ntroutman opened a new pull request #3811: URL: https://github.com/apache/zeppelin/pull/3811
### What is this PR for?

When S3NotebookRepo saves a notebook into S3 it does so without granting the bucket owner full control of the object; this means that the owning AWS account cannot read the notebook, only the creating AWS account. This causes issues when a notebook bucket is shared across AWS accounts. This PR introduces the configuration value "zeppelin.notebook.s3.cannedAcl" which will override the default object permissions when saving a notebook to S3. This allows granting the bucket owner full control when the writer and the bucket owner are different AWS accounts.

### What type of PR is it?

Improvement/Feature

### Todos

* [ ] N/A

### What is the Jira issue?

https://issues.apache.org/jira/browse/ZEPPELIN-4896

### How should this be tested?

#### Unit-Tests

Unfortunately unit tests are not possible, as gaul.S3Proxy does not support object ACLs, throwing a NotImplemented exception if you attempt to use PutRequest.withCannedAcl for any value other than public or private (see https://github.com/gaul/s3proxy#limitations).

#### Manual Testing

1. Have two AWS accounts, "account-a" and "account-b"
2. Create a bucket "notebook-bucket" in "account-a" and grant "account-b" permissions to write to it
3. Set up zeppelin-site.xml for S3NotebookRepo WITHOUT the Canned ACL feature and with AWS credentials for "account-b"
4. Launch zeppelin, create a new note titled "WithoutACL", and shut down zeppelin
5. Verify that the permissions on the S3 object do NOT grant the bucket owner "account-a" permissions

   ```
   aws s3api get-object-acl --bucket notebook-bucket --key test-user/notebook/WithoutACL_2FD4NFYTU.zpln
   {
     "Owner": {
       "DisplayName": "account-b",
       "ID": "1e9...e4"
     },
     "Grants": [
       {
         "Grantee": {
           "DisplayName": "account-b",
           "ID": "1e9...e4",
           "Type": "CanonicalUser"
         },
         "Permission": "FULL_CONTROL"
       }
     ]
   }
   ```

6. Edit zeppelin-site.xml enabling "zeppelin.notebook.s3.cannedAcl" as "BucketOwnerFullControl"
7. Launch zeppelin, create a new note titled "WithACL", and shut down zeppelin
8. Verify that the permissions on the S3 object DO GRANT the bucket owner, "account-a", full control

   ```
   aws s3api get-object-acl --bucket notebook-bucket --key test-user/notebook/WithACL_2FCXTUS3M.zpln
   {
     "Owner": {
       "DisplayName": "account-b",
       "ID": "1e9...e4"
     },
     "Grants": [
       {
         "Grantee": {
           "DisplayName": "account-b",
           "ID": "1e9...e4",
           "Type": "CanonicalUser"
         },
         "Permission": "FULL_CONTROL"
       },
       {
         "Grantee": {
           "DisplayName": "account-a",
           "ID": "f60...ee",
           "Type": "CanonicalUser"
         },
         "Permission": "FULL_CONTROL"
       }
     ]
   }
   ```

### Screenshots (if appropriate)

### Questions:

* Do the license files need an update? No
* Are there breaking changes for older versions? No
* Does this need documentation? Yes, added relevant documentation alongside the existing S3 Notebook Repo documentation.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at: [email protected]
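The manual test above reads the `aws s3api get-object-acl` output by eye. The following added example (not part of the Zeppelin PR or project) automates that check for a cross-account bucket: given the ACL JSON in the shape shown in the PR and the bucket owner's canonical ID, it reports whether the object was written by another account and whether that bucket owner holds a FULL_CONTROL grant, which is exactly what the new `zeppelin.notebook.s3.cannedAcl` setting is meant to guarantee. The sample ACLs and the truncated canonical IDs are constructed placeholders modelled on the PR text; the `audit_object_acl` helper and its result keys are this example's own names.

```python
"""Audit an S3 object ACL for a bucket-owner FULL_CONTROL grant.

Added example, not code from the Zeppelin PR. Input is the JSON printed by
`aws s3api get-object-acl` (Owner + Grants), as shown in the PR's manual test.
"""
import json
import sys

# Constructed sample ACLs modelled on the PR output; the canonical IDs are
# truncated placeholders, not real AWS account identifiers.
ACL_WITHOUT_CANNED_ACL = """
{
  "Owner": {"DisplayName": "account-b", "ID": "1e9...e4"},
  "Grants": [
    {"Grantee": {"DisplayName": "account-b", "ID": "1e9...e4", "Type": "CanonicalUser"},
     "Permission": "FULL_CONTROL"}
  ]
}
"""

ACL_WITH_CANNED_ACL = """
{
  "Owner": {"DisplayName": "account-b", "ID": "1e9...e4"},
  "Grants": [
    {"Grantee": {"DisplayName": "account-b", "ID": "1e9...e4", "Type": "CanonicalUser"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"DisplayName": "account-a", "ID": "f60...ee", "Type": "CanonicalUser"},
     "Permission": "FULL_CONTROL"}
  ]
}
"""

# account-a owns the bucket in the PR's scenario (constructed placeholder ID).
BUCKET_OWNER_ID = "f60...ee"


def audit_object_acl(acl_json: str, bucket_owner_id: str) -> dict:
    """Return who owns the object and whether the bucket owner can fully control it.

    `bucket_owner_locked_out` is True for the failure mode the PR fixes: the
    object was written by a different account and no grant gives the bucket
    owner FULL_CONTROL, so the owning account cannot read the notebook.
    """
    acl = json.loads(acl_json)
    object_owner_id = acl["Owner"]["ID"]

    # Look only at CanonicalUser grants; group grants (e.g. AllUsers) do not
    # identify a specific account and are ignored for this check.
    owner_has_full_control = any(
        grant.get("Grantee", {}).get("Type") == "CanonicalUser"
        and grant["Grantee"].get("ID") == bucket_owner_id
        and grant.get("Permission") == "FULL_CONTROL"
        for grant in acl.get("Grants", [])
    )
    cross_account = object_owner_id != bucket_owner_id
    return {
        "object_owner": object_owner_id,
        "cross_account": cross_account,
        "bucket_owner_full_control": owner_has_full_control,
        "bucket_owner_locked_out": cross_account and not owner_has_full_control,
    }


if __name__ == "__main__":
    # Usage: aws s3api get-object-acl --bucket B --key K | python acl_audit.py <bucket-owner-canonical-id>
    owner_id = sys.argv[1] if len(sys.argv) > 1 else BUCKET_OWNER_ID
    result = audit_object_acl(sys.stdin.read(), owner_id)
    print(json.dumps(result, indent=2))
    sys.exit(1 if result["bucket_owner_locked_out"] else 0)
```

Run against the two objects from the manual test, the "WithoutACL" object reports `bucket_owner_locked_out: true` and the "WithACL" object (written with `BucketOwnerFullControl`) reports `false`; piping a live `get-object-acl` result through the script gives a non-zero exit status for any notebook the bucket owner could not read.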
