fmorg-git opened a new pull request, #10316:
URL: https://github.com/apache/ozone/pull/10316

   Please describe your PR in detail:
   * Currently, the ACLs used by Ozone and Ranger are not granular enough. For example, read on volume, read on bucket, and write on key can be used by either s3:PutObjectTagging or s3:DeleteObjectTagging. Similarly, because s3:PutObject requires read on volume, read on bucket, and create and write on key, someone with s3:PutObject access can also call s3:PutObjectTagging (as an example). To prevent having more access than requested (or different access than requested), we need a means of restricting the ACL permissions further by S3 actions.
   To do this, we introduce an s3Action field in RequestContext so that, if populated, the RangerOzoneAuthorizer would further restrict the permissions according to the S3 action.
   Additionally, the OzoneGrant would contain a Set representing the S3 actions that are allowed for an inline policy. If all actions are allowed, then the Set would be empty (or null).
   
   * This PR is to pull the same commit from the master branch (https://github.com/apache/ozone/pull/10108) into the Ozone 2.1 release branch so the Ranger team can use it upstream in the next Ozone release. It also required a separate prerequisite commit because of the refactoring done: https://github.com/apache/ozone/pull/9493
   
   ## What is the link to the Apache JIRA
   https://issues.apache.org/jira/browse/HDDS-15064
   
   ## How was this patch tested?
   Smoke tests in the feature branch.
   
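The over-grant the PR describes, and the narrowing an s3Action check adds on top of the coarse ACL check, modeled as an added example. This is not code from the PR or from Ozone or Ranger: the `OzoneGrant`, `RequestContext` and `authorize` names and the rights table are constructed here from the PR text, not the projects' own classes or mapping.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

Right = Tuple[str, str]  # (resource level, ACL right), e.g. ("key", "WRITE")

# Constructed table of the coarse rights each S3 action needs, taken from the
# PR description (not Ozone's own mapping). Note that the two tagging actions
# need identical rights, and s3:PutObject's rights are a superset of them.
REQUIRED_RIGHTS = {
    "s3:PutObject": frozenset({("volume", "READ"), ("bucket", "READ"),
                               ("key", "CREATE"), ("key", "WRITE")}),
    "s3:PutObjectTagging": frozenset({("volume", "READ"), ("bucket", "READ"),
                                      ("key", "WRITE")}),
    "s3:DeleteObjectTagging": frozenset({("volume", "READ"), ("bucket", "READ"),
                                         ("key", "WRITE")}),
}


@dataclass(frozen=True)
class OzoneGrant:
    """Hypothetical grant from an inline policy. An empty or None
    s3_actions set means every S3 action is allowed, as the PR describes."""
    rights: FrozenSet[Right]
    s3_actions: Optional[FrozenSet[str]] = None


@dataclass(frozen=True)
class RequestContext:
    """Hypothetical request: the coarse rights the operation needs plus the
    optional S3 action that produced it (None for non-S3 callers)."""
    required: FrozenSet[Right]
    s3_action: Optional[str] = None


def coarse_check(grant: OzoneGrant, ctx: RequestContext) -> bool:
    """The pre-PR decision: every required right must be in the grant."""
    return ctx.required <= grant.rights


def authorize(grant: OzoneGrant, ctx: RequestContext) -> bool:
    """Coarse check first; then, only when the request names an S3 action
    and the grant restricts actions, the action must be in the grant's set."""
    if not coarse_check(grant, ctx):
        return False
    if ctx.s3_action is not None and grant.s3_actions:
        return ctx.s3_action in grant.s3_actions
    return True


def reachable_actions(grant: OzoneGrant) -> FrozenSet[str]:
    """Every S3 action in the table that a grant lets through; comparing
    the result for a grant with and without s3_actions shows the over-grant."""
    return frozenset(action for action, rights in REQUIRED_RIGHTS.items()
                     if authorize(grant, RequestContext(rights, action)))


if __name__ == "__main__":
    put_rights = REQUIRED_RIGHTS["s3:PutObject"]
    legacy = OzoneGrant(put_rights)                                  # no action set
    scoped = OzoneGrant(put_rights, frozenset({"s3:PutObject"}))     # restricted
    print("coarse grant reaches:", sorted(reachable_actions(legacy)))
    print("scoped grant reaches:", sorted(reachable_actions(scoped)))
```

With only the coarse rights, a grant meant for s3:PutObject also satisfies both tagging actions; adding `s3_actions={"s3:PutObject"}` to the same grant leaves just s3:PutObject reachable, while a request with no `s3_action` (a non-S3 caller) is still decided by the coarse rights alone.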

