Priyesh K created HDDS-15853:
--------------------------------
Summary: ACL Check Using ACLType.ALL Is Not Supported by Ranger
Key: HDDS-15853
URL: https://issues.apache.org/jira/browse/HDDS-15853
Project: Apache Ozone
Issue Type: Sub-task
Components: S3
Reporter: Priyesh K
Assignee: Priyesh K
In {{{}OMLifecycleConfigurationSetRequest#preExecute{}}}, the following ACL
check is performed:
{code:java}
if (ozoneManager.getAclsEnabled()) {
checkAcls(ozoneManager, OzoneObj.ResourceType.BUCKET,
OzoneObj.StoreType.OZONE,
IAccessAuthorizer.ACLType.ALL, resolvedBucket.realVolume(),
resolvedBucket.realBucket(), null);
} {code}
However, in the Ranger integration, ACL types are mapped separately using the
following method:
{{}}
{code:java}
private String mapToRangerAccessType(ACLType operation) {
final String rangerAccessType;
switch (operation) {
case READ:
rangerAccessType = ACCESS_TYPE_READ;
break;
case WRITE:
rangerAccessType = ACCESS_TYPE_WRITE;
break;
case CREATE:
rangerAccessType = ACCESS_TYPE_CREATE;
break;
case DELETE:
rangerAccessType = ACCESS_TYPE_DELETE;
break;
case LIST:
rangerAccessType = ACCESS_TYPE_LIST;
break;
case READ_ACL:
rangerAccessType = ACCESS_TYPE_READ_ACL;
break;
case WRITE_ACL:
rangerAccessType = ACCESS_TYPE_WRITE_ACL;
break;
default:
LOG.error("Unknown operation!");
rangerAccessType = null;
break;
}
return rangerAccessType;
} {code}
{{}}
Since {{ACLType.ALL}} is not handled in {{{}mapToRangerAccessType(){}}}, it
falls into the default case and returns {{{}null{}}}.
We should check how other OM requests that require bucket owner privileges
perform their ACL validation. If there is an established pattern for such
requests, it would make sense to follow the same approach here.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]