[ 
https://issues.apache.org/jira/browse/HDDS-15853?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

ASF GitHub Bot updated HDDS-15853:
----------------------------------
    Labels: pull-request-available  (was: )

> ACL Check Using ACLType.ALL Is Not Supported by Ranger
> ------------------------------------------------------
>
>                 Key: HDDS-15853
>                 URL: https://issues.apache.org/jira/browse/HDDS-15853
>             Project: Apache Ozone
>          Issue Type: Sub-task
>          Components: S3
>            Reporter: Priyesh K
>            Assignee: Priyesh K
>            Priority: Major
>              Labels: pull-request-available
>
> In {{{}OMLifecycleConfigurationSetRequest#preExecute{}}}, the following ACL 
> check is performed:
> {code:java}
> if (ozoneManager.getAclsEnabled()) {
>       checkAcls(ozoneManager, OzoneObj.ResourceType.BUCKET, 
> OzoneObj.StoreType.OZONE,
>           IAccessAuthorizer.ACLType.ALL, resolvedBucket.realVolume(),
>           resolvedBucket.realBucket(), null);
>     } {code}
> However, in the Ranger integration, ACL types are mapped separately using the 
> following method:
> {{}}
> {code:java}
> private String mapToRangerAccessType(ACLType operation) {
>         final String rangerAccessType;
>         switch (operation) {
>             case READ:
>                 rangerAccessType = ACCESS_TYPE_READ;
>                 break;
>             case WRITE:
>                 rangerAccessType = ACCESS_TYPE_WRITE;
>                 break;
>             case CREATE:
>                 rangerAccessType = ACCESS_TYPE_CREATE;
>                 break;
>             case DELETE:
>                 rangerAccessType = ACCESS_TYPE_DELETE;
>                 break;
>             case LIST:
>                 rangerAccessType = ACCESS_TYPE_LIST;
>                 break;
>             case READ_ACL:
>                 rangerAccessType = ACCESS_TYPE_READ_ACL;
>                 break;
>             case WRITE_ACL:
>                 rangerAccessType = ACCESS_TYPE_WRITE_ACL;
>                 break;
>             default:
>                 LOG.error("Unknown operation!");
>                 rangerAccessType = null;
>                 break;
>         }
>         return rangerAccessType;
>     } {code}
> {{}}
> Since {{ACLType.ALL}} is not handled in {{{}mapToRangerAccessType(){}}}, it 
> falls into the default case and returns {{{}null{}}}.
> We should check how other OM requests that require bucket owner privileges 
> perform their ACL validation. If there is an established pattern for such 
> requests, it would make sense to follow the same approach here.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to