You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Aaron Fabbri (JIRA)" <ji...@apache.org> on 2018/06/08 21:14:00 UTC
[jira] [Updated] (HADOOP-15525) s3a: clarify / improve support for
mixed ACL buckets
[ https://issues.apache.org/jira/browse/HADOOP-15525?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Aaron Fabbri updated HADOOP-15525:
----------------------------------
Description:
Scenario: customer wants to only give a Hadoop cluster access to a subtree of an S3 bucket.
For example, assume Hadoop uses some IAM identity "hadoop", which they wish to grant full permission to everything under the following path:
s3a://bucket/a/b/c/hadoop-dir
they don't want hadoop user to be able to read/list/delete anything outside of the hadoop-dir "subdir"
Problems:
To implement the "directory structure on flat key space" emulation logic we use to present a Hadoop FS on top of a blob store, we need to create / delete / list ancestors of {{hadoop-dir}}. (to maintain the invariants (1) zero-byte object with key ending in '/' exists iff empty directory is there and (2) files cannot live beneath files, only directories.)
I'd like us to either (1) document a workaround (example IAM ACLs) that gets this basic functionality, and/or (2) make improvements to make this less painful.
We've discussed some of these issues before but I didn't see a dedicated JIRA.
was:
Scenario: customer wants to only give a Hadoop cluster access to a subtree of an S3 bucket.
For example, assume Hadoop uses some IAM identity "hadoop", which they wish to grant full permission to everything under the following path:
s3a://bucket/a/b/c/hadoop-dir
they don't want hadoop user to be able to read/list/delete anything outside of the hadoop-dir "subdir"
Problems:
To implement the "directory structure on flat key space" emulation logic we use to present a Hadoop FS on top of a blob store, we need to create / delete / list ancestors of {{hadoop-dir}}.
I'd like us to either (1) document a workaround (example IAM ACLs) that gets this basic functionality, and/or (2) make improvements to make this less painful.
We've discussed some of these issues before but I didn't see a dedicated JIRA.
> s3a: clarify / improve support for mixed ACL buckets
> ----------------------------------------------------
>
> Key: HADOOP-15525
> URL: https://issues.apache.org/jira/browse/HADOOP-15525
> Project: Hadoop Common
> Issue Type: Bug
> Components: fs/s3
> Affects Versions: 3.0.0
> Reporter: Aaron Fabbri
> Priority: Major
>
> Scenario: customer wants to only give a Hadoop cluster access to a subtree of an S3 bucket.
> For example, assume Hadoop uses some IAM identity "hadoop", which they wish to grant full permission to everything under the following path:
> s3a://bucket/a/b/c/hadoop-dir
> they don't want hadoop user to be able to read/list/delete anything outside of the hadoop-dir "subdir"
> Problems:
> To implement the "directory structure on flat key space" emulation logic we use to present a Hadoop FS on top of a blob store, we need to create / delete / list ancestors of {{hadoop-dir}}. (to maintain the invariants (1) zero-byte object with key ending in '/' exists iff empty directory is there and (2) files cannot live beneath files, only directories.)
> I'd like us to either (1) document a workaround (example IAM ACLs) that gets this basic functionality, and/or (2) make improvements to make this less painful.
> We've discussed some of these issues before but I didn't see a dedicated JIRA.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org