Limit max entries for checkAcls

pfnet · Jan 25, 2024 · 65d2f7d · kuenishi · Jan 26, 2024 · 65d2f7d
1 parent 91a080a
commit 65d2f7d
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/OMConfigKeys.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/OMConfigKeys.java
@@ -422,4 +422,9 @@ private OMConfigKeys() {
   public static final String OZONE_OM_LISTSTATUS_RATELIMIT_TIMEOUT_KEY =
           "ozone.om.liststatus.ratelimit-timeout";
   public static final int OZONE_OM_LISTSTATUS_RATELIMIT_TIMEOUT_DEFAULT = 8; // seconds
+
+  // Limit for child entries on Ozone ACL check
+  public static final String OZONE_OM_ACL_CHECK_MAX_CHILDREN =
+          "ozone.om.acls.max-children";
+  public static final int OZONE_OM_ACL_CHECK_MAX_CHILDREN_DEFAULT = 300; // entries
 }
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/KeyManagerImpl.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/KeyManagerImpl.java
@@ -116,6 +116,7 @@
 import static org.apache.hadoop.ozone.OzoneConsts.OZONE_URI_DELIMITER;
 import static org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_DIR_DELETING_SERVICE_INTERVAL;
 import static org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_DIR_DELETING_SERVICE_INTERVAL_DEFAULT;
+import static org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_ACL_CHECK_MAX_CHILDREN;
 import static org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_OPEN_KEY_CLEANUP_SERVICE_INTERVAL;
 import static org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_OPEN_KEY_CLEANUP_SERVICE_INTERVAL_DEFAULT;
 import static org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_OPEN_KEY_CLEANUP_SERVICE_TIMEOUT;
@@ -128,6 +129,7 @@
 import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.KEY_NOT_FOUND;
 import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.SCM_GET_PIPELINE_EXCEPTION;
 import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.VOLUME_NOT_FOUND;
+import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.TIMEOUT;
 import static org.apache.hadoop.util.MetricUtil.captureLatencyNs;
 import static org.apache.hadoop.ozone.om.lock.OzoneManagerLock.Resource.BUCKET_LOCK;
 import static org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.KEY;
@@ -1113,6 +1115,11 @@ private boolean checkChildrenAcls(OzoneObj ozObject, RequestContext context)
       directories.add(ozoneFileStatus);
     }
     while (!directories.isEmpty() && hasAccess) {
+      if (directories.size() >
+              ozoneManager.getConfiguration()
+                      .getInt(OZONE_OM_ACL_CHECK_MAX_CHILDREN, 300)) {
+        throw new OMException("Too much entries for ACL check", TIMEOUT);
+      }
       ozoneFileStatus = directories.pop();
       String keyPath = ozoneFileStatus.getTrimmedName();
       Iterator<? extends OzoneFileStatus> children =