[
https://issues.apache.org/jira/browse/HDDS-939?focusedWorklogId=217448&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-217448
]
ASF GitHub Bot logged work on HDDS-939:
---------------------------------------
Author: ASF GitHub Bot
Created on: 22/Mar/19 21:43
Start Date: 22/Mar/19 21:43
Worklog Time Spent: 10m
Work Description: ajayydv commented on issue #634: HDDS-939. Add S3
access check to Ozone manager. Contributed by Ajay Kumar.
URL: https://github.com/apache/hadoop/pull/634#issuecomment-475793501
> So instead of an md5Hex of Kerberos, we now store accessKey as the original
> Kerberos user.
>
> So that for Ozone S3, in OM when the ACL check happens, it will be a Kerberos
> user. So, the ACL check for Ozone S3 happens. (Not sure if my understanding is
> completely correct here?)
>
> But with this we have an issue, because internally when a bucket is created
> (S3 bucket), we consider the volume name as awsaccessKeyID. With this, our volume
> name can have '/', '.' characters. The volume creation fails. (Because we do
> validate the name in RpcClient by calling verifyResourceName.) We need to change
> the logic over there. Previously we didn't see any issue because it was md5Hex.
>
> I think if the awsAccessKey does not have a realm, if it has just the name, we
> shall not see the issue.
@bharatviswa504 thanks for bringing this up. Updated the PR to handle this by
normalizing the userId if it is a Kerberos ID.
Issue Time Tracking
-------------------
Worklog Id: (was: 217448)
Time Spent: 1h (was: 50m)
> Add S3 access check to Ozone manager
> ------------------------------------
>
> Key: HDDS-939
> URL: https://issues.apache.org/jira/browse/HDDS-939
> Project: Hadoop Distributed Data Store
> Issue Type: Bug
> Components: Ozone Manager, S3
> Reporter: Anu Engineer
> Assignee: Ajay Kumar
> Priority: Blocker
> Labels: pull-request-available
> Time Spent: 1h
> Remaining Estimate: 0h
>
> Add the mapping from S3 User Identity to UGI inside Ozone Manager. Also add
> the access check permission, that is, call into the checkAccess, which will be
> intercepted by Ranger or Ozone access check.