Hemant Kumar created HDDS-10253:
-----------------------------------

             Summary: Prefix ACL doesn't allow access to older keys after ACLs 
are added/set for the user
                 Key: HDDS-10253
                 URL: https://issues.apache.org/jira/browse/HDDS-10253
             Project: Apache Ozone
          Issue Type: Bug
    Affects Versions: 1.4.0
            Reporter: Hemant Kumar


In Ozone native ACL, a Prefix ACL is supposed to work just like a *directory* 
ACL. In this sense, it is supposed to be applied to older keys as well, meaning 
the user should be able to access existing keys in the dir after ACLs are added 
using a prefix ACL. This is not the current case: the user can't access the 
existing/old keys in the dirs.

{code}
bash-4.2$ echo k1 > k1.orig
bash-4.2$ kinit -kt /etc/security/keytabs/om.keytab om/[email protected]
bash-4.2$ ozone sh volume create vol1
bash-4.2$ ozone sh bucket create -l OBJECT_STORE vol1/buck1
bash-4.2$ ozone sh volume addacl vol1 -a user:testuser2:a
ACL user:testuser2:a[ACCESS] added successfully.
bash-4.2$ ozone sh bucket addacl vol1/buck1 -a user:testuser2:a
ACL user:testuser2:a[ACCESS] added successfully.
bash-4.2$ ozone sh key put vol1/buck1/k1 k1.orig
bash-4.2$ ozone sh key put vol1/buck1/dir1/k1 k1.orig
bash-4.2$ ozone sh prefix addacl vol1/buck1/dir1/ -a user:testuser2:a[DEFAULT]
ACL user:testuser2:a[DEFAULT] added successfully.
bash-4.2$ ozone sh prefix addacl vol1/buck1/dir2/ -a user:testuser2:a[DEFAULT]
ACL user:testuser2:a[DEFAULT] added successfully.
bash-4.2$ ozone sh key put vol1/buck1/dir1/k2 k1.orig
bash-4.2$ ozone sh key put vol1/buck1/dir1/k3 k1.orig
bash-4.2$ ozone sh key put vol1/buck1/dir2/k1 k1.orig
bash-4.2$ kdestroy
bash-4.2$ kinit -kt /etc/security/keytabs/testuser2.keytab testuser2/[email protected]
bash-4.2$ ozone sh key cat vol1/buck1/dir1/k1
PERMISSION_DENIED User testuser2 doesn't have READ permission to access key Volume:vol1 Bucket:buck1 Key:dir1/k1
bash-4.2$ ozone sh key cat vol1/buck1/dir1/k2
k1
bash-4.2$ ozone sh key cat vol1/buck1/dir1/k3
k1
bash-4.2$ ozone sh key cat vol1/buck1/dir2/k1
k1
{code}

In the above example, *testuser2* can't access the *dir1/k1* key because it was 
created before the ACLs were added.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
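The following is an added illustration of the two prefix-ACL semantics the report contrasts; it is not Apache Ozone code and does not model Ozone's real ACL engine. It replays the order of operations from the transcript in a toy bucket: one resolver copies the matching DEFAULT prefix ACLs onto a key when the key is written (so a key created before the prefix ACL never sees it), the other consults the prefix ACLs on every access, the directory-like behaviour the report expects. The class and function names (Bucket, put_key, replay_report), the owner name "om" and the flat prefix-matching rule are assumptions made for the example; the volume and bucket ACLs from the transcript are not modelled.

```python
# Added illustration, not Apache Ozone code: a toy bucket with two ways of
# resolving a DEFAULT prefix ACL, replaying the command order from the report.
# Class/function names, the owner "om" and the prefix-matching rule are
# assumptions for this example.

class Bucket:
    """Keys live in a flat namespace; prefixes such as 'dir1/' carry DEFAULT ACLs."""

    def __init__(self):
        self.prefix_acls = {}   # prefix -> set of users granted via DEFAULT ACL
        self.keys = {}          # key name -> set of users in the key's own ACL

    def add_prefix_acl(self, prefix, user):
        self.prefix_acls.setdefault(prefix, set()).add(user)

    def matching_prefix_users(self, key_name):
        """Users granted by every prefix ACL whose prefix matches key_name."""
        users = set()
        for prefix, granted in self.prefix_acls.items():
            if key_name.startswith(prefix):
                users |= granted
        return users

    def put_key(self, key_name, owner):
        # Inherit-at-create: the key's ACL is fixed from the prefixes that
        # exist *now*; prefix ACLs added later never reach this key.
        self.keys[key_name] = {owner} | self.matching_prefix_users(key_name)

    def can_read_inherit_at_create(self, key_name, user):
        return user in self.keys[key_name]

    def can_read_directory_like(self, key_name, user):
        # Evaluate-at-access: consult the prefix ACLs on every read, so a
        # DEFAULT ACL added after the key was written still applies to it.
        return (user in self.keys[key_name]
                or user in self.matching_prefix_users(key_name))


def replay_report(user="testuser2"):
    """Replays the operation order from the report and returns, per key,
    (inherit_at_create_result, directory_like_result)."""
    b = Bucket()
    b.put_key("k1", "om")
    b.put_key("dir1/k1", "om")            # written before any prefix ACL exists
    b.add_prefix_acl("dir1/", user)
    b.add_prefix_acl("dir2/", user)
    b.put_key("dir1/k2", "om")
    b.put_key("dir1/k3", "om")
    b.put_key("dir2/k1", "om")
    return {
        name: (b.can_read_inherit_at_create(name, user),
               b.can_read_directory_like(name, user))
        for name in ("dir1/k1", "dir1/k2", "dir1/k3", "dir2/k1")
    }


if __name__ == "__main__":
    for name, (inherit, dirlike) in replay_report().items():
        print(f"{name}: inherit-at-create={inherit} directory-like={dirlike}")
```

Under the inherit-at-create resolver only dir1/k1 is denied, which is exactly the pattern in the transcript; under the directory-like resolver all four keys are readable, which is the behaviour the report says a prefix ACL should have.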
