[
https://issues.apache.org/jira/browse/HDDS-10627?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kohei Sugihara updated HDDS-10627:
----------------------------------
Summary: Add a compatible mode or migration script for user's long ACL
format in secure mode (was: Add a compatible mode or migration script of long
ACL format in secure mode)
> Add a compatible mode or migration script for user's long ACL format in
> secure mode
> -----------------------------------------------------------------------------------
>
> Key: HDDS-10627
> URL: https://issues.apache.org/jira/browse/HDDS-10627
> Project: Apache Ozone
> Issue Type: Improvement
> Components: OM
> Affects Versions: 1.4.0
> Reporter: Kohei Sugihara
> Priority: Major
>
> We upgraded our Ozone cluster to 1.4.0 from 1.3.1 with the following
> configurations:
> - Secure Mode (w/ Kerberos)
> - Native ACL (w/o Ranger)
> After the 1.4.0 upgrade from 1.3.x, the cluster rejects access to the
> existing bucket and keys (Ozone 1.3.x allowed us to access the same key).
> The bucket and keys were already configured with Native ACLs with a
> Kerberos realm, like this:
> {code:java}
> % aws s3 --endpoint https://... ls s3://ksugihara/kubernetes-2024032100/CHANGELOG.md
> An error occurred (AccessDenied) when calling the ListObjectsV2 operation: User doesn't have the right to access this resource.
> % ozone sh key getacl /ksugihara/ksugihara/kubernetes-2024032100/CHANGELOG.md
> [ {
>   "type" : "USER",
>   "name" : "[email protected]",
>   "aclScope" : "ACCESS",
>   "aclList" : [ "ALL" ]
> }, ... ]
> {code}
> I think HDDS-5043 is the related issue: it switches to a new ACL behavior
> and removed the support for user ACLs with a Kerberos realm. However, if we
> have an existing cluster from 1.3.x, that requires us to migrate all key
> ACLs to support the short name, and we actually need to replace the key
> ACLs with the short name for all keys because we're using Native ACLs. One
> of the solutions is supporting a compatible mode for the new ACL behavior
> for non-fresh installations.
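
An illustration of the ACL rewrite that the migration described above would have to perform, added here and not taken from the issue or from Ozone's code base. The function name `shorten_acls`, the realm `EXAMPLE.COM` and all principals in the sample are constructed, and the mapping rule (short name = text before `@` for a single-component principal in the cluster's own realm) is an assumption.

```python
import json

def shorten_acls(acls, realm):
    """Rewrite one key's getacl-style ACL list to short user names.

    Returns (migrated, skipped). Assumption: the short name of a
    single-component principal in `realm` is the text before '@'.
    """
    merged, skipped = {}, []
    for acl in acls:
        name = acl["name"]
        if acl["type"] == "USER" and "@" in name:
            primary, _, acl_realm = name.rpartition("@")
            if acl_realm == realm and primary and "/" not in primary:
                name = primary
            else:
                # Foreign realm or host-based principal: keep as is and
                # report it for manual review instead of guessing.
                skipped.append(name)
        # Entries that collapse onto the same identity get their rights merged.
        rights = merged.setdefault((acl["type"], name, acl["aclScope"]), [])
        rights.extend(r for r in acl["aclList"] if r not in rights)
    migrated = [{"type": t, "name": n, "aclScope": s, "aclList": r}
                for (t, n, s), r in merged.items()]
    return migrated, skipped

# Constructed sample in the JSON shape shown in the report's getacl output.
SAMPLE = json.loads("""
[
 {"type": "USER", "name": "alice@EXAMPLE.COM", "aclScope": "ACCESS", "aclList": ["ALL"]},
 {"type": "USER", "name": "alice", "aclScope": "ACCESS", "aclList": ["READ"]},
 {"type": "USER", "name": "svc/host1@EXAMPLE.COM", "aclScope": "ACCESS", "aclList": ["READ"]},
 {"type": "USER", "name": "bob@OTHER.ORG", "aclScope": "ACCESS", "aclList": ["READ", "LIST"]},
 {"type": "GROUP", "name": "staff", "aclScope": "ACCESS", "aclList": ["READ"]}
]
""")

if __name__ == "__main__":
    migrated, skipped = shorten_acls(SAMPLE, "EXAMPLE.COM")
    print(json.dumps(migrated, indent=2))
    print("needs manual review:", skipped)
```

Running it as a dry run over exported ACLs shows which entries would collapse onto an existing short-name entry and which principals need a manual decision before any ACL is changed.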