[ https://issues.apache.org/jira/browse/HDDS-6193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17748098#comment-17748098 ]

Tejaskriya Madhan edited comment on HDDS-6193 at 7/27/23 11:25 AM:
-------------------------------------------------------------------

This issue is not seen on the current apache/ozone master branch. It must have 
been resolved in the recent merges. This is the behaviour I observed while 
testing in Ozone configured with Kerberos and Ranger enabled:

I have added a deny policy for vol1/bucket1/dir1; the user is zookeeper.

This bucket is linked to s3v/bucket1.


Ozone shell: 
{quote}ozone fs -ls ofs://ozone1/s3v/bucket1/dir1/
ls: User zookeeper doesn't have READ permission to access key Volume:vol1 
Bucket:bucket1 Key:dir1
{quote}
S3 CLI:
{quote}aws s3 ls --endpoint https://tej2-1.tej2.root.hwx.site:9879 s3://bucket1/dir1/
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: User 
doesn't have the right to access this resource.
{quote}
This can be marked as resolved as it is outdated.


was (Author: JIRAUSER298878):
This issue is not seen on the current apache/ozone master branch. It must have 
been resolved in the recent merges. This is the behaviour I observed while 
testing in Ozone configured with Kerberos and Ranger enabled:

I have added a deny policy for vol1/bucket1/dir1; the user is zookeeper.

Ozone shell: 
{quote}ozone fs -ls ofs://ozone1/s3v/bucket1/dir1/
ls: User zookeeper doesn't have READ permission to access key Volume:vol1 
Bucket:bucket1 Key:dir1
{quote}
S3 CLI:
{quote}aws s3 ls --endpoint https://tej2-1.tej2.root.hwx.site:9879 
s3://bucket1/dir1/  
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: User 
doesn't have the right to access this resource.
{quote}
This can be marked as resolved as it is outdated.

> S3G allows to get directory listing if it's forbidden by ranger policy
> ----------------------------------------------------------------------
>
>                 Key: HDDS-6193
>                 URL: https://issues.apache.org/jira/browse/HDDS-6193
>             Project: Apache Ozone
>          Issue Type: Bug
>            Reporter: Maksim Myskov
>            Assignee: Tejaskriya Madhan
>            Priority: Major
>
> I have Ozone configured with Kerberos and Ranger enabled. There are the 
> following keys:
>  * myvolume/mybucket/key1
>  * myvolume/mybucket/key1/subkey1
>  * myvolume/mybucket/key1/subkey2
> I linked "mybucket" to "s3v" volume to make it available via S3 Gateway. 
> I have a ranger deny policy for myvolume/mybucket/key1.
> Finally, if I try to get a list of subkeys via the S3 API and ozone shell:
>  Ozone shell: (deny policy applied)
> {quote}ozone fs -ls o3fs://mybucket.myvolume.ozone/key1/
> ls: User myuser doesn't have READ permission to access key myvolume mybucket 
> key1
> {quote}
> S3 CLI: (deny policy ignored)
> {quote}aws s3 ls  --endpoint http://myozonecluster:9878  s3://mybucket/key1/
>                            PRE subkey1/
>                            PRE subkey2/
> 2022-01-17 22:57:10          0
> {quote}
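The original report and the verifying comment above both compare the same prefix through two access paths, `ozone fs -ls` and `aws s3 ls`, and the bug is that the paths disagreed. The following is an added regression check written here for that comparison; it is not Ozone project code. It assumes the `ozone` and `aws` CLIs are on PATH, that denials surface with the error strings shown in the two shell sessions on this page, and it uses a hypothetical S3 Gateway endpoint (`https://s3g.example:9879`) that must be replaced with the cluster under test. The command runner is injectable so the classification and parity logic can be exercised offline with constructed CLI output.

```python
"""Check that a Ranger deny on an Ozone prefix is enforced on every access path.

Added example, not Ozone project code. It drives the two CLIs used on the
page, classifies each result as denied / allowed / error, and reports when
the paths disagree, which is the symptom HDDS-6193 describes.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Denial strings as they appear in the page's two shell sessions (assumed stable).
OFS_DENIED = re.compile(r"doesn't have \w+ permission to access")
S3_DENIED = re.compile(r"An error occurred \(AccessDenied\)")

# A runner takes an argv list and returns (exit status, stdout, stderr).
Runner = Callable[[List[str]], Tuple[int, str, str]]


@dataclass
class Outcome:
    path: str      # which access path was exercised
    verdict: str   # "denied", "allowed" or "error"
    detail: str    # first line of the relevant output, for the report


def run(cmd: List[str]) -> Tuple[int, str, str]:
    """Real runner: execute the CLI; a missing binary is reported as an error, not a denial."""
    try:
        p = subprocess.run(cmd, capture_output=True, text=True)
    except FileNotFoundError as exc:
        return 127, "", f"command not found: {exc.filename}"
    return p.returncode, p.stdout, p.stderr


def _first_line(s: str) -> str:
    return s.strip().splitlines()[0] if s.strip() else ""


def classify(path: str, denied_re: "re.Pattern[str]", rc: int, out: str, err: str) -> Outcome:
    """Map a CLI result onto a verdict. Only a recognised denial counts as 'denied';
    any other non-zero exit (network failure, auth misconfiguration) is 'error',
    so a broken test setup is never mistaken for enforced policy."""
    if denied_re.search(err):
        return Outcome(path, "denied", _first_line(err))
    if rc == 0:
        return Outcome(path, "allowed", _first_line(out))
    return Outcome(path, "error", _first_line(err) or f"exit status {rc}")


def audit_prefix(ofs_uri: str, s3_uri: str, endpoint: str, runner: Runner = run) -> List[Outcome]:
    """Exercise both access paths for the same prefix and return one Outcome per path."""
    rc, out, err = runner(["ozone", "fs", "-ls", ofs_uri])
    shell = classify("ozone-shell", OFS_DENIED, rc, out, err)
    rc, out, err = runner(["aws", "s3", "ls", "--endpoint", endpoint, s3_uri])
    s3 = classify("s3-gateway", S3_DENIED, rc, out, err)
    return [shell, s3]


def findings(outcomes: List[Outcome], expect: str = "denied") -> List[str]:
    """One finding per path whose verdict differs from `expect`; empty means the
    policy is enforced consistently across the access paths."""
    return [
        f"{o.path}: expected {expect}, got {o.verdict} ({o.detail})"
        for o in outcomes
        if o.verdict != expect
    ]


if __name__ == "__main__":
    import sys
    # Hypothetical endpoint; replace with the S3 Gateway of the cluster under test.
    results = audit_prefix("ofs://ozone1/s3v/bucket1/dir1/", "s3://bucket1/dir1/",
                           "https://s3g.example:9879")
    for line in findings(results):
        print("FINDING:", line)
    sys.exit(1 if findings(results) else 0)
```

Run it against a prefix that carries a deny policy; a non-zero exit with a `s3-gateway: expected denied, got allowed` finding is the HDDS-6193 behaviour, while two `denied` verdicts match the comment above. Treating unrecognised failures as `error` rather than `denied` matters: a gateway that is simply unreachable would otherwise pass the check.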


