smengcl commented on code in PR #3303:
URL: https://github.com/apache/ozone/pull/3303#discussion_r849958727
##########
hadoop-hdds/docs/content/feature/S3-Multi-Tenancy-Access-Control.md:
##########
@@ -66,3 +67,17 @@ The Ranger Sync thread does the following:
2. Checks if default tenant roles are out-of-sync (could be caused by OM crash
during user assign/revoke operation). Overwrites them if this is the case.
3. Performs all Ranger update (write) operations queued by Ozone tenant
commands from the last sync, if any.
- This implies there will be a delay before Ranger policies and roles are
updated for any tenant write operations (tenant create/delete, tenant user
assign/revoke/assignadmin/revokeadmin, etc.).
+
+
+## Sharing a bucket
+
+By default only the bucket owners have full access to the buckets they created.
+So in order to share a bucket with other users, a cluster admin or tenant
admin will needs to manually create a new Ozone policy in Ranger for that
bucket.
Review Comment:
Good question. AFAIK resource denial takes precedence over any other allow
rules, as depicted in this flow chart:
https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/security-ranger-authorization/topics/security-ranger-tags-and-policy-evaluation.html
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
