Posted to issues@ozone.apache.org by "Ashish Kumar (Jira)" <ji...@apache.org> on 2023/01/02 07:40:00 UTC

[jira] [Assigned] (HDDS-4755) Can't create key in non-owned bucket although it should be allowed by ACL

     [ https://issues.apache.org/jira/browse/HDDS-4755?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ashish Kumar reassigned HDDS-4755:
----------------------------------

    Assignee: Ashish Kumar

> Can't create key in non-owned bucket although it should be allowed by ACL
> -------------------------------------------------------------------------
>
>                 Key: HDDS-4755
>                 URL: https://issues.apache.org/jira/browse/HDDS-4755
>             Project: Apache Ozone
>          Issue Type: Bug
>          Components: OM
>    Affects Versions: 1.0.0
>         Environment: Secure setup of Ozone 1.0.0
>            Reporter: UENISHI Kota
>            Assignee: Ashish Kumar
>            Priority: Major
>
> Even when a bucket has an ACL like "world::a" or "anonymous::a", no one other than the owner can create any key in the bucket. I believe it's not only me, and it's reproducible with the following sequence:
> As an admin user:
>  1. ozone sh volume addacl -a "world::a" /s3v
>  2. ozone sh bucket create /s3v/sandbox
>  3. ozone sh bucket addacl -a "world::a" /s3v/sandbox
> Which yields the following ACL state:
>  $ bin/ozone sh volume getacl /s3v
>  [ {
>    "type" : "USER",
>    "name" : "ozone",
>    "aclScope" : "ACCESS",
>    "aclList" : [ "ALL" ]
>  }, {
>    "type" : "GROUP",
>    "name" : "hadoop",
>    "aclScope" : "ACCESS",
>    "aclList" : [ "ALL" ]
>  }, {
>    "type" : "GROUP",
>    "name" : "ozone",
>    "aclScope" : "ACCESS",
>    "aclList" : [ "ALL" ]
>  }, {
>    "type" : "WORLD",
>    "name" : "WORLD",
>    "aclScope" : "ACCESS",
>    "aclList" : [ "READ", "CREATE", "LIST", "READ_ACL" ]
>  }, {
>    "type" : "ANONYMOUS",
>    "name" : "ANONYMOUS",
>    "aclScope" : "ACCESS",
>    "aclList" : [ "READ", "LIST" ]
>  } ]
>  $ bin/ozone sh bucket getacl /s3v/sandbox
>  [ {
>    "type" : "USER",
>    "name" : "hdfs@PFN.IO",
>    "aclScope" : "ACCESS",
>    "aclList" : [ "ALL" ]
>  }, {
>    "type" : "GROUP",
>    "name" : "hdfs",
>    "aclScope" : "ACCESS",
>    "aclList" : [ "ALL" ]
>  }, {
>    "type" : "GROUP",
>    "name" : "hadoop",
>    "aclScope" : "ACCESS",
>    "aclList" : [ "ALL" ]
>  }, {
>    "type" : "WORLD",
>    "name" : "WORLD",
>    "aclScope" : "ACCESS",
>    "aclList" : [ "ALL" ]
>  } ]
> And then I tried to create a key as another user, but it fails:
>  $ bin/ozone sh key put /s3v/sandbox/hello.txt hello.txt
>  PERMISSION_DENIED User kota@PFN.IO doesn't have CREATE permission to access key
>
> I doubt checkAcls() (here: https://github.com/apache/ozone/blob/6fe3e8ae89fc7fb1701ca420c54c68d87724154b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java#L2162-L2163), which throws PERMISSION_DENIED rather than KEY_NOT_FOUND.
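
The reporter's expectation, that the bucket's WORLD entry with "ALL" should grant CREATE to any authenticated user, can be checked by evaluating the getacl output directly. The following is an added example, not Ozone's own code: it parses the bucket ACL JSON quoted above and computes the rights a given principal holds on that object. The treatment of DEFAULT-scope and ANONYMOUS entries is an assumption about Ozone's semantics, not something stated in the report.

```python
import json

# Constructed sample input: the bucket ACL listing quoted in the report.
BUCKET_ACL_JSON = """[
 { "type" : "USER",  "name" : "hdfs@PFN.IO", "aclScope" : "ACCESS", "aclList" : [ "ALL" ] },
 { "type" : "GROUP", "name" : "hdfs",   "aclScope" : "ACCESS", "aclList" : [ "ALL" ] },
 { "type" : "GROUP", "name" : "hadoop", "aclScope" : "ACCESS", "aclList" : [ "ALL" ] },
 { "type" : "WORLD", "name" : "WORLD",  "aclScope" : "ACCESS", "aclList" : [ "ALL" ] }
]"""

# Concrete rights; "ALL" in an aclList stands for every one of them, "NONE" for none.
RIGHTS = frozenset({"READ", "WRITE", "CREATE", "LIST", "DELETE", "READ_ACL", "WRITE_ACL"})


def expand(acl_list):
    """Turn an aclList as printed by getacl into the concrete set of rights it grants."""
    rights = set()
    for r in acl_list:
        if r == "ALL":
            rights |= RIGHTS
        elif r != "NONE":
            rights.add(r)
    return rights


def entry_applies(entry, user, groups):
    """Does this ACL entry match the principal? WORLD matches every authenticated user;
    ANONYMOUS is assumed to match only an unauthenticated caller (user is None)."""
    t, name = entry["type"], entry["name"]
    if t == "USER":
        return name == user
    if t == "GROUP":
        return name in groups
    if t == "WORLD":
        return user is not None
    return t == "ANONYMOUS" and user is None


def granted_rights(acl_json, user, groups):
    """Union of rights the principal holds on this object. Only ACCESS-scope entries
    count; DEFAULT-scope entries are assumed to be inheritance templates for children."""
    rights = set()
    for entry in json.loads(acl_json):
        if entry["aclScope"] == "ACCESS" and entry_applies(entry, user, groups):
            rights |= expand(entry["aclList"])
    return rights


def has_right(acl_json, user, groups, right):
    return right in granted_rights(acl_json, user, groups)


if __name__ == "__main__":
    # kota@PFN.IO is neither the owner nor in a listed group, so only the WORLD entry applies.
    print("CREATE on bucket:", has_right(BUCKET_ACL_JSON, "kota@PFN.IO", [], "CREATE"))
```

Run against the quoted bucket ACL this reports CREATE as allowed for kota@PFN.IO, which is the state the PERMISSION_DENIED above contradicts; the check is an aid for reading ACL listings, not a reproduction of OM's checkAcls() logic.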


