Steve Loughran created HADOOP-17261:
---------------------------------------

             Summary: s3a rename() now requires s3:deleteObjectVersion permission
                 Key: HADOOP-17261
                 URL: https://issues.apache.org/jira/browse/HADOOP-17261
             Project: Hadoop Common
          Issue Type: Sub-task
          Components: fs/s3
    Affects Versions: 3.4.0
            Reporter: Steve Loughran
            Assignee: Steve Loughran


With the directory marker change (HADOOP-13230) you need the 
s3:deleteObjectVersion permission in your role, else the operation will fail in 
the bulk delete, *if S3Guard is in use*

Root cause:
- if fileStatus has a versionId, we pass that in to the delete KeyVersion pair
- an unguarded listing doesn't get that versionId, so this is not an issue
- but if files in a directory were previously created such that S3Guard has their versionId in its tables, that is used in the request
- which then fails if the caller doesn't have the permission

Although we say "you need s3:delete*", this is a regression, as any IAM role 
without the permission will have rename fail during delete.



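The failure described in the root cause can be checked against a role's policy before it surfaces in a rename. The following is an added example, not part of the original issue or of Hadoop's code: it maps each key/versionId pair of a bulk delete to the IAM action it needs and reports the entries a policy would reject. The function names, the sample policy and the sample keys are constructed, and the evaluation is simplified (Resource, Condition and NotAction are ignored).

```python
import fnmatch

# Constructed sample policy: grants plain deletes but not versioned deletes.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def action_allowed(policy, action):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any Allow.
    Assumption: Resource, Condition and NotAction elements are ignored."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        patterns = _as_list(stmt.get("Action", []))
        # IAM action names are case-insensitive and accept * and ? wildcards.
        hit = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
        if hit and stmt["Effect"] == "Deny":
            return False
        if hit and stmt["Effect"] == "Allow":
            allowed = True
    return allowed

def required_action(version_id):
    """A delete entry that names a version needs the versioned-delete action."""
    return "s3:DeleteObjectVersion" if version_id else "s3:DeleteObject"

def denied_entries(policy, key_versions):
    """Return the (key, versionId) pairs the policy would not allow deleting."""
    return [(key, vid) for key, vid in key_versions
            if not action_allowed(policy, required_action(vid))]

# Constructed bulk delete as issued during rename(): the first status came from
# an unguarded listing (no versionId), the second from S3Guard's table.
BULK_DELETE = [("data/part-0000", None),
               ("data/part-0001", "v-constructed-0001")]

if __name__ == "__main__":
    for key, vid in denied_entries(SAMPLE_POLICY, BULK_DELETE):
        print(f"would be denied: {key} (versionId={vid})")
```
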