[https://issues.apache.org/jira/browse/HDDS-7577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17683181#comment-17683181]
Siyao Meng commented on HDDS-7577:
----------------------------------
Thanks [~XiChen] for the design and [~erose] for the comment.
bq. I would say to use access ID in this case, since we can get the kerberos
principal from the access ID but not the other way around.
IMO user name might be the better choice.
IIRC we are using user name rather than access ID for the *bucket owner* in
multi-tenancy volumes, just like regular buckets.
In multi-tenancy, access ID (and secret key) is only used for authentication
and volume selection. Then the access ID is converted into a user name. The
rest, including authorization, would use that user name.
It is certainly possible to use access ID in the key owner field. But this would
require an extra step to do the access ID to user name conversion before
calling checkAcls() because Ranger stores only user names.
Is there a case where the user name wouldn't suffice?
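The flow the comment describes (access ID used for authentication and volume selection, then converted to a user name that the owner field and checkAcls() work with), as an added, self-contained model. This is illustrative code written for this page, not Ozone's implementation: the tenant table, the Ranger-style policy dict, the "$" separator inside access IDs and every function name here are assumptions made for the example.

```python
# Model of the access-ID -> user-name step discussed in the comment above.
# Added illustration, not Ozone code: the table contents, the "$" separator in
# access IDs and the helper names are assumptions made for this example.
from dataclasses import dataclass

# Constructed tenant table: access ID -> (volume, user name). A user may hold
# several access IDs, so the mapping is many-to-one and cannot be reversed to a
# single access ID (the point raised about Kerberos principals vs access IDs).
TENANT_ACCESS_IDS = {
    "tenant1$alice": ("tenant1", "alice"),
    "tenant1$alice-ci": ("tenant1", "alice"),
    "tenant2$bob": ("tenant2", "bob"),
}

# Constructed Ranger-style policy store: (volume, bucket) -> user name -> perms.
# Keyed by user name only, as the comment notes is the case for Ranger.
RANGER_POLICIES = {
    ("tenant1", "bucket-a"): {"alice": {"READ", "WRITE"}, "bob": {"READ"}},
}


def resolve_access_id(access_id):
    """Authentication + volume selection: return (volume, user_name)."""
    if access_id not in TENANT_ACCESS_IDS:
        raise PermissionError(f"unknown access ID {access_id!r}")
    return TENANT_ACCESS_IDS[access_id]


def access_ids_for_user(user_name):
    """Reverse lookup is ambiguous: a user may hold any number of access IDs."""
    return sorted(aid for aid, (_, u) in TENANT_ACCESS_IDS.items() if u == user_name)


def check_acls(volume, bucket, user_name, perm):
    """Authorization against the user-name-keyed policy store."""
    return perm in RANGER_POLICIES.get((volume, bucket), {}).get(user_name, set())


@dataclass(frozen=True)
class OmKey:
    volume: str
    bucket: str
    name: str
    owner: str  # stored as a user name, per the comment's proposal


def create_key(access_id, bucket, name):
    """S3 write path: authenticate, convert to user name, authorize, record owner."""
    volume, user = resolve_access_id(access_id)
    if not check_acls(volume, bucket, user, "WRITE"):
        raise PermissionError(f"{user} lacks WRITE on {volume}/{bucket}")
    return OmKey(volume, bucket, name, owner=user)


def is_owner(key, access_id):
    """Owner check when the field holds a user name: one conversion, on the caller only."""
    _, user = resolve_access_id(access_id)
    return key.owner == user


def is_owner_access_id_field(owner_access_id, caller_access_id):
    """Owner check if the field held an access ID instead: both sides must be
    converted before comparing (and before any checkAcls() call), otherwise a
    user's other access IDs would look like different principals."""
    _, owner_user = resolve_access_id(owner_access_id)
    _, caller_user = resolve_access_id(caller_access_id)
    return owner_user == caller_user


if __name__ == "__main__":
    k = create_key("tenant1$alice", "bucket-a", "report.csv")
    print(k)
    print(is_owner(k, "tenant1$alice-ci"))
    print(access_ids_for_user("alice"))
```

With the owner field holding a user name, a second access ID belonging to the same user ("tenant1$alice-ci") matches the key's owner after a single conversion on the caller's side; with an access-ID owner field both sides would need converting first, which is the extra step the comment refers to.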
> Add Key owner field
> -------------------
>
> Key: HDDS-7577
> URL: https://issues.apache.org/jira/browse/HDDS-7577
> Project: Apache Ozone
> Issue Type: New Feature
> Components: Ozone Manager
> Reporter: ChenXi
> Assignee: ChenXi
> Priority: Major
>
> https://docs.google.com/document/d/1NwnfxPQCUwP-CV8RjerKeuR3puFiOsxjKBxP8rE6P2k/edit?usp=sharing
--
This message was sent by Atlassian Jira
(v8.20.10#820010)