You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by "Abhishek (Jira)" <ji...@apache.org> on 2022/04/22 08:49:00 UTC

[jira] [Created] (RANGER-3731) Ranger policy enforcement for Ozone does not seem consistent based on the policy resources

Abhishek created RANGER-3731:
--------------------------------

             Summary: Ranger policy enforcement for Ozone does not seem consistent based on the policy resources
                 Key: RANGER-3731
                 URL: https://issues.apache.org/jira/browse/RANGER-3731
             Project: Ranger
          Issue Type: Bug
          Components: Ranger
            Reporter: Abhishek


With the following Ozone policy,
{code:java}
Policy resources - volume - *, bukcet - *, key - *
All access provided to hrt_1 user{code}

The hrt_1 user is able to perform the following ls operation :-
{code:java}
ozone fs -ls -R o3fs://test-bucket-nzxvfhn.test-volume-nzxvfhn.ozone1/test_dir_nzxvfhn_1/dir1_nzxvfhn
drwxrwxrwx   - hrt_1 hrt_1          0 2022-04-22 04:23 o3fs://test-bucket-nzxvfhn.test-volume-nzxvfhn.ozone1/test_dir_nzxvfhn_1/dir1_nzxvfhn/dir1
drwxrwxrwx   - hrt_1 hrt_1          0 2022-04-22 04:23 o3fs://test-bucket-nzxvfhn.test-volume-nzxvfhn.ozone1/test_dir_nzxvfhn_1/dir1_nzxvfhn/dir1/dir11 {code}

But with the following policy,
{code:java}
Policy resources - volume - *, bucket - *, key - test_dir_*_1
All access provided to hrt_1 user 
{code}

The hrt_1 user is not able to access the key dir and the access is denied to the user
at the volume level itself. The user is not allowed access on the volume and to the bucket even if the policy resource has a wildcard "*" to allow access on bucket and volume.
{code:java}
ozone fs -ls -R o3fs://test-bucket-nzxvfhn.test-volume-nzxvfhn.ozone1/test_dir_nzxvfhn_1/dir1_nzxvfhn
22/04/22 07:08:00 WARN fs.FileSystem: Failed to initialize fileystem o3fs://test-bucket-nzxvfhn.test-volume-nzxvfhn.ozone1/test_dir_nzxvfhn_1/dir1_nzxvfhn: PERMISSION_DENIED org.apache.hadoop.ozone.om.exceptions.OMException: User hrt_1 doesn't have READ permission to access volume Volume:test-volume-nzxvfhn 
ls: User hrt_1 doesn't have READ permission to access volume Volume:test-volume-nzxvfhn  {code}

The behaviour does not seem consistent when the policy resource for key contains a "*" and when the policy resource for key contains a specific value.
The behavior should be consistent in both the cases



--
This message was sent by Atlassian Jira
(v8.20.7#820007)