[
https://issues.apache.org/jira/browse/HDDS-4755?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
UENISHI Kota updated HDDS-4755:
-------------------------------
Description:
Even when a bucket has an ACL like "world::a" or "anonymous::a", nobody other than the owner can create any key in the bucket. I believe it's not only me, and it's reproducible with the following sequence:
As an admin user:
1. ozone sh volume addacl -a "world::a" /s3v
2. ozone sh bucket create /s3v/sandbox
3. ozone sh bucket addacl -a "world::a" /s3v/sandbox
Which yields the following ACL state:
$ bin/ozone sh volume getacl /s3v
[ {
"type" : "USER",
"name" : "ozone",
"aclScope" : "ACCESS",
"aclList" : [ "ALL" ]
}, {
"type" : "GROUP",
"name" : "hadoop",
"aclScope" : "ACCESS",
"aclList" : [ "ALL" ]
}, {
"type" : "GROUP",
"name" : "ozone",
"aclScope" : "ACCESS",
"aclList" : [ "ALL" ]
}, {
"type" : "WORLD",
"name" : "WORLD",
"aclScope" : "ACCESS",
"aclList" : [ "READ", "CREATE", "LIST", "READ_ACL" ]
}, {
"type" : "ANONYMOUS",
"name" : "ANONYMOUS",
"aclScope" : "ACCESS",
"aclList" : [ "READ", "LIST" ]
} ]
$ bin/ozone sh bucket getacl /s3v/sandbox
[ {
"type" : "USER",
"name" : "[email protected]",
"aclScope" : "ACCESS",
"aclList" : [ "ALL" ]
}, {
"type" : "GROUP",
"name" : "hdfs",
"aclScope" : "ACCESS",
"aclList" : [ "ALL" ]
}, {
"type" : "GROUP",
"name" : "hadoop",
"aclScope" : "ACCESS",
"aclList" : [ "ALL" ]
},
{
"type" : "WORLD",
"name" : "WORLD",
"aclScope" : "ACCESS",
"aclList" : [ "ALL" ]
} ]
And then I tried to create a key as another user, but it fails:
$ bin/ozone sh key put /s3v/sandbox/hello.txt hello.txt
PERMISSION_DENIED User [email protected] doesn't have CREATE permission to access key
I suspect checkAcls() here:
https://github.com/apache/ozone/blob/6fe3e8ae89fc7fb1701ca420c54c68d87724154b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java#L2162-L2163
which throws PERMISSION_DENIED rather than KEY_NOT_FOUND.
> Can't create key in non-owned bucket although it should be allowed by ACL
> -------------------------------------------------------------------------
>
> Key: HDDS-4755
> URL: https://issues.apache.org/jira/browse/HDDS-4755
> Project: Hadoop Distributed Data Store
> Issue Type: Bug
> Components: OM
> Affects Versions: 1.0.0
> Environment: Secure setup of Ozone 1.0.0
> Reporter: UENISHI Kota
> Priority: Major
>
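The expectation in the report, that the ACL state shown above should let any authenticated user create a key in /s3v/sandbox, can be checked mechanically. The following is an added example and is not Ozone's own authorizer: it parses the two getacl listings quoted in the report and evaluates them under a simplified model whose rules are this example's assumptions (WORLD matches any authenticated caller, ANONYMOUS only a caller without a principal, and creating a not-yet-existing key needs READ on the volume and CREATE on the bucket). The principals "bucket-owner" and "someone-else" are placeholders, since the real principals are obfuscated on the page.

```python
"""Simplified ACL evaluation over the getacl output quoted in the report.

Added illustration: this is NOT Ozone's authorizer. The matching rules and the
"which ACLs a key create needs" rule below are this example's assumptions.
"""
import json
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed input: the two `ozone sh ... getacl` listings from the report.
# The bucket owner's principal is obfuscated on the page, so "bucket-owner"
# stands in for it here.
VOLUME_ACL_JSON = """[
 {"type": "USER",      "name": "ozone",     "aclScope": "ACCESS", "aclList": ["ALL"]},
 {"type": "GROUP",     "name": "hadoop",    "aclScope": "ACCESS", "aclList": ["ALL"]},
 {"type": "GROUP",     "name": "ozone",     "aclScope": "ACCESS", "aclList": ["ALL"]},
 {"type": "WORLD",     "name": "WORLD",     "aclScope": "ACCESS",
  "aclList": ["READ", "CREATE", "LIST", "READ_ACL"]},
 {"type": "ANONYMOUS", "name": "ANONYMOUS", "aclScope": "ACCESS", "aclList": ["READ", "LIST"]}
]"""

BUCKET_ACL_JSON = """[
 {"type": "USER",  "name": "bucket-owner", "aclScope": "ACCESS", "aclList": ["ALL"]},
 {"type": "GROUP", "name": "hdfs",         "aclScope": "ACCESS", "aclList": ["ALL"]},
 {"type": "GROUP", "name": "hadoop",       "aclScope": "ACCESS", "aclList": ["ALL"]},
 {"type": "WORLD", "name": "WORLD",        "aclScope": "ACCESS", "aclList": ["ALL"]}
]"""


@dataclass(frozen=True)
class Requester:
    """name=None models a caller with no Kerberos principal (anonymous)."""
    name: Optional[str]
    groups: FrozenSet[str] = frozenset()


def parse_acls(text: str):
    return json.loads(text)


def entry_matches(entry: dict, who: Requester) -> bool:
    """Assumed matching rules: USER/GROUP by name, WORLD = any authenticated
    caller, ANONYMOUS = caller without a principal."""
    kind = entry["type"]
    if kind == "ANONYMOUS":
        return who.name is None
    if who.name is None:
        return False
    if kind == "WORLD":
        return True
    if kind == "USER":
        return entry["name"] == who.name
    if kind == "GROUP":
        return entry["name"] in who.groups
    return False


def has_right(acls, who: Requester, right: str) -> bool:
    """Grant if any matching ACCESS-scope entry lists `right` or ALL."""
    return any(
        e["aclScope"] == "ACCESS"
        and entry_matches(e, who)
        and ("ALL" in e["aclList"] or right in e["aclList"])
        for e in acls
    )


def can_create_key(volume_acls, bucket_acls, who: Requester) -> bool:
    """Assumed rule for a key that does not exist yet: the caller needs READ on
    the volume and CREATE on the bucket (the missing key has no ACL to check).
    OM's exact traversal may differ; this is the example's model only."""
    return has_right(volume_acls, who, "READ") and has_right(bucket_acls, who, "CREATE")


def evaluate_report_state() -> dict:
    """Decisions the quoted ACL state yields under this model."""
    vol = parse_acls(VOLUME_ACL_JSON)
    bkt = parse_acls(BUCKET_ACL_JSON)
    # Constructed principals: a non-owner with no group grants, and an
    # anonymous caller.
    other = Requester("someone-else")
    anon = Requester(None)
    return {
        "other_user_can_create": can_create_key(vol, bkt, other),      # True
        "anonymous_can_create": can_create_key(vol, bkt, anon),        # False
        "other_user_volume_create": has_right(vol, other, "CREATE"),   # True
    }


if __name__ == "__main__":
    for decision, allowed in evaluate_report_state().items():
        print(f"{decision}: {allowed}")
```

Under this model the quoted entries grant the create to any authenticated non-owner (READ on the volume and ALL on the bucket both come from the WORLD entries) and deny it to an anonymous caller (the bucket has no ANONYMOUS entry). Running the same evaluation against a cluster's real getacl output is a quick way to tell whether a PERMISSION_DENIED is explained by the ACL entries or by something in the checking path.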
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]