[jira] [Commented] (HDDS-4020) ACL commands like getacl and setacl should return a response only when Native Authorizer is enabled

Tue, 28 Jul 2020 16:20:24 -0700 


    [ 
https://issues.apache.org/jira/browse/HDDS-4020?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17166748#comment-17166748
 ] 

Bharat Viswanadham commented on HDDS-4020:
------------------------------------------

Hi [~pifta]
Thanks for the suggestion. 
This Jira is to solve the confusion of acl commands works, but turns out they 
don't take affect when external authorizer is configured. So, this Jira is to 
print a message to users when external authorizer is configured acl shell 
commands are not supported.

Yes, I agree with your suggestion on the improvement. Currently Ranger does not 
support ACLType of READ_ACL, WRITE_ACL, when ever ranger does not support that 
kind of AclType, it returns false and that is the reason we see the error when 
getAcl Operation. Ranger Authorizer Code link [link 
|https://github.com/apache/ranger/blob/master/plugin-ozone/src/main/java/org/apache/ranger/authorization/ozone/authorizer/RangerOzoneAuthorizer.java#L109]

I have a question to support this, we need to change IAccessAuthorizer to 
support getAcl, if that can be supported then why can't we also support set/Add 
Acl also. Just trying to understand about why only for readAcl operations, why 
not for all Acl Operations. 

In this Jira, I will just target to fix the Usability issue.

> ACL commands like getacl and setacl should return a response only when Native 
> Authorizer is enabled
> ---------------------------------------------------------------------------------------------------
>
>                 Key: HDDS-4020
>                 URL: https://issues.apache.org/jira/browse/HDDS-4020
>             Project: Hadoop Distributed Data Store
>          Issue Type: Task
>          Components: Ozone CLI, Ozone Manager
>    Affects Versions: 0.5.0
>            Reporter: Vivek Ratnavel Subramanian
>            Assignee: Bharat Viswanadham
>            Priority: Major
>
> Currently, the getacl and setacl commands return wrong information when an 
> external authorizer such as Ranger is enabled. There should be a check to 
> verify if Native Authorizer is enabled before returning any response for 
> these two commands.
> If an external authorizer is enabled, it should show a nice message about 
> managing acls in external authorizer.  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: ozone-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: ozone-issues-h...@hadoop.apache.org

Reply via email to