HDDS-6931. Support for serialized pre-process validators#9774
Open
art9440 wants to merge 52 commits intoapache:masterfrom
Open
HDDS-6931. Support for serialized pre-process validators#9774art9440 wants to merge 52 commits intoapache:masterfrom
art9440 wants to merge 52 commits intoapache:masterfrom
Conversation
This reverts commit 62ef090.
…CreateBucketPermissionDenied
# Conflicts: # hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/volume/OMVolumeCreateRequest.java
…MBucketSetPropertyRequest
Contributor
Gargi-jais11
left a comment
Gargi-jais11
left a comment
There was a problem hiding this comment.
Thanks @art9440 for the patch.
Please find the inlined comments.
Comment on lines
117
to
121
| if (StringUtils.isBlank(volumeName)) { | ||
| if (StringUtils.isBlank(volumeName)) { | ||
| throw new OMException("Invalid, volume name is empty", | ||
| OMException.ResultCodes.INVALID_VOLUME_NAME); | ||
| } |
Contributor
There was a problem hiding this comment.
Nit: Remove this redundant check twice.
...nager/src/test/java/org/apache/hadoop/ozone/om/request/bucket/TestOMBucketDeleteRequest.java
Outdated
Show resolved
Hide resolved
.../src/test/java/org/apache/hadoop/ozone/om/request/bucket/TestOMBucketSetPropertyRequest.java
Outdated
Show resolved
Hide resolved
...zone-manager/src/test/java/org/apache/hadoop/ozone/om/request/key/TestOMSetTimesRequest.java
Outdated
Show resolved
Hide resolved
...nager/src/test/java/org/apache/hadoop/ozone/om/request/volume/TestOMVolumeDeleteRequest.java
Outdated
Show resolved
Hide resolved
…ne/om/request/bucket/TestOMBucketDeleteRequest.java Co-authored-by: Gargi Jaiswal <134698352+Gargi-jais11@users.noreply.github.com>
…ne/om/request/bucket/TestOMBucketSetPropertyRequest.java Co-authored-by: Gargi Jaiswal <134698352+Gargi-jais11@users.noreply.github.com>
…ne/om/request/key/TestOMSetTimesRequest.java Co-authored-by: Gargi Jaiswal <134698352+Gargi-jais11@users.noreply.github.com>
…ne/om/request/volume/TestOMVolumeDeleteRequest.java Co-authored-by: Gargi Jaiswal <134698352+Gargi-jais11@users.noreply.github.com>
Comment on lines
+80
to
+89
| OMKeySetTimesRequest setTimes = new OMKeySetTimesRequest(req, getBucketLayout()) { | ||
| @Override | ||
| public void checkAcls(OzoneManager ozoneManager, | ||
| OzoneObj.ResourceType resType, | ||
| OzoneObj.StoreType storeType, | ||
| IAccessAuthorizer.ACLType aclType, | ||
| String vol, String bucket, String key) throws IOException | ||
| { | ||
| throw new OMException("denied", OMException.ResultCodes.PERMISSION_DENIED); | ||
| } |
Contributor
There was a problem hiding this comment.
I think its better to use Mockito spy instead of override for ACL Permission-Denied Tests. One of the reason is that if checkAcls signature changes, only the stubbing call needs updating.
OMKeySetTimesRequest setTimes = spy(new OMKeySetTimesRequest(req, getBucketLayout()));
doThrow(new OMException("denied", OMException.ResultCodes.PERMISSION_DENIED))
.when(setTimes).checkAcls(any(), any(), any(), any(), any(), any(), any());
Files needed to change: TestOMSetTimesRequest, TestOMVolumeDeleteRequest, TestOMBucketSetPropertyRequest, TestOMBucketDeleteRequest.
| try { | ||
| checkAcls(ozoneManager, OzoneObj.ResourceType.KEY, | ||
| OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.WRITE_ACL, | ||
| newKeyArgs.getVolumeName(), newKeyArgs.getBucketName(), newKeyArgs.getKeyName()); |
Contributor
There was a problem hiding this comment.
@art9440 This is not related to your changes, found this will understanding your changes.
As per my understanding SetTimes updates the key’s modification time (which is metadata update) only. It does not modify ACLs, so don't you think the ACL check should use WRITE, not WRITE_ACL?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What changes were proposed in this pull request?
This pull request refactors the request processing logic in Ozone Manager by moving selected ACL checks from validateAndUpdateCache to preExecute and introducing unified early validation for object names.
@duongkame in the HDDS-6931 mentioned:
"I think pre-process validation should only perform logic on data which is not supposed to change between pre-process and actual execution in validateAndUpdateCache. Otherwise, that validation should be moved to {{validateAndUpdateCache, }}and is done together with the real data change in a proper lock scope to ensure consistency."
This change improves the architectural consistency of request handling in Ozone Manager by ensuring that access control checks and basic input validation are performed at the earliest possible stage of request processing.
Currently, ACL checks are implemented inconsistently across different OM request types. In some requests (e.g., volume and bucket creation), ACL validation is already performed in preExecute, while in others it is deferred to validateAndUpdateCache. This inconsistency leads to:
Unnecessary lock acquisition for requests that will eventually fail due to insufficient permissions
Increased lock holding time under high load
Reduced predictability of request lifecycle
This patch moves ACL checks for selected operations (volume, bucket, key and related management requests) to the preExecute stage, where it is safe to do so — i.e., only when the validation logic depends on data that does not change between preExecute and validateAndUpdateCache.
The approach follows the principle discussed in HDDS-6931: pre-processing validation should only operate on immutable or request-local data. All validations that depend on mutable metadata state remain in validateAndUpdateCache under proper lock scope.
Additionally, this PR introduces unified early validation of volume, bucket and key names. Previously, name validation was either duplicated or missing in some request classes. Validation logic is now centralized and executed during preExecute, ensuring:
Early rejection of malformed requests
Reduced propagation of invalid inputs into metadata handling
Improved maintainability and consistency across request implementations
No functional changes are introduced in terms of authorization semantics; the patch strictly changes when the validation occurs, not how it is evaluated.
This refactoring improves scalability (by reducing unnecessary lock usage), strengthens architectural consistency, and simplifies future maintenance of OM request logic.
What is the link to the Apache JIRA
HDDS-6931
How was this patch tested?
For all changes in preExecute with ACL checks were written Unit tests.