apache · ivandika3 · Apr 3, 2026
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java
@@ -218,6 +218,16 @@ public final class OzoneConfigKeys {
   public static final String OZONE_READONLY_ADMINISTRATORS_GROUPS =
       "ozone.readonly.administrators.groups";
 
+  public static final String OZONE_BLACKLIST_USERS =
+      "ozone.blacklist.users";
+  public static final String OZONE_BLACKLIST_GROUPS =
+      "ozone.blacklist.groups";
+
+  public static final String OZONE_READ_BLACKLIST_USERS =
+      "ozone.read.blacklist.users";
+  public static final String OZONE_READ_BLACKLIST_GROUPS =
+      "ozone.read.blacklist.groups";
+
   /**
    * Used only for testing purpose. Results in making every user an admin.
    * */

diff --git a/hadoop-hdds/common/src/main/resources/ozone-default.xml b/hadoop-hdds/common/src/main/resources/ozone-default.xml
@@ -1903,6 +1903,46 @@
     </description>
   </property>
 
+  <property>
+    <name>ozone.blacklist.users</name>
+    <value/>
+    <description>
+      Ozone blacklisted users delimited by the comma.
+      If set, This is the list of users that are not allowed to do any operations even
+      if the blacklisted user is also under (readonly) admin / admin group,
+    </description>
+  </property>
+
+  <property>
+    <name>ozone.blacklist.groups</name>
+    <value/>
+    <description>
+      Ozone blacklisted groups delimited by the comma.
+      If set, This is the list of groups that are not allowed to do any operations even
+      if the blacklisted user is also under (readonly) admin / admin group,
+    </description>
+  </property>
+
+  <property>
+    <name>ozone.read.blacklist.users</name>
+    <value/>
+    <description>
+      Ozone read blacklist users delimited by the comma.
+      If set, This is the list of users are not allowed to do any read operations even
+      if the blacklisted user is also under (readonly) admin / admin group.
+    </description>
+  </property>
+
+  <property>
+    <name>ozone.read.blacklist.groups</name>
+    <value/>
+    <description>
+      Ozone read blacklist groups delimited by the comma.
+      If set, This is the list of groups are not allowed to do any read operations even
+      if the blacklisted user is also under (readonly) admin / admin group.
+    </description>
+  </property>
+
   <property>
     <name>ozone.s3g.volume.name</name>
     <value>s3v</value>

diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/OzoneBlacklist.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/OzoneBlacklist.java
@@ -0,0 +1,219 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hdds.server;
+
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_BLACKLIST_GROUPS;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_BLACKLIST_USERS;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_READ_BLACKLIST_GROUPS;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_READ_BLACKLIST_USERS;
+
+import com.google.common.collect.Sets;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.LinkedHashSet;
+import java.util.Set;
+import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+import org.apache.hadoop.security.AccessControlException;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.util.StringUtils;
+
+/**
+ * This class contains the blacklisted user information, username and group
+ * and is able to check whether the provided {@link UserGroupInformation}
+ * is blacklisted.
+ *
+ * The implementation is similar to {@link OzoneAdmins}.
+ */
+public class OzoneBlacklist {
+
+  private volatile Set<String> blacklistUsernames;
+
+  private volatile Set<String> blacklistGroups;
+
+  public OzoneBlacklist(Collection<String> blacklistUsernames) {
+    this(blacklistUsernames, null);
+  }
+
+  public OzoneBlacklist(Collection<String> blacklistUsernames,
+      Collection<String> blacklistGroups) {
+    setBlacklistUsernames(blacklistUsernames);
+    this.blacklistGroups = blacklistGroups != null
+        ? Collections.unmodifiableSet(new LinkedHashSet<>(blacklistGroups))
+        : Collections.emptySet();
+  }
+
+  /**
+   * Returns an OzoneBlacklist instance configured with blacklisted users
+   * and groups from the provided configuration.
+   *
+   * @param configuration the configuration settings to apply.
+   * @return a configured OzoneBlacklist instance.
+   */
+  public static OzoneBlacklist getOzoneBlacklist(
+      OzoneConfiguration configuration) {
+    Collection<String> blacklistUsernames =
+        getOzoneBlacklistUsersFromConfig(configuration);
+    Collection<String> blacklistGroupNames =
+        getOzoneBlacklistGroupsFromConfig(configuration);
+    return new OzoneBlacklist(blacklistUsernames, blacklistGroupNames);
+  }
+
+  /**
+   * Creates and returns a read-only blacklist object. This object includes the
+   * read blacklisted users and user groups obtained from the Ozone
+   * configuration.
+   *
+   * @param configuration the configuration settings to apply.
+   * @return a configured OzoneBlacklist instance.
+   */
+  public static OzoneBlacklist getReadonlyBlacklist(
+      OzoneConfiguration configuration) {
+    Collection<String> omReadBlacklistUser =
+        getOzoneReadBlacklistUsersFromConfig(configuration);
+    Collection<String> omReadBlacklistGroups =
+        getOzoneReadBlacklistGroupsFromConfig(configuration);
+    return new OzoneBlacklist(omReadBlacklistUser, omReadBlacklistGroups);
+  }
+
+  /**
+   * Check ozone blacklist, throws exception if user is blacklisted.
+   */
+  public void checkBlacklist(UserGroupInformation ugi)
+      throws AccessControlException {
+    if (ugi != null && isBlacklisted(ugi)) {
+      throw new AccessControlException("Access denied for user "
+          + ugi.getUserName() + ". User is blacklisted.");
+    }
+  }
+
+  private boolean hasBlacklistGroup(Collection<String> userGroups) {
+    return !Sets.intersection(blacklistGroups,
+        new LinkedHashSet<>(userGroups)).isEmpty();
+  }
+
+  /**
+   * Check whether the provided {@link UserGroupInformation user}
+   * is blacklisted.
+   *
+   * @param user the {@link UserGroupInformation}.
+   * @return true if the user is blacklisted, otherwise false.
+   */
+  public boolean isBlacklisted(UserGroupInformation user) {
+    return user != null
+        && (blacklistUsernames.contains(user.getShortUserName())
+        || hasBlacklistGroup(user.getGroups()));
+  }
+
+  public Collection<String> getBlacklistGroups() {
+    return blacklistGroups;
+  }
+
+  public Set<String> getBlacklistUsernames() {
+    return blacklistUsernames;
+  }
+
+  public void setBlacklistUsernames(
+      Collection<String> blacklistUsernames) {
+    this.blacklistUsernames = blacklistUsernames != null
+        ? Collections.unmodifiableSet(
+            new LinkedHashSet<>(blacklistUsernames))
+        : Collections.emptySet();
+  }
+
+  /**
+   * Return list of blacklisted users from config.
+   *
+   * @param conf the configuration settings to apply.
+   */
+  public static Collection<String> getOzoneBlacklistUsersFromConfig(
+      OzoneConfiguration conf) {
+    return conf.getTrimmedStringCollection(OZONE_BLACKLIST_USERS);
+  }
+
+  /**
+   * Return list of blacklisted users from config value.
+   * @param valueString the configuration value.
+   */
+  public static Collection<String> getOzoneBlacklistUsersFromConfigValue(
+      String valueString) {
+    return StringUtils.getTrimmedStringCollection(valueString);
+  }
+
+  /**
+   * Return list of blacklist Groups from config.
+   *
+   * @param configuration the configuration settings to apply.
+   */
+  public static Collection<String> getOzoneBlacklistGroupsFromConfig(
+      OzoneConfiguration configuration) {
+    return configuration.getTrimmedStringCollection(OZONE_BLACKLIST_GROUPS);
+  }
+
+  /**
+   * Return list of blacklisted groups from config value.
+   * @param valueString the configuration value.
+   */
+  public static Collection<String> getOzoneBlacklistGroupsFromConfigValue(
+      String valueString) {
+    return StringUtils.getTrimmedStringCollection(valueString);
+  }
+
+  /**
+   * Return list of Ozone Read only blacklisted users from config.
+   *
+   * @param conf the configuration settings to apply.
+   */
+  public static Collection<String> getOzoneReadBlacklistUsersFromConfig(
+      OzoneConfiguration conf) {
+    return conf.getTrimmedStringCollection(OZONE_READ_BLACKLIST_USERS);
+  }
+
+  /**
+   * Return list of Ozone Read only blacklisted users from config value.
+   * @param valueString the configuration value.
+   */
+  public static Collection<String> getOzoneReadBlacklistUsersFromConfigValue(
+      String valueString) {
+    return StringUtils.getTrimmedStringCollection(valueString);
+  }
+
+  /**
+   * Return list of Ozone Read only blacklisted groups from config.
+   *
+   * @param conf the configuration settings to apply.
+   */
+  public static Collection<String> getOzoneReadBlacklistGroupsFromConfig(
+      OzoneConfiguration conf) {
+    return conf.getTrimmedStringCollection(OZONE_READ_BLACKLIST_GROUPS);
+  }
+
+  /**
+   * Return list of Ozone Read only blacklisted groups from config value.
+   * @param valueString the configuration value.
+   */
+  public static Collection<String> getOzoneReadBlacklistGroupsFromConfigValue(
+      String valueString) {
+    return StringUtils.getTrimmedStringCollection(valueString);
+  }
+
+  public void setBlacklistGroups(Collection<String> blacklistGroups) {
+    this.blacklistGroups = blacklistGroups != null
+        ? Collections.unmodifiableSet(new LinkedHashSet<>(blacklistGroups))
+        : Collections.emptySet();
+  }
+}
diff --git a/...ntegration-test/src/test/java/org/apache/hadoop/ozone/reconfig/TestOmReconfiguration.java b/...ntegration-test/src/test/java/org/apache/hadoop/ozone/reconfig/TestOmReconfiguration.java
@@ -19,7 +19,11 @@
 
 import static java.util.concurrent.TimeUnit.MILLISECONDS;
 import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_BLACKLIST_GROUPS;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_BLACKLIST_USERS;
 import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_READONLY_ADMINISTRATORS;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_READ_BLACKLIST_GROUPS;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_READ_BLACKLIST_USERS;
 import static org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_DIR_DELETING_SERVICE_INTERVAL;
 import static org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_KEY_DELETING_LIMIT_PER_TASK;
 import static org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_SNAPSHOT_SST_FILTERING_SERVICE_INTERVAL;
@@ -64,6 +68,10 @@ void reconfigurableProperties() {
         .add(OZONE_THREAD_NUMBER_DIR_DELETION)
         .add(OZONE_SNAPSHOT_SST_FILTERING_SERVICE_INTERVAL)
         .addAll(new OmConfig().reconfigurableProperties())
+        .add(OZONE_BLACKLIST_USERS)
+        .add(OZONE_BLACKLIST_GROUPS)
+        .add(OZONE_READ_BLACKLIST_USERS)
+        .add(OZONE_READ_BLACKLIST_GROUPS)
         .build();
 
     assertProperties(getSubject(), expected);
@@ -92,6 +100,70 @@ void readOnlyAdmins() throws ReconfigurationException {
         cluster().getOzoneManager().getOmReadOnlyAdminUsernames());
   }
 
+  @Test
+  void blacklistUsers() throws ReconfigurationException {
+    final String newValue = RandomStringUtils.secure().nextAlphabetic(10);
+
+    getSubject().reconfigureProperty(OZONE_BLACKLIST_USERS, newValue);
+
+    assertEquals(
+        ImmutableSet.of(newValue),
+        cluster().getOzoneManager().getOmBlacklistUsernames());
+  }
+
+  @Test
+  void blacklistGroups() throws ReconfigurationException {
+    String groupA = "groupA";
+    String groupB = "groupB";
+    getSubject().reconfigureProperty(OZONE_BLACKLIST_GROUPS, groupA);
+    assertTrue(
+        cluster().getOzoneManager().getOmBlacklistGroups().contains(groupA),
+        groupA + " should be a blacklist group");
+
+    getSubject().reconfigureProperty(OZONE_BLACKLIST_GROUPS, groupB);
+    assertFalse(
+        cluster().getOzoneManager().getOmBlacklistGroups().contains(groupA),
+        groupA + " should NOT be a blacklist group");
+    assertTrue(
+        cluster().getOzoneManager().getOmBlacklistGroups().contains(groupB),
+        groupB + " should be a blacklist group");
+  }
+
+  @Test
+  void readBlacklistUsers() throws ReconfigurationException {
+    final String newValue = RandomStringUtils.secure().nextAlphabetic(10);
+
+    getSubject().reconfigureProperty(OZONE_READ_BLACKLIST_USERS,
+        newValue);
+
+    assertEquals(
+        ImmutableSet.of(newValue),
+        cluster().getOzoneManager().getOmReadOnlyBlacklistUsernames());
+  }
+
+  @Test
+  void readBlacklistGroups() throws ReconfigurationException {
+    String groupA = "readonlyBlacklistGroupA";
+    String groupB = "readonlyBlacklistGroupB";
+    getSubject().reconfigureProperty(OZONE_READ_BLACKLIST_GROUPS,
+        groupA);
+    assertTrue(
+        cluster().getOzoneManager().getOmReadonlyBlacklistGroups()
+            .contains(groupA),
+        groupA + " should be a readOnly blacklist group");
+
+    getSubject().reconfigureProperty(OZONE_READ_BLACKLIST_GROUPS,
+        groupB);
+    assertFalse(
+        cluster().getOzoneManager().getOmReadonlyBlacklistGroups()
+            .contains(groupA),
+        groupA + " should NOT be a readOnly blacklist group");
+    assertTrue(
+        cluster().getOzoneManager().getOmReadonlyBlacklistGroups()
+            .contains(groupB),
+        groupB + " should be a readOnly blacklist group");
+  }
+
   @Test
   public void maxListSize() throws ReconfigurationException {
     final long initialValue = cluster().getOzoneManager().getConfig().getMaxListSize();