[ https://issues.apache.org/jira/browse/HADOOP-15525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16506673#comment-16506673 ]

Aaron Fabbri commented on HADOOP-15525:
---------------------------------------

Thanks [~poeppt]. We do have assume role support in S3A (HADOOP-15176). I'd 
like to add:
 # Documentation with IAM policy examples on how to achieve the scenario listed here.
 # Probably: some integration tests that confirm it works as expected – and keeps working in the future.
 # Along the way, any features we think we need to simplify usage, etc. can get new JIRAs.

This will greatly simplify things for end users that are trying to achieve this 
because the way directories are emulated, and the implication for required 
permissions, is not obvious.

> s3a: clarify / improve support for mixed ACL buckets
> ----------------------------------------------------
>
>                 Key: HADOOP-15525
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15525
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: fs/s3
>    Affects Versions: 3.0.0
>            Reporter: Aaron Fabbri
>            Assignee: Aaron Fabbri
>            Priority: Major
>
> Scenario: customer wants to only give a Hadoop cluster access to a subtree of 
> an S3 bucket.
> For example, assume Hadoop uses some IAM identity "hadoop", which they wish 
> to grant full permission to everything under the following path:
> s3a://bucket/a/b/c/hadoop-dir
> they don't want hadoop user to be able to read/list/delete anything outside 
> of the hadoop-dir "subdir"
> Problems: 
> To implement the "directory structure on flat key space" emulation logic we 
> use to present a Hadoop FS on top of a blob store, we need to create / delete 
> / list ancestors of {{hadoop-dir}}. (to maintain the invariants (1) zero-byte 
> object with key ending in '/' exists iff empty directory is there and (2) 
> files cannot live beneath files, only directories.)
> I'd like us to either (1) document a workaround (example IAM ACLs) that gets 
> this basic functionality, and/or (2) make improvements to make this less 
> painful.
> We've discussed some of these issues before but I didn't see a dedicated JIRA.
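As an added example (not part of the issue or of the Hadoop code base), a small Python generator for the kind of scoped IAM policy the comment wants documented: full object access under the subtree from the issue, listing restricted to that subtree and its ancestors, and object access on the ancestor directory-marker keys only, since the directory emulation needs to list, create and delete those. The exact S3 action set and the assumption that only the marker keys (not their siblings) are needed are mine, not verified against S3A; the `object_access_allowed` checker is a constructed sanity check, not an IAM simulator.

```python
import fnmatch
import json

# Constructed inputs; the bucket name and subtree path are the ones in the issue.
BUCKET = "bucket"
SUBTREE = "a/b/c/hadoop-dir"


def ancestor_markers(subtree):
    """Marker keys of every ancestor directory: 'a/', 'a/b/', 'a/b/c/'.
    Invariant (1) in the issue ties an empty directory to a zero-byte key ending
    in '/', so these are the keys S3A must be able to list, create and delete."""
    parts = subtree.strip("/").split("/")
    return ["/".join(parts[:i]) + "/" for i in range(1, len(parts))]


def build_policy(bucket, subtree):
    """Least-privilege policy sketch (assumed action set, not verified against S3A)."""
    subtree = subtree.strip("/")
    markers = ancestor_markers(subtree)
    arn = f"arn:aws:s3:::{bucket}"
    obj_actions = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListSubtreeAndAncestors", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": arn,  # listing is limited by prefix, never the whole bucket
         "Condition": {"StringLike": {"s3:prefix": markers + [subtree + "/*"]}}},
        {"Sid": "SubtreeObjects", "Effect": "Allow", "Action": obj_actions,
         "Resource": f"{arn}/{subtree}/*"},  # '*' also covers the subtree's own marker
        {"Sid": "AncestorMarkersOnly", "Effect": "Allow", "Action": obj_actions,
         "Resource": [f"{arn}/{m}" for m in markers]},  # the marker keys, not siblings
    ]}


def object_access_allowed(policy, bucket, key):
    """True if an Allow statement with object actions matches this key's ARN.
    Plain glob match on resource ARNs; ignores Deny, enough to check the scoping."""
    target = f"arn:aws:s3:::{bucket}/{key}"
    for st in policy["Statement"]:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if "s3:GetObject" not in acts:
            continue
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(fnmatch.fnmatchcase(target, r) for r in res):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(build_policy(BUCKET, SUBTREE), indent=2))
```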
