priyeshkaratha opened a new pull request, #10753:
URL: https://github.com/apache/ozone/pull/10753

   ## What changes were proposed in this pull request?
   
   Lifecycle configuration set and delete requests previously called 
checkAcls(...) with ACLType.ALL unconditionally whenever ACLs were enabled. 
This does not map correctly onto Ranger-based (non-native) authorization: 
Ranger policies are expressed in terms of the standard S3/Ozone access types, 
and demanding ALL on the bucket is both incorrect and stricter than intended 
for these operations.
   
   This PR splits the permission check into a dedicated checkAclPermission(...) 
helper in both OMLifecycleConfigurationSetRequest and 
OMLifecycleConfigurationDeleteRequest:
   
   - Native authorizer: enforce that the caller is either a cluster admin or 
the bucket owner. Otherwise, the request fails with PERMISSION_DENIED and a 
clear message ("Lifecycle configuration can only be set/deleted by bucket Admin 
or Owner").
   - Non-native authorizer (e.g. Ranger): delegate to checkAcls(...) requiring 
ACLType.WRITE on the bucket, which is the appropriate access type for mutating 
bucket-level configuration and validates correctly against Ranger policies.
   
   This keeps the two authorization models consistent with how the rest of the 
OM performs bucket-level permission checks and fixes Ranger ACL validation for 
lifecycle requests.
   
   ## What is the link to the Apache JIRA
   
   HDDS-15853
   
   ## How was this patch tested?
   
   Tested manually using ranger integation
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to