[ 
https://issues.apache.org/jira/browse/HDDS-7191?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Attila Doroszlai updated HDDS-7191:
-----------------------------------
    Resolution: Implemented
        Status: Resolved  (was: Patch Available)

> Create separate property for s3 admin 
> --------------------------------------
>
>                 Key: HDDS-7191
>                 URL: https://issues.apache.org/jira/browse/HDDS-7191
>             Project: Apache Ozone
>          Issue Type: Improvement
>          Components: OM, Ozone CLI, S3
>    Affects Versions: 1.3.0
>            Reporter: Mikhail Pochatkin
>            Assignee: Mikhail Pochatkin
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.3.0
>
>
> Currently, all S3 operations via the Ozone CLI use the `ozone.administrators` or 
> `ozone.administrators.groups` property to define the admins who can generate and 
> revoke S3 keys for any user. This approach doesn't make it possible to 
> split S3 key generation off to separate admin groups. 
> As S3 keys are security sensitive, it will be useful to be able to 
> split responsibility between general admins and special S3 admins. 
> So, my proposal is as follows: 
> 1. Create new properties `ozone.s3.administrators` and 
> `ozone.s3.administrators.groups`.
> 2. When at least one of these properties is defined, all S3 shell operations 
> can be executed as admin only by one of the defined users. Each user should still 
> have permission to generate keys for themselves.
> 3. When these properties are empty, admins should be taken from 
> `ozone.administrators` or `ozone.administrators.groups`. 
> As you can see, these changes are backward compatible because of point 3.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
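
The three points of the proposal, modelled as an added example; this is not part of the original message and not Apache Ozone source code. The function names, user and group names, and sample configurations are hypothetical; only the four property names come from the issue text.

```python
# Model of the admin-resolution rules proposed in HDDS-7191 (illustrative only,
# not Apache Ozone source code). Function names are hypothetical.

S3_USERS = "ozone.s3.administrators"
S3_GROUPS = "ozone.s3.administrators.groups"
OZONE_USERS = "ozone.administrators"
OZONE_GROUPS = "ozone.administrators.groups"


def _names(conf, key):
    """Parse a comma-separated property into a set, ignoring blank entries."""
    return {n.strip() for n in conf.get(key, "").split(",") if n.strip()}


def effective_s3_admins(conf):
    """Return (users, groups) that act as S3 admins under the proposal."""
    users, groups = _names(conf, S3_USERS), _names(conf, S3_GROUPS)
    if users or groups:          # point 2: either property set -> S3 lists win
        return users, groups
    # point 3: both empty -> fall back to the general administrators
    return _names(conf, OZONE_USERS), _names(conf, OZONE_GROUPS)


def may_manage_s3_key(conf, caller, caller_groups, target_user):
    """May `caller` generate or revoke the S3 key of `target_user`?"""
    if caller == target_user:    # point 2: users keep control of their own key
        return True
    users, groups = effective_s3_admins(conf)
    return caller in users or bool(groups & set(caller_groups))


# Constructed sample configurations (not taken from a real cluster).
LEGACY = {OZONE_USERS: "hdfs, ozone", OZONE_GROUPS: "ops"}
SPLIT = {**LEGACY, S3_GROUPS: "s3-key-admins"}

if __name__ == "__main__":
    callers = (("hdfs", []), ("carol", ["s3-key-admins"]), ("bob", []))
    for name, conf in (("legacy", LEGACY), ("split", SPLIT)):
        for caller, grps in callers:
            allowed = may_manage_s3_key(conf, caller, grps, "alice")
            print(f"{name:6} {caller:5} -> alice's key: {allowed}")
```

In the `SPLIT` configuration the general admin `hdfs` can no longer manage another user's S3 key, because under point 2 as written, setting either S3 property replaces the general admin list for these operations rather than extending it.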
