[ 
https://issues.apache.org/jira/browse/HDDS-4335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17391933#comment-17391933
 ] 

Neil Joshi commented on HDDS-4335:
----------------------------------

cc [~swagle] - mentioned this Jira during one of the meetings... with the 
conditions quoted below and the above comments, can we resolve this issue as a 
non-issue?  What to do?

_Ozone fs shell POSIX permissions are not used for access control checks 
against object read/write/view operations.  Instead, currently access control 
is checked against access control policies provided by ozone native ACL or 
external Apache Ranger._

_Since permissions are provided and checked with object store access control 
mechanisms, the POSIX file system permissions are hardcoded to read/write and 
viewable for all users (owner,group,user - rwxrwxrwx)._

_The example provided with this Jira is not an issue as described as the ozone 
setup will provide access control for ozone fs shell file creation and 
modification given it is run on a secure cluster (enabled native acl / ranger)._

> No user access checks in Ozone FS
> ---------------------------------
>
>                 Key: HDDS-4335
>                 URL: https://issues.apache.org/jira/browse/HDDS-4335
>             Project: Apache Ozone
>          Issue Type: Bug
>            Reporter: Shashikant Banerjee
>            Assignee: Neil Joshi
>            Priority: Major
>
> Currently, a dir/file created with hdfs user can be deleted by any user.
> {code:java}
> [sbanerjee@vd1308 MapReduce-Performance_Testing-master]$ sudo -u hdfs ozone 
> fs -mkdir o3fs://bucket1.vol1.ozone1/data/sandbox/poc/teragen
> [sbanerjee@vd1308 MapReduce-Performance_Testing-master]$ sudo -u hdfs ozone 
> fs -ls o3fs://bucket1.vol1.ozone1/data/sandbox/poc/teragen
> [sbanerjee@vd1308 MapReduce-Performance_Testing-master]$ sudo -u hdfs ozone 
> fs -ls o3fs://bucket1.vol1.ozone1/data/sandbox/poc/
> Found 1 items
> drwxrwxrwx   - hdfs hdfs          0 2020-10-12 02:51 
> o3fs://bucket1.vol1.ozone1/data/sandbox/poc/teragen
> [sbanerjee@vd1308 MapReduce-Performance_Testing-master]$ 
> [sbanerjee@vd1308 MapReduce-Performance_Testing-master]$ 
> [sbanerjee@vd1308 MapReduce-Performance_Testing-master]$ 
> [sbanerjee@vd1308 MapReduce-Performance_Testing-master]$ ozone fs -rm -r 
> o3fs://bucket1.vol1.ozone1/data/sandbox/poc/
> 20/10/12 02:52:16 INFO Configuration.deprecation: io.bytes.per.checksum is 
> deprecated. Instead, use dfs.bytes-per-checksum
> 20/10/12 02:52:16 INFO ozone.BasicOzoneFileSystem: Move to trash is disabled 
> for o3fs, deleting instead: o3fs://bucket1.vol1.ozone1/data/sandbox/poc. 
> Files or directories will NOT be retained in trash. Ignore the following 
> TrashPolicyDefault message, if any.
> 20/10/12 02:52:16 INFO fs.TrashPolicyDefault: Moved: 
> 'o3fs://bucket1.vol1.ozone1/data/sandbox/poc' to trash at: 
> /.Trash/sbanerjee/Current/data/sandbox/poc1602496336480
> [sbanerjee@vd1308 MapReduce-Performance_Testing-master]$ sudo -u hdfs ozone 
> fs -ls o3fs://bucket1.vol1.ozone1/data/sandbox/poc/
> ls: `o3fs://bucket1.vol1.ozone1/data/sandbox/poc/': No such file or directory
> {code}
> Whereas, the same sequence fails with permission denied error in HDFS.
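
Since the comment above ties enforcement to native ACLs or Ranger rather than to the displayed rwxrwxrwx bits, the following added example (not part of the Jira thread or of Ozone's code) checks an ozone-site.xml for whether an authorizer is actually in effect. The property names are Ozone's; the default values and their pass-through behaviour are assumptions to verify against the ozone-default.xml of the release in use, and both sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

# Property names from Ozone's configuration. The defaults below are
# assumptions; confirm them in the ozone-default.xml of your release.
ACL_ENABLED = "ozone.acl.enabled"
AUTHORIZER = "ozone.acl.authorizer.class"
DEFAULTS = {
    ACL_ENABLED: "false",
    AUTHORIZER: "org.apache.hadoop.ozone.security.acl.OzoneAccessAuthorizer",
}

def load_props(xml_text):
    """Parse a Hadoop-style <configuration> document into a dict."""
    props = dict(DEFAULTS)
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def acl_status(xml_text):
    """Return (enforced, reason) for the given ozone-site.xml content."""
    props = load_props(xml_text)
    if props[ACL_ENABLED].lower() != "true":
        return False, f"{ACL_ENABLED} is not true; mode bits are not a check"
    if props[AUTHORIZER] == DEFAULTS[AUTHORIZER]:
        return False, f"{AUTHORIZER} is still the assumed pass-through default"
    return True, f"requests are authorized by {props[AUTHORIZER]}"

# Constructed sample configurations (not taken from the cluster in this issue).
OPEN_SITE = "<configuration></configuration>"
NATIVE_SITE = """<configuration>
  <property><name>ozone.acl.enabled</name><value>true</value></property>
  <property><name>ozone.acl.authorizer.class</name>
    <value>org.apache.hadoop.ozone.security.acl.OzoneNativeAuthorizer</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, site in (("open", OPEN_SITE), ("native", NATIVE_SITE)):
        print(label, acl_status(site))
```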


