Skip to content

HDDS-13855. Move ACL check to preExecute in Volume, Bucket and Keys requests #9297

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ss77892 wants to merge 2 commits into from
Closed

HDDS-13855. Move ACL check to preExecute in Volume, Bucket and Keys requests #9297

ss77892 wants to merge 2 commits into from

Conversation

@ss77892
Copy link
Contributor

@ss77892 ss77892 commented Nov 14, 2025
edited by ivandika3
Loading

What changes were proposed in this pull request?

HDDS-13855. Move ACL check in Volume, Bucket and Keys requests to preexecute.

Please describe your PR in detail:
We are moving ACL checks from the validate cache method to the pre-execute stage to avoid multiple executions on all Ratis nodes.

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-13855

How was this patch tested?

Manual tests, UT

@ivandika3 ivandika3 requested a review from swamirishi November 15, 2025 03:30
sarvekshayr
sarvekshayr reviewed Nov 17, 2025
View reviewed changes
Copy link
Contributor

@sarvekshayr sarvekshayr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @ss77892 for the patch.

Just wanted to clarify one thing around the ACL handling in OMKeysDeleteRequest and OMKeysRenameRequest.

In the new implementation, the logic throws an exception on the first ACL failure.
In the old implementation, ACL failures were collected per key, allowing partial success.

Is this change in behaviour intentional? Should the request fail immediately on the first ACL violation?

.../ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeysRenameRequest.java Outdated
Comment on lines 116 to 119
auditMap.put("volume", resolvedVolume);
auditMap.put("bucket", resolvedBucket);
auditMap.put("fromKey", fromKeyName);
auditMap.put("toKey", toKeyName);
Copy link
Contributor

@sarvekshayr sarvekshayr Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To keep the audit map keys consistent across the codebase, can we avoid hardcoding here?
We should either use the existing constants or add new ones if needed for consistency.

@adoroszlai adoroszlai changed the title HDDS-13855. Move ACL check in Volume, Bucket and Keys requests to preexecute. HDDS-13855. Move ACL check to preExecute in Volume, Bucket and Keys requests Nov 17, 2025
@swamirishi
Copy link
Contributor

swamirishi commented Nov 17, 2025

@yandrey321 Can you take a look at this change?

adoroszlai
adoroszlai reviewed Dec 7, 2025
View reviewed changes
...tion-test/src/test/java/org/apache/hadoop/ozone/om/TestOMHALeaderSpecificACLEnforcement.java
// Add test user as admin on current leader
OzoneManager currentLeader = cluster.getOMLeader();
addAdminToSpecificOM(currentLeader, TEST_USER);
assertTrue(currentLeader.getOmAdminUsernames().contains(TEST_USER));
Copy link
Contributor

@adoroszlai adoroszlai Dec 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: please use assertThat(...).contains(...) for better assertion failure message. Similarly, doesNotContain(...) instead of assertFalse(...).

...e-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeDeleteRequest.java
super.preExecute(ozoneManager);
DeleteVolumeRequest deleteVolumeRequest =
getOmRequest().getDeleteVolumeRequest();
Preconditions.checkNotNull(deleteVolumeRequest);
Copy link
Contributor

@adoroszlai adoroszlai Dec 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: prefer JDK's Objects.requireNonNull

Suggested change
Preconditions.checkNotNull(deleteVolumeRequest);
Objects.requireNonNull(deleteVolumeRequest);

@github-actions
Copy link

github-actions bot commented Dec 29, 2025

This PR has been marked as stale due to 21 days of inactivity. Please comment or remove the stale label to keep it open. Otherwise, it will be automatically closed in 7 days.

@github-actions github-actions bot added the stale label Dec 29, 2025
@github-actions
Copy link

github-actions bot commented Jan 5, 2026

Thank you for your contribution. This PR is being closed due to inactivity. If needed, feel free to reopen it.

@github-actions github-actions bot closed this Jan 5, 2026
@ss77892 ss77892 mentioned this pull request Jan 20, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adoroszlai adoroszlai adoroszlai left review comments

@sarvekshayr sarvekshayr sarvekshayr left review comments

@swamirishi swamirishi Awaiting requested review from swamirishi

Assignees

No one assigned

Labels

stale

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ss77892 @swamirishi @adoroszlai @sarvekshayr