Posted to issues@ozone.apache.org by "Istvan Fajth (Jira)" <ji...@apache.org> on 2020/07/23 17:13:00 UTC

[jira] [Commented] (HDDS-4020) ACL commands like getacl and setacl should return a response only when Native Authorizer is enabled

    [ https://issues.apache.org/jira/browse/HDDS-4020?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17163785#comment-17163785 ] 

Istvan Fajth commented on HDDS-4020:
------------------------------------

I would like to suggest a few things for consideration on this.

If we have an external authorizer, like Ranger, then we should fail any ACL creation or modification commands, with a proper error message that says modification of any ACL should happen via the external authorizer used.
On the other hand, read operations should not fail.
Now we get this error message on a getACL when an external authorizer is enabled:

    [# ozone sh volume getacl o3://ozone1/test
    PERMISSION_DENIED User user@EXAMPLE.COM doesn't have READ_ACL permission to access volume

I think reading the ACLs from the external authorizer and showing them to the users would be a much nicer approach, though I agree this should probably go into a separate JIRA, as this might need modifications in the IAccessAuthorizer that have to be followed up by the Ranger plugin itself as well.

> ACL commands like getacl and setacl should return a response only when Native Authorizer is enabled
> ---------------------------------------------------------------------------------------------------
>
>                 Key: HDDS-4020
>                 URL: https://issues.apache.org/jira/browse/HDDS-4020
>             Project: Hadoop Distributed Data Store
>          Issue Type: Task
>          Components: Ozone CLI, Ozone Manager
>    Affects Versions: 0.5.0
>            Reporter: Vivek Ratnavel Subramanian
>            Assignee: Bharat Viswanadham
>            Priority: Major
>
> Currently, the getacl and setacl commands return wrong information when an external authorizer such as Ranger is enabled. There should be a check to verify if Native Authorizer is enabled before returning any response for these two commands.
> If an external authorizer is enabled, it should show a nice message about managing ACLs in the external authorizer.


