[ https://issues.apache.org/jira/browse/HDDS-5031?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Siddharth Wagle updated HDDS-5031:
----------------------------------
Summary: Documentation: How are ACLs applied w.r.t bucket links (was: Different ACLs depending on the access path)
> Documentation: How are ACLs applied w.r.t bucket links
> -------------------------------------------------------
>
> Key: HDDS-5031
> URL: https://issues.apache.org/jira/browse/HDDS-5031
> Project: Apache Ozone
> Issue Type: Improvement
> Components: Security
> Affects Versions: 1.1.0
> Environment: * CentOS Linux release 7.6.1810 (Core)
> * OpenJDK Runtime Environment 18.9 (build 11.0.10+9-LTS)
> * Ozone 1.1.0-SNAPSHOT (commit 79a9d39da7f33e71bc00183e280105562354cca4)
> * Docker Engine - Community 20.10.5
> Reporter: Kiyoshi Mizumaru
> Priority: Major
>
> We have noticed the following facts and would like to confirm whether this is
> the intended behavior or a problem that needs to be fixed. As of now, a
> bucket can be accessed by creating a symlink and applying a different ACL to
> another access path.
> For example, in the following session, /volume-for-anonymous/bucket-a and
> /s3v/bucket-a are pointing to the same bucket but have different ACL
> settings. Is this the intended behavior of the design?
> {code:java}
> λ ~/IdeaProjects/ozone/hadoop-ozone/dist/target/ozone-1.1.0-SNAPSHOT/compose/ozone/ master docker-compose ps
> Name Command State Ports
> ------------------------------------------------------------------------------------------------------------
> ozone_datanode_1 /usr/local/bin/dumb-init - ... Up 0.0.0.0:49160->9864/tcp, 0.0.0.0:49159->9882/tcp
> ozone_om_1 /usr/local/bin/dumb-init - ... Up 0.0.0.0:9862->9862/tcp, 0.0.0.0:9874->9874/tcp
> ozone_recon_1 /usr/local/bin/dumb-init - ... Up 0.0.0.0:9888->9888/tcp
> ozone_s3g_1 /usr/local/bin/dumb-init - ... Up 0.0.0.0:9878->9878/tcp
> ozone_scm_1 /usr/local/bin/dumb-init - ... Up 0.0.0.0:9860->9860/tcp, 0.0.0.0:9876->9876/tcp
> λ ~/IdeaProjects/ozone/hadoop-ozone/dist/target/ozone-1.1.0-SNAPSHOT/compose/ozone/ master docker-compose exec datanode bash
> bash-4.2$ PATH=/opt/hadoop/bin:$PATH
> bash-4.2$ type ozone
> ozone is /opt/hadoop/bin/ozone
> bash-4.2$ ozone sh volume list
> {
> "metadata" : { },
> "name" : "s3v",
> "admin" : "hadoop",
> "owner" : "hadoop",
> "quotaInBytes" : -1,
> "quotaInNamespace" : -1,
> "usedNamespace" : 0,
> "creationTime" : "2021-03-25T12:07:42.203Z",
> "modificationTime" : "2021-03-25T12:07:42.203Z",
> "acls" : [ {
> "type" : "USER",
> "name" : "hadoop",
> "aclScope" : "ACCESS",
> "aclList" : [ "ALL" ]
> }, {
> "type" : "GROUP",
> "name" : "users",
> "aclScope" : "ACCESS",
> "aclList" : [ "ALL" ]
> } ]
> }
> bash-4.2$ id
> uid=1000(hadoop) gid=100(users) groups=100(users)
> bash-4.2$ sudo adduser anonymous
> bash-4.2$ id anonymous
> uid=1001(anonymous) gid=1001(anonymous) groups=1001(anonymous)
> bash-4.2$ ozone sh volume create volume-for-anonymous
> bash-4.2$ ozone sh bucket create volume-for-anonymous/bucket-a
> bash-4.2$ ozone sh bucket setacl -a=group:anonymous:a volume-for-anonymous/bucket-a
> ACLs set successfully.
> bash-4.2$ ozone sh bucket getacl volume-for-anonymous/bucket-a
> [ {
> "type" : "GROUP",
> "name" : "anonymous",
> "aclScope" : "ACCESS",
> "aclList" : [ "ALL" ]
> } ]
> bash-4.2$ ozone sh bucket link /volume-for-anonymous/bucket-a /s3v/bucket-a
> bash-4.2$ ozone sh bucket getacl s3v/bucket-a
> [ {
> "type" : "USER",
> "name" : "hadoop",
> "aclScope" : "ACCESS",
> "aclList" : [ "ALL" ]
> }, {
> "type" : "GROUP",
> "name" : "users",
> "aclScope" : "ACCESS",
> "aclList" : [ "ALL" ]
> } ]
> bash-4.2$
> {code}
--
This message was sent by Atlassian Jira (v8.3.4#803005)
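The session above shows that `getacl` on the link path returns the link's own ACL, not the source bucket's, so the two access paths can grant different principals. An added audit helper (not Ozone code) that takes the JSON printed by `ozone sh bucket getacl` for the source bucket and for the link and lists every principal whose effective rights differ; the rights it expands "ALL" into are assumed to match Ozone's ACLType enum (READ, WRITE, CREATE, LIST, DELETE, READ_ACL, WRITE_ACL), and the sample inputs are constructed from the session:

```python
import json
from typing import Dict, FrozenSet, List, Tuple

# Rights Ozone's ACLType enumerates (assumption, from the Ozone source as I know it).
# "ALL" expands to this set and "NONE" to the empty set, so grants compare by effect.
ALL_RIGHTS = frozenset(
    {"READ", "WRITE", "CREATE", "LIST", "DELETE", "READ_ACL", "WRITE_ACL"})

Principal = Tuple[str, str, str]  # (type, name, aclScope) as printed by getacl


def parse_getacl(output: str) -> Dict[Principal, FrozenSet[str]]:
    """Turn the JSON printed by `ozone sh bucket getacl` into {principal: rights}."""
    grants: Dict[Principal, set] = {}
    for entry in json.loads(output):
        key = (entry["type"], entry["name"], entry["aclScope"])
        rights = grants.setdefault(key, set())
        for right in entry["aclList"]:
            if right == "ALL":
                rights |= ALL_RIGHTS
            elif right != "NONE":
                rights.add(right)
    return {k: frozenset(v) for k, v in grants.items()}


def acl_divergence(source_output: str, link_output: str) -> List[Tuple[str, List[str], List[str]]]:
    """List every principal whose rights differ between the source bucket and the link.

    Each finding is (principal, rights granted only via the source, rights granted only
    via the link). An empty list means both access paths grant exactly the same thing."""
    src, lnk = parse_getacl(source_output), parse_getacl(link_output)
    findings = []
    for key in sorted(set(src) | set(lnk)):
        src_rights, lnk_rights = src.get(key, frozenset()), lnk.get(key, frozenset())
        if src_rights != lnk_rights:
            label = f"{key[0]}:{key[1]}[{key[2]}]"
            findings.append((label, sorted(src_rights - lnk_rights), sorted(lnk_rights - src_rights)))
    return findings


# Constructed sample input copied from the session: the ACLs of the source bucket
# volume-for-anonymous/bucket-a and of the link s3v/bucket-a.
SOURCE_ACL = '[{"type":"GROUP","name":"anonymous","aclScope":"ACCESS","aclList":["ALL"]}]'
LINK_ACL = ('[{"type":"USER","name":"hadoop","aclScope":"ACCESS","aclList":["ALL"]},'
            ' {"type":"GROUP","name":"users","aclScope":"ACCESS","aclList":["ALL"]}]')

if __name__ == "__main__":
    for who, only_source, only_link in acl_divergence(SOURCE_ACL, LINK_ACL):
        print(f"{who}: only via source={only_source} only via link={only_link}")
```

Run it against the live `getacl` output of each link/source pair to see which principals gain or lose access depending on the path they use.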