[ 
https://issues.apache.org/jira/browse/HDDS-10627?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kohei Sugihara updated HDDS-10627:
----------------------------------
    Summary: Add a compatible mode or migration script for user's long ACL 
format in secure mode  (was: Add a compatible mode or migration script of long 
ACL format in secure mode)

> Add a compatible mode or migration script for user's long ACL format in 
> secure mode
> -----------------------------------------------------------------------------------
>
>                 Key: HDDS-10627
>                 URL: https://issues.apache.org/jira/browse/HDDS-10627
>             Project: Apache Ozone
>          Issue Type: Improvement
>          Components: OM
>    Affects Versions: 1.4.0
>            Reporter: Kohei Sugihara
>            Priority: Major
>
> We upgraded our Ozone cluster to 1.4.0 from 1.3.1 with the following 
> configurations:
> - Secure Mode (w/ Kerberos)
> - Native ACL (w/o Ranger)
> After the 1.4.0 upgrade from 1.3.x, the cluster rejects access to the existing 
> bucket and keys (Ozone 1.3.x allowed us to access the same key). The 
> bucket and keys were already configured with Native ACLs with a Kerberos realm 
> like this:
> {code:java}
> % aws s3 --endpoint https://... ls s3://ksugihara/kubernetes-2024032100/CHANGELOG.md
> An error occurred (AccessDenied) when calling the ListObjectsV2 operation: User doesn't have the right to access this resource.
> % ozone sh key getacl /ksugihara/ksugihara/kubernetes-2024032100/CHANGELOG.md
> [ {
>   "type" : "USER",
>   "name" : "[email protected]",
>   "aclScope" : "ACCESS",
>   "aclList" : [ "ALL" ]
> }, ... ] {code}
> I think HDDS-5043 is the related issue; it switches to a new ACL 
> behavior and removed the support for user ACLs with a Kerberos realm. 
> However, if we have an existing cluster from 1.3.x, that requires us to 
> migrate all key ACLs to support the short name, and we actually need to 
> replace the key ACLs with the short name for all keys because we're using Native 
> ACLs. One of the solutions is supporting a compatible mode for the new ACL 
> behavior for non-fresh installations.
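
An added sketch (not from the issue or the Ozone project) of the planning step a migration script would need: it takes `getacl` JSON in the shape shown above and rewrites realm-qualified USER entries to short names, holding back anything ambiguous. The sample ACLs, the realm names, and the rule that the short name is the principal's first component are assumptions; a cluster's own `auth_to_local` rules decide the real mapping.

```python
import json

# Constructed sample in the JSON shape that `ozone sh key getacl` prints above.
SAMPLE_GETACL = """[
  {"type": "USER", "name": "alice@EXAMPLE.COM", "aclScope": "ACCESS", "aclList": ["READ", "LIST"]},
  {"type": "USER", "name": "alice", "aclScope": "ACCESS", "aclList": ["WRITE"]},
  {"type": "USER", "name": "om/host1.example.com@EXAMPLE.COM", "aclScope": "ACCESS", "aclList": ["ALL"]},
  {"type": "USER", "name": "bob@OTHER.ORG", "aclScope": "DEFAULT", "aclList": ["ALL"]},
  {"type": "GROUP", "name": "staff", "aclScope": "ACCESS", "aclList": ["READ"]}
]"""

def short_name(principal, trusted_realms):
    """Map user@REALM or user/host@REALM to its first component.
    Assumption: a default-style auth_to_local mapping. Returns None for
    realms that are not explicitly trusted, so they are never auto-mapped."""
    primary, sep, realm = principal.partition("@")
    if not sep:
        return principal              # already a short name
    if realm not in trusted_realms:
        return None
    return primary.split("/", 1)[0]

def plan_migration(getacl_json, trusted_realms):
    """Return (rewritten ACL list, [(reason, original name)] for manual review)."""
    rewritten, review = {}, []
    for acl in json.loads(getacl_json):
        name = acl["name"]
        if acl["type"] == "USER":
            name = short_name(name, trusted_realms)
            if name is None:
                review.append(("untrusted-realm", acl["name"]))
                continue
        key = (acl["type"], name, acl["aclScope"])
        rights = sorted(acl["aclList"])
        # Two entries collapsing to one identity with different rights are
        # not merged silently: the first is kept, the later one is flagged.
        if rewritten.get(key, rights) != rights:
            review.append(("rights-conflict", acl["name"]))
            continue
        rewritten[key] = rights
    acls = [{"type": t, "name": n, "aclScope": s, "aclList": r}
            for (t, n, s), r in rewritten.items()]
    return acls, review

if __name__ == "__main__":
    new_acls, manual = plan_migration(SAMPLE_GETACL, {"EXAMPLE.COM"})
    print(json.dumps(new_acls, indent=2))
    print("manual review:", manual)
```

Entries from an untrusted realm and entries whose rights would collide after shortening are reported rather than rewritten, so the migration cannot widen access without someone looking at it.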


