[ https://issues.apache.org/jira/browse/HDDS-7961?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17804172#comment-17804172 ]
Mohammad Arafat Khan commented on HDDS-7961:
--------------------------------------------
Based on the executed commands in the CLI, we are utilising the *native ACLs*
created for Ozone, which support users of type {*}User{*}, {*}Group{*},
{*}World{*}, *Anonymous* etc. While this is a correct step, it's worth noting
that the native ACLs feature in Ozone is currently in an early stage and not
yet fully stable. However, it's important to mention that, at present, the *S3
gateway (S3G)* doesn't support access for *anonymous* users, hence permissions
for them have been denied by the S3G. A majority of our users and customers
rely on *Ranger* for enforcing policies due to its higher reliability and fewer
issues. Thus, we recommend using Ranger for policy enforcement for the time
being. As of now, there are no immediate plans to implement Ozone native ACLs
for all AWS predefined groups, and certain groups are not supported in Ozone's
S3 ACL operations.
Should we undertake work in this area in the future, one potential solution
might involve relaxing S3 secrets validation when the ACL has an anonymous
scope. This could entail fetching ACLs of the object before processing S3
secrets at the S3 gateway side.
> Anonymous scope in Ozone ACL does not grant rights to non-logged-in users
> -------------------------------------------------------------------------
>
> Key: HDDS-7961
> URL: https://issues.apache.org/jira/browse/HDDS-7961
> Project: Apache Ozone
> Issue Type: Bug
> Components: OM, S3
> Reporter: Kohei Sugihara
> Assignee: Mohammad Arafat Khan
> Priority: Major
>
> h2. Overview
> A key in the S3 bucket cannot be accessed without authentication, even though
> each bucket/volume allows anonymous reading and listing in its ACLs.
> h2. Configuration
> Create a bucket in a volume, make it accessible from S3, and then put the ACL
> {{anonymous::rl}} to them.
> {code:java}
> # create a bucket accessible via S3 and put a key
> ozone sh bucket create /volume/bucket-for-anonymous
> ozone sh bucket link /volume/bucket-for-anonymous /s3v/bucket-for-anonymous
> aws s3 --endpoint ... cp README s3://bucket-for-anonymous
> # set ACLs for anonymous access to the source/s3v buckets, the source/s3v
> # volumes and the key
> ozone sh bucket addacl volume/bucket-for-anonymous -a anonymous::rl
> ozone sh bucket addacl s3v/bucket-for-anonymous -a anonymous::rl
> ozone sh volume addacl volume -a anonymous::rl
> ozone sh volume addacl s3v -a anonymous::rl
> # set ACL for the key
> ozone sh key addacl volume/bucket-for-anonymous/README -a anonymous::r{code}
> h2. Case: Access without authentication using wget will fail with 403
> Attempting to access the key fails with 403.
> {code:java}
> % wget -qO https://HOST/bucket-for-anonymous/README -S
> HTTP/1.1 403 Forbidden
> Date: Mon, 13 Feb 2023 07:55:58 GMT
> Cache-Control: no-cache
> Expires: Mon, 13 Feb 2023 07:55:58 GMT
> Pragma: no-cache
> Content-Type: text/plain
> X-Content-Type-Options: nosniff
> X-XSS-Protection: 1; mode=block
> X-FRAME-OPTIONS: SAMEORIGIN
> Server: Ozone
> x-amz-id-2: gT8na4osJZlG
> x-amz-request-id: c139bbcf-3d93-4f4f-a6a2-43f75bc0de83
> Content-Length: 187 {code}
>
> S3G outputs an error message: "Malformed s3 header" as a DEBUG-level message
> from OzoneClientProducer. This situation means that S3G rejects the access at
> S3 secrets validation checks.
> {code:java}
> 2023-02-13 15:00:05,079 [qtp731829978-166] DEBUG
> org.eclipse.jetty.servlet.ServletHandler:
> chain=Chain@68772dce(NoCacheFilter==org.apache.hadoop.hdds.server.http.NoCacheFilter@740d2e78{inst=true,async=true,src=EMBEDDED:null})->Chain@286a9870(safety==org.apache.hadoop.hdds.server.http.HttpServer2$QuotingInputFilter@6aa3a905{inst=true,async=true,src=EMBEDDED:null})->Chain@2232456a(optional-content-type==org.apache.hadoop.ozone.s3.EmptyContentTypeFilter@d4ab71a{inst=true,async=false,src=DESCRIPTOR:file:///tmp/jetty-0_0_0_0-9879-ozone-s3gateway-1_2_9995006_jar-_-any-17931241039680298355/webapp/WEB-INF/web.xml})->Chain@2629e2cc(info-page-redirect==org.apache.hadoop.ozone.s3.RootPageDisplayFilter@3b4ef7{inst=true,async=false,src=DESCRIPTOR:file:///tmp/jetty-0_0_0_0-9879-ozone-s3gateway-1_2_9995006_jar-_-any-17931241039680298355/webapp/WEB-INF/web.xml})->ChainEnd@7761a29a(jaxrs==org.glassfish.jersey.servlet.ServletContainer@603a422{jsp=null,order=1,inst=true,async=false,src=DESCRIPTOR:file:///tmp/jetty-0_0_0_0-9879-ozone-s3gateway-1_2_9995006_jar-_-any-17931241039680298355/webapp/WEB-INF/web.xml,STARTED})
> 2023-02-13 15:00:05,085 [qtp731829978-166] DEBUG
> org.apache.hadoop.ozone.s3.OzoneClientProducer: Malformed s3 header.
> awsAccessID:
> 2023-02-13 15:00:05,314 [qtp731829978-166] DEBUG
> org.apache.hadoop.ozone.s3.OzoneClientProducer: Error during Client Creation:
> 2023-02-13 15:00:05,378 [qtp731829978-166] DEBUG
> org.apache.hadoop.ozone.s3.exception.OS3Exception: toXml val is <Error>
> 2023-02-13 15:00:05,392 [qtp731829978-166] DEBUG
> org.eclipse.jetty.server.HttpOutput: write(array
> HeapByteBuffer@5fe2ddf1[p=0,l=187,c=8192,r=187]={<<<<?xml version="1.0"
> encod...
> <RequestId/>\n</Error>\n>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00})
> 2023-02-13 15:00:05,392 [qtp731829978-166] DEBUG
> org.eclipse.jetty.server.HttpOutput: write(array)
> s=CLOSING,api=BLOCKED,sc=false,e=null last=true agg=false flush=true
> async=false, len=187 null
> 2023-02-13 15:00:05,392 [qtp731829978-166] DEBUG
> org.eclipse.jetty.server.HttpChannel: sendResponse info=null
> content=HeapByteBuffer@354f401a[p=0,l=187,c=8192,r=187]={<<<<?xml
> version="1.0" encod...
> <RequestId/>\n</Error>\n>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00}
> complete=true committing=true callback=Blocker@56ca79aa{null}
> 2023-02-13 15:00:05,394 [qtp731829978-166] DEBUG
> org.eclipse.jetty.server.HttpChannel: COMMIT for /bucket-for-anonymous/README
> on HttpChannelOverHttp@43f236bf{s=HttpChannelState@340e7dcf{s=HANDLING
> rs=BLOCKING os=COMMITTED is=IDLE awp=false se=false i=true
> al=0},r=1,c=false/false,a=HANDLING,uri=https://HOST/bucket-for-anonymous/README,age=321}
> 2023-02-13 15:00:05,394 [qtp731829978-166] DEBUG
> org.eclipse.jetty.server.HttpConnection: generate: NEED_HEADER for
> SendCallback@322df2c9[PROCESSING][i=HTTP/1.1{s=403,h=12,cl=187},cb=org.eclipse.jetty.server.HttpChannel$SendCallback@7b69ac28]
> (null,[p=0,l=187,c=8192,r=187],true)@START
> 2023-02-13 15:00:05,394 [qtp731829978-166] DEBUG
> org.eclipse.jetty.http.HttpGenerator: generateHeaders
> HTTP/1.1{s=403,h=12,cl=187} last=true
> content=HeapByteBuffer@354f401a[p=0,l=187,c=8192,r=187]={<<<<?xml
> version="1.0" encod...
> <RequestId/>\n</Error>\n>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00}
> {code}
> One possible solution is relaxing S3 secrets validation when the ACL has the
> anonymous scope. This requires fetching ACLs before processing S3 secrets on
> the S3G side, or offloading S3 token validation to OM.
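The two request orderings discussed in this issue (the reported one, where S3G validates S3 secrets before any ACL lookup, and the proposed one, where the object's ACLs are fetched first and secret validation is relaxed only for an anonymous grant) can be modelled side by side. The block below is an added illustration, not Ozone's or S3G's own code: the ACL grammar follows the `anonymous::rl` / `anonymous::r` entries used in the report, while the set of right letters, the matching rules for `anonymous` versus `world`, the per-layer (volume, bucket, key) check, the secret table and the access key are assumptions made for the model.

```python
# Added model of the authorization orderings discussed in HDDS-7961.
# Not Ozone code: the ACL grammar follows the page's "anonymous::rl" examples;
# matching rules, gateway ordering and sample data are assumptions.
from dataclasses import dataclass
from typing import Optional

ACL_TYPES = {"user", "group", "world", "anonymous"}
RIGHT_LETTERS = set("rwcdlaxyz")  # assumption: Ozone-style letters, 'a' = all


@dataclass(frozen=True)
class AclEntry:
    """One entry of the form <type>:<name>:<rights>, e.g. "anonymous::rl"."""
    kind: str
    name: str
    rights: frozenset

    @classmethod
    def parse(cls, text: str) -> "AclEntry":
        parts = text.split(":")
        if len(parts) != 3:
            raise ValueError(f"expected type:name:rights, got {text!r}")
        kind, name, rights = parts
        if kind not in ACL_TYPES:
            raise ValueError(f"unknown ACL type {kind!r}")
        if not rights or not set(rights) <= RIGHT_LETTERS:
            raise ValueError(f"bad rights string {rights!r}")
        return cls(kind, name, frozenset(rights))


@dataclass(frozen=True)
class Principal:
    """user=None models a caller that presented no credentials at all."""
    user: Optional[str]
    groups: frozenset = frozenset()


def entry_matches(entry: AclEntry, p: Principal) -> bool:
    # Assumed matching rules: 'anonymous' covers only unauthenticated callers,
    # 'world' covers every authenticated caller.
    if entry.kind == "anonymous":
        return p.user is None
    if p.user is None:
        return False
    if entry.kind == "world":
        return True
    if entry.kind == "user":
        return entry.name == p.user
    return entry.name in p.groups  # group entry


def acl_allows(entries, p: Principal, right: str) -> bool:
    return any(entry_matches(e, p) and (right in e.rights or "a" in e.rights)
               for e in entries)


def path_allows(layers, p: Principal, right: str) -> bool:
    """Every layer (volume, bucket, key) must grant the right, which is why the
    reporter added anonymous::rl to the volumes and buckets as well."""
    return all(acl_allows(acls, p, right) for acls in layers)


# Constructed S3 secret table: access key -> Ozone user it maps to.
S3_ACCESS_KEYS = {"AKIAEXAMPLE0000000": "alice"}


def gateway_reported(access_key: Optional[str], layers, right: str):
    """Ordering the issue observed: S3 secret validation runs before any ACL
    lookup, so a request carrying no credentials fails here with 403."""
    if access_key is None or access_key not in S3_ACCESS_KEYS:
        return 403, "Malformed s3 header"
    p = Principal(S3_ACCESS_KEYS[access_key])
    return (200, "OK") if path_allows(layers, p, right) else (403, "AccessDenied")


def gateway_proposed(access_key: Optional[str], layers, right: str):
    """Ordering the issue proposes: fetch the ACLs first and relax secret
    validation only when an anonymous grant covers the whole path."""
    if access_key is None and path_allows(layers, Principal(None), right):
        return 200, "OK"
    return gateway_reported(access_key, layers, right)


def reporter_setup():
    """ACL layers from the report: rl on the volume and bucket, r on the key."""
    rl = [AclEntry.parse("anonymous::rl")]
    return [rl, rl, [AclEntry.parse("anonymous::r")]]


if __name__ == "__main__":
    layers = reporter_setup()
    print("reported ordering, no credentials:", gateway_reported(None, layers, "r"))
    print("proposed ordering, no credentials:", gateway_proposed(None, layers, "r"))
    # A key without an anonymous grant still requires credentials under the proposal.
    locked = layers[:2] + [[AclEntry.parse("user:alice:r")]]
    print("proposed ordering, no anonymous grant:", gateway_proposed(None, locked, "r"))
```

The point the model makes explicit is that relaxing secret validation is safe only if it is conditional on the ACL lookup at every layer: an unauthenticated request on a path where any layer lacks an anonymous grant still lands in the same "Malformed s3 header" rejection as today.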
--
This message was sent by Atlassian Jira
(v8.20.10#820010)