You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ozone.apache.org by "Jyotinder Singh (Jira)" <ji...@apache.org> on 2022/02/17 04:12:00 UTC
[jira] [Created] (HDDS-6337) [FSO] Disable recursive access check flag for directories with no children.
Jyotinder Singh created HDDS-6337:
-------------------------------------
Summary: [FSO] Disable recursive access check flag for directories with no children.
Key: HDDS-6337
URL: https://issues.apache.org/jira/browse/HDDS-6337
Project: Apache Ozone
Issue Type: Sub-task
Reporter: Jyotinder Singh
Assignee: Jyotinder Singh
If a directory under an FSO bucket does not contain any subfiles/directories - set the recursive flag for Ranger#getAcl call to false.
h2. Scenario:
*Ranger Policy 1:*
h6. Key Resource - dir1/dir11, dir1/dir11/
h6. Permission - Read, Write, Delete
h6. User - user2
*Ranger Policy 2:*
h6. Key resource - dir*
h6. Permission - Read, Write, Delete
h6. User - user1
*Case:*
1) user2 has created a directory dir1/dir11. Since the explicit policy defined for user2, it will successfully create the directories.
2) user1 has recursive permission, he can create any dirs under " dir* ". Say, user1 created a file under directory "dir1/dir11/file".
3) user2 issues recursive delete on "dir1/dir11". {*}(Recursive flag is sent to Ranger from internal Ozone call){*}.
{code:java}
$ kinit user2
$ ozone fs -rm -R skipTrash o3fs://fso-buycket.vol1.fso-bucket/dir1/dir11{code}
*Expected Result:*
Fail to delete directory.
*Actual Result:*
Permission denied by Ranger.
*Comments:*
* Since there is no permission for user2 with policy key resource dir*, Ranger is denying permission for users as access is not determined. Ranger has taken a conservative approach against all the defined policy paths irrespective of the given user who issues the recursive delete operation.
* Since there is a file under "dir1/dir11", we shouldn't allow this directory to be deleted, otherwise, this will lead to data loss.
h2. *Impact:*
- user2 will never be able to delete "dir1/dir11" since Ozone is always sending the recursive flag to the Ranger plugin - *which is undesirable.*
h2. *Solution:*
If no child exists under "dir1/dir11" then set the recursive flag to False and invoke Ranger#checkAcl.
*Cost:*
There will be an additional getChildren call on both DirectoryTable and FileTable at the Ozone side. Each of these would be a deterministic time call to RocksDB.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org