smengcl commented on code in PR #3303:
URL: https://github.com/apache/ozone/pull/3303#discussion_r849952553
##########
hadoop-hdds/docs/content/feature/S3-Multi-Tenancy-Access-Control.md:
##########
@@ -66,3 +67,17 @@ The Ranger Sync thread does the following:
2. Checks if default tenant roles are out-of-sync (could be caused by OM crash
during user assign/revoke operation). Overwrites them if this is the case.
3. Performs all Ranger update (write) operations queued by Ozone tenant
commands from the last sync, if any.
- This implies there will be a delay before Ranger policies and roles are
updated for any tenant write operations (tenant create/delete, tenant user
assign/revoke/assignadmin/revokeadmin, etc.).
+
+
+## Sharing a bucket
+
+By default only the bucket owners have full access to the buckets they created.
+So in order to share a bucket with other users, a cluster admin or tenant
admin will needs to manually create a new Ozone policy in Ranger for that
bucket.
+
+Further, if a cluster admin or tenant admin wants the bucket owner (who is a
regular tenant user without any superuser privileges) to be able to edit that
bucket's policy,
+when manually creating a new Ozone policy in Ranger for that bucket,
+an admin will need to explicitly grant the bucket owner user (note: specify an
actual user name, `{OWNER}` tag should not be used here) ALL permission
Review Comment:
Sure. 'cause `{OWNER}` tag doesn't work with Ranger policy's "Delegated
Admin" checkbox in Ranger's Web UI.
The `{OWNER}` tag is **only** meaningful when OM is doing a permission (ACL)
check, and in the process of which OM fills in what this `{OWNER}` tag actually
stands for. For example, `{OWNER}` is user `hive` when the operation is bucket
list and `hive` is the bucket owner (realistically there would be another
volume read permission check before this bucket permission check, with
`{OWNER}` equals `om`, say `om` is the volume owner).
This is also the exact reason why an admin might want to add this separate
Ranger bucket policy here in the first place (in order for the bucket owner to
be able to **edit** this newly added policy on their own), as we already have
the default bucket policy with the `{OWNER}` tag having `ALL` permission on the
policy. If they don't have such use case, they don't need to add this new
policy for each bucket.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
