Posted to common-issues@hadoop.apache.org by GitBox <gi...@apache.org> on 2019/03/22 21:43:38 UTC

[GitHub] [hadoop] ajayydv commented on issue #634: HDDS-939. Add S3 access check to Ozone manager. Contributed by Ajay Kumar.

URL: https://github.com/apache/hadoop/pull/634#issuecomment-475793501
 
 
   > So instead of an md5Hex of Kerberos, we now store accessKey as the original Kerberos user.
   > 
   > So that for Ozone S3, in OM when the ACL check happens, it will be a Kerberos user. So, the ACL check for Ozone S3 happens. (Not sure if my understanding is completely correct here?)
   > 
   > But with this we have an issue, because internally when a bucket is created (S3 bucket), we consider the volume name as awsaccessKeyID. With this, our volume name can have '/', '.' characters. The volume creation fails. (Because we do validate the name in RpcClient by calling verifyResourceName.) We need to change the logic over there. Previously we didn't see any issue because it was md5Hex.
   > 
   > I think if the awsAccessKey does not have the realm, if it has just the name, we shall not see the issue.
   
   @bharatviswa504 thanks for bringing this up. Updated the PR to handle this by normalizing the userId if it is a Kerberos ID.
