Posted to issues@ozone.apache.org by "Neil Joshi (Jira)" <ji...@apache.org> on 2021/08/03 03:39:00 UTC

[jira] [Commented] (HDDS-4335) No user access checks in Ozone FS

    [ https://issues.apache.org/jira/browse/HDDS-4335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17391933#comment-17391933 ] 

Neil Joshi commented on HDDS-4335:
----------------------------------

cc [~swagle] - mentioned this Jira during one of the meetings... With the conditions quoted below and the above comments, can we resolve this issue as a non-issue? What to do?

_Ozone fs shell POSIX permissions are not used for access control checks against object read/write/view operations.  Instead, currently access control is checked against access control policies provided by ozone native ACL or external Apache Ranger._

_Since permissions are provided and checked with object store access control mechanisms, the POSIX file system permissions are hardcoded to read/write and viewable for all users (owner,group,user - rwxrwxrwx)._

_The example provided with this Jira is not an issue as described as the ozone setup will provide access control for ozone fs shell file creation and modification given it is run on a secure cluster (enabled native acl / ranger)._

> No user access checks in Ozone FS
> ---------------------------------
>
>                 Key: HDDS-4335
>                 URL: https://issues.apache.org/jira/browse/HDDS-4335
>             Project: Apache Ozone
>          Issue Type: Bug
>            Reporter: Shashikant Banerjee
>            Assignee: Neil Joshi
>            Priority: Major
>
> Currently, a dir/file created with hdfs user can be deleted by any user.
> {code:java}
> [sbanerjee@vd1308 MapReduce-Performance_Testing-master]$ sudo -u hdfs ozone fs -mkdir o3fs://bucket1.vol1.ozone1/data/sandbox/poc/teragen
> [sbanerjee@vd1308 MapReduce-Performance_Testing-master]$ sudo -u hdfs ozone fs -ls o3fs://bucket1.vol1.ozone1/data/sandbox/poc/teragen
> [sbanerjee@vd1308 MapReduce-Performance_Testing-master]$ sudo -u hdfs ozone fs -ls o3fs://bucket1.vol1.ozone1/data/sandbox/poc/
> Found 1 items
> drwxrwxrwx   - hdfs hdfs          0 2020-10-12 02:51 o3fs://bucket1.vol1.ozone1/data/sandbox/poc/teragen
> [sbanerjee@vd1308 MapReduce-Performance_Testing-master]$ 
> [sbanerjee@vd1308 MapReduce-Performance_Testing-master]$ 
> [sbanerjee@vd1308 MapReduce-Performance_Testing-master]$ 
> [sbanerjee@vd1308 MapReduce-Performance_Testing-master]$ ozone fs -rm -r o3fs://bucket1.vol1.ozone1/data/sandbox/poc/
> 20/10/12 02:52:16 INFO Configuration.deprecation: io.bytes.per.checksum is deprecated. Instead, use dfs.bytes-per-checksum
> 20/10/12 02:52:16 INFO ozone.BasicOzoneFileSystem: Move to trash is disabled for o3fs, deleting instead: o3fs://bucket1.vol1.ozone1/data/sandbox/poc. Files or directories will NOT be retained in trash. Ignore the following TrashPolicyDefault message, if any.
> 20/10/12 02:52:16 INFO fs.TrashPolicyDefault: Moved: 'o3fs://bucket1.vol1.ozone1/data/sandbox/poc' to trash at: /.Trash/sbanerjee/Current/data/sandbox/poc1602496336480
> [sbanerjee@vd1308 MapReduce-Performance_Testing-master]$ sudo -u hdfs ozone fs -ls o3fs://bucket1.vol1.ozone1/data/sandbox/poc/
> ls: `o3fs://bucket1.vol1.ozone1/data/sandbox/poc/': No such file or directory
> {code}
> Whereas, the same sequence fails with permission denied error in HDFS.
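
The condition stated in the comment above (access control comes from Ozone native ACLs or Ranger, not from the POSIX bits shown by `ozone fs -ls`) can be checked from configuration. The following is an added example, not part of the original message or of the Ozone code base: a Python check over an `ozone-site.xml`, where the sample XML is constructed and the function names `load_props` and `audit_acl` are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample ozone-site.xml fragments (not taken from the issue).
ACL_OFF = """<configuration>
  <property><name>ozone.om.address</name><value>om.example.test</value></property>
</configuration>"""

ACL_ON = """<configuration>
  <property><name>ozone.acl.enabled</name><value>true</value></property>
  <property>
    <name>ozone.acl.authorizer.class</name>
    <value>org.apache.hadoop.ozone.security.acl.OzoneNativeAuthorizer</value>
  </property>
</configuration>"""


def load_props(xml_text):
    """Parse Hadoop-style <property><name/><value/></property> entries into a dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit_acl(xml_text):
    """Return a list of findings; an empty list means ACL enforcement is configured."""
    props = load_props(xml_text)
    findings = []
    # A missing ozone.acl.enabled is treated as "false" (ACL checks off).
    if props.get("ozone.acl.enabled", "false").lower() != "true":
        findings.append("ozone.acl.enabled is not true: no ACL checks, and the "
                        "rwxrwxrwx shown by 'ozone fs -ls' restricts nothing")
    elif not props.get("ozone.acl.authorizer.class"):
        findings.append("ozone.acl.enabled is true but ozone.acl.authorizer.class "
                        "is unset: confirm which authorizer is in effect")
    return findings


if __name__ == "__main__":
    for label, cfg in (("ACL_OFF", ACL_OFF), ("ACL_ON", ACL_ON)):
        print(label, audit_acl(cfg) or "ok")
```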


