Posted to commits@ozone.apache.org by ad...@apache.org on 2022/07/02 06:57:50 UTC
[ozone] branch master updated: HDDS-6942. Ozone Buckets/Objects created via S3 should not allow group access (#3553)
This is an automated email from the ASF dual-hosted git repository.
adoroszlai pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/master by this push:
new c5e374544c HDDS-6942. Ozone Buckets/Objects created via S3 should not allow group access (#3553)
c5e374544c is described below
commit c5e374544cad1244d28cd6b4c579dd77bc0a3e43
Author: Ritesh H Shukla <ke...@gmail.com>
AuthorDate: Fri Jul 1 23:57:45 2022 -0700
HDDS-6942. Ozone Buckets/Objects created via S3 should not allow group access (#3553)
---
hadoop-ozone/dist/src/main/smoketest/s3/bucketcreate.robot | 10 ++++++++++
hadoop-ozone/dist/src/main/smoketest/s3/commonawslib.robot | 3 ++-
.../java/org/apache/hadoop/ozone/s3/OzoneClientProducer.java | 1 +
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/hadoop-ozone/dist/src/main/smoketest/s3/bucketcreate.robot b/hadoop-ozone/dist/src/main/smoketest/s3/bucketcreate.robot
index 9b9077fab5..aaf0da4b77 100644
--- a/hadoop-ozone/dist/src/main/smoketest/s3/bucketcreate.robot
+++ b/hadoop-ozone/dist/src/main/smoketest/s3/bucketcreate.robot
@@ -40,3 +40,13 @@ Create bucket with invalid bucket name
${randStr} = Generate Ozone String
${result} = Execute AWSS3APICli and checkrc create-bucket --bucket invalid_bucket_${randStr} 255
Should contain ${result} InvalidBucketName
+Create new bucket and check no group ACL
+ ${bucket} = Create bucket
+ ${acl} = Execute ozone sh bucket getacl s3v/${bucket}
+ ${group} = Get Regexp Matches ${acl} "GROUP"
+ IF '${group}' is not '[]'
+ ${json} = Evaluate json.loads('''${acl}''') json
+ # make sure this check is for group acl
+ Should contain ${json}[1][type] GROUP
+ Should contain ${json}[1][aclList] NONE
+ END
\ No newline at end of file
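Review bot: The assertions in `Create new bucket and check no group ACL` assume the GROUP entry is always at `${json}[1]`, so a reordered ACL list would fail the type check for the wrong reason rather than test the group rights. Selecting the entry whose `type` is `GROUP` and asserting that its `aclList` is exactly `NONE` would make the check independent of ordering and stricter than `Should contain`. The guard `IF '${group}' is not '[]'` compares strings by Python identity, which is implementation-dependent; `IF    $group` expresses "the match list is non-empty" directly. The test covers only the bucket ACL, while the commit title also names objects, so a matching check on a key created through S3 may be worth adding.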
diff --git a/hadoop-ozone/dist/src/main/smoketest/s3/commonawslib.robot b/hadoop-ozone/dist/src/main/smoketest/s3/commonawslib.robot
index 6f3bbef175..0b03f3c75e 100644
--- a/hadoop-ozone/dist/src/main/smoketest/s3/commonawslib.robot
+++ b/hadoop-ozone/dist/src/main/smoketest/s3/commonawslib.robot
@@ -65,7 +65,8 @@ Setup v4 headers
Setup secure v4 headers
${result} = Execute ozone s3 getsecret ${OM_HA_PARAM}
${accessKey} = Get Regexp Matches ${result} (?<=awsAccessKey=).*
- ${accessKey} = Get Variable Value ${accessKey} sdsdasaasdasd
+ # Use a valid user that are created in the Docket image Ex: testuser if it is not a secure cluster
+ ${accessKey} = Get Variable Value ${accessKey} testuser
${secret} = Get Regexp Matches ${result} (?<=awsSecret=).*
${accessKey} = Set Variable ${accessKey[0]}
${secret} = Set Variable ${secret[0]}
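Review bot: The new comment above the fallback line is hard to read: "Docket" looks like a typo for "Docker" and "a valid user that are created" is ungrammatical. Suggested wording: `# Fall back to a user that exists in the Docker image (e.g. testuser) when the cluster is not secure`. Separately, two lines further down the value is indexed as `${accessKey[0]}`; if the string default `testuser` is ever taken, that index would presumably yield only its first character, so it is worth confirming the fallback path produces the intended access key. The `Setup secure v4 headers` keyword continues past the end of this hunk.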
diff --git a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/OzoneClientProducer.java b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/OzoneClientProducer.java
index ca8d32b48d..4df235cca3 100644
--- a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/OzoneClientProducer.java
+++ b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/OzoneClientProducer.java
@@ -66,6 +66,7 @@ public class OzoneClientProducer {
@Produces
public synchronized OzoneClient createClient() throws WebApplicationException,
IOException {
+ ozoneConfiguration.set("ozone.om.group.rights", "NONE");
client = getClient(ozoneConfiguration);
return client;
}
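Review bot: The added `ozoneConfiguration.set("ozone.om.group.rights", "NONE");` in `createClient()` overrides any operator-supplied value unconditionally, and nothing at the call site explains why. It also mutates the injected configuration object on every call. A comment such as `// HDDS-6942: buckets and keys created through the S3 gateway must not grant group access` would record the intent. If `ozoneConfiguration` is shared with other beans (not visible in this hunk), applying the override to a copy, or once at initialization, would keep the side effect from leaking beyond this client. The key is a string literal here; if the project already defines a constant for it, using that would keep the gateway in step with the server side.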