Posted to issues@ozone.apache.org by GitBox <gi...@apache.org> on 2021/04/01 07:48:49 UTC

[GitHub] [ozone] xiaoyuyao edited a comment on pull request #2012: HDDS-4913. Refine the native authorizer parent context right check.

xiaoyuyao edited a comment on pull request #2012:
URL: https://github.com/apache/ozone/pull/2012#issuecomment-797115802


   > @xiaoyuyao, currently the parent context check of a key applies to both bucket and volume. The volume is the parent of the bucket, not the parent of the key, so shall we consider having separate parent contexts for bucket and volume? Say, if I want to create key1 under volume1/bucket1, write permission on bucket1 is required, but write permission on volume1 seems not necessary.
   
   Based on an offline discussion with @arp7, he raised a good point that the requirement of write permission on the volume gives the admin a quick way to prevent user access to all the resources (buckets/keys) in one change at the volume level instead of individual changes at the bucket/key level.
   
   For @arp7's requirement, we can have a tool or CLI command to achieve this. If we think of volume/bucket/key as a FileSystem tree, it doesn't make much sense that writing a grandchild node needs the write permission of its grandparent.
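
The two parent-context policies discussed in this comment, side by side, as an added example that is not part of the original comment and not Ozone's native authorizer code. The class, the `Policy` names, the ACL table and the user `alice` are all hypothetical; only the volume1/bucket1/key layout comes from the thread.

```java
import java.util.*;

// Simplified model of the discussion, NOT Ozone's authorizer API.
public class ParentContextDemo {
    enum Right { READ, WRITE }
    // ALL_ANCESTORS: key create needs WRITE on bucket and volume (behaviour described as current).
    // DIRECT_PARENT: key create needs WRITE on the bucket only (the proposal in the thread).
    enum Policy { ALL_ANCESTORS, DIRECT_PARENT }

    // Constructed ACL table: resource path -> user -> rights granted.
    static final Map<String, Map<String, Set<Right>>> ACLS = new HashMap<>();

    static void grant(String path, String user, Right... rights) {
        ACLS.computeIfAbsent(path, p -> new HashMap<>())
            .computeIfAbsent(user, u -> EnumSet.noneOf(Right.class))
            .addAll(Arrays.asList(rights));
    }

    static void revoke(String path, String user, Right right) {
        Map<String, Set<Right>> byUser = ACLS.get(path);
        if (byUser != null && byUser.containsKey(user)) byUser.get(user).remove(right);
    }

    static boolean has(String path, String user, Right right) {
        return ACLS.getOrDefault(path, Map.of())
                   .getOrDefault(user, Set.of()).contains(right);
    }

    // May `user` create a key under /volume/bucket under the given policy?
    static boolean canCreateKey(Policy policy, String user, String volume, String bucket) {
        String volPath = "/" + volume;
        boolean bucketOk = has(volPath + "/" + bucket, user, Right.WRITE);
        if (policy == Policy.DIRECT_PARENT) return bucketOk;
        return bucketOk && has(volPath, user, Right.WRITE);
    }

    public static void main(String[] args) {
        grant("/volume1", "alice", Right.READ, Right.WRITE);
        grant("/volume1/bucket1", "alice", Right.READ, Right.WRITE);
        for (Policy p : Policy.values())
            System.out.println(p + " before revoke: " + canCreateKey(p, "alice", "volume1", "bucket1"));
        revoke("/volume1", "alice", Right.WRITE); // the single admin change at volume level
        for (Policy p : Policy.values())
            System.out.println(p + " after revoke:  " + canCreateKey(p, "alice", "volume1", "bucket1"));
    }
}
```

After the volume-level revoke, only the `ALL_ANCESTORS` policy denies the key create; under `DIRECT_PARENT` the same lockout needs a per-bucket change or a separate tool, which is the trade-off the comment weighs.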

