fmorg-git commented on code in PR #9315:
URL: https://github.com/apache/ozone/pull/9315#discussion_r2596941657


##########
hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/iam/IamSessionPolicyResolver.java:
##########
@@ -526,24 +521,28 @@ private static void processBucketResource(String 
volumeName, Set<S3Action> mappe
       // bucket name of "*".  To align with AWS, make sure that in this
       // specific case we also grant the volume-level permissions for 
volume-scoped
       // actions (currently s3:ListAllMyBuckets).
-      if (action.kind == ActionKind.BUCKET || action == S3Action.ALL_S3 ||
-          action.kind == ActionKind.VOLUME && "*".equals(resourceSpec.bucket)) 
{ // this handles s3:ListAllMyBuckets
+      if (action.kind == ActionKind.BUCKET ||
+          (action.kind == ActionKind.VOLUME && 
"*".equals(resourceSpec.bucket))) { // this handles s3:ListAllMyBuckets
         addAclsForObj(objToAclsMap, volumeObj(volumeName), action.volumePerms);
         addAclsForObj(objToAclsMap, bucketObj(volumeName, 
resourceSpec.bucket), action.bucketPerms);
+      } else if (action == S3Action.ALL_S3) {
+        // For s3:*, ALL should only apply at the bucket level; grant READ at 
volume for navigation
+        addAclsForObj(objToAclsMap, volumeObj(volumeName), EnumSet.of(READ));
+        addAclsForObj(objToAclsMap, bucketObj(volumeName, 
resourceSpec.bucket), action.bucketPerms);
       }
 
-      if (action == S3Action.LIST_BUCKET) {
+      if (action == S3Action.LIST_BUCKET || action == S3Action.ALL_S3) {
         // If condition prefixes are present, these would constrain the object 
permissions if the action
-        // is s3:ListBucket
+        // is s3:ListBucket or s3:* (which includes s3:ListBucket)
         if (prefixes != null && !prefixes.isEmpty()) {
           for (String prefix : prefixes) {
             createObjectResourcesFromConditionPrefix(
-                volumeName, authorizerType, resourceSpec, prefix, 
objToAclsMap, action.objectPerms);
+                volumeName, authorizerType, resourceSpec, prefix, 
objToAclsMap, EnumSet.of(READ));
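Review bot: Dropping `action == S3Action.ALL_S3` from the first condition changes what `s3:*` on a wildcard bucket ("*") gets at the volume level: the old branch granted `action.volumePerms`, the new `else if` grants only `EnumSet.of(READ)`, yet the comment above still says the wildcard-bucket case exists so that volume-scoped actions (currently `s3:ListAllMyBuckets`) receive their volume permissions. Please confirm that READ alone on the volume is enough for `s3:ListAllMyBuckets`, or keep the wildcard-bucket clause for `ALL_S3` as well, and add a unit test for `s3:*` on `arn:aws:s3:::*`. The same hunk also replaces `action.objectPerms` with a fixed `EnumSet.of(READ)` in `createObjectResourcesFromConditionPrefix` for both `LIST_BUCKET` and `ALL_S3`; a short comment stating that prefix-conditioned object ACLs are deliberately narrowed to READ for `s3:*` would make that least-privilege choice explicit, and `READ` needs a static import if it is not already present in this file.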

Review Comment:
   I see - let me try to clarify.  This method is `processBucketResource` which is for bucket resources.  `s3:ListBucket` is a bucket-related action that works on bucket resources, but it is used for S3 APIs like `list objects`.  I tested in Ranger that we need `READ` access on the key for `list objects` to work, i.e. `READ, LIST` on the bucket only was `NOT` sufficient.  Therefore, for the `s3:ListBucket` case (or for the `ALL_S3` case which includes `s3:ListBucket`), I need to add `READ` on the object permission.


