From 36ea14527a453be51f127251707cf65f95171814 Mon Sep 17 00:00:00 2001
From: Zita Dombi
Date: Wed, 21 Sep 2022 16:13:36 +0200
Subject: [PATCH 1/2] Removed if condition in order to trigger ACL check everytime.
Change-Id: I48d7d60c84bdf73ac2101c1dd711cad2badfe5b2
---
 .../java/org/apache/hadoop/ozone/om/OzoneManager.java | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
index baaa9f93692c..1a194602ddaf 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
@@ -2709,12 +2709,9 @@ public List listAllVolumes(String prefix, String prevKey, int
 auditMap.put(OzoneConsts.USERNAME, null);
 try {
 metrics.incNumVolumeLists();
- if (!allowListAllVolumes) {
- // Only admin can list all volumes when disallowed in config
- if (isAclEnabled) {
- checkAcls(ResourceType.VOLUME, StoreType.OZONE, ACLType.LIST,
- OzoneConsts.OZONE_ROOT, null, null);
- }
+ if (isAclEnabled) {
+ checkAcls(ResourceType.VOLUME, StoreType.OZONE, ACLType.LIST,
+ OzoneConsts.OZONE_ROOT, null, null);
 }
 return volumeManager.listVolumes(null, prefix, prevKey, maxKeys);
 } catch (Exception ex) {
From c71f7383f93de14fd38308e59cfe347fdbd41943 Mon Sep 17 00:00:00 2001
From: Zita Dombi
Date: Wed, 21 Sep 2022 16:14:09 +0200
Subject: [PATCH 2/2] Changed ozone.om.volume.listall.allowed description accordingly.
Change-Id: I06ef015cf06b7b5382f1df481886e95c74d64abb
---
 hadoop-hdds/common/src/main/resources/ozone-default.xml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/hadoop-hdds/common/src/main/resources/ozone-default.xml b/hadoop-hdds/common/src/main/resources/ozone-default.xml
index 0ca1359cdcfd..4ebef89f7551 100644
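Review bot: The new unconditional `if (isAclEnabled)` check drops the only comment that explained what `ozone.om.volume.listall.allowed` controls, and `allowListAllVolumes` is no longer read anywhere in this hunk, so a reader cannot tell from the code where that setting is still honoured. I would put a why-comment above the check, `// Always ask the authorizer for LIST on the root volume; ozone.om.volume.listall.allowed is applied by the native authorizer, not here.` — the second patch's description suggests that is the design, but the authorizer is not visible from this hunk, so confirm the wording against it. If nothing else in OzoneManager reads `allowListAllVolumes` after this change, the field is dead and should be removed rather than left as a misleading knob. Worth stating in the commit message, not only in ozone-default.xml, that under a non-native authorizer with the default `allowListAllVolumes=true` non-admin callers who previously listed all volumes with no check will now be denied until a root-volume LIST policy exists. listAllVolumes begins before this hunk and its catch block continues after it.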
--- a/hadoop-hdds/common/src/main/resources/ozone-default.xml
+++ b/hadoop-hdds/common/src/main/resources/ozone-default.xml
@@ -608,7 +608,11 @@
 Allows everyone to list all volumes when set to true. Defaults to true.
 When set to false, non-admin users can only list the volumes they have
- access to. Admins can always list all volumes.
+ access to. Admins can always list all volumes. Note that this config
+ only applies to OzoneNativeAuthorizer. For other authorizers, admin
+ needs to set policies accordingly to allow all volume listing
+ e.g. for Ranger, a new policy with special volume "/" can be added to
+ allow group public LIST access.