[ https://issues.apache.org/jira/browse/HDDS-6576?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Siyao Meng updated HDDS-6576:
-----------------------------
Description:
If a cluster admin or tenant admin wants the bucket owner (who is a regular
tenant user without superuser privileges) to be able to edit their own bucket's
policy, an admin needs to manually create a new Ozone policy in Ranger for that
bucket, explicitly granting the bucket owner ALL permission on the bucket and
making the bucket owner a "delegated admin" for that policy. (Note: the
flexible `{OWNER}` tag cannot be used in this policy.)
With this new policy, as long as the bucket owner can log in to the Ranger Web
UI, he/she could edit this bucket policy on his own, for example, to share the
bucket with others without an admin's manual intervention.
We are not providing a dedicated multi-tenancy CLI for that.
was:
If a cluster admin or tenant admin wants the bucket owner (who is a regular
tenant user without superuser privileges) to be able to edit their own bucket's
policy, an admin needs to manually create a new Ozone policy in Ranger for that
bucket, explicitly granting the bucket owner ALL permission on the bucket and
making the bucket owner a "delegated admin" for that policy. (Note: the
flexible {OWNER} tag cannot be used in this policy.)
With this new policy, as long as the bucket owner can log in to the Ranger Web
UI, he/she could edit this bucket policy on his own, for example, to share the
bucket with others without an admin's manual intervention.
We are not providing a dedicated multi-tenancy CLI for that.
> [Multi-Tenant] Update documentation around Ranger policy on bucket sharing
> ---------------------------------------------------------------------------
>
> Key: HDDS-6576
> URL: https://issues.apache.org/jira/browse/HDDS-6576
> Project: Apache Ozone
> Issue Type: Sub-task
> Reporter: Siyao Meng
> Assignee: Siyao Meng
> Priority: Major
>
> If a cluster admin or tenant admin wants the bucket owner (who is a regular
> tenant user without superuser privileges) to be able to edit their own
> bucket's policy, an admin needs to manually create a new Ozone policy in
> Ranger for that bucket, explicitly granting the bucket owner ALL permission
> on the bucket and making the bucket owner a "delegated admin" for that
> policy. (Note: the flexible `{OWNER}` tag cannot be used in this policy.)
> With this new policy, as long as the bucket owner can log in to the Ranger
> Web UI, he/she could edit this bucket policy on his own, for example, to
> share the bucket with others without an admin's manual intervention.
> We are not providing a dedicated multi-tenancy CLI for that.