Skip to content

Commit 2daec4f

Browse files
author
Fabian Morgan
committed
pr review comments for ChenSammi - combine methods that setSessionPolicy and s3Action and set them at the call sites
Generated-By: Claude Code with manual updates by me
1 parent 5868614 commit 2daec4f

3 files changed

Lines changed: 23 additions & 40 deletions

File tree

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmMetadataReader.java

Lines changed: 18 additions & 36 deletions
Original file line numberDiff line numberDiff line change
@@ -606,16 +606,16 @@ public boolean checkAcls(ResourceType resType, StoreType storeType,
606606
.setVolumeName(vol)
607607
.setBucketName(bucket)
608608
.setKeyName(key).build();
609-
RequestContext context = RequestContext.newBuilder()
609+
RequestContext.Builder contextBuilder = RequestContext.newBuilder()
610610
.setClientUgi(ugi)
611611
.setIp(remoteAddress)
612612
.setHost(hostName)
613613
.setAclType(ACLIdentityType.USER)
614614
.setAclRights(aclType)
615-
.setOwnerName(owner)
616-
.build();
615+
.setOwnerName(owner);
616+
maybeAddToContextFromThreadLocal(contextBuilder);
617617

618-
return checkAcls(obj, context, throwIfPermissionDenied);
618+
return checkAcls(obj, contextBuilder.build(), throwIfPermissionDenied);
619619
}
620620

621621
/**
@@ -628,11 +628,8 @@ public boolean checkAcls(ResourceType resType, StoreType storeType,
628628
public boolean checkAcls(OzoneObj obj, RequestContext context,
629629
boolean throwIfPermissionDenied) throws OMException {
630630

631-
final RequestContext normalizedRequestContext = maybeAttachS3ActionFromThreadLocal(
632-
maybeAttachSessionPolicyFromThreadLocal(context));
633-
634631
if (!captureLatencyNs(perfMetrics::setCheckAccessLatencyNs,
635-
() -> accessAuthorizer.checkAccess(obj, normalizedRequestContext))) {
632+
() -> accessAuthorizer.checkAccess(obj, context))) {
636633
if (throwIfPermissionDenied) {
637634
String volumeName = obj.getVolumeName() != null ?
638635
"Volume:" + obj.getVolumeName() + " " : "";
@@ -642,7 +639,7 @@ public boolean checkAcls(OzoneObj obj, RequestContext context,
642639
"Key:" + obj.getKeyName() : "";
643640
// For STS tokens, make clear that the user is using an assumed role, otherwise the access denied
644641
// message could be confusing
645-
String user = normalizedRequestContext.getClientUgi().getShortUserName();
642+
String user = context.getClientUgi().getShortUserName();
646643
final STSTokenIdentifier stsTokenIdentifier = OzoneManager.getStsTokenIdentifier();
647644
if (stsTokenIdentifier != null) {
648645
final StringBuilder builder = new StringBuilder(user)
@@ -655,11 +652,11 @@ public boolean checkAcls(OzoneObj obj, RequestContext context,
655652
}
656653
log.warn("User {} doesn't have {} permission to access {} {}{}{}",
657654
user,
658-
normalizedRequestContext.getAclRights(),
655+
context.getAclRights(),
659656
obj.getResourceType(), volumeName, bucketName, keyName);
660657
throw new OMException(
661658
"User " + user +
662-
" doesn't have " + normalizedRequestContext.getAclRights() +
659+
" doesn't have " + context.getAclRights() +
663660
" permission to access " + obj.getResourceType() + " " +
664661
volumeName + bucketName + keyName, ResultCodes.PERMISSION_DENIED);
665662
}
@@ -670,37 +667,22 @@ public boolean checkAcls(OzoneObj obj, RequestContext context,
670667
}
671668

672669
/**
673-
* Attaches session policy to RequestContext if an STSTokenIdentifier is found in the Ozone Manager thread local
674-
* (meaning this is an STS request), and the STSTokenIdentifier has a session policy. Otherwise, returns the
675-
* RequestContext as it was before.
676-
* @param context the original RequestContext
677-
* @return RequestContext as before or with sessionPolicy embedded
670+
* Enriches the given {@link RequestContext.Builder} with per-request fields from the Ozone Manager
671+
* thread locals: the session policy from {@link STSTokenIdentifier} (set on STS requests) and the
672+
* S3 action from {@link S3Authentication} (set on S3 requests). Either or both may be absent, in
673+
* which case the corresponding field is left untouched on the builder.
674+
* @param contextBuilder the builder to enrich in-place
678675
*/
679-
private RequestContext maybeAttachSessionPolicyFromThreadLocal(RequestContext context) {
676+
public static void maybeAddToContextFromThreadLocal(RequestContext.Builder contextBuilder) {
680677
final STSTokenIdentifier stsTokenIdentifier = OzoneManager.getStsTokenIdentifier();
681-
if (stsTokenIdentifier == null) {
682-
return context;
678+
if (stsTokenIdentifier != null) {
679+
contextBuilder.setSessionPolicy(stsTokenIdentifier.getSessionPolicy());
683680
}
684681

685-
return context.toBuilder()
686-
.setSessionPolicy(stsTokenIdentifier.getSessionPolicy())
687-
.build();
688-
}
689-
690-
/**
691-
* Attaches s3 action to RequestContext if an S3Authentication is found in the Ozone Manager thread local,
692-
* and it has an s3 action. Otherwise, returns the RequestContext as it was before.
693-
* @param context the original RequestContext
694-
* @return RequestContext as before or with s3 action embedded
695-
*/
696-
private RequestContext maybeAttachS3ActionFromThreadLocal(RequestContext context) {
697682
final S3Authentication s3Authentication = OzoneManager.getS3Auth();
698-
if (s3Authentication == null || !s3Authentication.hasS3Action()) {
699-
return context;
683+
if (s3Authentication != null && s3Authentication.hasS3Action() && !s3Authentication.getS3Action().isEmpty()) {
684+
contextBuilder.setS3Action(s3Authentication.getS3Action());
700685
}
701-
return context.toBuilder()
702-
.setS3Action(s3Authentication.getS3Action())
703-
.build();
704686
}
705687

706688
static String getClientAddress() {

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -2891,16 +2891,16 @@ public boolean checkAcls(ResourceType resType, StoreType storeType,
28912891
.setVolumeName(vol)
28922892
.setBucketName(bucket)
28932893
.setKeyName(key).build();
2894-
RequestContext context = RequestContext.newBuilder()
2894+
RequestContext.Builder contextBuilder = RequestContext.newBuilder()
28952895
.setClientUgi(ugi)
28962896
.setIp(remoteAddress)
28972897
.setHost(hostName)
28982898
.setAclType(ACLIdentityType.USER)
28992899
.setAclRights(aclType)
2900-
.setOwnerName(owner)
2901-
.build();
2900+
.setOwnerName(owner);
2901+
OmMetadataReader.maybeAddToContextFromThreadLocal(contextBuilder);
29022902

2903-
return omMetadataReader.checkAcls(obj, context, throwIfPermissionDenied);
2903+
return omMetadataReader.checkAcls(obj, contextBuilder.build(), throwIfPermissionDenied);
29042904
}
29052905

29062906
/**

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/OMClientRequest.java

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -385,6 +385,7 @@ protected void checkACLsWithFSO(OzoneManager ozoneManager, String volumeName,
385385
OmMetadataReader omMetadataReader =
386386
(OmMetadataReader) rcMetadataReader.get();
387387

388+
OmMetadataReader.maybeAddToContextFromThreadLocal(contextBuilder);
388389
omMetadataReader.checkAcls(obj, contextBuilder.build(), true);
389390
}
390391
}

0 commit comments

Comments
 (0)