HDDS-14380. The user who starts Recon process will have administrator privilege #9627
devmadhuu
left a comment
Thanks @echonesis for the patch. Largely looks good, but just a few minor comments.
|
|
||
| @Override | ||
| protected void configure() { | ||
| bind(ReconServer.class).toInstance(reconServer); |
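Review bot: On the `bind(ReconServer.class).toInstance(reconServer)` line, the whole server object becomes injectable into any component, while the consumers only need the starter user for an authorization decision. Consider binding something narrower, for example a small read-only interface or a named String for the starter user, so that code performing admin checks cannot reach the rest of the server's surface through the injector.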
Why do we need the reconServer instance to be passed explicitly to ReconControllerModule? Can we not use Singleton?
This follows the same pattern as OM and SCM. In OM, the starter user and admin information are stored as instance fields in the OzoneManager object itself (https://github.com/apache/ozone/blob/master/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java#L680-L682). Similarly, we store this information in the ReconServer instance and make it accessible to other components via Guice.
Using bind(ReconServer.class).toInstance(reconServer) allows other components to inject and access the starter user information, just like how OM exposes this through its instance methods.
|
|
||
| String reconStarterUser = UserGroupInformation.getCurrentUser().getShortUserName(); | ||
| Collection<String> adminUsers = | ||
| OzoneAdmins.getOzoneAdminsFromConfig(configuration, reconStarterUser); |
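Review bot: `reconStarterUser` comes from `getShortUserName()` and goes straight into `getOzoneAdminsFromConfig(configuration, reconStarterUser)`, so whoever launches the process becomes an administrator without appearing in any configuration value. Please document that implicit grant alongside the admin settings and log the starter user at startup, so an operator auditing admin access can see it. Also confirm that the request-time admin check compares short user names, since that is the form stored here.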
Instead of calling the Admins and AdminsGroups methods separately here, can we use this method directly and then add Recon admins and Recon admin groups? This will minimise the code lines.
Thanks for the suggestion!
Since we need to add Recon-specific admins from OZONE_RECON_ADMINISTRATORS and OZONE_RECON_ADMINISTRATORS_GROUPS, using addAll() seemed like a straightforward approach.
| * | ||
| * @return Collection of admin groups | ||
| */ | ||
| public Collection<String> getReconAdminGroups() { |
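Review bot: `getReconAdminGroups()` is public and returns a `Collection<String>`, and the Javadoc does not say whether the result is a copy. If it hands back the collection used for authorization, a caller could add a group to it; return an unmodifiable view or a copy, and say so in the `@return` line.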
Any specific use case or need to define these admin and admin group getter methods?
Thanks @devmadhuu!
These methods follow the same pattern as OM's getOmAdminUsernames() and getOmAdminGroups() for consistency. They're not currently used in Recon.
I will remove them in a follow-up commit if preferred.
What changes were proposed in this pull request?
This PR enhances the Recon administrator access control by automatically granting administrator privileges to the user who starts the Recon process, in addition to any configured administrators.
What is the link to the Apache JIRA
https://issues.apache.org/jira/browse/HDDS-14380
How was this patch tested?
GitHub Actions CI: https://github.com/echonesis/ozone/actions/runs/21105670646