Kohei Sugihara created HDDS-7527:
------------------------------------
Summary: ozone.om.group.rights should respect configuration file for S3G
Key: HDDS-7527
URL: https://issues.apache.org/jira/browse/HDDS-7527
Project: Apache Ozone
Issue Type: Bug
Components: S3
Affects Versions: 1.3.0
Reporter: Kohei Sugihara

After HDDS-6942, the `ozone.om.group.rights` configuration is overwritten by NONE
at S3G. This change cuts the default group permission to have a secure ACL by default.
However, for example, if we need to share files within a Unix group using
designated buckets, we need to modify the ACLs of each key after each
upload. AFAIK, we do not have a feature to modify ACLs using the S3 interface, so
we need to modify ACLs using the Ozone CLI. The Ozone CLI requires a Java runtime, so I think
it is heavy to ensure that environment. For this patch to work well, we need to
have an option to modify permissions without the Ozone CLI.

Indeed, before that patch was introduced, the default key ACL allowed full access
for all groups that the creating user belongs to. But this does not literally allow
access to these keys. Ozone ACLs can restrict access at three levels: Volume,
Bucket, Key. An accessing user is required to satisfy the ACLs at all levels to access
the keys. So I think that the old permission is acceptable and should not be
overwritten for S3G, and the policy should be configurable by the administrator. As
a patch, hardening can be done by tweaking the default permission instead of
overwriting the configuration.