HDDS-1600. Add userName and IPAddress as part of OMRequest.

Author: bharatviswa504

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/exceptions/OMException.java

@@ -196,5 +196,9 @@ public enum ResultCodes {
     FILE_ALREADY_EXISTS,
 
     NOT_A_FILE,
+
+    PERMISSION_DENIED, // Error codes used during acl validation
+
+    TIMEOUT // Error codes used during acl validation
   }
 }

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/IAccessAuthorizer.java

@@ -19,6 +19,7 @@
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.ozone.OzoneConsts;
+import org.apache.hadoop.ozone.om.exceptions.OMException;
 
 import java.util.BitSet;
 
@@ -35,11 +36,11 @@ public interface IAccessAuthorizer {
    *
    * @param ozoneObject object for which access needs to be checked.
    * @param context Context object encapsulating all user related information.
-   * @throws OzoneAclException
+   * @throws org.apache.hadoop.ozone.om.exceptions.OMException
    * @return true if user has access else false.
    */
   boolean checkAccess(IOzoneObj ozoneObject, RequestContext context)
-      throws OzoneAclException;
+      throws OMException;
 
   /**
    * ACL rights.

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneAccessAuthorizer.java

@@ -16,14 +16,16 @@
  */
 package org.apache.hadoop.ozone.security.acl;
 
+import org.apache.hadoop.ozone.om.exceptions.OMException;
+
 /**
  * Default implementation for {@link IAccessAuthorizer}.
  * */
 public class OzoneAccessAuthorizer implements IAccessAuthorizer {
 
   @Override
   public boolean checkAccess(IOzoneObj ozoneObject, RequestContext context)
-      throws OzoneAclException {
+      throws OMException {
     return true;
   }
 }

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneAclException.java

@@ -102,6 +102,9 @@ message OMRequest {
 
   required string clientId = 3;
 
+  optional UserInfo userInfo = 4;
+
+
   optional CreateVolumeRequest              createVolumeRequest            = 11;
   optional SetVolumePropertyRequest         setVolumePropertyRequest       = 12;
   optional CheckVolumeAccessRequest         checkVolumeAccessRequest       = 13;
@@ -271,6 +274,8 @@ enum Status {
     DIRECTORY_NOT_FOUND = 45;
     FILE_ALREADY_EXISTS = 46;
     NOT_A_FILE = 47;
+    PERMISSION_DENIED = 48;
+    TIMEOUT = 49;
 }
 
 
@@ -284,6 +289,16 @@ message VolumeInfo {
     required uint64 creationTime = 7;
 }
 
+/**
+    User information which will be extracted during RPC context and used
+    during validating Acl.
+*/
+message UserInfo {
+    optional string userName = 1;
+    optional string remoteAddress = 3;
+}
+
+
 /**
     Creates a volume
 */

hadoop-ozone/common/src/main/proto/OzoneManagerProtocol.proto

@@ -24,10 +24,10 @@
 import org.apache.hadoop.hdfs.server.datanode.ObjectStoreHandler;
 import org.apache.hadoop.ozone.MiniOzoneCluster;
 import org.apache.hadoop.ozone.OzoneTestUtils;
+import org.apache.hadoop.ozone.om.exceptions.OMException;
 import org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes;
 import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer;
 import org.apache.hadoop.ozone.security.acl.IOzoneObj;
-import org.apache.hadoop.ozone.security.acl.OzoneAclException;
 import org.apache.hadoop.ozone.security.acl.RequestContext;
 import org.apache.hadoop.ozone.web.handlers.BucketArgs;
 import org.apache.hadoop.ozone.web.handlers.KeyArgs;
@@ -169,7 +169,7 @@ class OzoneAccessAuthrizerTest implements IAccessAuthorizer {
 
   @Override
   public boolean checkAccess(IOzoneObj ozoneObject, RequestContext context)
-      throws OzoneAclException {
+      throws OMException {
     return false;
   }
 }

hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestOmAcls.java

@@ -82,6 +82,13 @@ https://maven.apache.org/xsd/maven-4.0.0.xsd">
       <scope>test</scope>
     </dependency>
 
+    <dependency>
+      <groupId>org.jmockit</groupId>
+      <artifactId>jmockit</artifactId>
+      <version>1.24</version>
+      <scope>test</scope>
+    </dependency>
+
   </dependencies>
   <build>
     <plugins>

hadoop-ozone/ozone-manager/pom.xml

@@ -24,6 +24,7 @@
 import com.google.common.base.Preconditions;
 import com.google.protobuf.BlockingService;
 
+import java.net.InetAddress;
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.KeyPair;
@@ -127,8 +128,6 @@
 import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType;
 import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType;
 import org.apache.hadoop.ozone.security.acl.OzoneAccessAuthorizer;
-import org.apache.hadoop.ozone.security.acl.OzoneAclException;
-import org.apache.hadoop.ozone.security.acl.OzoneAclException.ErrorCode;
 import org.apache.hadoop.ozone.security.acl.OzoneObj;
 import org.apache.hadoop.ozone.security.acl.OzoneObj.StoreType;
 import org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType;
@@ -1733,18 +1732,36 @@ public void applyDeleteVolume(String volume, String owner,
    * @param vol     - name of volume
    * @param bucket  - bucket name
    * @param key     - key
-   * @throws OzoneAclException
+   * @throws OMException
    */
   private void checkAcls(ResourceType resType, StoreType store,
       ACLType acl, String vol, String bucket, String key)
-      throws OzoneAclException {
-    if(!isAclEnabled) {
-      return;
-    }
+      throws OMException {
+    checkAcls(resType, store, acl, vol, bucket, key,
+        ProtobufRpcEngine.Server.getRemoteUser(),
+        ProtobufRpcEngine.Server.getRemoteIp());
+  }
 
+  /**
+   * CheckAcls for the ozone object.
+   * @param resType
+   * @param storeType
+   * @param aclType
+   * @param vol
+   * @param bucket
+   * @param key
+   * @param ugi
+   * @param remoteAddress
+   * @throws OMException
+   */
+  @SuppressWarnings("parameternumber")
+  public void checkAcls(ResourceType resType, StoreType storeType,
+      ACLType aclType, String vol, String bucket, String key,
+      UserGroupInformation ugi, InetAddress remoteAddress)
+      throws OMException {
     OzoneObj obj = OzoneObjInfo.Builder.newBuilder()
         .setResType(resType)
-        .setStoreType(store)
+        .setStoreType(storeType)
         .setVolumeName(vol)
         .setBucketName(bucket)
         .setKeyName(key).build();
@@ -1753,17 +1770,26 @@ private void checkAcls(ResourceType resType, StoreType store,
         .setClientUgi(user)
         .setIp(ProtobufRpcEngine.Server.getRemoteIp())
         .setAclType(ACLIdentityType.USER)
-        .setAclRights(acl)
+        .setAclRights(aclType)
         .build();
     if (!accessAuthorizer.checkAccess(obj, context)) {
       LOG.warn("User {} doesn't have {} permission to access {}",
-          user.getUserName(), acl, resType);
-      throw new OzoneAclException("User " + user.getUserName() + " doesn't " +
-          "have " + acl + " permission to access " + resType,
-          ErrorCode.PERMISSION_DENIED);
+          user.getUserName(), aclType, resType);
+      throw new OMException("User " + user.getUserName() + " doesn't " +
+          "have " + aclType + " permission to access " + resType,
+          ResultCodes.PERMISSION_DENIED);
     }
   }
 
+  /**
+   *
+   * Return true if Ozone acl's are enabled, else false.
+   * @return boolean
+   */
+  public boolean getAclsEnabled() {
+    return isAclEnabled;
+  }
+
   /**
    * Changes the owner of a volume.
    *
@@ -2406,8 +2432,10 @@ public void setBucketProperty(OmBucketArgs args)
    */
   @Override
   public void deleteBucket(String volume, String bucket) throws IOException {
-    checkAcls(ResourceType.BUCKET, StoreType.OZONE, ACLType.WRITE, volume,
-        bucket, null);
+    if (isAclEnabled) {
+      checkAcls(ResourceType.BUCKET, StoreType.OZONE, ACLType.WRITE, volume,
+          bucket, null);
+    }
     Map<String, String> auditMap = buildAuditMap(volume);
     auditMap.put(OzoneConsts.BUCKET, bucket);
     try {