HDDS-7240. List all volume operation should go through ACL check as well in order to trigger audit logging (#3770)
diff --git a/hadoop-hdds/common/src/main/resources/ozone-default.xml b/hadoop-hdds/common/src/main/resources/ozone-default.xml
index 0ca1359..4ebef89 100644
--- a/hadoop-hdds/common/src/main/resources/ozone-default.xml
+++ b/hadoop-hdds/common/src/main/resources/ozone-default.xml
@@ -608,7 +608,11 @@
<description>
Allows everyone to list all volumes when set to true. Defaults to true.
When set to false, non-admin users can only list the volumes they have
- access to. Admins can always list all volumes.
+ access to. Admins can always list all volumes. Note that this config
+ only applies to OzoneNativeAuthorizer. For other authorizers, admin
+ needs to set policies accordingly to allow all volume listing
+ e.g. for Ranger, a new policy with special volume "/" can be added to
+ allow group public LIST access.
</description>
</property>
<property>
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
index 1d7282c..7ddaca5 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
@@ -2712,12 +2712,9 @@
auditMap.put(OzoneConsts.USERNAME, null);
try {
metrics.incNumVolumeLists();
- if (!allowListAllVolumes) {
- // Only admin can list all volumes when disallowed in config
- if (isAclEnabled) {
- checkAcls(ResourceType.VOLUME, StoreType.OZONE, ACLType.LIST,
- OzoneConsts.OZONE_ROOT, null, null);
- }
+ if (isAclEnabled) {
+ checkAcls(ResourceType.VOLUME, StoreType.OZONE, ACLType.LIST,
+ OzoneConsts.OZONE_ROOT, null, null);
}
return volumeManager.listVolumes(null, prefix, prevKey, maxKeys);
} catch (Exception ex) {
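Review bot: The rewritten condition drops the comment that explained who may list all volumes, so a reader of the new `if (isAclEnabled)` block cannot tell why `allowListAllVolumes` no longer gates the check. A short comment would preserve the intent, e.g. `// Always run the ACL check when ACLs are enabled so every list-all-volumes request is audited; whether non-admins may list all volumes is now decided by the authorizer.` Note that when ACLs are disabled the method still returns every volume with no check and, presumably, no audit event from checkAcls, which appears unchanged from before but is worth stating if the audit guarantee in the title is relied on. Whether the `allowListAllVolumes` field is still read anywhere else in OzoneManager cannot be seen from this hunk. The enclosing method starts and ends outside the hunk.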