Priyesh K created HDDS-15853:
--------------------------------

             Summary: ACL Check Using ACLType.ALL Is Not Supported by Ranger
                 Key: HDDS-15853
                 URL: https://issues.apache.org/jira/browse/HDDS-15853
             Project: Apache Ozone
          Issue Type: Sub-task
          Components: S3
            Reporter: Priyesh K
            Assignee: Priyesh K


In {{{}OMLifecycleConfigurationSetRequest#preExecute{}}}, the following ACL 
check is performed:
{code:java}
if (ozoneManager.getAclsEnabled()) {
      checkAcls(ozoneManager, OzoneObj.ResourceType.BUCKET, 
OzoneObj.StoreType.OZONE,
          IAccessAuthorizer.ACLType.ALL, resolvedBucket.realVolume(),
          resolvedBucket.realBucket(), null);
    } {code}
However, in the Ranger integration, ACL types are mapped separately using the 
following method:

{{}}
{code:java}
private String mapToRangerAccessType(ACLType operation) {
        final String rangerAccessType;

        switch (operation) {
            case READ:
                rangerAccessType = ACCESS_TYPE_READ;
                break;
            case WRITE:
                rangerAccessType = ACCESS_TYPE_WRITE;
                break;
            case CREATE:
                rangerAccessType = ACCESS_TYPE_CREATE;
                break;
            case DELETE:
                rangerAccessType = ACCESS_TYPE_DELETE;
                break;
            case LIST:
                rangerAccessType = ACCESS_TYPE_LIST;
                break;
            case READ_ACL:
                rangerAccessType = ACCESS_TYPE_READ_ACL;
                break;
            case WRITE_ACL:
                rangerAccessType = ACCESS_TYPE_WRITE_ACL;
                break;
            default:
                LOG.error("Unknown operation!");
                rangerAccessType = null;
                break;
        }

        return rangerAccessType;
    } {code}
{{}}

Since {{ACLType.ALL}} is not handled in {{{}mapToRangerAccessType(){}}}, it 
falls into the default case and returns {{{}null{}}}.

We should check how other OM requests that require bucket owner privileges 
perform their ACL validation. If there is an established pattern for such 
requests, it would make sense to follow the same approach here.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to