ChenSammi commented on code in PR #9315:
URL: https://github.com/apache/ozone/pull/9315#discussion_r2597013021
##########
hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/iam/IamSessionPolicyResolver.java:
##########
@@ -526,24 +521,28 @@ private static void processBucketResource(String
volumeName, Set<S3Action> mappe
// bucket name of "*". To align with AWS, make sure that in this
// specific case we also grant the volume-level permissions for
volume-scoped
// actions (currently s3:ListAllMyBuckets).
- if (action.kind == ActionKind.BUCKET || action == S3Action.ALL_S3 ||
- action.kind == ActionKind.VOLUME && "*".equals(resourceSpec.bucket))
{ // this handles s3:ListAllMyBuckets
+ if (action.kind == ActionKind.BUCKET ||
+ (action.kind == ActionKind.VOLUME &&
"*".equals(resourceSpec.bucket))) { // this handles s3:ListAllMyBuckets
addAclsForObj(objToAclsMap, volumeObj(volumeName), action.volumePerms);
addAclsForObj(objToAclsMap, bucketObj(volumeName,
resourceSpec.bucket), action.bucketPerms);
+ } else if (action == S3Action.ALL_S3) {
+ // For s3:*, ALL should only apply at the bucket level; grant READ at
volume for navigation
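Review bot: with `action == S3Action.ALL_S3` taken out of the first condition, `s3:*` on a `*` resource no longer reaches the branch that grants `action.volumePerms`, even though the comment just above that branch says the bucket-`"*"` case must still receive the volume-level permissions needed for s3:ListAllMyBuckets. The body of the new `else if` is cut off in this hunk, so please confirm it adds the LIST permission at the volume (not only READ) when `"*".equals(resourceSpec.bucket)`, which is what the `volume acl: read&list` expectation in testAllActionsOnAllResources below relies on; also consider moving the `// this handles s3:ListAllMyBuckets` comment next to the `ActionKind.VOLUME` sub-condition it actually describes rather than at the end of the whole `if`.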
Review Comment:
For reference, here are the permissions shown by the three tests which test s3:* and the "*", "*" and "*/*" resources:
```
testAllActionsOnAllResources        action: s3:*, resource:*,                     volume acl: read&list, bucket acl: all,  key acl: all
testAllActionsOnAllBucketResources  action: s3:*, resource:arn:aws:s3:::*,        volume acl: read,      bucket acl: all,  key acl: read
testAllActionsOnAllObjectResources  action: s3:*, resource:arn:arn:aws:s3:::*/*,  volume acl: read,      bucket acl: read, key acl: all
```
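The narrowing those three tests pin down, as an added example written for this thread (it is not code from the Ozone project or from this PR): a small Python model of how one statement's action kind and Resource ARN are mapped to per-level ACL sets, including the point of the change above that `s3:*` must not turn into ALL at the volume. `Kind`, `ACTIONS`, `resource_scopes` and `resolve` are assumed names, and the action table is a constructed four-entry subset; the real resolver classifies many more actions and permissions.

```python
# Constructed, illustrative model of the policy-to-ACL narrowing discussed in
# this review. It is NOT the code of IamSessionPolicyResolver in apache/ozone;
# the names, the action table and the permission strings are assumptions.
from enum import Enum

READ, LIST, ALL = "READ", "LIST", "ALL"
S3_ARN_PREFIX = "arn:aws:s3:::"


class Kind(Enum):
    """Level at which an S3 action operates (assumed classification)."""
    VOLUME = "volume"   # e.g. s3:ListAllMyBuckets
    BUCKET = "bucket"   # e.g. s3:ListBucket
    OBJECT = "object"   # e.g. s3:GetObject
    ALL_S3 = "all"      # s3:*


# Constructed table: action -> (kind, permission it needs at its own level).
ACTIONS = {
    "s3:*": (Kind.ALL_S3, ALL),
    "s3:ListAllMyBuckets": (Kind.VOLUME, LIST),
    "s3:ListBucket": (Kind.BUCKET, LIST),
    "s3:GetObject": (Kind.OBJECT, READ),
}


def resource_scopes(arn):
    """Return (levels an IAM Resource element reaches, bucket pattern).

    A bare '*' reaches every level (account, bucket and object);
    'arn:aws:s3:::b' reaches only the bucket level; 'arn:aws:s3:::b/k'
    reaches only the object level.
    """
    if arn == "*":
        return {"volume", "bucket", "object"}, "*"
    if not arn.startswith(S3_ARN_PREFIX):
        raise ValueError("not an S3 ARN: %r" % (arn,))
    bucket, slash, _key = arn[len(S3_ARN_PREFIX):].partition("/")
    return ({"object"} if slash else {"bucket"}), bucket


def resolve(action, arn):
    """Map one (action, resource) pair to ACL sets at volume, bucket and key level.

    Every grant includes READ on the volume so the principal can navigate to
    the bucket. For s3:*, ALL is granted only at the levels the resource
    actually names, and the volume additionally gets LIST only when the
    resource is the bare '*' (the s3:ListAllMyBuckets case).
    """
    kind, perm = ACTIONS[action]
    scopes, bucket = resource_scopes(arn)
    volume, bucket_acl, key_acl = {READ}, set(), set()

    if kind is Kind.ALL_S3:
        if "volume" in scopes:
            volume.add(LIST)
        bucket_acl.add(ALL if "bucket" in scopes else READ)
        key_acl.add(ALL if "object" in scopes else READ)
    elif kind is Kind.VOLUME:
        # Volume-scoped actions only make sense against a bucket pattern of "*".
        if bucket == "*":
            volume.add(perm)
    elif kind is Kind.BUCKET:
        bucket_acl.add(perm)
    elif kind is Kind.OBJECT:
        bucket_acl.add(READ)   # navigation into the bucket
        key_acl.add(perm)
    return {"volume": volume, "bucket": bucket_acl, "key": key_acl}


if __name__ == "__main__":
    for act, res in [("s3:*", "*"), ("s3:*", "arn:aws:s3:::*"),
                     ("s3:*", "arn:aws:s3:::*/*"),
                     ("s3:ListAllMyBuckets", "arn:aws:s3:::*"),
                     ("s3:GetObject", "arn:aws:s3:::data/*")]:
        print(act, res, resolve(act, res))
```

Running the module prints the resulting ACL sets for the three `s3:*` cases from the tests above plus two narrow actions for contrast, which makes it easy to see that widening the resource to `*` is what adds LIST at the volume, while a bucket-only or object-only ARN leaves the other levels at READ.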
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]