[ https://issues.apache.org/jira/browse/HDDS-5031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17311631#comment-17311631 ]

Kiyoshi Mizumaru commented on HDDS-5031:
----------------------------------------

[~vivekratnavel] No. IMHO, I don't think one bucket should have different ACLs. 
My expectation is that the target bucket has the same set of ACLs as the source 
bucket. And if someone changed the ACLs of the source bucket, the linked bucket 
should be changed to have the same ACLs.

> Different ACLs depending on the access path
> -------------------------------------------
>
>                 Key: HDDS-5031
>                 URL: https://issues.apache.org/jira/browse/HDDS-5031
>             Project: Apache Ozone
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.1.0
>         Environment: * CentOS Linux release 7.6.1810 (Core)
>  * OpenJDK Runtime Environment 18.9 (build 11.0.10+9-LTS)
>  * Ozone 1.1.0-SNAPSHOT (commit 79a9d39da7f33e71bc00183e280105562354cca4)
>  * Docker Engine - Community 20.10.5
>            Reporter: Kiyoshi Mizumaru
>            Priority: Major
>
> We have noticed the following facts and would like to confirm whether this is 
> the intended behavior or a problem that needs to be fixed. As of now, a 
> bucket can be accessed by creating a symlink and applying a different ACL to 
> another access path. 
> For example, in the following session, /volume-for-anonymous/bucket-a and 
> /s3v/bucket-a are pointing to the same bucket but have different ACL 
> settings. Is this the intended behavior of the design?
> {code:java}
> λ ~/IdeaProjects/ozone/hadoop-ozone/dist/target/ozone-1.1.0-SNAPSHOT/compose/ozone/  master docker-compose ps
>       Name                    Command               State                        Ports
> ------------------------------------------------------------------------------------------------------------
> ozone_datanode_1   /usr/local/bin/dumb-init - ...   Up      0.0.0.0:49160->9864/tcp, 0.0.0.0:49159->9882/tcp
> ozone_om_1         /usr/local/bin/dumb-init - ...   Up      0.0.0.0:9862->9862/tcp, 0.0.0.0:9874->9874/tcp
> ozone_recon_1      /usr/local/bin/dumb-init - ...   Up      0.0.0.0:9888->9888/tcp
> ozone_s3g_1        /usr/local/bin/dumb-init - ...   Up      0.0.0.0:9878->9878/tcp
> ozone_scm_1        /usr/local/bin/dumb-init - ...   Up      0.0.0.0:9860->9860/tcp, 0.0.0.0:9876->9876/tcp
> λ ~/IdeaProjects/ozone/hadoop-ozone/dist/target/ozone-1.1.0-SNAPSHOT/compose/ozone/  master docker-compose exec datanode bash
> bash-4.2$ PATH=/opt/hadoop/bin:$PATH
> bash-4.2$ type ozone
> ozone is /opt/hadoop/bin/ozone
> bash-4.2$ ozone sh volume list
> {
>   "metadata" : { },
>   "name" : "s3v",
>   "admin" : "hadoop",
>   "owner" : "hadoop",
>   "quotaInBytes" : -1,
>   "quotaInNamespace" : -1,
>   "usedNamespace" : 0,
>   "creationTime" : "2021-03-25T12:07:42.203Z",
>   "modificationTime" : "2021-03-25T12:07:42.203Z",
>   "acls" : [ {
>     "type" : "USER",
>     "name" : "hadoop",
>     "aclScope" : "ACCESS",
>     "aclList" : [ "ALL" ]
>   }, {
>     "type" : "GROUP",
>     "name" : "users",
>     "aclScope" : "ACCESS",
>     "aclList" : [ "ALL" ]
>   } ]
> }
> bash-4.2$ id
> uid=1000(hadoop) gid=100(users) groups=100(users)
> bash-4.2$ sudo adduser anonymous
> bash-4.2$ id anonymous
> uid=1001(anonymous) gid=1001(anonymous) groups=1001(anonymous)
> bash-4.2$ ozone sh volume create volume-for-anonymous
> bash-4.2$ ozone sh bucket create volume-for-anonymous/bucket-a
> bash-4.2$ ozone sh bucket setacl -a=group:anonymous:a volume-for-anonymous/bucket-a
> ACLs set successfully.
> bash-4.2$ ozone sh bucket getacl volume-for-anonymous/bucket-a
> [ {
>   "type" : "GROUP",
>   "name" : "anonymous",
>   "aclScope" : "ACCESS",
>   "aclList" : [ "ALL" ]
> } ]
> bash-4.2$ ozone sh bucket link /volume-for-anonymous/bucket-a /s3v/bucket-a
> bash-4.2$ ozone sh bucket getacl s3v/bucket-a
> [ {
>   "type" : "USER",
>   "name" : "hadoop",
>   "aclScope" : "ACCESS",
>   "aclList" : [ "ALL" ]
> }, {
>   "type" : "GROUP",
>   "name" : "users",
>   "aclScope" : "ACCESS",
>   "aclList" : [ "ALL" ]
> } ]
> bash-4.2$
> {code}
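As an added illustration (not Apache Ozone code, and not from the reporter or the commenter), the following Python model rebuilds the two access paths from the session quoted above and contrasts two authorization policies: deciding on the ACL list stored on whichever object the caller named (the behaviour the session shows), and resolving a link bucket to its source bucket before deciding (the single-answer behaviour the comment above expects). The Principal, Acl, Bucket and Namespace classes, the READ right and the loop guard in resolve() are all constructed for this example.

```python
"""Toy model of the ACL question in HDDS-5031 (added example, not Ozone code).

Two bucket objects exist: the source bucket and a link bucket that points at
it. Each object stores its own ACL list. If authorization reads the ACL list
of whichever object the caller named, the two access paths can disagree; if
it resolves the link to its source bucket first, both paths give one answer.
Principal, Acl, Bucket and Namespace are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset


@dataclass(frozen=True)
class Acl:
    type: str          # "USER" or "GROUP", as in the `ozone sh ... getacl` output
    name: str
    rights: frozenset  # e.g. {"ALL"} or {"READ", "LIST"}

    def matches(self, p: Principal) -> bool:
        if self.type == "USER":
            return self.name == p.user
        if self.type == "GROUP":
            return self.name in p.groups
        return False

    def grants(self, right: str) -> bool:
        return "ALL" in self.rights or right in self.rights


@dataclass
class Bucket:
    path: str
    acls: tuple
    link_target: Optional[str] = None  # set when this object is a link bucket


class Namespace:
    def __init__(self):
        self.buckets = {}

    def create(self, path, acls):
        self.buckets[path] = Bucket(path, tuple(acls))

    def set_acl(self, path, acls):
        # Replaces the ACL list on the named object only (like `bucket setacl`).
        self.buckets[path].acls = tuple(acls)

    def link(self, source, link_path, acls):
        # The link object gets its own ACL list (the defaults of its volume in
        # the reported session); the source bucket's list is not copied.
        self.buckets[link_path] = Bucket(link_path, tuple(acls), link_target=source)

    def resolve(self, path, max_hops=16):
        # Follow link buckets to the real bucket, refusing loops (constructed guard).
        seen = set()
        b = self.buckets[path]
        while b.link_target is not None:
            if b.path in seen or len(seen) >= max_hops:
                raise ValueError(f"link loop or chain too long at {b.path}")
            seen.add(b.path)
            b = self.buckets[b.link_target]
        return b

    def is_allowed(self, path, principal, right, resolve_links):
        # resolve_links=False: check the ACLs of the object the caller named
        # (the behaviour observed in the issue). resolve_links=True: check the
        # ACLs of the source bucket, so every access path yields one answer.
        bucket = self.resolve(path) if resolve_links else self.buckets[path]
        return any(a.matches(principal) and a.grants(right) for a in bucket.acls)


def build_scenario():
    # Reconstructs the reported session: the source bucket grants only
    # group anonymous; the link in s3v carries the s3v defaults.
    ns = Namespace()
    ns.create("/volume-for-anonymous/bucket-a", [])
    ns.set_acl("/volume-for-anonymous/bucket-a",
               [Acl("GROUP", "anonymous", frozenset({"ALL"}))])
    ns.link("/volume-for-anonymous/bucket-a", "/s3v/bucket-a",
            [Acl("USER", "hadoop", frozenset({"ALL"})),
             Acl("GROUP", "users", frozenset({"ALL"}))])
    return ns


def decisions(resolve_links):
    # Returns {(user, path): allowed} for a READ request under one policy.
    ns = build_scenario()
    hadoop = Principal("hadoop", frozenset({"users"}))
    anon = Principal("anonymous", frozenset({"anonymous"}))
    return {
        (p.user, path): ns.is_allowed(path, p, "READ", resolve_links)
        for p in (hadoop, anon)
        for path in ("/volume-for-anonymous/bucket-a", "/s3v/bucket-a")
    }


if __name__ == "__main__":
    for policy in (False, True):
        print("resolve_links =", policy)
        for key, allowed in decisions(policy).items():
            print("  ", key, "->", "allow" if allowed else "deny")
```

With resolve_links=False the model reproduces the report: user hadoop is denied on /volume-for-anonymous/bucket-a but allowed on /s3v/bucket-a, and the anonymous group sees the opposite split. With resolve_links=True both paths agree for both principals, which is the property a defender would want to check whenever an alias (link, symlink, mount) is added to a namespace: the authorization decision should be taken on the canonical object, and an audit that lists each link beside its target's ACLs makes any drift visible.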



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
