ChenSammi edited a comment on pull request #2009:
URL: https://github.com/apache/ozone/pull/2009#issuecomment-797336829


   > 
   > 
   > > > Thanks @ChenSammi for working on this. The patch LGTM overall. One 
concern I have: After this change, we will need corresponding changes on the 
s3v and bucket acls. This can be either manual or as part of (get s3 secret) so 
that when the acl check is enforced, MPU will not fail unexpectedly.
   > > 
   > > 
   > > @xiaoyuyao , I didn't understand your concern clearly. Would you explain 
it a little more?
   > 
   > My concern is that previously, the S3 secret gave users permission to 
access buckets under s3v. Now, additional permission must be provisioned on top 
of it to allow the user to read/write using the S3 secret.
   > 
   > Should this one wait to use S3 acl mapping or expect ACL for s3 users 
configured via Kerberos?
   
   @xiaoyuyao , the current ACL check depends on whether "ozone.acl.enabled" is 
true; it doesn't check whether "ozone.security.enabled" is true or not. In 
our production cluster, "ozone.acl.enabled" is true and 
"ozone.security.enabled" is false. I did some more testing: small objects 
uploaded through S3G are already controlled by the bucket ACL. Only large 
object uploading currently has no ACL check.
   
   HDFS uses the "hadoop.security.authentication" property to control 
authentication, "simple" or "kerberos". "simple" is equivalent to 
"ozone.security.enabled" false; "kerberos" is equivalent to "ozone.security.enabled" 
true. HDFS uses the "dfs.permissions.enabled" property to control whether the 
permission check should be enforced, similar to the Ozone "ozone.acl.enabled" 
property. So generally, I think Ozone has the same security control pattern 
as HDFS. The permission check doesn't require Kerberos authentication.
   
   I'm not very familiar with the S3 secret. Is it like a user password, which allows 
the user to pass authentication?
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]



---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

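The comment above compares two independent switches, authentication ("ozone.security.enabled", "hadoop.security.authentication") and authorization ("ozone.acl.enabled", "dfs.permissions.enabled"). The following is an added example, not code from the Ozone project or from either commenter: a small Python checker that parses Hadoop-style XML configuration and reports which mode each switch puts the cluster in. The defaults used for absent properties and the sample configurations are assumptions constructed for the example; check them against the ozone-default.xml, core-default.xml and hdfs-default.xml of your own release.

```python
# Added example (not Ozone project code): report the authentication mode and
# the authorization (permission/ACL) switch from Hadoop-style XML config files,
# for both the Ozone property names and their HDFS counterparts.
import xml.etree.ElementTree as ET

# Assumed defaults for properties that are absent from the file. These are an
# assumption of this example; verify against your release's *-default.xml.
ASSUMED_DEFAULTS = {
    "ozone.security.enabled": "false",
    "ozone.acl.enabled": "false",
    "hadoop.security.authentication": "simple",
    "dfs.permissions.enabled": "true",
}


def parse_hadoop_config(xml_text):
    """Parse <configuration><property><name/><value/></property>... into a dict."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name is None:
            continue
        props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def _flag(props, name):
    """Lower-cased value of a property, falling back to the assumed default."""
    return props.get(name, ASSUMED_DEFAULTS[name]).strip().lower()


def security_mode(props):
    """Return (authentication, authorization) for a parsed configuration.

    authentication is "simple" or "kerberos"; authorization is "enabled" or
    "disabled". If either Ozone property is present the Ozone switches are
    used, otherwise the HDFS ones, following the analogy drawn in the comment.
    """
    if "ozone.security.enabled" in props or "ozone.acl.enabled" in props:
        auth = "kerberos" if _flag(props, "ozone.security.enabled") == "true" else "simple"
        authz = "enabled" if _flag(props, "ozone.acl.enabled") == "true" else "disabled"
    else:
        auth = _flag(props, "hadoop.security.authentication")
        authz = "enabled" if _flag(props, "dfs.permissions.enabled") == "true" else "disabled"
    return auth, authz


def describe(props):
    """One-line human-readable summary, flagging ACLs without authentication."""
    auth, authz = security_mode(props)
    msg = f"authentication={auth}, permission checks={authz}"
    if authz == "enabled" and auth == "simple":
        # With simple authentication the server takes the user name the client
        # presents at face value, so the ACL decision rests on an unverified identity.
        msg += " (ACLs are checked against the client-asserted user name)"
    return msg


# Constructed sample configurations for the example (not from a real cluster).
# Mirrors the production setting described in the comment: ACLs on, security off.
OZONE_SITE = """<configuration>
  <property><name>ozone.acl.enabled</name><value>true</value></property>
  <property><name>ozone.security.enabled</name><value>false</value></property>
</configuration>"""

# In a real deployment these two live in core-site.xml and hdfs-site.xml
# respectively; they are merged into one document here for brevity.
HDFS_CONFIG = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>dfs.permissions.enabled</name><value>true</value></property>
</configuration>"""


if __name__ == "__main__":
    for label, text in (("ozone", OZONE_SITE), ("hdfs", HDFS_CONFIG)):
        print(label, describe(parse_hadoop_config(text)))
```

Point the script at your own ozone-site.xml (or core-site.xml plus hdfs-site.xml) to see which combination a cluster is actually running; the two switches are read independently, which is exactly the behaviour the comment describes for Ozone's ACL check.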