xBis7 opened a new pull request, #5613:
URL: https://github.com/apache/ozone/pull/5613
## What changes were proposed in this pull request?
Ozone native ACLs achieve a sticky-bit behavior for the shareable /tmp dir
by checking the key ACLs. Ranger would achieve the same by checking the
resource owner and comparing it with the value in the `{OWNER}` tag. For Ozone
there is no file ownership concept and the user passed to the
`RangerOzoneAuthorizer` is always the bucket owner.
If file ownership is implemented, this approach will change but for now we
can work around this issue with a hybrid solution.
If ACLs aren't native and an external authorizer is defined, we will check
the shareable /tmp dir flag. If the shareable /tmp dir is enabled, then we will
use a hybrid authorizer.
The hybrid authorizer checks the resources and if the path is `/tmp/tmp` we
will use `OzoneNativeAuthorizer` otherwise we will use the external authorizer.
## What is the link to the Apache JIRA
https://issues.apache.org/jira/browse/HDDS-9701
## How was this patch tested?
Unit tests were added. The patch was also tested manually with Ranger.
Green CI on my fork: https://github.com/xBis7/ozone/actions/runs/6881630936
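The routing described above, as an added illustration that is not code from this pull request or from Ozone; `Request`, `Authorizer` and the two stand-in authorizers are hypothetical simplifications of the real `IAccessAuthorizer` contract, and the external stand-in assumes a policy that must grant every user write access to the shared bucket:

```java
// Added illustration, not Ozone's own code: hypothetical stand-ins that model
// the hybrid dispatch described in the pull request (Java 16+ for records).
record Request(String volume, String bucket, String keyOwner,
               String bucketOwner, String user, String op) {}

interface Authorizer { boolean checkAccess(Request r); }

// Models an external authorizer (e.g. Ranger): the only owner it ever sees is
// the bucket owner, so the per-key creator inside a shared /tmp bucket is invisible.
class ExternalAuthorizer implements Authorizer {
    public boolean checkAccess(Request r) {
        boolean sharedTmp = "tmp".equals(r.volume()) && "tmp".equals(r.bucket());
        // A shareable /tmp needs a policy letting every user write there; {OWNER}
        // resolves to the bucket owner, so it cannot protect one user's key from another.
        if (sharedTmp) return true;
        return r.user().equals(r.bucketOwner());
    }
}

// Models OzoneNativeAuthorizer: key ACLs give sticky-bit semantics, so
// delete/overwrite is limited to the key's own creator (or the bucket owner).
class NativeAuthorizer implements Authorizer {
    public boolean checkAccess(Request r) {
        if (r.op().equals("READ") || r.op().equals("CREATE")) return true;
        return r.user().equals(r.keyOwner()) || r.user().equals(r.bucketOwner());
    }
}

// The hybrid: route the shareable /tmp/tmp bucket to the native authorizer
// and everything else to the configured external one.
class HybridAuthorizer implements Authorizer {
    private final Authorizer nativeAuth = new NativeAuthorizer();
    private final Authorizer external;
    HybridAuthorizer(Authorizer external) { this.external = external; }
    public boolean checkAccess(Request r) {
        boolean sharedTmp = "tmp".equals(r.volume()) && "tmp".equals(r.bucket());
        return (sharedTmp ? nativeAuth : external).checkAccess(r);
    }
}

public class HybridAuthorizerDemo {
    public static void main(String[] args) {
        Authorizer externalOnly = new ExternalAuthorizer();
        Authorizer hybrid = new HybridAuthorizer(externalOnly);
        // Constructed case: bob tries to delete alice's key in the shared /tmp/tmp
        // bucket owned by "hadoop"; only the hybrid path can tell bob from alice.
        Request bobDeletes = new Request("tmp", "tmp", "alice", "hadoop", "bob", "DELETE");
        System.out.println("external only: " + externalOnly.checkAccess(bobDeletes));
        System.out.println("hybrid:        " + hybrid.checkAccess(bobDeletes));
    }
}
```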
--
This is an automated message from the Apache Git Service.