Posted to issues@ozone.apache.org by "Kiyoshi Mizumaru (Jira)" <ji...@apache.org> on 2021/03/25 13:25:00 UTC
[jira] [Created] (HDDS-5031) Different ACLs depending on the access path
Kiyoshi Mizumaru created HDDS-5031:
--------------------------------------
Summary: Different ACLs depending on the access path
Key: HDDS-5031
URL: https://issues.apache.org/jira/browse/HDDS-5031
Project: Apache Ozone
Issue Type: Bug
Components: Security
Affects Versions: 1.1.0
Environment:
* CentOS Linux release 7.6.1810 (Core)
* OpenJDK Runtime Environment 18.9 (build 11.0.10+9-LTS)
* Ozone 1.1.0-SNAPSHOT (commit 79a9d39da7f33e71bc00183e280105562354cca4)
* Docker Engine - Community 20.10.5
Reporter: Kiyoshi Mizumaru
We have noticed the following facts and would like to confirm whether this is the intended behavior or a problem that needs to be fixed. As of now, a bucket can be accessed by creating a symlink and applying a different ACL to another access path.
For example, in the following session, /volume-for-anonymous/bucket-a and /s3v/bucket-a are pointing to the same bucket but have different ACL settings. Is this the intended behavior of the design?
{code:java}
λ ~/IdeaProjects/ozone/hadoop-ozone/dist/target/ozone-1.1.0-SNAPSHOT/compose/ozone/ master docker-compose ps
Name Command State Ports
------------------------------------------------------------------------------------------------------------
ozone_datanode_1 /usr/local/bin/dumb-init - ... Up 0.0.0.0:49160->9864/tcp, 0.0.0.0:49159->9882/tcp
ozone_om_1 /usr/local/bin/dumb-init - ... Up 0.0.0.0:9862->9862/tcp, 0.0.0.0:9874->9874/tcp
ozone_recon_1 /usr/local/bin/dumb-init - ... Up 0.0.0.0:9888->9888/tcp
ozone_s3g_1 /usr/local/bin/dumb-init - ... Up 0.0.0.0:9878->9878/tcp
ozone_scm_1 /usr/local/bin/dumb-init - ... Up 0.0.0.0:9860->9860/tcp, 0.0.0.0:9876->9876/tcp
λ ~/IdeaProjects/ozone/hadoop-ozone/dist/target/ozone-1.1.0-SNAPSHOT/compose/ozone/ master docker-compose exec datanode bash
bash-4.2$ PATH=/opt/hadoop/bin:$PATH
bash-4.2$ type ozone
ozone is /opt/hadoop/bin/ozone
bash-4.2$ ozone sh volume list
{
  "metadata" : { },
  "name" : "s3v",
  "admin" : "hadoop",
  "owner" : "hadoop",
  "quotaInBytes" : -1,
  "quotaInNamespace" : -1,
  "usedNamespace" : 0,
  "creationTime" : "2021-03-25T12:07:42.203Z",
  "modificationTime" : "2021-03-25T12:07:42.203Z",
  "acls" : [ {
    "type" : "USER",
    "name" : "hadoop",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  }, {
    "type" : "GROUP",
    "name" : "users",
    "aclScope" : "ACCESS",
    "aclList" : [ "ALL" ]
  } ]
}
bash-4.2$ id
uid=1000(hadoop) gid=100(users) groups=100(users)
bash-4.2$ sudo adduser anonymous
bash-4.2$ id anonymous
uid=1001(anonymous) gid=1001(anonymous) groups=1001(anonymous)
bash-4.2$ ozone sh volume create volume-for-anonymous
bash-4.2$ ozone sh bucket create volume-for-anonymous/bucket-a
bash-4.2$ ozone sh bucket setacl -a=group:anonymous:a volume-for-anonymous/bucket-a
ACLs set successfully.
bash-4.2$ ozone sh bucket getacl volume-for-anonymous/bucket-a
[ {
  "type" : "GROUP",
  "name" : "anonymous",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
} ]
bash-4.2$ ozone sh bucket link /volume-for-anonymous/bucket-a /s3v/bucket-a
bash-4.2$ ozone sh bucket getacl s3v/bucket-a
[ {
  "type" : "USER",
  "name" : "hadoop",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "GROUP",
  "name" : "users",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
} ]
bash-4.2$
{code}
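An added example (not part of the original report and not Ozone project code): a Python check that diffs the ACLs returned for the two access paths in the session above, so an auditor can see which principals are authorized on only one path. The function names are hypothetical, the inputs are the two `getacl` outputs from the report embedded as constructed sample data, and treating `ALL` as covering every other right is an assumption of the example.

```python
import json

# Constructed sample data: the two `ozone sh bucket getacl` outputs from the report.
SOURCE_PATH_ACL = json.loads("""[
  {"type": "GROUP", "name": "anonymous", "aclScope": "ACCESS", "aclList": ["ALL"]}
]""")  # volume-for-anonymous/bucket-a
LINK_PATH_ACL = json.loads("""[
  {"type": "USER", "name": "hadoop", "aclScope": "ACCESS", "aclList": ["ALL"]},
  {"type": "GROUP", "name": "users", "aclScope": "ACCESS", "aclList": ["ALL"]}
]""")  # s3v/bucket-a


def normalize(acls):
    """Collapse getacl entries into {(type, name, scope): set of rights}."""
    table = {}
    for entry in acls:
        key = (entry["type"], entry["name"], entry.get("aclScope", "ACCESS"))
        table.setdefault(key, set()).update(r.upper() for r in entry["aclList"])
    return table


def uncovered(rights, other):
    """Rights in `rights` that `other` does not grant (assumes ALL covers every right)."""
    return [] if "ALL" in other else sorted(rights - other)


def acl_divergence(source_acls, link_acls):
    """Hypothetical helper: list principals whose rights differ between the two paths."""
    src, lnk = normalize(source_acls), normalize(link_acls)
    findings = []
    for key in sorted(set(src) | set(lnk)):
        s, l = src.get(key, set()), lnk.get(key, set())
        only_source, only_link = uncovered(s, l), uncovered(l, s)
        if only_source or only_link:
            findings.append({
                "principal": f"{key[0]}:{key[1]}",
                "scope": key[2],
                "only_via_source_path": only_source,
                "only_via_link_path": only_link,
            })
    return findings


if __name__ == "__main__":
    for finding in acl_divergence(SOURCE_PATH_ACL, LINK_PATH_ACL):
        print(json.dumps(finding))
```

An empty result means both paths authorize the same principals; for the session in the report, all three principals are flagged.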