You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ozone.apache.org by "Maksim Myskov (Jira)" <ji...@apache.org> on 2022/01/17 20:05:00 UTC
[jira] [Created] (HDDS-6193) S3G allows to get directory listing if it's forbidden by ranger policy
Maksim Myskov created HDDS-6193:
-----------------------------------
Summary: S3G allows to get directory listing if it's forbidden by ranger policy
Key: HDDS-6193
URL: https://issues.apache.org/jira/browse/HDDS-6193
Project: Apache Ozone
Issue Type: Bug
Reporter: Maksim Myskov
I have Ozone configured with Kerberos and Ranger enabled. There are the following keys:
* myvolume/mybucket/key1
* myvolume/mybuckey/key1/subkey1
* myvolume/mybucket/key1/subkey2
I linked "mybucket" to "s3v" volume to get make it available via S3 Gateway.
I have a ranger deny policy for myvolume/mybucket/key1.
Finally, if I try to get list of subkeys via S3 API and ozone shell:
Ozone shell: (deny policy applied)
{quote}ozone fs -ls o3fs://mybucket.myvolume.ozone/key1/
ls: User myuser doesn't have READ permission to access key myvolume mybucket key1
{quote}
S3 CLI: (deny policy ignored)
{quote}aws s3 ls --endpoint http://myozonecluster:9878 s3://mybucket/key1/
PRE subkey1/
PRE subkey2/
2022-01-17 22:57:10 0
{quote}
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org