priyeshkaratha opened a new pull request, #10753:
URL: https://github.com/apache/ozone/pull/10753
## What changes were proposed in this pull request?
Lifecycle configuration set and delete requests previously called
checkAcls(...) with ACLType.ALL unconditionally whenever ACLs were enabled.
This does not map correctly onto Ranger-based (non-native) authorization:
Ranger policies are expressed in terms of the standard S3/Ozone access types,
and demanding ALL on the bucket is both incorrect and stricter than intended
for these operations.
This PR splits the permission check into a dedicated checkAclPermission(...)
helper in both OMLifecycleConfigurationSetRequest and
OMLifecycleConfigurationDeleteRequest:
- Native authorizer: enforce that the caller is either a cluster admin or
the bucket owner. Otherwise, the request fails with PERMISSION_DENIED and a
clear message ("Lifecycle configuration can only be set/deleted by bucket Admin
or Owner").
- Non-native authorizer (e.g. Ranger): delegate to checkAcls(...) requiring
ACLType.WRITE on the bucket, which is the appropriate access type for mutating
bucket-level configuration and validates correctly against Ranger policies.
This keeps the two authorization models consistent with how the rest of the
OM performs bucket-level permission checks and fixes Ranger ACL validation for
lifecycle requests.
## What is the link to the Apache JIRA
HDDS-15853
## How was this patch tested?
Tested manually using ranger integation
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]