You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@ozone.apache.org by GitBox <gi...@apache.org> on 2022/04/12 18:53:17 UTC

[GitHub] [ozone] smengcl opened a new pull request, #3303: HDDS-6576. [Multi-Tenant] Update documentation around Ranger policy creation on bucket sharing

smengcl opened a new pull request, #3303:
URL: https://github.com/apache/ozone/pull/3303

   ## What changes were proposed in this pull request?
   
   Update documentation around Ranger policy creation on bucket sharing.
   
   See the PR content for details. Should be self-explanatory. :)
   
   ## What is the link to the Apache JIRA
   
   https://issues.apache.org/jira/browse/HDDS-6576
   
   ## How was this patch tested?
   
   n/a


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org

[GitHub] [ozone] smengcl commented on a diff in pull request #3303: HDDS-6576. [Multi-Tenant] Update documentation around Ranger policy creation on bucket sharing

Posted by GitBox <gi...@apache.org>.

smengcl commented on code in PR #3303:
URL: https://github.com/apache/ozone/pull/3303#discussion_r849952553


##########
hadoop-hdds/docs/content/feature/S3-Multi-Tenancy-Access-Control.md:
##########
@@ -66,3 +67,17 @@ The Ranger Sync thread does the following:
 2. Checks if default tenant roles are out-of-sync (could be caused by OM crash during user assign/revoke operation). Overwrites them if this is the case.
 3. Performs all Ranger update (write) operations queued by Ozone tenant commands from the last sync, if any.
    - This implies there will be a delay before Ranger policies and roles are updated for any tenant write operations (tenant create/delete, tenant user assign/revoke/assignadmin/revokeadmin, etc.). 
+
+
+## Sharing a bucket
+
+By default only the bucket owners have full access to the buckets they created.
+So in order to share a bucket with other users, a cluster admin or tenant admin will needs to manually create a new Ozone policy in Ranger for that bucket.  
+
+Further, if a cluster admin or tenant admin wants the bucket owner (who is a regular tenant user without any superuser privileges) to be able to edit that bucket's policy,
+when manually creating a new Ozone policy in Ranger for that bucket,
+an admin will need to explicitly grant the bucket owner user (note: specify an actual user name, `{OWNER}` tag should not be used here) ALL permission

Review Comment:
   Sure. 'cause `{OWNER}` tag doesn't work with Ranger policy's "Delegated Admin" checkbox in Ranger's Web UI.
   
   The `{OWNER}` tag is **only** meaningful when OM is doing a permission (ACL) check, and in the process of which OM fills in what this `{OWNER}` tag actually stands for. For example, `{OWNER}` is user `hive` when the operation is bucket list and `hive` is the bucket owner (realistically there would be another volume read permission check before this bucket permission check, with `{OWNER}` equals `om`, say `om` is the volume owner).
   
   This is also the exact reason why an admin might want to add this separate Ranger bucket policy here in the first place (in order for the bucket owner to be able to **edit** this newly added policy on their own), as we already have the default bucket policy with the `{OWNER}` tag having `ALL` permission on the policy. If they don't have such use case, they don't need to add this new policy for each bucket.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org

[GitHub] [ozone] smengcl commented on a diff in pull request #3303: HDDS-6576. [Multi-Tenant] Update documentation around Ranger policy creation on bucket sharing

Posted by GitBox <gi...@apache.org>.

smengcl commented on code in PR #3303:
URL: https://github.com/apache/ozone/pull/3303#discussion_r849952553


##########
hadoop-hdds/docs/content/feature/S3-Multi-Tenancy-Access-Control.md:
##########
@@ -66,3 +67,17 @@ The Ranger Sync thread does the following:
 2. Checks if default tenant roles are out-of-sync (could be caused by OM crash during user assign/revoke operation). Overwrites them if this is the case.
 3. Performs all Ranger update (write) operations queued by Ozone tenant commands from the last sync, if any.
    - This implies there will be a delay before Ranger policies and roles are updated for any tenant write operations (tenant create/delete, tenant user assign/revoke/assignadmin/revokeadmin, etc.). 
+
+
+## Sharing a bucket
+
+By default only the bucket owners have full access to the buckets they created.
+So in order to share a bucket with other users, a cluster admin or tenant admin will needs to manually create a new Ozone policy in Ranger for that bucket.  
+
+Further, if a cluster admin or tenant admin wants the bucket owner (who is a regular tenant user without any superuser privileges) to be able to edit that bucket's policy,
+when manually creating a new Ozone policy in Ranger for that bucket,
+an admin will need to explicitly grant the bucket owner user (note: specify an actual user name, `{OWNER}` tag should not be used here) ALL permission

Review Comment:
   Sure. 'cause `{OWNER}` tag doesn't work with Ranger policy's "Delegated Admin" checkbox in Ranger's Web UI.
   
   The `{OWNER}` tag is **only** meaningful when OM is doing a permission (ACL) check, and in the process of which OM fills in what this `{OWNER}` tag actually stands for. For example, `{OWNER}` is user `hive` when the operation is bucket list and `hive` is the bucket owner (realistically there would be another volume read permission check before this bucket permission check, with `{OWNER}` equals `om`, say `om` is the volume owner).
   
   This is also the exact reason why an admin might want to add this separate Ranger bucket policy here in the first place (in order for the bucket owner to be able to **edit** this newly added policy **on their own**), as we already have the default bucket policy with the `{OWNER}` tag having `ALL` permission on the policy. If they don't have such use case, they don't need to add this new policy for each bucket.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org

[GitHub] [ozone] errose28 commented on a diff in pull request #3303: HDDS-6576. [Multi-Tenant] Update documentation around Ranger policy creation on bucket sharing

Posted by GitBox <gi...@apache.org>.

errose28 commented on code in PR #3303:
URL: https://github.com/apache/ozone/pull/3303#discussion_r849806971


##########
hadoop-hdds/docs/content/feature/S3-Multi-Tenancy-Access-Control.md:
##########
@@ -66,3 +67,17 @@ The Ranger Sync thread does the following:
 2. Checks if default tenant roles are out-of-sync (could be caused by OM crash during user assign/revoke operation). Overwrites them if this is the case.
 3. Performs all Ranger update (write) operations queued by Ozone tenant commands from the last sync, if any.
    - This implies there will be a delay before Ranger policies and roles are updated for any tenant write operations (tenant create/delete, tenant user assign/revoke/assignadmin/revokeadmin, etc.). 
+
+
+## Sharing a bucket
+
+By default only the bucket owners have full access to the buckets they created.
+So in order to share a bucket with other users, a cluster admin or tenant admin will needs to manually create a new Ozone policy in Ranger for that bucket.  
+
+Further, if a cluster admin or tenant admin wants the bucket owner (who is a regular tenant user without any superuser privileges) to be able to edit that bucket's policy,
+when manually creating a new Ozone policy in Ranger for that bucket,
+an admin will need to explicitly grant the bucket owner user (note: specify an actual user name, `{OWNER}` tag should not be used here) ALL permission

Review Comment:
   Can we add a quick explanation why {OWNER} cannot be used?



##########
hadoop-hdds/docs/content/feature/S3-Multi-Tenancy-Access-Control.md:
##########
@@ -66,3 +67,17 @@ The Ranger Sync thread does the following:
 2. Checks if default tenant roles are out-of-sync (could be caused by OM crash during user assign/revoke operation). Overwrites them if this is the case.
 3. Performs all Ranger update (write) operations queued by Ozone tenant commands from the last sync, if any.
    - This implies there will be a delay before Ranger policies and roles are updated for any tenant write operations (tenant create/delete, tenant user assign/revoke/assignadmin/revokeadmin, etc.). 
+
+
+## Sharing a bucket
+
+By default only the bucket owners have full access to the buckets they created.
+So in order to share a bucket with other users, a cluster admin or tenant admin will needs to manually create a new Ozone policy in Ranger for that bucket.  

Review Comment:
   Have we tested this process? Is the bucket policy going to conflict with the bucket policy being created as part of the tenant?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org

[GitHub] [ozone] smengcl commented on a diff in pull request #3303: HDDS-6576. [Multi-Tenant] Update documentation around Ranger policy creation on bucket sharing

Posted by GitBox <gi...@apache.org>.

smengcl commented on code in PR #3303:
URL: https://github.com/apache/ozone/pull/3303#discussion_r849952553


##########
hadoop-hdds/docs/content/feature/S3-Multi-Tenancy-Access-Control.md:
##########
@@ -66,3 +67,17 @@ The Ranger Sync thread does the following:
 2. Checks if default tenant roles are out-of-sync (could be caused by OM crash during user assign/revoke operation). Overwrites them if this is the case.
 3. Performs all Ranger update (write) operations queued by Ozone tenant commands from the last sync, if any.
    - This implies there will be a delay before Ranger policies and roles are updated for any tenant write operations (tenant create/delete, tenant user assign/revoke/assignadmin/revokeadmin, etc.). 
+
+
+## Sharing a bucket
+
+By default only the bucket owners have full access to the buckets they created.
+So in order to share a bucket with other users, a cluster admin or tenant admin will needs to manually create a new Ozone policy in Ranger for that bucket.  
+
+Further, if a cluster admin or tenant admin wants the bucket owner (who is a regular tenant user without any superuser privileges) to be able to edit that bucket's policy,
+when manually creating a new Ozone policy in Ranger for that bucket,
+an admin will need to explicitly grant the bucket owner user (note: specify an actual user name, `{OWNER}` tag should not be used here) ALL permission

Review Comment:
   Sure. 'cause `{OWNER}` tag doesn't work with Ranger policy's "Delegated Admin" checkbox in Ranger's Web UI.
   
   The `{OWNER}` tag is **only** meaningful when OM is doing a permission (ACL) check, and in the process of which OM fills in what this `{OWNER}` tag actually stands for. For example, `{OWNER}` is user `hive` when the operation is bucket list and `hive` is the bucket owner (realistically there would be another volume read permission check before this bucket permission check, with `{OWNER}` equals `om`, say `om` is the bucket's parent volume's owner).
   
   This is also the exact reason why an admin might want to manually add this new Ranger policy for a bucket in the first place (in order for the bucket owner to be able to **edit** this newly added policy **on their own**). We already have the default bucket policy with the `{OWNER}` tag having `ALL` permission (so bucket owners already have full permission to the buckets they own, but in order to share the bucket they have to edit the Ranger policy to open up the permission for others. This is where the "Delegated Admin" checkbox comes in.). If they don't have such use case, they don't need to add this new policy for each bucket.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org

[GitHub] [ozone] errose28 commented on a diff in pull request #3303: HDDS-6576. [Multi-Tenant] Update documentation around Ranger policy creation on bucket sharing

Posted by GitBox <gi...@apache.org>.

errose28 commented on code in PR #3303:
URL: https://github.com/apache/ozone/pull/3303#discussion_r853526322


##########
hadoop-hdds/docs/content/feature/S3-Multi-Tenancy-Access-Control.md:
##########
@@ -66,3 +67,17 @@ The Ranger Sync thread does the following:
 2. Checks if default tenant roles are out-of-sync (could be caused by OM crash during user assign/revoke operation). Overwrites them if this is the case.
 3. Performs all Ranger update (write) operations queued by Ozone tenant commands from the last sync, if any.
    - This implies there will be a delay before Ranger policies and roles are updated for any tenant write operations (tenant create/delete, tenant user assign/revoke/assignadmin/revokeadmin, etc.). 
+
+
+## Sharing a bucket
+
+By default only the bucket owners have full access to the buckets they created.
+So in order to share a bucket with other users, a cluster admin or tenant admin will needs to manually create a new Ozone policy in Ranger for that bucket.  

Review Comment:
   We tested this and it works without conflict.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org

[GitHub] [ozone] smengcl commented on a diff in pull request #3303: HDDS-6576. [Multi-Tenant] Update documentation around Ranger policy creation on bucket sharing

Posted by GitBox <gi...@apache.org>.

smengcl commented on code in PR #3303:
URL: https://github.com/apache/ozone/pull/3303#discussion_r849952553


##########
hadoop-hdds/docs/content/feature/S3-Multi-Tenancy-Access-Control.md:
##########
@@ -66,3 +67,17 @@ The Ranger Sync thread does the following:
 2. Checks if default tenant roles are out-of-sync (could be caused by OM crash during user assign/revoke operation). Overwrites them if this is the case.
 3. Performs all Ranger update (write) operations queued by Ozone tenant commands from the last sync, if any.
    - This implies there will be a delay before Ranger policies and roles are updated for any tenant write operations (tenant create/delete, tenant user assign/revoke/assignadmin/revokeadmin, etc.). 
+
+
+## Sharing a bucket
+
+By default only the bucket owners have full access to the buckets they created.
+So in order to share a bucket with other users, a cluster admin or tenant admin will needs to manually create a new Ozone policy in Ranger for that bucket.  
+
+Further, if a cluster admin or tenant admin wants the bucket owner (who is a regular tenant user without any superuser privileges) to be able to edit that bucket's policy,
+when manually creating a new Ozone policy in Ranger for that bucket,
+an admin will need to explicitly grant the bucket owner user (note: specify an actual user name, `{OWNER}` tag should not be used here) ALL permission

Review Comment:
   Sure. 'cause `{OWNER}` tag doesn't work with Ranger Web UI's "Delegated Admin" flag.
   
   The `{OWNER}` tag is **only** meaningful when OM is doing a permission (ACL) check, in the process of which OM fills in what this `{OWNER}` tag actually stands for (e.g. user `hive` when the operation is bucket list and `hive` is the bucket owner, plus another volume read permission check on the with `{OWNER}` equals `om` (say `om` is the volume owner) before this).
   
   This is also the exact reason why an admin might want to add this separate Ranger bucket policy here in the first place (in order for the bucket owner to be able to **edit** this newly added policy on their own), as we already have the default bucket policy with the `{OWNER}` tag having `ALL` permission on the policy. If they don't have such use case, they don't need to add this new policy for each bucket.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org

[GitHub] [ozone] smengcl merged pull request #3303: HDDS-6576. [Multi-Tenant] Update documentation around Ranger policy creation on bucket sharing

Posted by GitBox <gi...@apache.org>.

smengcl merged PR #3303:
URL: https://github.com/apache/ozone/pull/3303


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org

[GitHub] [ozone] smengcl commented on a diff in pull request #3303: HDDS-6576. [Multi-Tenant] Update documentation around Ranger policy creation on bucket sharing

Posted by GitBox <gi...@apache.org>.

smengcl commented on code in PR #3303:
URL: https://github.com/apache/ozone/pull/3303#discussion_r849952553


##########
hadoop-hdds/docs/content/feature/S3-Multi-Tenancy-Access-Control.md:
##########
@@ -66,3 +67,17 @@ The Ranger Sync thread does the following:
 2. Checks if default tenant roles are out-of-sync (could be caused by OM crash during user assign/revoke operation). Overwrites them if this is the case.
 3. Performs all Ranger update (write) operations queued by Ozone tenant commands from the last sync, if any.
    - This implies there will be a delay before Ranger policies and roles are updated for any tenant write operations (tenant create/delete, tenant user assign/revoke/assignadmin/revokeadmin, etc.). 
+
+
+## Sharing a bucket
+
+By default only the bucket owners have full access to the buckets they created.
+So in order to share a bucket with other users, a cluster admin or tenant admin will needs to manually create a new Ozone policy in Ranger for that bucket.  
+
+Further, if a cluster admin or tenant admin wants the bucket owner (who is a regular tenant user without any superuser privileges) to be able to edit that bucket's policy,
+when manually creating a new Ozone policy in Ranger for that bucket,
+an admin will need to explicitly grant the bucket owner user (note: specify an actual user name, `{OWNER}` tag should not be used here) ALL permission

Review Comment:
   Sure. 'cause `{OWNER}` tag doesn't work with Ranger Web UI's "Delegated Admin" flag.
   
   The `{OWNER}` tag is **only** meaningful when OM is doing a permission (ACL) check, in the process of which OM fills in what this `{OWNER}` tag actually stands for (e.g. user `hive` when the operation is bucket list and `hive` is the bucket owner, apart from another volume read permission check on the with `{OWNER}` equals `om` (say `om` is the volume owner) that should happen before this bucket permission check).
   
   This is also the exact reason why an admin might want to add this separate Ranger bucket policy here in the first place (in order for the bucket owner to be able to **edit** this newly added policy on their own), as we already have the default bucket policy with the `{OWNER}` tag having `ALL` permission on the policy. If they don't have such use case, they don't need to add this new policy for each bucket.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org

[GitHub] [ozone] smengcl commented on a diff in pull request #3303: HDDS-6576. [Multi-Tenant] Update documentation around Ranger policy creation on bucket sharing

Posted by GitBox <gi...@apache.org>.

smengcl commented on code in PR #3303:
URL: https://github.com/apache/ozone/pull/3303#discussion_r849958727


##########
hadoop-hdds/docs/content/feature/S3-Multi-Tenancy-Access-Control.md:
##########
@@ -66,3 +67,17 @@ The Ranger Sync thread does the following:
 2. Checks if default tenant roles are out-of-sync (could be caused by OM crash during user assign/revoke operation). Overwrites them if this is the case.
 3. Performs all Ranger update (write) operations queued by Ozone tenant commands from the last sync, if any.
    - This implies there will be a delay before Ranger policies and roles are updated for any tenant write operations (tenant create/delete, tenant user assign/revoke/assignadmin/revokeadmin, etc.). 
+
+
+## Sharing a bucket
+
+By default only the bucket owners have full access to the buckets they created.
+So in order to share a bucket with other users, a cluster admin or tenant admin will needs to manually create a new Ozone policy in Ranger for that bucket.  

Review Comment:
   Good question. AFAIK resource denial takes precedence over any other allow rules, as depicted in this flow chart: https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/security-ranger-authorization/topics/security-ranger-tags-and-policy-evaluation.html



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org

[GitHub] [ozone] smengcl commented on a diff in pull request #3303: HDDS-6576. [Multi-Tenant] Update documentation around Ranger policy creation on bucket sharing

Posted by GitBox <gi...@apache.org>.

smengcl commented on code in PR #3303:
URL: https://github.com/apache/ozone/pull/3303#discussion_r849952553


##########
hadoop-hdds/docs/content/feature/S3-Multi-Tenancy-Access-Control.md:
##########
@@ -66,3 +67,17 @@ The Ranger Sync thread does the following:
 2. Checks if default tenant roles are out-of-sync (could be caused by OM crash during user assign/revoke operation). Overwrites them if this is the case.
 3. Performs all Ranger update (write) operations queued by Ozone tenant commands from the last sync, if any.
    - This implies there will be a delay before Ranger policies and roles are updated for any tenant write operations (tenant create/delete, tenant user assign/revoke/assignadmin/revokeadmin, etc.). 
+
+
+## Sharing a bucket
+
+By default only the bucket owners have full access to the buckets they created.
+So in order to share a bucket with other users, a cluster admin or tenant admin will needs to manually create a new Ozone policy in Ranger for that bucket.  
+
+Further, if a cluster admin or tenant admin wants the bucket owner (who is a regular tenant user without any superuser privileges) to be able to edit that bucket's policy,
+when manually creating a new Ozone policy in Ranger for that bucket,
+an admin will need to explicitly grant the bucket owner user (note: specify an actual user name, `{OWNER}` tag should not be used here) ALL permission

Review Comment:
   Sure. 'cause `{OWNER}` tag doesn't work with Ranger policy's "Delegated Admin" checkbox in Ranger's Web UI.
   
   The `{OWNER}` tag is **only** meaningful when OM is doing a permission (ACL) check, and in the process of which OM fills in what this `{OWNER}` tag actually stands for. For example, `{OWNER}` is user `hive` when the operation is bucket list and `hive` is the bucket owner (realistically there would be another volume read permission check before this bucket permission check, with `{OWNER}` equals `om`, say `om` is the volume owner).
   
   This is also the exact reason why an admin might want to manually add this new Ranger policy for a bucket in the first place (in order for the bucket owner to be able to **edit** this newly added policy **on their own**). We already have the default bucket policy with the `{OWNER}` tag having `ALL` permission (so bucket owners already have full permission to the buckets they own, but in order to share the bucket they have to edit the Ranger policy to open up the permission for others. This is where the "Delegated Admin" checkbox comes in.). If they don't have such use case, they don't need to add this new policy for each bucket.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org

[GitHub] [ozone] smengcl commented on a diff in pull request #3303: HDDS-6576. [Multi-Tenant] Update documentation around Ranger policy creation on bucket sharing

Posted by GitBox <gi...@apache.org>.

smengcl commented on code in PR #3303:
URL: https://github.com/apache/ozone/pull/3303#discussion_r849952553


##########
hadoop-hdds/docs/content/feature/S3-Multi-Tenancy-Access-Control.md:
##########
@@ -66,3 +67,17 @@ The Ranger Sync thread does the following:
 2. Checks if default tenant roles are out-of-sync (could be caused by OM crash during user assign/revoke operation). Overwrites them if this is the case.
 3. Performs all Ranger update (write) operations queued by Ozone tenant commands from the last sync, if any.
    - This implies there will be a delay before Ranger policies and roles are updated for any tenant write operations (tenant create/delete, tenant user assign/revoke/assignadmin/revokeadmin, etc.). 
+
+
+## Sharing a bucket
+
+By default only the bucket owners have full access to the buckets they created.
+So in order to share a bucket with other users, a cluster admin or tenant admin will needs to manually create a new Ozone policy in Ranger for that bucket.  
+
+Further, if a cluster admin or tenant admin wants the bucket owner (who is a regular tenant user without any superuser privileges) to be able to edit that bucket's policy,
+when manually creating a new Ozone policy in Ranger for that bucket,
+an admin will need to explicitly grant the bucket owner user (note: specify an actual user name, `{OWNER}` tag should not be used here) ALL permission

Review Comment:
   Sure. 'cause `{OWNER}` tag doesn't work with Ranger policy's "Delegated Admin" checkbox in Ranger's Web UI.
   
   The `{OWNER}` tag is **only** meaningful when OM is doing a permission (ACL) check, and in the process of which OM fills in what this `{OWNER}` tag actually stands for. For example, `{OWNER}` is user `hive` when the operation is bucket list and `hive` is the bucket owner (realistically there would be another volume read permission check before this bucket permission check, with `{OWNER}` equals `om`, say `om` is the volume owner).
   
   This is also the exact reason why an admin might want to manually add this new Ranger policy for a bucket in the first place (in order for the bucket owner to be able to **edit** this newly added policy **on their own**). We already have the default bucket policy with the `{OWNER}` tag having `ALL` permission (so bucket owners have full permission to the buckets they own). If they don't have such use case, they don't need to add this new policy for each bucket.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org

[GitHub] [ozone] smengcl commented on pull request #3303: HDDS-6576. [Multi-Tenant] Update documentation around Ranger policy creation on bucket sharing

Posted by GitBox <gi...@apache.org>.

smengcl commented on PR #3303:
URL: https://github.com/apache/ozone/pull/3303#issuecomment-1104260550

   Thanks @errose28 for the review!


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org