Posted to common-issues@hadoop.apache.org by "Aaron Fabbri (JIRA)" <ji...@apache.org> on 2018/06/08 21:25:00 UTC

[jira] [Commented] (HADOOP-15525) s3a: clarify / improve support for mixed ACL buckets

    [ https://issues.apache.org/jira/browse/HADOOP-15525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16506574#comment-16506574 ] 

Aaron Fabbri commented on HADOOP-15525:
---------------------------------------

Assigning to me for now. I'd like to write a doc here to describe an example with actual IAM policies so we can talk concretely about it. Coincidentally, I'm about to go on vacation for two weeks but will try to post something when I get back. Meanwhile, comments welcomed.

> s3a: clarify / improve support for mixed ACL buckets
> ----------------------------------------------------
>
>                 Key: HADOOP-15525
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15525
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: fs/s3
>    Affects Versions: 3.0.0
>            Reporter: Aaron Fabbri
>            Assignee: Aaron Fabbri
>            Priority: Major
>
> Scenario: customer wants to only give a Hadoop cluster access to a subtree of an S3 bucket.
> For example, assume Hadoop uses some IAM identity "hadoop", which they wish to grant full permission to everything under the following path:
> s3a://bucket/a/b/c/hadoop-dir
> They don't want the hadoop user to be able to read/list/delete anything outside of the hadoop-dir "subdir".
> Problems: 
> To implement the "directory structure on flat key space" emulation logic we use to present a Hadoop FS on top of a blob store, we need to create / delete / list ancestors of {{hadoop-dir}} (to maintain the invariants (1) zero-byte object with key ending in '/' exists iff empty directory is there and (2) files cannot live beneath files, only directories).
> I'd like us to either (1) document a workaround (example IAM ACLs) that gets this basic functionality, and/or (2) make improvements to make this less painful.
> We've discussed some of these issues before but I didn't see a dedicated JIRA.
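
Added example (not part of the original message and not S3A's own code): a simplified model of the ancestor checks the issue describes, showing which keys fall outside a grant scoped to the hadoop-dir subtree. The function names and the sample file key are assumptions; the path and the two invariants come from the issue text.

```python
# Simplified model of the two invariants quoted in the issue; it does not
# reproduce S3A's real request sequence.

GRANTED_PREFIX = "a/b/c/hadoop-dir/"  # subtree the "hadoop" identity may use


def ancestors(key):
    """Return the ancestor 'directories' of an object key, shallowest first."""
    parts = key.strip("/").split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts))]


def keys_touched(key):
    """Keys a directory emulation consults to keep the two invariants.

    For each ancestor: the bare key (must not be a file, invariant 2) and
    the key with a trailing '/' (the empty-directory marker, invariant 1).
    """
    touched = []
    for d in ancestors(key):
        touched.append(d)        # is there a file where a directory should be?
        touched.append(d + "/")  # zero-byte marker to create, delete or list
    return touched


def outside_grant(key, granted_prefix=GRANTED_PREFIX):
    """Subset of keys_touched() that a prefix-scoped grant does not cover."""
    return [k for k in keys_touched(key) if not k.startswith(granted_prefix)]


if __name__ == "__main__":
    # Constructed sample key under the granted subtree.
    sample = "a/b/c/hadoop-dir/data/part-0000"
    for k in keys_touched(sample):
        verdict = "allowed" if k.startswith(GRANTED_PREFIX) else "DENIED"
        print(f"{verdict:8} {k}")
```

Note that the bare key `a/b/c/hadoop-dir` (no trailing slash) is not matched by a grant on `a/b/c/hadoop-dir/`, so even the root of the granted subtree needs separate handling in a policy.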


