String, String> auditMap = Maps.newHashMap();
     auditMap.put("pipelineID", pipelineID.getId());
     try {
+      getScm().checkAdminAccess(getRemoteUser(), false);
       scm.getPipelineManager().activatePipeline(
           PipelineID.getFromProtobuf(pipelineID));
       AUDIT.logWriteSuccess(buildAuditMessageForSuccess(
@@ -963,9 +961,7 @@ public boolean getReplicationManagerStatus() {
   }
 
   @Override
-  public ReplicationManagerReport getReplicationManagerReport()
-      throws IOException {
-    getScm().checkAdminAccess(getRemoteUser(), true);
+  public ReplicationManagerReport getReplicationManagerReport() {
     AUDIT.logReadSuccess(buildAuditMessageForSuccess(
         SCMAction.GET_REPLICATION_MANAGER_REPORT, null));
     return scm.getReplicationManager().getContainerReport();
@@ -1328,6 +1324,7 @@ public DecommissionScmResponseProto decommissionScm(
         DecommissionScmResponseProto.newBuilder();
 
     try {
+      getScm().checkAdminAccess(getRemoteUser(), false);
       decommissionScmResponseBuilder
           .setSuccess(scm.removePeerFromHARing(scmId));
     } catch (IOException ex) {

hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config

@@ -47,7 +47,8 @@ OZONE-SITE.XML_ozone.recon.address=recon:9891
 OZONE-SITE.XML_ozone.security.enabled=true
 OZONE-SITE.XML_ozone.acl.enabled=true
 OZONE-SITE.XML_ozone.acl.authorizer.class=org.apache.hadoop.ozone.security.acl.OzoneNativeAuthorizer
-OZONE-SITE.XML_ozone.administrators="testuser,recon"
+OZONE-SITE.XML_ozone.administrators="testuser,recon,om"
+OZONE-SITE.XML_ozone.s3.administrators="testuser,recon,om"
 OZONE-SITE.XML_ozone.recon.administrators="testuser2"
 OZONE-SITE.XML_ozone.s3.administrators="testuser,s3g"
 

hadoop-ozone/dist/src/main/smoketest/admincli/container.robot

@@ -95,3 +95,6 @@ Cannot close container without admin privilege
 
 Cannot create container without admin privilege
     Requires admin privilege    ozone admin container create
+
+Reset user
+    Run Keyword if      '${SECURITY_ENABLED}' == 'true'     Kinit test user     testuser     testuser.keytab