Gargi-jais11 commented on code in PR #9868:
URL: https://github.com/apache/ozone/pull/9868#discussion_r3070828358
##########
hadoop-ozone/cli-debug/src/main/java/org/apache/hadoop/ozone/debug/kerberos/AuthorizationProbe.java:
##########
@@ -52,24 +53,49 @@ public boolean test(OzoneConfiguration conf) {
print(conf, HddsConfigKeys.HDDS_SECURITY_CLIENT_SCM_BLOCK_PROTOCOL_ACL);
print(conf,
HddsConfigKeys.HDDS_SECURITY_CLIENT_SCM_CERTIFICATE_PROTOCOL_ACL);
+ ProbeResult result = ProbeResult.PASS;
+
+ // Validate Ozone security if enabled
+ boolean ozoneSecurityEnabled = conf.getBoolean(
+ OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY,
+ OzoneConfigKeys.OZONE_SECURITY_ENABLED_DEFAULT);
+
+ // If security disabled, no need to check further.
+ if (!ozoneSecurityEnabled) {
+ warn("Ozone security is disabled (ozone.security.enabled=false). "
+ + "Authorization checks are not enforced in non-secure mode.");
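Review bot: The security-enabled check is added after the existing `print(conf, ...)` calls for the ACL keys, so in non-secure mode the probe prints the ACL values first and only then warns that authorization checks are not enforced. Consider reading `OZONE_SECURITY_ENABLED_KEY` before the ACL output, or marking the printed ACLs as informational when security is off, so an operator does not read them as active controls. The comment `// Validate Ozone security if enabled` would also be more accurate as a check of whether security is enabled.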
Review Comment:
Instead of hardcoding please use the constants for key and value:
```
"Ozone security is disabled (" + OZONE_SECURITY_ENABLED_KEY + "="
    + OZONE_SECURITY_ENABLED_DEFAULT + "). "
    + "Authorization checks are not enforced in non-secure mode."
```
##########
hadoop-ozone/cli-debug/src/main/java/org/apache/hadoop/ozone/debug/kerberos/AuthorizationProbe.java:
##########
@@ -52,24 +53,49 @@ public boolean test(OzoneConfiguration conf) {
print(conf, HddsConfigKeys.HDDS_SECURITY_CLIENT_SCM_BLOCK_PROTOCOL_ACL);
print(conf,
HddsConfigKeys.HDDS_SECURITY_CLIENT_SCM_CERTIFICATE_PROTOCOL_ACL);
+ ProbeResult result = ProbeResult.PASS;
+
+ // Validate Ozone security if enabled
+ boolean ozoneSecurityEnabled = conf.getBoolean(
+ OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY,
+ OzoneConfigKeys.OZONE_SECURITY_ENABLED_DEFAULT);
+
+ // If security disabled, no need to check further.
+ if (!ozoneSecurityEnabled) {
+ warn("Ozone security is disabled (ozone.security.enabled=false). "
+ + "Authorization checks are not enforced in non-secure mode.");
+ return ProbeResult.WARN; // not a failure
+ }
+
+ // Validate Ozone authorization(master switch)
+ boolean ozoneAuthEnabled = conf.getBoolean(
+ OzoneConfigKeys.OZONE_AUTHORIZATION_ENABLED, true);
+
+ if (!ozoneAuthEnabled) {
+ warn("Ozone authorization is disabled
(ozone.authorization.enabled=false). "
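Review bot: In the `ozoneAuthEnabled` lookup, `conf.getBoolean(OzoneConfigKeys.OZONE_AUTHORIZATION_ENABLED, true)` passes a literal `true` as the default, while the security lookup just above uses `OzoneConfigKeys.OZONE_SECURITY_ENABLED_DEFAULT`. Use the corresponding default constant here as well, so the probe cannot drift from the value the services apply. Separately, the `@@` context shows `public boolean test(OzoneConfiguration conf)` while the added code does `return ProbeResult.WARN;`; please confirm the method signature is changed elsewhere in this patch.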
Review Comment:
Similarly use the constants for `ozone.authorization.enabled` and its
default value.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.