ACL requests with FSO refactored

Author: ss77892

hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOMHALeaderSpecificACLEnforcement.java

@@ -43,6 +43,7 @@
 import org.apache.hadoop.hdds.utils.IOUtils;
 import org.apache.hadoop.ozone.MiniOzoneCluster;
 import org.apache.hadoop.ozone.MiniOzoneHAClusterImpl;
+import org.apache.hadoop.ozone.OzoneAcl;
 import org.apache.hadoop.ozone.client.BucketArgs;
 import org.apache.hadoop.ozone.client.ObjectStore;
 import org.apache.hadoop.ozone.client.OzoneBucket;
@@ -56,6 +57,8 @@
 import org.apache.hadoop.ozone.om.helpers.BucketLayout;
 import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer;
 import org.apache.hadoop.ozone.security.acl.OzoneNativeAuthorizer;
+import org.apache.hadoop.ozone.security.acl.OzoneObj;
+import org.apache.hadoop.ozone.security.acl.OzoneObjInfo;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.ozone.test.GenericTestUtils;
 import org.junit.jupiter.api.AfterAll;
@@ -857,6 +860,132 @@ public void testKeysRenameAclEnforcementAfterLeadershipChange() throws Exception
     assertEquals(OMException.ResultCodes.KEY_NOT_FOUND, ex2.getResult());
   }
 
+  /**
+   * Tests that key ACL operations (addAcl, removeAcl, setAcl) are enforced in preExecute
+   * and are leader-specific. Uses FILE_SYSTEM_OPTIMIZED bucket layout.
+   *
+   * <p>This test verifies that ACL operations on keys work correctly across leadership changes:
+   * <ul>
+   *   <li>Admin user can modify ACLs on any key when they're admin on the current leader</li>
+   *   <li>Admin user cannot modify ACLs after leadership transfer to a node where they're not admin</li>
+   *   <li>ACL checks happen in preExecute phase before any transaction execution</li>
+   * </ul>
+   */
+  @Test
+  public void testKeyAclOperationsEnforcementAfterLeadershipChangeWithFSO() throws Exception {
+    ObjectStore adminObjectStore = client.getObjectStore();
+    String testVolume = "keyaclvol-" +
+        RandomStringUtils.secure().nextAlphabetic(5).toLowerCase(Locale.ROOT);
+    String testBucket = "keyaclbucket-" +
+        RandomStringUtils.secure().nextAlphabetic(5).toLowerCase(Locale.ROOT);
+    String keyName = "keyacl-" +
+        RandomStringUtils.secure().nextAlphabetic(5).toLowerCase(Locale.ROOT);
+
+    // Step 1: Create volume, bucket with FSO layout, and key as admin
+    VolumeArgs volumeArgs = VolumeArgs.newBuilder()
+        .setOwner(adminUserUgi.getShortUserName())
+        .build();
+    adminObjectStore.createVolume(testVolume, volumeArgs);
+    OzoneVolume adminVolume = adminObjectStore.getVolume(testVolume);
+
+    // Use FILE_SYSTEM_OPTIMIZED bucket layout
+    BucketArgs bucketArgs = BucketArgs.newBuilder()
+        .setBucketLayout(BucketLayout.FILE_SYSTEM_OPTIMIZED)
+        .build();
+    adminVolume.createBucket(testBucket, bucketArgs);
+    OzoneBucket adminBucket = adminVolume.getBucket(testBucket);
+
+    // Create a key as admin (so test user is NOT the owner)
+    try (OzoneOutputStream out = adminBucket.createKey(keyName, 0)) {
+      out.write("test data for ACL operations".getBytes(UTF_8));
+    }
+
+    OzoneKey key = adminBucket.getKey(keyName);
+    assertNotNull(key, "Key should be created successfully");
+
+    // Create OzoneObj for ACL operations
+    OzoneObj keyObj = OzoneObjInfo.Builder.newBuilder()
+        .setVolumeName(testVolume)
+        .setBucketName(testBucket)
+        .setKeyName(keyName)
+        .setResType(OzoneObj.ResourceType.KEY)
+        .setStoreType(OzoneObj.StoreType.OZONE)
+        .build();
+
+    int originalAclCount = adminObjectStore.getAcl(keyObj).size();
+
+    // Step 2: Add test user as admin on current leader
+    OzoneManager currentLeader = cluster.getOMLeader();
+    String leaderNodeId = currentLeader.getOMNodeId();
+    addAdminToSpecificOM(currentLeader, TEST_USER);
+    assertThat(currentLeader.getOmAdminUsernames()).contains(TEST_USER);
+
+    // Step 3: Test user performs ACL operations as admin (should succeed)
+    UserGroupInformation.setLoginUser(testUserUgi);
+    try (OzoneClient userClient = OzoneClientFactory.getRpcClient(OM_SERVICE_ID, cluster.getConf())) {
+      ObjectStore userObjectStore = userClient.getObjectStore();
+
+      // Add ACL - should succeed
+      OzoneAcl addAcl = OzoneAcl.parseAcl("user:anotheruser:rw[ACCESS]");
+      boolean addResult = userObjectStore.addAcl(keyObj, addAcl);
+      assertThat(addResult).isTrue();
+
+      // Verify ACL was added
+      List<OzoneAcl> acls = userObjectStore.getAcl(keyObj);
+      assertThat(acls).hasSize(originalAclCount + 1);
+      assertThat(acls).contains(addAcl);
+
+      // Set ACL - should succeed
+      OzoneAcl setAcl = OzoneAcl.parseAcl("user:setuser:rwx[ACCESS]");
+      boolean setResult = userObjectStore.setAcl(keyObj, Collections.singletonList(setAcl));
+      assertThat(setResult).isTrue();
+
+      // Verify ACL was set (replaced all previous ACLs)
+      acls = userObjectStore.getAcl(keyObj);
+      assertThat(acls).hasSize(1);
+      assertThat(acls).contains(setAcl);
+
+      // Step 4: Transfer leadership to another node where test user is NOT admin
+      OzoneManager newLeader = transferLeadershipToAnotherNode(currentLeader);
+      assertNotEquals(leaderNodeId, newLeader.getOMNodeId(),
+          "Leadership should have transferred to a different node");
+      assertThat(newLeader.getOmAdminUsernames()).doesNotContain(TEST_USER);
+
+      // Step 5: Try ACL operations on new leader - should fail with PERMISSION_DENIED
+      OzoneAcl anotherAcl = OzoneAcl.parseAcl("user:yetanotheruser:r[ACCESS]");
+
+      // Add ACL should fail
+      OMException addException = assertThrows(OMException.class, () -> {
+        userObjectStore.addAcl(keyObj, anotherAcl);
+      }, "addAcl should fail for non-admin user on new leader");
+      assertEquals(PERMISSION_DENIED, addException.getResult(),
+          "Should get PERMISSION_DENIED when ACL check fails in preExecute");
+
+      // Remove ACL should fail
+      OMException removeException = assertThrows(OMException.class, () -> {
+        userObjectStore.removeAcl(keyObj, setAcl);
+      }, "removeAcl should fail for non-admin user on new leader");
+      assertEquals(PERMISSION_DENIED, removeException.getResult(),
+          "Should get PERMISSION_DENIED when ACL check fails in preExecute");
+
+      // Set ACL should fail
+      OzoneAcl newSetAcl = OzoneAcl.parseAcl("user:failuser:w[ACCESS]");
+      OMException setException = assertThrows(OMException.class, () -> {
+        userObjectStore.setAcl(keyObj, Collections.singletonList(newSetAcl));
+      }, "setAcl should fail for non-admin user on new leader");
+      assertEquals(PERMISSION_DENIED, setException.getResult(),
+          "Should get PERMISSION_DENIED when ACL check fails in preExecute");
+
+    } finally {
+      UserGroupInformation.setLoginUser(adminUserUgi);
+    }
+
+    // Step 6: Verify the ACLs remain unchanged (operations were rejected in preExecute)
+    List<OzoneAcl> finalAcls = adminObjectStore.getAcl(keyObj);
+    assertThat(finalAcls).hasSize(1);
+    assertThat(finalAcls).contains(OzoneAcl.parseAcl("user:setuser:rwx[ACCESS]"));
+  }
+
   /**
    * Helper method to check if volume exists.
    */

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAclRequestWithFSO.java

@@ -22,11 +22,13 @@
 
 import java.io.IOException;
 import java.nio.file.InvalidPathException;
+import java.util.LinkedHashMap;
 import java.util.Map;
 import org.apache.commons.lang3.tuple.Pair;
 import org.apache.hadoop.hdds.utils.db.Table;
 import org.apache.hadoop.hdds.utils.db.cache.CacheKey;
 import org.apache.hadoop.hdds.utils.db.cache.CacheValue;
+import org.apache.hadoop.ozone.audit.OMAction;
 import org.apache.hadoop.ozone.om.OMMetadataManager;
 import org.apache.hadoop.ozone.om.OzoneManager;
 import org.apache.hadoop.ozone.om.ResolvedBucket;
@@ -42,6 +44,7 @@
 import org.apache.hadoop.ozone.om.response.OMClientResponse;
 import org.apache.hadoop.ozone.om.response.key.acl.OMKeyAclResponseWithFSO;
 import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos;
+import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMRequest;
 import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer;
 import org.apache.hadoop.ozone.security.acl.OzoneObj;
 
@@ -56,6 +59,46 @@ public OMKeyAclRequestWithFSO(OzoneManagerProtocolProtos.OMRequest omReq,
     setBucketLayout(bucketLayout);
   }
 
+  @Override
+  public OMRequest preExecute(OzoneManager ozoneManager) throws IOException {
+    OMRequest omRequest = super.preExecute(ozoneManager);
+
+    // ACL check during preExecute
+    if (ozoneManager.getAclsEnabled()) {
+      try {
+        ObjectParser objectParser = new ObjectParser(getPath(),
+            OzoneManagerProtocolProtos.OzoneObj.ObjectType.KEY);
+        ResolvedBucket resolvedBucket = ozoneManager.resolveBucketLink(
+            Pair.of(objectParser.getVolume(), objectParser.getBucket()));
+        String volume = resolvedBucket.realVolume();
+        String bucket = resolvedBucket.realBucket();
+        String key = objectParser.getKey();
+
+        checkAcls(ozoneManager, OzoneObj.ResourceType.KEY,
+            OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE_ACL,
+            volume, bucket, key);
+      } catch (IOException ex) {
+        // Ensure audit log captures preExecute failures
+        Map<String, String> auditMap = new LinkedHashMap<>();
+        OzoneObj obj = getObject();
+        auditMap.putAll(obj.toAuditMap());
+        // Determine which action based on request type
+        OMAction action = OMAction.SET_ACL;
+        if (omRequest.hasAddAclRequest()) {
+          action = OMAction.ADD_ACL;
+        } else if (omRequest.hasRemoveAclRequest()) {
+          action = OMAction.REMOVE_ACL;
+        }
+        markForAudit(ozoneManager.getAuditLogger(),
+            buildAuditMessage(action, auditMap, ex,
+                omRequest.getUserInfo()));
+        throw ex;
+      }
+    }
+
+    return omRequest;
+  }
+
   @Override
   public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, ExecutionContext context) {
     final long trxnLogIndex = context.getIndex();
@@ -81,12 +124,6 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut
       bucket = resolvedBucket.realBucket();
       key = objectParser.getKey();
 
-      // check Acl
-      if (ozoneManager.getAclsEnabled()) {
-        checkAcls(ozoneManager, OzoneObj.ResourceType.KEY,
-            OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE_ACL,
-            volume, bucket, key);
-      }
       mergeOmLockDetails(omMetadataManager.getLock()
           .acquireWriteLock(BUCKET_LOCK, volume, bucket));
       lockAcquired = getOmLockDetails().isLockAcquired();

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyAddAclRequestWithFSO.java

@@ -55,13 +55,17 @@ public class OMKeyAddAclRequestWithFSO extends OMKeyAclRequestWithFSO {
   @Override
   public OzoneManagerProtocolProtos.OMRequest preExecute(
       OzoneManager ozoneManager) throws IOException {
+    // Call parent's preExecute to perform ACL checks
+    OzoneManagerProtocolProtos.OMRequest omRequest =
+        super.preExecute(ozoneManager);
+
     long modificationTime = Time.now();
     OzoneManagerProtocolProtos.AddAclRequest.Builder addAclRequestBuilder =
-        getOmRequest().getAddAclRequest().toBuilder()
+        omRequest.getAddAclRequest().toBuilder()
             .setModificationTime(modificationTime);
 
-    return getOmRequest().toBuilder().setAddAclRequest(addAclRequestBuilder)
-        .setUserInfo(getUserInfo()).build();
+    return omRequest.toBuilder().setAddAclRequest(addAclRequestBuilder)
+        .build();
   }
 
   public OMKeyAddAclRequestWithFSO(

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeyRemoveAclRequestWithFSO.java

@@ -55,14 +55,18 @@ public class OMKeyRemoveAclRequestWithFSO extends OMKeyAclRequestWithFSO {
   @Override
   public OzoneManagerProtocolProtos.OMRequest preExecute(
       OzoneManager ozoneManager) throws IOException {
+    // Call parent's preExecute to perform ACL checks
+    OzoneManagerProtocolProtos.OMRequest omRequest =
+        super.preExecute(ozoneManager);
+
     long modificationTime = Time.now();
     OzoneManagerProtocolProtos.RemoveAclRequest.Builder
         removeAclRequestBuilder =
-        getOmRequest().getRemoveAclRequest().toBuilder()
+        omRequest.getRemoveAclRequest().toBuilder()
             .setModificationTime(modificationTime);
 
-    return getOmRequest().toBuilder()
-        .setRemoveAclRequest(removeAclRequestBuilder).setUserInfo(getUserInfo())
+    return omRequest.toBuilder()
+        .setRemoveAclRequest(removeAclRequestBuilder)
         .build();
   }
 

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/acl/OMKeySetAclRequestWithFSO.java

@@ -56,13 +56,17 @@ public class OMKeySetAclRequestWithFSO extends OMKeyAclRequestWithFSO {
   @Override
   public OzoneManagerProtocolProtos.OMRequest preExecute(
       OzoneManager ozoneManager) throws IOException {
+    // Call parent's preExecute to perform ACL checks
+    OzoneManagerProtocolProtos.OMRequest omRequest =
+        super.preExecute(ozoneManager);
+
     long modificationTime = Time.now();
     OzoneManagerProtocolProtos.SetAclRequest.Builder setAclRequestBuilder =
-        getOmRequest().getSetAclRequest().toBuilder()
+        omRequest.getSetAclRequest().toBuilder()
             .setModificationTime(modificationTime);
 
-    return getOmRequest().toBuilder().setSetAclRequest(setAclRequestBuilder)
-        .setUserInfo(getUserInfo()).build();
+    return omRequest.toBuilder().setSetAclRequest(setAclRequestBuilder)
+        .build();
   }
 
   public OMKeySetAclRequestWithFSO(