Posted to common-issues@hadoop.apache.org by "Steve Loughran (JIRA)" <ji...@apache.org> on 2018/07/05 10:33:00 UTC

[jira] [Commented] (HADOOP-15572) Test S3Guard ops with assumed roles & verify required permissions

    [ https://issues.apache.org/jira/browse/HADOOP-15572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16533491#comment-16533491 ] 

Steve Loughran commented on HADOOP-15572:
-----------------------------------------

HADOOP-15569 documents the permissions needed, as obtained through manual setup.

What can be added is automated tests for restricted reader and admin permissions, so that any (unintentional) changes in requirements get picked up.

Proposed: 
 1. test for s3guard init/prune/destroy commands with perms restricted to admin set of roles
 2. test for restricted user role with read, list & update operations all working, but S3Guard tool operations blocked as appropriate.

Test #1 could be done just by restricting the role for some of the existing tests, though it may be tricky to get right there (shared filesystems, etc.).

 

> Test S3Guard ops with assumed roles & verify required permissions
> -----------------------------------------------------------------
>
>                 Key: HADOOP-15572
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15572
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 3.1.0
>            Reporter: Steve Loughran
>            Priority: Major
>
> We haven't documented permissions for S3Guard (WiP of mine); when I try to test using the AssumedRoleCredentialProvider & a role nominally restricted to R/W of S3Guard *but not create/delete*, I can still create and destroy buckets.
> Either I've got my list wrong, or how S3Guard sets up its auth isn't right & is somehow falling back to the full role.


