[jira] [Created] (RANGER-3731) Ranger policy enforcement for Ozone does not seem consistent based on the policy resources

Fri, 22 Apr 2022 01:49:07 -0700 

Abhishek created RANGER-3731:
--------------------------------

             Summary: Ranger policy enforcement for Ozone does not seem 
consistent based on the policy resources
                 Key: RANGER-3731
                 URL: https://issues.apache.org/jira/browse/RANGER-3731
             Project: Ranger
          Issue Type: Bug
          Components: Ranger
            Reporter: Abhishek


With the following Ozone policy,
{code:java}
Policy resources - volume - *, bukcet - *, key - *
All access provided to hrt_1 user{code}

The hrt_1 user is able to perform the following ls operation :-
{code:java}
ozone fs -ls -R 
o3fs://test-bucket-nzxvfhn.test-volume-nzxvfhn.ozone1/test_dir_nzxvfhn_1/dir1_nzxvfhn
drwxrwxrwx   - hrt_1 hrt_1          0 2022-04-22 04:23 
o3fs://test-bucket-nzxvfhn.test-volume-nzxvfhn.ozone1/test_dir_nzxvfhn_1/dir1_nzxvfhn/dir1
drwxrwxrwx   - hrt_1 hrt_1          0 2022-04-22 04:23 
o3fs://test-bucket-nzxvfhn.test-volume-nzxvfhn.ozone1/test_dir_nzxvfhn_1/dir1_nzxvfhn/dir1/dir11
 {code}

But with the following policy,
{code:java}
Policy resources - volume - *, bucket - *, key - test_dir_*_1
All access provided to hrt_1 user 
{code}

The hrt_1 user is not able to access the key dir and the access is denied to 
the user
at the volume level itself. The user is not allowed access on the volume and to 
the bucket even if the policy resource has a wildcard "*" to allow access on 
bucket and volume.
{code:java}
ozone fs -ls -R 
o3fs://test-bucket-nzxvfhn.test-volume-nzxvfhn.ozone1/test_dir_nzxvfhn_1/dir1_nzxvfhn
22/04/22 07:08:00 WARN fs.FileSystem: Failed to initialize fileystem 
o3fs://test-bucket-nzxvfhn.test-volume-nzxvfhn.ozone1/test_dir_nzxvfhn_1/dir1_nzxvfhn:
 PERMISSION_DENIED org.apache.hadoop.ozone.om.exceptions.OMException: User 
hrt_1 doesn't have READ permission to access volume Volume:test-volume-nzxvfhn 
ls: User hrt_1 doesn't have READ permission to access volume 
Volume:test-volume-nzxvfhn  {code}

The behaviour does not seem consistent when the policy resource for key 
contains a "*" and when the policy resource for key contains a specific value.
The behavior should be consistent in both the cases



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

Reply via email to