@@ -606,16 +606,16 @@ public boolean checkAcls(ResourceType resType, StoreType storeType,
606606 .setVolumeName (vol )
607607 .setBucketName (bucket )
608608 .setKeyName (key ).build ();
609- RequestContext context = RequestContext .newBuilder ()
609+ RequestContext . Builder contextBuilder = RequestContext .newBuilder ()
610610 .setClientUgi (ugi )
611611 .setIp (remoteAddress )
612612 .setHost (hostName )
613613 .setAclType (ACLIdentityType .USER )
614614 .setAclRights (aclType )
615- .setOwnerName (owner )
616- . build ( );
615+ .setOwnerName (owner );
616+ maybeAddToContextFromThreadLocal ( contextBuilder );
617617
618- return checkAcls (obj , context , throwIfPermissionDenied );
618+ return checkAcls (obj , contextBuilder . build () , throwIfPermissionDenied );
619619 }
620620
621621 /**
@@ -628,11 +628,8 @@ public boolean checkAcls(ResourceType resType, StoreType storeType,
628628 public boolean checkAcls (OzoneObj obj , RequestContext context ,
629629 boolean throwIfPermissionDenied ) throws OMException {
630630
631- final RequestContext normalizedRequestContext = maybeAttachS3ActionFromThreadLocal (
632- maybeAttachSessionPolicyFromThreadLocal (context ));
633-
634631 if (!captureLatencyNs (perfMetrics ::setCheckAccessLatencyNs ,
635- () -> accessAuthorizer .checkAccess (obj , normalizedRequestContext ))) {
632+ () -> accessAuthorizer .checkAccess (obj , context ))) {
636633 if (throwIfPermissionDenied ) {
637634 String volumeName = obj .getVolumeName () != null ?
638635 "Volume:" + obj .getVolumeName () + " " : "" ;
@@ -642,7 +639,7 @@ public boolean checkAcls(OzoneObj obj, RequestContext context,
642639 "Key:" + obj .getKeyName () : "" ;
643640 // For STS tokens, make clear that the user is using an assumed role, otherwise the access denied
644641 // message could be confusing
645- String user = normalizedRequestContext .getClientUgi ().getShortUserName ();
642+ String user = context .getClientUgi ().getShortUserName ();
646643 final STSTokenIdentifier stsTokenIdentifier = OzoneManager .getStsTokenIdentifier ();
647644 if (stsTokenIdentifier != null ) {
648645 final StringBuilder builder = new StringBuilder (user )
@@ -655,11 +652,11 @@ public boolean checkAcls(OzoneObj obj, RequestContext context,
655652 }
656653 log .warn ("User {} doesn't have {} permission to access {} {}{}{}" ,
657654 user ,
658- normalizedRequestContext .getAclRights (),
655+ context .getAclRights (),
659656 obj .getResourceType (), volumeName , bucketName , keyName );
660657 throw new OMException (
661658 "User " + user +
662- " doesn't have " + normalizedRequestContext .getAclRights () +
659+ " doesn't have " + context .getAclRights () +
663660 " permission to access " + obj .getResourceType () + " " +
664661 volumeName + bucketName + keyName , ResultCodes .PERMISSION_DENIED );
665662 }
@@ -670,37 +667,22 @@ public boolean checkAcls(OzoneObj obj, RequestContext context,
670667 }
671668
672669 /**
673- * Attaches session policy to RequestContext if an STSTokenIdentifier is found in the Ozone Manager thread local
674- * (meaning this is an STS request), and the STSTokenIdentifier has a session policy. Otherwise, returns the
675- * RequestContext as it was before.
676- * @param context the original RequestContext
677- * @return RequestContext as before or with sessionPolicy embedded
670+ * Enriches the given {@link RequestContext.Builder} with per-request fields from the Ozone Manager
671+ * thread locals: the session policy from {@link STSTokenIdentifier} (set on STS requests) and the
672+ * S3 action from {@link S3Authentication} (set on S3 requests). Either or both may be absent, in
673+ * which case the corresponding field is left untouched on the builder.
674+ * @param contextBuilder the builder to enrich in-place
678675 */
679- private RequestContext maybeAttachSessionPolicyFromThreadLocal (RequestContext context ) {
676+ public static void maybeAddToContextFromThreadLocal (RequestContext . Builder contextBuilder ) {
680677 final STSTokenIdentifier stsTokenIdentifier = OzoneManager .getStsTokenIdentifier ();
681- if (stsTokenIdentifier = = null ) {
682- return context ;
678+ if (stsTokenIdentifier ! = null ) {
679+ contextBuilder . setSessionPolicy ( stsTokenIdentifier . getSessionPolicy ()) ;
683680 }
684681
685- return context .toBuilder ()
686- .setSessionPolicy (stsTokenIdentifier .getSessionPolicy ())
687- .build ();
688- }
689-
690- /**
691- * Attaches s3 action to RequestContext if an S3Authentication is found in the Ozone Manager thread local,
692- * and it has an s3 action. Otherwise, returns the RequestContext as it was before.
693- * @param context the original RequestContext
694- * @return RequestContext as before or with s3 action embedded
695- */
696- private RequestContext maybeAttachS3ActionFromThreadLocal (RequestContext context ) {
697682 final S3Authentication s3Authentication = OzoneManager .getS3Auth ();
698- if (s3Authentication == null || ! s3Authentication .hasS3Action ()) {
699- return context ;
683+ if (s3Authentication != null && s3Authentication .hasS3Action () && ! s3Authentication . getS3Action (). isEmpty ()) {
684+ contextBuilder . setS3Action ( s3Authentication . getS3Action ()) ;
700685 }
701- return context .toBuilder ()
702- .setS3Action (s3Authentication .getS3Action ())
703- .build ();
704686 }
705687
706688 static String getClientAddress () {
0 commit comments