Posted to dev@ranger.apache.org by "Abhishek Shukla (Jira)" <ji...@apache.org> on 2020/06/19 11:44:00 UTC

[jira] [Comment Edited] (RANGER-2857) Create volume fails for a policy with specific volume/bucket/key names

    [ https://issues.apache.org/jira/browse/RANGER-2857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17140467#comment-17140467 ] 

Abhishek Shukla edited comment on RANGER-2857 at 6/19/20, 11:43 AM:
--------------------------------------------------------------------

Resolved after adding a separate Ranger policy providing the required permissions at the volume resource type for the test users.


was (Author: shukla):
Resolved after adding a separate Ranger policy providing the required permissions at the volume resource type for the test users.
 * [|https://jira.cloudera.com/secure/AddComment!default.jspa?id=863176]

> Create volume fails for a policy with specific volume/bucket/key names
> ----------------------------------------------------------------------
>
>                 Key: RANGER-2857
>                 URL: https://issues.apache.org/jira/browse/RANGER-2857
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 2.1.0
>            Reporter: Abhishek Shukla
>            Priority: Major
>
> *Test Policy Contents:*
> {noformat}
> {
>     "resources": {
>         "volume": {
>             "values": [
>                 "volume-ojzj-1",
>                 "volume-ojzj-2"
>             ],
>             "isExcludes": false,
>             "isRecursive": false
>         },
>         "bucket": {
>             "values": [
>                 "bucket-jezv-1",
>                 "bucket-jezv-2"
>             ],
>             "isExcludes": false,
>             "isRecursive": false
>         },
>         "key": {
>             "values": [
>                 "key-wssb_1",
>                 "key-wssb_2"
>             ],
>             "isExcludes": false,
>             "isRecursive": false
>         }
>     },
>     "policyItems": [
>         {
>             "accesses": [
>                 {
>                     "type": "read",
>                     "isAllowed": true
>                 },
>                 {
>                     "type": "write",
>                     "isAllowed": true
>                 },
>                 {
>                     "type": "create",
>                     "isAllowed": true
>                 },
>                 {
>                     "type": "delete",
>                     "isAllowed": true
>                 }
>             ],
>             "users": [
>                 "hrt_qa"
>             ],
>             "groups": [],
>             "roles": [],
>             "conditions": [],
>             "delegateAdmin": false
>         }
>     ],
>     "denyPolicyItems": [],
>     "allowExceptions": [],
>     "denyExceptions": [],
>     "dataMaskPolicyItems": [],
>     "rowFilterPolicyItems": [],
>     "serviceType": "ozone",
>     "options": {},
>     "validitySchedules": [],
>     "policyLabels": [],
>     "zoneName": "",
>     "isDenyAllElse": false
> }
> {noformat}
>  
> *Ozone Client Commands:*
> {noformat}
> $ ozone sh volume create o3://ozone1/volume-ojzj-1
> INFO rpc.RpcClient: Creating Volume: volume-ojzj-1, with hrt_qa as owner.
> PERMISSION_DENIED User hrt_qa doesn't have CREATE permission to access volume
> $ ozone sh volume delete o3://ozone1/volume-ojzj-1
> PERMISSION_DENIED User hrt_qa doesn't have DELETE permission to access volume
> {noformat}
>  
> Now in the same test policy, if I select bucket as *none* or give wildcard [*] for the bucket and key resources, the access is provided to create/delete the volume.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
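
The behaviour reported above, reproduced with a simplified model of hierarchical resource matching. This is an added example, not Ranger's code and not part of the original message. The function names and the matching rule (a level missing from the request is covered only when the policy leaves that level unset or sets it to `*`) are assumptions chosen to agree with the observations in the report; `isExcludes` and `isRecursive` are ignored.

```python
from fnmatch import fnmatchcase

HIERARCHY = ("volume", "bucket", "key")  # Ozone resource levels, top down

def level_matches(policy_values, requested):
    """One level matches if the policy leaves it unset and the request does
    too, or if a policy value (wildcards allowed) covers the request."""
    if not policy_values:
        return requested is None
    if requested is None:
        # Request stops above this level: only a match-anything value covers it.
        return "*" in policy_values
    return any(fnmatchcase(requested, v) for v in policy_values)

def is_allowed(policy, user, access_type, resource):
    """Allow only if every level matches and an item grants the user the access."""
    for level in HIERARCHY:
        values = policy["resources"].get(level, {}).get("values", [])
        if not level_matches(values, resource.get(level)):
            return False
    return any(
        user in item["users"]
        and any(a["type"] == access_type and a["isAllowed"] for a in item["accesses"])
        for item in policy["policyItems"]
    )

def make_policy(volume, bucket=None, key=None):
    """Build a policy shaped like the test policy in the report (constructed)."""
    levels = {"volume": volume, "bucket": bucket, "key": key}
    accesses = [{"type": t, "isAllowed": True}
                for t in ("read", "write", "create", "delete")]
    return {
        "resources": {k: {"values": v} for k, v in levels.items() if v},
        "policyItems": [{"users": ["hrt_qa"], "accesses": accesses}],
    }

# Assumption: a volume create/delete is authorized as a volume-level request.
VOLUME_REQUEST = {"volume": "volume-ojzj-1"}
VOLUMES = ["volume-ojzj-1", "volume-ojzj-2"]

reported = make_policy(VOLUMES, ["bucket-jezv-1", "bucket-jezv-2"],
                       ["key-wssb_1", "key-wssb_2"])
wildcard = make_policy(VOLUMES, ["*"], ["*"])  # bucket and key set to *
volume_only = make_policy(VOLUMES)             # the separate volume-level policy

if __name__ == "__main__":
    for name, p in (("reported", reported), ("wildcard", wildcard),
                    ("volume_only", volume_only)):
        print(name, is_allowed(p, "hrt_qa", "create", VOLUME_REQUEST))
```

In this model the reported policy still grants access to the named keys; it only fails to cover requests that stop at the volume level, which is why the separate volume-level policy resolves the denial.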