[
https://issues.apache.org/jira/browse/HDDS-5031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17310929#comment-17310929
]
Vivek Ratnavel Subramanian commented on HDDS-5031:
--------------------------------------------------
[~kmizumar] [~Sammi] Just to clarify, are you talking about the initial ACLs
set for the target bucket during bucket creation? And your expectation is that
the target bucket has the same set of ACLs as the source bucket which can then
be modified by the user who created the bucket link?
> Different ACLs depending on the access path
> -------------------------------------------
>
> Key: HDDS-5031
> URL: https://issues.apache.org/jira/browse/HDDS-5031
> Project: Apache Ozone
> Issue Type: Bug
> Components: Security
> Affects Versions: 1.1.0
> Environment: * CentOS Linux release 7.6.1810 (Core)
> * OpenJDK Runtime Environment 18.9 (build 11.0.10+9-LTS)
> * Ozone 1.1.0-SNAPSHOT (commit 79a9d39da7f33e71bc00183e280105562354cca4)
> * Docker Engine - Community 20.10.5
> Reporter: Kiyoshi Mizumaru
> Priority: Major
>
> We have noticed the following facts and would like to confirm whether this is
> the intended behavior or a problem that needs to be fixed. As of now, a
> bucket can be accessed by creating a symlink and applying a different ACL to
> another access path.
> For example, in the following session, /volume-for-anonymous/bucket-a and
> /s3v/bucket-a are pointing to the same bucket but have different ACL
> settings. Is this the intended behavior of the design?
> {code:java}
> λ ~/IdeaProjects/ozone/hadoop-ozone/dist/target/ozone-1.1.0-SNAPSHOT/compose/ozone/ master docker-compose ps
> Name               Command                          State   Ports
> ------------------------------------------------------------------------------------------------------------
> ozone_datanode_1   /usr/local/bin/dumb-init - ...   Up      0.0.0.0:49160->9864/tcp, 0.0.0.0:49159->9882/tcp
> ozone_om_1         /usr/local/bin/dumb-init - ...   Up      0.0.0.0:9862->9862/tcp, 0.0.0.0:9874->9874/tcp
> ozone_recon_1      /usr/local/bin/dumb-init - ...   Up      0.0.0.0:9888->9888/tcp
> ozone_s3g_1        /usr/local/bin/dumb-init - ...   Up      0.0.0.0:9878->9878/tcp
> ozone_scm_1        /usr/local/bin/dumb-init - ...   Up      0.0.0.0:9860->9860/tcp, 0.0.0.0:9876->9876/tcp
> λ ~/IdeaProjects/ozone/hadoop-ozone/dist/target/ozone-1.1.0-SNAPSHOT/compose/ozone/ master docker-compose exec datanode bash
> bash-4.2$ PATH=/opt/hadoop/bin:$PATH
> bash-4.2$ type ozone
> ozone is /opt/hadoop/bin/ozone
> bash-4.2$ ozone sh volume list
> {
> "metadata" : { },
> "name" : "s3v",
> "admin" : "hadoop",
> "owner" : "hadoop",
> "quotaInBytes" : -1,
> "quotaInNamespace" : -1,
> "usedNamespace" : 0,
> "creationTime" : "2021-03-25T12:07:42.203Z",
> "modificationTime" : "2021-03-25T12:07:42.203Z",
> "acls" : [ {
> "type" : "USER",
> "name" : "hadoop",
> "aclScope" : "ACCESS",
> "aclList" : [ "ALL" ]
> }, {
> "type" : "GROUP",
> "name" : "users",
> "aclScope" : "ACCESS",
> "aclList" : [ "ALL" ]
> } ]
> }
> bash-4.2$ id
> uid=1000(hadoop) gid=100(users) groups=100(users)
> bash-4.2$ sudo adduser anonymous
> bash-4.2$ id anonymous
> uid=1001(anonymous) gid=1001(anonymous) groups=1001(anonymous)
> bash-4.2$ ozone sh volume create volume-for-anonymous
> bash-4.2$ ozone sh bucket create volume-for-anonymous/bucket-a
> bash-4.2$ ozone sh bucket setacl -a=group:anonymous:a volume-for-anonymous/bucket-a
> ACLs set successfully.
> bash-4.2$ ozone sh bucket getacl volume-for-anonymous/bucket-a
> [ {
> "type" : "GROUP",
> "name" : "anonymous",
> "aclScope" : "ACCESS",
> "aclList" : [ "ALL" ]
> } ]
> bash-4.2$ ozone sh bucket link /volume-for-anonymous/bucket-a /s3v/bucket-a
> bash-4.2$ ozone sh bucket getacl s3v/bucket-a
> [ {
> "type" : "USER",
> "name" : "hadoop",
> "aclScope" : "ACCESS",
> "aclList" : [ "ALL" ]
> }, {
> "type" : "GROUP",
> "name" : "users",
> "aclScope" : "ACCESS",
> "aclList" : [ "ALL" ]
> } ]
> bash-4.2$
> {code}
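An added example, not part of the original message or of the Ozone code base: a Python check that compares the `getacl` output for the two access paths in the session above and lists the grants that exist on only one path. It assumes the JSON shape printed in that session and that `ALL` covers every other right; the function names are hypothetical.

```python
import json

# ACL JSON as printed by `ozone sh bucket getacl` in the session above.
SOURCE_ACL = """[
  {"type": "GROUP", "name": "anonymous", "aclScope": "ACCESS", "aclList": ["ALL"]}
]"""  # volume-for-anonymous/bucket-a
LINK_ACL = """[
  {"type": "USER", "name": "hadoop", "aclScope": "ACCESS", "aclList": ["ALL"]},
  {"type": "GROUP", "name": "users", "aclScope": "ACCESS", "aclList": ["ALL"]}
]"""  # s3v/bucket-a (the link)


def grants(acl_json):
    """Map (type, name, scope) -> set of rights, merging duplicate entries."""
    out = {}
    for entry in json.loads(acl_json):
        key = (entry["type"], entry["name"], entry["aclScope"])
        out.setdefault(key, set()).update(entry["aclList"])
    return out


def extra_rights(have, reference):
    """Rights in `have` not covered by `reference` (assumption: ALL covers any right)."""
    if "ALL" in reference:
        return set()
    return set(have) - set(reference)


def acl_divergence(source_json, link_json):
    """Return the grants that are present on only one access path."""
    src, lnk = grants(source_json), grants(link_json)
    report = {"only_via_link": {}, "only_via_source": {}}
    for key in sorted(set(src) | set(lnk)):
        via_link = extra_rights(lnk.get(key, set()), src.get(key, set()))
        via_source = extra_rights(src.get(key, set()), lnk.get(key, set()))
        if via_link:
            report["only_via_link"][key] = sorted(via_link)
        if via_source:
            report["only_via_source"][key] = sorted(via_source)
    return report


if __name__ == "__main__":
    for side, found in acl_divergence(SOURCE_ACL, LINK_ACL).items():
        for (kind, name, scope), rights in found.items():
            print(f"{side}: {kind}:{name} [{scope}] {','.join(rights)}")
```

The check compares the ACL lists as stored on each path, not the authorization decision the Ozone Manager makes at access time.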