[
https://issues.apache.org/jira/browse/HADOOP-17397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17241056#comment-17241056
]
Thomas Marquardt commented on HADOOP-17397:
------------------------------------------
Unfortunately, this was not the correct fix.
DelegationSASGenerator.getDelegationSAS should return sp=p for the
set-permission and set-acl operations. The tests should be updated to do the
following:
# When saoid and suoid are not specified, skoid must have an RBAC role
assignment which grants
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action
and sp=p in order to set permissions or set ACL.
# When saoid or suoid is specified, same as 1) but furthermore the saoid or
suoid must be an owner of the file or directory in order for the operation to
succeed.
# When saoid or suoid is specified, the ownership check is bypassed by also
including 'o' (ownership) in the SAS permission (for example, sp=op). Note
that 'o' grants the saoid or suoid the ability to change the file or directory
owner to themself, and they can also change the owning group. Generally
speaking, if a trusted authorizer would like to give a user the ability to
change the permissions or ACL, then that user should be the file or directory
owner.
> ABFS: SAS Test updates for version and permission update
> --------------------------------------------------------
>
> Key: HADOOP-17397
> URL: https://issues.apache.org/jira/browse/HADOOP-17397
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: fs/azure
> Affects Versions: 3.3.0
> Reporter: Sneha Vijayarajan
> Assignee: Sneha Vijayarajan
> Priority: Major
> Labels: pull-request-available
> Fix For: 3.3.1
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> This Jira will track the below 2 updates to SAS test code:
> # Upgrading the SAS version in Service SAS generator (test code)
> # Updating the permission in Delegation SAS to "op" from "p" for ACL
> operation as identities added as suoid/saoid added by tests are not owners of
> test path (Again test code).
> Relevant public documentation:
> https://docs.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas#specify-a-signed-object-id-for-a-security-principal-preview
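Added example, not part of the Jira comment or the Hadoop code base: a small Python model of the three rules listed in the comment above for set-permission and set-ACL with a delegation SAS, plus a check for SAS tokens that hand 'o' to a saoid/suoid. The object ids, the RBAC table and the function names are constructed for illustration; it models the rules as stated in the comment, not the storage service's implementation.

```python
from urllib.parse import parse_qs

MODIFY_PERMISSIONS = ("Microsoft.Storage/storageAccounts/blobServices/"
                      "containers/blobs/modifyPermissions/action")

def _params(sas_query):
    # Keep the first value of each SAS query parameter.
    return {k: v[0] for k, v in parse_qs(sas_query.lstrip("?")).items()}

def may_change_permissions(sas_query, rbac_actions, path_owner):
    """Return (allowed, reason) for set-permission / set-ACL.

    sas_query    -- SAS query string carrying sp, skoid and optionally saoid/suoid
    rbac_actions -- dict: object id -> set of granted RBAC actions (constructed)
    path_owner   -- object id that owns the file or directory (constructed)
    """
    q = _params(sas_query)
    sp, skoid = q.get("sp", ""), q.get("skoid")
    agent = q.get("saoid") or q.get("suoid")
    # Rule 1: skoid needs the RBAC action and the SAS must carry 'p'.
    if MODIFY_PERMISSIONS not in rbac_actions.get(skoid, set()):
        return False, "skoid lacks the modifyPermissions RBAC action"
    if "p" not in sp:
        return False, "sp does not include 'p'"
    if agent is None:
        return True, "rule 1: no saoid/suoid, RBAC and sp=p suffice"
    # Rule 2: a named saoid/suoid must own the path ...
    if agent == path_owner:
        return True, "rule 2: saoid/suoid owns the path"
    # Rule 3: ... unless 'o' is also present, which bypasses the ownership check.
    if "o" in sp:
        return True, "rule 3: ownership check bypassed by 'o'"
    return False, "saoid/suoid is not the owner and sp lacks 'o'"

def lets_agent_take_ownership(sas_query):
    """True when 'o' is granted to a saoid/suoid, who can then change owner and group."""
    q = _params(sas_query)
    return "o" in q.get("sp", "") and bool(q.get("saoid") or q.get("suoid"))

# Constructed sample state: placeholder object ids, not real identities.
RBAC = {"skoid-1": {MODIFY_PERMISSIONS}, "skoid-2": set()}
OWNER = "user-owner"

if __name__ == "__main__":
    for sas in ("sp=p&skoid=skoid-1",
                "sp=p&skoid=skoid-1&saoid=user-other",
                "sp=op&skoid=skoid-1&saoid=user-other"):
        print(sas, may_change_permissions(sas, RBAC, OWNER),
              lets_agent_take_ownership(sas))
```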