You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "Abhishek (Jira)" <ji...@apache.org> on 2022/04/22 08:49:00 UTC
[jira] [Created] (RANGER-3731) Ranger policy enforcement for Ozone does not seem consistent based on the policy resources
Abhishek created RANGER-3731:
--------------------------------
Summary: Ranger policy enforcement for Ozone does not seem consistent based on the policy resources
Key: RANGER-3731
URL: https://issues.apache.org/jira/browse/RANGER-3731
Project: Ranger
Issue Type: Bug
Components: Ranger
Reporter: Abhishek
With the following Ozone policy,
{code:java}
Policy resources - volume - *, bukcet - *, key - *
All access provided to hrt_1 user{code}
The hrt_1 user is able to perform the following ls operation :-
{code:java}
ozone fs -ls -R o3fs://test-bucket-nzxvfhn.test-volume-nzxvfhn.ozone1/test_dir_nzxvfhn_1/dir1_nzxvfhn
drwxrwxrwx - hrt_1 hrt_1 0 2022-04-22 04:23 o3fs://test-bucket-nzxvfhn.test-volume-nzxvfhn.ozone1/test_dir_nzxvfhn_1/dir1_nzxvfhn/dir1
drwxrwxrwx - hrt_1 hrt_1 0 2022-04-22 04:23 o3fs://test-bucket-nzxvfhn.test-volume-nzxvfhn.ozone1/test_dir_nzxvfhn_1/dir1_nzxvfhn/dir1/dir11 {code}
But with the following policy,
{code:java}
Policy resources - volume - *, bucket - *, key - test_dir_*_1
All access provided to hrt_1 user
{code}
The hrt_1 user is not able to access the key dir and the access is denied to the user
at the volume level itself. The user is not allowed access on the volume and to the bucket even if the policy resource has a wildcard "*" to allow access on bucket and volume.
{code:java}
ozone fs -ls -R o3fs://test-bucket-nzxvfhn.test-volume-nzxvfhn.ozone1/test_dir_nzxvfhn_1/dir1_nzxvfhn
22/04/22 07:08:00 WARN fs.FileSystem: Failed to initialize fileystem o3fs://test-bucket-nzxvfhn.test-volume-nzxvfhn.ozone1/test_dir_nzxvfhn_1/dir1_nzxvfhn: PERMISSION_DENIED org.apache.hadoop.ozone.om.exceptions.OMException: User hrt_1 doesn't have READ permission to access volume Volume:test-volume-nzxvfhn
ls: User hrt_1 doesn't have READ permission to access volume Volume:test-volume-nzxvfhn {code}
The behaviour does not seem consistent when the policy resource for key contains a "*" and when the policy resource for key contains a specific value.
The behavior should be consistent in both the cases
--
This message was sent by Atlassian Jira
(v8.20.7#820007)