Posted to issues@ozone.apache.org by "Maksim Myskov (Jira)" <ji...@apache.org> on 2022/01/17 20:05:00 UTC

[jira] [Created] (HDDS-6193) S3G allows to get directory listing if it's forbidden by ranger policy

Maksim Myskov created HDDS-6193:
-----------------------------------

             Summary: S3G allows to get directory listing if it's forbidden by ranger policy
                 Key: HDDS-6193
                 URL: https://issues.apache.org/jira/browse/HDDS-6193
             Project: Apache Ozone
          Issue Type: Bug
            Reporter: Maksim Myskov


I have Ozone configured with Kerberos and Ranger enabled. There are the following keys:
 * myvolume/mybucket/key1
 * myvolume/mybucket/key1/subkey1
 * myvolume/mybucket/key1/subkey2

I linked "mybucket" to the "s3v" volume to make it available via S3 Gateway.

I have a Ranger deny policy for myvolume/mybucket/key1.

Finally, if I try to get the list of subkeys via the S3 API and the Ozone shell:

 Ozone shell: (deny policy applied)
{quote}ozone fs -ls o3fs://mybucket.myvolume.ozone/key1/

ls: User myuser doesn't have READ permission to access key myvolume mybucket key1
{quote}
S3 CLI: (deny policy ignored)
{quote}aws s3 ls  --endpoint http://myozonecluster:9878  s3://mybucket/key1/

                           PRE subkey1/

                           PRE subkey2/

2022-01-17 22:57:10          0
{quote}


