sumitagrawl commented on code in PR #4439:
URL: https://github.com/apache/ozone/pull/4439#discussion_r1146307279
##########
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneNativeAuthorizer.java:
##########
@@ -104,34 +106,45 @@ public boolean checkAccess(IOzoneObj ozObject,
RequestContext context)
// Refined the parent context
// OP |CHILD |PARENT
- // CREATE NONE WRITE (parent:'CREATE' when 'create
bucket')
- // DELETE DELETE WRITE
- // WRITE WRITE WRITE
- // WRITE_ACL WRITE_ACL WRITE (V1 WRITE_ACL=>WRITE)
+ // CREATE NONE WRITE (parent:'CREATE' when 'create bucket')
+ // DELETE DELETE READ
+ // WRITE WRITE WRITE (For key/prefix, volume is READ)
+ // WRITE_ACL WRITE_ACL READ (V1 WRITE_ACL=>WRITE)
- // READ READ READ
- // LIST LIST READ (V1 LIST=>READ)
- // READ_ACL READ_ACL READ (V1 READ_ACL=>READ)
+ // READ READ READ
+ // LIST LIST READ (V1 LIST=>READ)
+ // READ_ACL READ_ACL READ (V1 READ_ACL=>READ)
ACLType aclRight = context.getAclRights();
ACLType parentAclRight = aclRight;
- if (aclRight == ACLType.CREATE || aclRight == ACLType.DELETE ||
- aclRight == ACLType.WRITE_ACL) {
+ if (aclRight == ACLType.CREATE) {
parentAclRight = ACLType.WRITE;
- } else if (aclRight == ACLType.READ_ACL || aclRight == ACLType.LIST) {
+ } else if (aclRight == ACLType.READ_ACL || aclRight == ACLType.LIST
+ || aclRight == ACLType.WRITE_ACL || aclRight == ACLType.DELETE) {
parentAclRight = ACLType.READ;
}
// To prevent ACL enlargement, parent should be 'CREATE'
// when op is 'create bucket'. see HDDS-7461.
Review Comment:
@ChenSammi updated
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
