Posted to issues@ozone.apache.org by "neils-dev (via GitHub)" <gi...@apache.org> on 2023/02/21 22:08:52 UTC

[GitHub] [ozone] neils-dev commented on pull request #4291: HDDS 6986. Update ozone ranger plugin to handle snapshots

neils-dev commented on PR #4291:
URL: https://github.com/apache/ozone/pull/4291#issuecomment-1439153815

   Thanks @smengcl for the comments and questions.
   
   > A new snapshotName field alone may or may not suffice. Currently we only support the snapshot scope of a single bucket, but we would at least expand the snapshot scope to a volume.
   
   Snapshot path + snapshot name or UUID of snapshot should be a unique identifier.
   
   
   
   As an aside, this patch is for the Ranger authorizer for snapshot buckets that have an explicit policy defined for them (policy set by the admin for the particular snapshotpath/snapshot).  If no explicit policy exists, then the "Active" bucket policy (current policy) is used for authorization checks.  A couple of points that may help.
   
   i.) The patch is for tweaking the Ranger to use an explicit policy defined for the snapshot if it exists.  Originally, I believe, we were going to use Ranger to check if such an explicit policy exists for the snapshot; however, it can be checked but I think it can't be applied for the access check, and so we were looking to make some changes for it.
   
   > It should be easy to add support for Ozone native ACL in OzoneNativeAuthorizer as well.
   
   ii.) Ozone native authorizer is unaffected.  In the snapshot design, Ozone native authorizer checks should be unaffected as the ACLs from the snapshot are used for access control for snapshots (captured in snapshot).
    


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

