[ https://issues.apache.org/jira/browse/HDDS-4755?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17272782#comment-17272782 ]
UENISHI Kota commented on HDDS-4755:
------------------------------------
Given that OzoneManager#openKey is only for creating and updating, the argument
of checkAcls()
[here|https://github.com/apache/ozone/blob/6fe3e8ae89fc7fb1701ca420c54c68d87724154b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java#L2162]
should be ACLType.WRITE when a key exists, and CREATE when a key doesn't
exist. Anyhow, the following catch clause is not necessary to handle key
creation, because checkAcls() doesn't do any lookup inside. This is because
it's calling IAccessAuthorizer internally, which shouldn't do any data lookup
IMO.
> Can't create key in non-owned bucket although it should be allowed by ACL
> -------------------------------------------------------------------------
>
> Key: HDDS-4755
> URL: https://issues.apache.org/jira/browse/HDDS-4755
> Project: Hadoop Distributed Data Store
> Issue Type: Bug
> Components: OM
> Affects Versions: 1.0.0
> Environment: Secure setup of Ozone 1.0.0
> Reporter: UENISHI Kota
> Priority: Major
>
> Even if a bucket has an ACL like "world::a" or "anonymous::a", no one
> other than the owner can create any key in the bucket. I believe it's not
> only me, and it's reproducible with the following sequence:
> As an admin user:
> 1. ozone sh volume addacl -a "world::a" /s3v
> 2. ozone sh bucket create /s3v/sandbox
> 3. ozone sh bucket addacl -a "world::a" /s3v/sandbox
> Which yields the following ACL state:
> $ bin/ozone sh volume getacl /s3v
> [ {
> "type" : "USER",
> "name" : "ozone",
> "aclScope" : "ACCESS",
> "aclList" : [ "ALL" ]
> }, {
> "type" : "GROUP",
> "name" : "hadoop",
> "aclScope" : "ACCESS",
> "aclList" : [ "ALL" ]
> }, {
> "type" : "GROUP",
> "name" : "ozone",
> "aclScope" : "ACCESS",
> "aclList" : [ "ALL" ]
> }, {
> "type" : "WORLD",
> "name" : "WORLD",
> "aclScope" : "ACCESS",
> "aclList" : [ "READ", "CREATE", "LIST", "READ_ACL" ]
> }, {
> "type" : "ANONYMOUS",
> "name" : "ANONYMOUS",
> "aclScope" : "ACCESS",
> "aclList" : [ "READ", "LIST" ]
> } ]
> $ bin/ozone sh bucket getacl /s3v/sandbox
> [ {
> "type" : "USER",
> "name" : "[email protected]",
> "aclScope" : "ACCESS",
> "aclList" : [ "ALL" ]
> }, {
> "type" : "GROUP",
> "name" : "hdfs",
> "aclScope" : "ACCESS",
> "aclList" : [ "ALL" ]
> }, {
> "type" : "GROUP",
> "name" : "hadoop",
> "aclScope" : "ACCESS",
> "aclList" : [ "ALL" ]
> },
> {
> "type" : "WORLD",
> "name" : "WORLD",
> "aclScope" : "ACCESS",
> "aclList" : [ "ALL" ]
> } ]
> And then I tried to create a key as another user, but it fails:
> $ bin/ozone sh key put /s3v/sandbox/hello.txt hello.txt
> PERMISSION_DENIED User [email protected] doesn't have CREATE permission to access
> key
>
> I doubt checkAcls()
> [here|https://github.com/apache/ozone/blob/6fe3e8ae89fc7fb1701ca420c54c68d87724154b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java#L2162-L2163],
> which throws PERMISSION_DENIED rather than KEY_NOT_FOUND.
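The comment above argues that the open-key path should ask the authorizer for CREATE when the key does not yet exist and WRITE when it does, and that the authorizer itself should never perform a data lookup. The following toy model is an added example written for this discussion; it is not Ozone's code. It assumes the ACL spec strings in the issue ("world::a") follow the form type:name:rights with right letters r, w, c, d, l, a (plus x and y for READ_ACL/WRITE_ACL), and that a principal is a user name plus group names. The point it shows: the caller decides which right is needed after its own existence check, the authorizer stays a pure function over the ACL list, and a caller that cannot create in a world-writable bucket is a bug in the required-right choice, not in the authorizer.

```python
"""Toy model of the CREATE-vs-WRITE decision on an open-key path.

Added example, not Ozone's code. Assumptions: ACL spec strings look like
"world::a" / "user:alice:rw"; right letters are r/w/c/d/l/x/y/a; a principal
is a user name plus a set of group names.
"""
from dataclasses import dataclass

# Right letters -> right names (assumed mapping, mirrors the names shown in
# the issue's getacl output).
RIGHTS = {
    "r": "READ", "w": "WRITE", "c": "CREATE", "d": "DELETE",
    "l": "LIST", "x": "READ_ACL", "y": "WRITE_ACL",
}
ALL = frozenset(RIGHTS.values())


@dataclass(frozen=True)
class AclEntry:
    type: str            # USER, GROUP, WORLD or ANONYMOUS
    name: str
    rights: frozenset


def parse_acl(spec: str) -> AclEntry:
    """Parse "world::a" or "user:alice:rw" into an AclEntry."""
    kind, name, letters = spec.split(":")
    rights = ALL if letters == "a" else frozenset(RIGHTS[ch] for ch in letters)
    return AclEntry(kind.upper(), name, rights)


@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset
    anonymous: bool = False


def entry_applies(entry: AclEntry, who: Principal) -> bool:
    """Does this ACL entry cover the caller at all?"""
    if entry.type == "WORLD":
        return True
    if entry.type == "ANONYMOUS":
        return who.anonymous
    if entry.type == "USER":
        return entry.name == who.user
    if entry.type == "GROUP":
        return entry.name in who.groups
    return False


def check_acl(acls, who: Principal, needed: str) -> bool:
    """Pure authorization decision: no key or bucket lookup happens here."""
    return any(entry_applies(e, who) and needed in e.rights for e in acls)


def required_acl_for_open_key(key_exists: bool) -> str:
    """Creating a new key needs CREATE; overwriting an existing one needs WRITE."""
    return "WRITE" if key_exists else "CREATE"


class PermissionDenied(Exception):
    pass


def open_key(bucket_acls, existing_keys, who: Principal, key: str) -> str:
    """The caller does the existence lookup, then asks the authorizer once.

    Returns the right that was checked so the decision is observable.
    """
    needed = required_acl_for_open_key(key in existing_keys)
    if not check_acl(bucket_acls, who, needed):
        raise PermissionDenied(
            f"User {who.user} doesn't have {needed} permission to access key")
    return needed


if __name__ == "__main__":
    # Constructed sample: a bucket with "world::a", as in the issue.
    acls = [parse_acl("user:ozone:a"), parse_acl("world::a")]
    other = Principal("alice", frozenset({"staff"}))
    print(open_key(acls, set(), other, "hello.txt"))          # CREATE
    print(open_key(acls, {"hello.txt"}, other, "hello.txt"))  # WRITE
```

Because `check_acl` never touches the key table, a PERMISSION_DENIED result can only come from the ACL list and the right the caller asked for; a missing key is the caller's lookup to report, which is why a catch clause around the ACL check cannot turn a denial into KEY_NOT_FOUND.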