HDDS-14574. Enforce 700 permissions on Ozone Metadata and Data(hdds) directories

[Gargi-jais11]

What changes were proposed in this pull request?

Current Behaviour:
For Ozone metadata of OM, SCM, DN and Recon and Datanode Directory(/data/hdds) have 750 and 755 permissions respectively.

Proposed Behaviour:
We should bring Ozone up to parity with HDFS, where we have both a parameter that controls the permission, as well as health alerts for lax permissions.
Incorrectly permissioned data directories can lead to a serious data breach as any user (e.g. any Spark application) is able to read the data files.
Make the default permissions for all ozone metadata and data directories as 700 similar to hdfs.

Added new config for data directory permission: hdds.datanode.data.dir.permissions with default value of 700 and changed ozone metadata directory permissions to 700 from 750.

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-14574

How was this patch tested?

Added unit tests. Also manually tested for permissions:

// DN
[bash]# ls -la
total 4
drwx------ 8 hdfs hdfs 190 Feb 3 08:28 .
drwxr-xr-x 6 root root 76 Feb 2 04:46 ..
-rw-r--r-- 1 hdfs hdfs  0 Feb 3 08:28 cd
drwx------ 3 hdfs hdfs 65 Feb 3 08:28 data --------------------------> 700 data
-rw-r--r-- 1 hdfs hdfs 408 Feb 3 06:08 datanode.id
drwxr-xr-x 2 hdfs hdfs 10 Feb 2 04:46 db.checkpoints
drwxr-xr-x 3 hdfs hdfs 37 Feb 2 04:46 db.snapshots
drwx------ 5 hdfs hdfs 72 Feb 3 07:17 ozone-metadata. ---------------------> 700 metadata
drwxr-xr-x 3 root root 26 Feb 2 04:46 ratis
drwxr-xr-x 2 hdfs hdfs 333 Feb 3 06:08 witnessed_container.db

// OM
[bash om]# ls -la
total 0
drwxr-xr-x 5 root root 69 Feb 2 04:46 .
drwxr-xr-x 6 root root 76 Feb 2 04:46 ..
drwx------ 6 hdfs hdfs 112 Feb 4 06:03 data 
drwx------ 7 hdfs hdfs 117 Feb 2 06:07 ozone-metadata
drwxr-xr-x 3 hdfs hdfs 58 Feb 2 04:47 ratis

// recon
[bash recon]# ls -la
total 0
drwxr-xr-x 6 root root 81 Feb 2 04:46 .
drwxr-xr-x 6 root root 76 Feb 2 04:46 ..
drwx------ 8 hdfs hdfs 184 Feb 2 04:47 data
drwxr-xr-x 3 root root 18 Feb 2 04:46 om
drwx------ 4 hdfs hdfs 48 Feb 2 04:46 ozone-metadata
drwxr-xr-x 3 root root 26 Feb 2 04:46 scm

//SCM
[bash scm]# ls -la
total 0
drwxr-xr-x 5 root root 69 Feb 2 04:46 .
drwxr-xr-x 6 root root 76 Feb 2 04:46 ..
drwx------ 6 hdfs hdfs 93 Feb 2 04:46 data
drwx------ 6 hdfs hdfs 96 Feb 2 06:07 ozone-metadata
drwxr-xr-x 3 hdfs hdfs 58 Feb 2 04:46 ratis

[Gargi-jais11]

@ChenSammi , @sumitagrawl and @jojochuang Please review the patch.

[sreejasahithi]

Thanks @Gargi-jais11 for working on this, left few comments

[sumitagrawl]

this is called here also, and even during loading root also, check if this is duplicate OR for different path.

[Gargi-jais11]

These are not duplicates - they set permissions on different paths. Line 789 sets permissions on the volume root (e.g., /data/hdds1), while line 807 sets permissions on the storage directory (e.g., /data/hdds1/hdds). Both levels need secure permissions for defense-in-depth.

[sumitagrawl]

This is required only for datavolume other other volume types ?

[Gargi-jais11]

The volumeType == StorageVolume.VolumeType.DATA_VOLUME check is correct. Permission setting is only for data volumes.
META_VOLUME (MetadataVolume) - Stores Ratis metadata which is managed by Ratis.
DbVolume is for db instance storage. So not sure we can use same config hdds.datanode.dir.data.permissions over here as well. However the parent hdds/ directory is the HddsVolume storage dir and gets permissions from hdds.datanode.data.dir.permissions (default 700). So container.db is already protected by that parent hierarchy.