in hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneNativeAuthorizer.java [87:190]
/**
 * Decides whether the caller described by {@code context} may exercise
 * {@code context.getAclRights()} on {@code ozObject}.
 *
 * <p>Rules are evaluated in this order; the first one that applies decides:
 * <ol>
 *   <li>Callers accepted by {@code adminCheck} are always allowed.</li>
 *   <li>Callers accepted by {@code readOnlyAdminCheck} are allowed for
 *       READ, READ_ACL and LIST.</li>
 *   <li>LIST on the root volume is decided solely by
 *       {@link #getAllowListAllVolumes()}, not by any object ACL.</li>
 *   <li>VOLUME: CREATE is denied (admins already returned above); otherwise
 *       the owner named in the context, or the volume ACL, grants access.</li>
 *   <li>BUCKET / KEY / PREFIX: the owner named in the context is allowed
 *       outright; otherwise the object's own ACL (skipped for CREATE, since
 *       the object does not exist yet) and every enclosing object's ACL must
 *       all pass. Enclosing objects are checked with the parent right from
 *       {@code OzoneAclUtils.getParentNativeAcl}, except the volume of a key
 *       or prefix, which is always checked for READ.</li>
 * </ol>
 *
 * @param ozObject the object being accessed; must be an {@link OzoneObjInfo}
 * @param context caller identity, client address and the requested right
 * @return {@code true} if access is granted, {@code false} otherwise
 * @throws OMException with {@code INVALID_REQUEST} when {@code ozObject} is
 *     not an {@link OzoneObjInfo} or its resource type is not handled here
 */
public boolean checkAccess(IOzoneObj ozObject, RequestContext context)
    throws OMException {
  Objects.requireNonNull(ozObject);
  Objects.requireNonNull(context);

  if (!(ozObject instanceof OzoneObjInfo)) {
    throw new OMException("Unexpected input received. OM native acls are "
        + "configured to work with OzoneObjInfo type only.", INVALID_REQUEST);
  }
  final OzoneObjInfo obj = (OzoneObjInfo) ozObject;
  final ACLType requested = context.getAclRights();
  final boolean creating = requested == ACLType.CREATE;

  // Administrators bypass every ACL check.
  if (adminCheck.test(context.getClientUgi())) {
    return true;
  }
  // Read-only administrators bypass only the read-style checks.
  if (readOnlyAdminCheck.test(context.getClientUgi())
      && isReadOnlyRight(requested)) {
    return true;
  }

  final boolean owner = isOwner(context.getClientUgi(), context.getOwnerName());

  // Listing every volume is a cluster-wide operation, gated by a single
  // configuration switch rather than by any object's ACL.
  if (requested == ACLType.LIST
      && obj.getVolumeName().equals(OzoneConsts.OZONE_ROOT)) {
    return getAllowListAllVolumes();
  }

  // Right that the immediate parent must grant for the requested operation.
  final ACLType parentRight = OzoneAclUtils.getParentNativeAcl(
      requested, obj.getResourceType());
  final RequestContext parentCtx = withRight(context, parentRight);
  // A key or prefix operation always reads its enclosing volume.
  final RequestContext volumeCtx = withRight(context, ACLType.READ);

  switch (obj.getResourceType()) {
  case VOLUME:
    LOG.trace("Checking access for volume: {}", obj);
    // Volume creation (and listing all volumes) is reserved for admins.
    return !creating && (owner || volumeManager.checkAccess(obj, context));

  case BUCKET:
    LOG.trace("Checking access for bucket: {}", obj);
    // The owner named in the context (volume owner) needs no further check.
    if (owner) {
      return true;
    }
    // On CREATE the bucket does not exist yet, so only its parent is consulted.
    if (!creating && !bucketManager.checkAccess(obj, context)) {
      return false;
    }
    return volumeManager.checkAccess(obj, parentCtx);

  case KEY:
    LOG.trace("Checking access for Key: {}", obj);
    if (owner) {
      return true;
    }
    // On CREATE the key does not exist yet, so only its ancestors are consulted.
    if (!creating && !keyManager.checkAccess(obj, context)) {
      return false;
    }
    return prefixManager.checkAccess(obj, parentCtx)
        && bucketManager.checkAccess(obj, parentCtx)
        && volumeManager.checkAccess(obj, volumeCtx);

  case PREFIX:
    LOG.trace("Checking access for Prefix: {}", obj);
    if (owner) {
      return true;
    }
    // On CREATE the prefix does not exist yet, so only its ancestors are consulted.
    if (!creating && !prefixManager.checkAccess(obj, context)) {
      return false;
    }
    return bucketManager.checkAccess(obj, parentCtx)
        && volumeManager.checkAccess(obj, volumeCtx);

  default:
    throw new OMException("Unexpected object type:" + obj.getResourceType(),
        INVALID_REQUEST);
  }
}

/**
 * Rights that a read-only administrator may exercise without any ACL check.
 * Uses {@code ==} so that a {@code null} right is simply not matched.
 *
 * @param right the requested right, possibly {@code null}
 * @return {@code true} for READ, READ_ACL and LIST
 */
private static boolean isReadOnlyRight(ACLType right) {
  return right == ACLType.READ
      || right == ACLType.READ_ACL
      || right == ACLType.LIST;
}

/**
 * Builds a context carrying the same caller identity, address and ACL type
 * as {@code context} but requesting {@code right} instead.
 *
 * @param context the original request context
 * @param right the right to request on the derived context
 * @return a new context for checking an enclosing object
 */
private static RequestContext withRight(RequestContext context, ACLType right) {
  return RequestContext.newBuilder()
      .setClientUgi(context.getClientUgi())
      .setIp(context.getIp())
      .setAclType(context.getAclType())
      .setAclRights(right)
      .build();
}