Mikhail Pochatkin created HDDS-7191:
---------------------------------------
Summary: Create separate property for s3 admin
Key: HDDS-7191
URL: https://issues.apache.org/jira/browse/HDDS-7191
Project: Apache Ozone
Issue Type: Improvement
Components: OM, Ozone CLI, S3
Affects Versions: 1.3.0
Reporter: Mikhail Pochatkin
Fix For: 1.3.0
Currently, all S3 operations via the Ozone CLI use the `ozone.administrators` or
`ozone.administrators.groups` property to define the admins who can generate and
revoke S3 keys for any user. This approach does not make it possible to split
S3 key generation out to separate admin groups.
As S3 keys are security sensitive, it would be useful to be able to
split responsibility between general admins and special S3 admins.
So, my proposal is as follows:
1. Create new properties `ozone.s3.administrators` and
`ozone.s3.administrators.groups`.
2. When at least one of these properties is defined, all S3 shell operations
can be executed as admin only by one of the defined users. Each user should still
have permission to generate keys for themselves.
3. When these properties are empty, admins should be taken from
`ozone.administrators` or `ozone.administrators.groups`.
As you can see, point 3 keeps these changes backward compatible.
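The three proposed rules, modelled as an added example (not Apache Ozone code and not part of the original message). The `Caller` type, the function names and the sample users and groups are hypothetical; the example assumes comma-separated property values and that the self-service rule covers any operation on the caller's own key.

```python
# Added illustration of the proposed S3 admin resolution; not Apache Ozone code.
from dataclasses import dataclass


def _csv(conf, key):
    """Parse a comma-separated property into a set, ignoring blank entries."""
    return {v.strip() for v in conf.get(key, "").split(",") if v.strip()}


@dataclass(frozen=True)
class Caller:  # hypothetical stand-in for the authenticated CLI user
    user: str
    groups: frozenset = frozenset()


def effective_s3_admins(conf):
    """Return (users, groups) allowed to manage S3 keys for any user."""
    users = _csv(conf, "ozone.s3.administrators")
    groups = _csv(conf, "ozone.s3.administrators.groups")
    if users or groups:
        # Point 2: if either S3 property is set, only the S3 lists apply.
        # General admins lose S3 key rights over other users unless listed.
        return users, groups
    # Point 3: both S3 properties empty, fall back to the general admins.
    return (_csv(conf, "ozone.administrators"),
            _csv(conf, "ozone.administrators.groups"))


def may_manage_s3_key(conf, caller, target_user):
    """True if caller may act on the S3 key belonging to target_user."""
    if caller.user == target_user:
        return True  # point 2: users keep control of their own keys
    users, groups = effective_s3_admins(conf)
    return caller.user in users or bool(groups & caller.groups)


# Constructed sample configurations (property names are from the proposal).
SPLIT = {"ozone.administrators": "om-admin",
         "ozone.s3.administrators.groups": "s3-ops"}
LEGACY = {"ozone.administrators": "om-admin"}

if __name__ == "__main__":
    bob = Caller("bob", frozenset({"s3-ops"}))
    print(may_manage_s3_key(SPLIT, Caller("om-admin"), "alice"))   # general admin
    print(may_manage_s3_key(SPLIT, bob, "alice"))                  # S3 admin group
    print(may_manage_s3_key(LEGACY, Caller("om-admin"), "alice"))  # fallback
```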