[ https://issues.apache.org/jira/browse/HDDS-10253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hemant Kumar updated HDDS-10253:
--------------------------------
    Summary: Prefix ACLs don't let access older keys after ACLs are added/set 
for the user  (was: Prefix ACL doesn't let access older keys after ACLs are 
added/set for the user)

> Prefix ACLs don't let access older keys after ACLs are added/set for the user
> -----------------------------------------------------------------------------
>
>                 Key: HDDS-10253
>                 URL: https://issues.apache.org/jira/browse/HDDS-10253
>             Project: Apache Ozone
>          Issue Type: Bug
>    Affects Versions: 1.4.0
>            Reporter: Hemant Kumar
>            Priority: Major
>
> In Ozone native ACL, a prefix ACL is just supposed to work like a *directory* 
> ACL. In this sense, it is supposed to be applied to older keys as well, 
> meaning a user should be able to access existing keys in the dir after ACLs are 
> added using a prefix ACL, which is not currently the case. The user can't access 
> the existing/old keys in the dirs.
> {code:java}
> bash-4.2$ echo k1 > k1.orig
> bash-4.2$ kinit -kt /etc/security/keytabs/om.keytab om/[email protected]
> bash-4.2$ ozone sh volume create vol1
> bash-4.2$ ozone sh bucket create -l OBJECT_STORE vol1/buck1
> bash-4.2$ ozone sh volume addacl vol1 -a user:testuser2:a
> ACL user:testuser2:a[ACCESS] added successfully.
> bash-4.2$ ozone sh bucket addacl vol1/buck1 -a user:testuser2:a
> ACL user:testuser2:a[ACCESS] added successfully.
> bash-4.2$ ozone sh key put vol1/buck1/k1 k1.orig
> bash-4.2$ ozone sh key put vol1/buck1/dir1/k1 k1.orig
> bash-4.2$ ozone sh prefix addacl vol1/buck1/dir1/ -a user:testuser2:a[DEFAULT]
> ACL user:testuser2:a[DEFAULT] added successfully.
> bash-4.2$ ozone sh prefix addacl vol1/buck1/dir2/ -a user:testuser2:a[DEFAULT]
> ACL user:testuser2:a[DEFAULT] added successfully.
> bash-4.2$ ozone sh key put vol1/buck1/dir1/k2 k1.orig
> bash-4.2$ ozone sh key put vol1/buck1/dir1/k3 k1.orig
> bash-4.2$ ozone sh key put vol1/buck1/dir2/k1 k1.orig
> bash-4.2$ kdestroy
> bash-4.2$ kinit -kt /etc/security/keytabs/testuser2.keytab testuser2/[email protected]
> bash-4.2$ ozone sh key cat vol1/buck1/dir1/k1
> PERMISSION_DENIED User testuser2 doesn't have READ permission to access key Volume:vol1 Bucket:buck1 Key:dir1/k1
> bash-4.2$ ozone sh key cat vol1/buck1/dir1/k2
> k1
> bash-4.2$ ozone sh key cat vol1/buck1/dir1/k3
> k1
> bash-4.2$ ozone sh key cat vol1/buck1/dir2/k1
> k1
> {code}
> In the above example, *testuser2* can't access the *dir1/k1* key because it was 
> created before the ACLs were added.
> cc: [~smeng] 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
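
The outcome reported above, replayed in a simplified model. This is an added example, not code from the report or from Apache Ozone. It assumes that a [DEFAULT] prefix ACL is copied onto a key only when the key is created, and it models the `a` right as READ; `Store`, `replay` and `stale_keys` are hypothetical names.

```python
# Simplified model of prefix ACL handling; NOT Apache Ozone code.
# Assumption: a [DEFAULT] prefix ACL is copied onto a key only when the key is created.
from dataclasses import dataclass, field

@dataclass
class Store:
    prefix_acls: dict = field(default_factory=dict)  # prefix -> {user: set(rights)}
    key_acls: dict = field(default_factory=dict)     # key -> {user: set(rights)}

    def add_prefix_acl(self, prefix, user, rights):
        self.prefix_acls.setdefault(prefix, {}).setdefault(user, set()).update(rights)

    def _covering(self, key):
        # Every prefix ACL whose path is a leading part of the key name.
        return [acl for p, acl in self.prefix_acls.items() if key.startswith(p)]

    def put_key(self, key, owner):
        acl = {owner: {"READ", "WRITE"}}
        for prefix_acl in self._covering(key):          # snapshot taken at creation
            for user, rights in prefix_acl.items():
                acl.setdefault(user, set()).update(rights)
        self.key_acls[key] = acl

    def read_create_time(self, user, key):
        # Only the ACL stored on the key counts (behaviour shown in the report).
        return "READ" in self.key_acls[key].get(user, set())

    def read_directory_style(self, user, key):
        # The key's own ACL or any covering prefix ACL counts (behaviour the report expects).
        return self.read_create_time(user, key) or any(
            "READ" in acl.get(user, set()) for acl in self._covering(key))

    def stale_keys(self, user):
        # Keys a prefix ACL covers for `user` but whose stored ACL predates the grant.
        return sorted(k for k in self.key_acls
                      if self.read_directory_style(user, k) and not self.read_create_time(user, k))

def replay():
    # Constructed replay of the report's command order, prefix and key ACLs only.
    s = Store()
    s.put_key("dir1/k1", "om")                          # written before the prefix ACL
    s.add_prefix_acl("dir1/", "testuser2", {"READ"})
    s.add_prefix_acl("dir2/", "testuser2", {"READ"})
    for key in ("dir1/k2", "dir1/k3", "dir2/k1"):
        s.put_key(key, "om")
    return s

if __name__ == "__main__":
    s = replay()
    for key in sorted(s.key_acls):
        print(key, s.read_create_time("testuser2", key), s.read_directory_style("testuser2", key))
    print("needs backfill:", s.stale_keys("testuser2"))
```

`stale_keys` is the audit view: it lists keys that a prefix grant covers but whose stored ACL was written before the grant existed.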
