[ https://issues.apache.org/jira/browse/HDDS-6986?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17812495#comment-17812495 ]

Hemant Kumar edited comment on HDDS-6986 at 1/31/24 6:59 PM:
-------------------------------------------------------------

"If the policy exists for access to the corresponding key in active object 
store, that policy is used to authorize access to the snapshot. Otherwise the 
access is denied." has two concerns:
1. It doesn't work the same way in Ozone native ACL. In native ACL, we use the 
key's ACL from the snapshot. So if a user has access in the active file system 
but not in the snapshot, they can't access the key in the snapshot.
2. If the key is deleted or renamed in the active file system.

cc: [~aswinshakil], [~swamirishi] 


was (Author: JIRAUSER297350):
"If the policy exists for access to the corresponding key in active object 
store, that policy is used to authorize access to the snapshot. Otherwise the 
access is denied." has two concerns:
1. It doesn't work the same way in Ozone native ACL. In native ACL, we use the 
key's ACL from the snapshot. So if a user has access in the active file system 
but not in the snapshot, they can't access the key in the snapshot.
2. If the key is deleted in the active file system.

cc: [~aswinshakil], [~swamirishi] 

> Update ozone ranger plugin to handle snapshots
> ----------------------------------------------
>
>                 Key: HDDS-6986
>                 URL: https://issues.apache.org/jira/browse/HDDS-6986
>             Project: Apache Ozone
>          Issue Type: Sub-task
>            Reporter: George Jahad
>            Assignee: George Jahad
>            Priority: Major
>              Labels: pull-request-available
>
> This plugin needs to be updated to handle snapshots:
> [https://github.com/apache/ranger/blob/71809108fd106b664b6f9d53e0efd86d4c5cd039/plugin-ozone/src/main/java/org/apache/ranger/authorization/ozone/authorizer/RangerOzoneAuthorizer.java]
>  
> If it is checking a snapshotted path, it should check if that path has an 
> explicit policy.  If so, it should apply that policy.
>  
> Otherwise it should fall back to checking for a corresponding policy on the 
> active filesystem path.


