Posted to issues@ozone.apache.org by "Kiyoshi Mizumaru (Jira)" <ji...@apache.org> on 2021/04/01 17:17:00 UTC

[jira] [Commented] (HDDS-5031) Documentation: How are ACLs applied w.r.t bucket links

    [ https://issues.apache.org/jira/browse/HDDS-5031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17313325#comment-17313325 ] 

Kiyoshi Mizumaru commented on HDDS-5031:
----------------------------------------

[~swagle] Sorry for the late reply. I'm afraid I'm not in a position to take on the role of updating the documentation. I've only recently become interested in Ozone and started to try it out, so as you know, I don't have a good understanding of the specs.

> Documentation: How are ACLs applied w.r.t bucket links 
> -------------------------------------------------------
>
>                 Key: HDDS-5031
>                 URL: https://issues.apache.org/jira/browse/HDDS-5031
>             Project: Apache Ozone
>          Issue Type: Improvement
>          Components: Security
>    Affects Versions: 1.1.0
>         Environment: * CentOS Linux release 7.6.1810 (Core)
>  * OpenJDK Runtime Environment 18.9 (build 11.0.10+9-LTS)
>  * Ozone 1.1.0-SNAPSHOT (commit 79a9d39da7f33e71bc00183e280105562354cca4)
>  * Docker Engine - Community 20.10.5
>            Reporter: Kiyoshi Mizumaru
>            Priority: Major
>
> We have noticed the following facts and would like to confirm whether this is the intended behavior or a problem that needs to be fixed. As of now, a bucket can be accessed by creating a symlink and applying a different ACL to another access path. 
> For example, in the following session, /volume-for-anonymous/bucket-a and /s3v/bucket-a are pointing to the same bucket but have different ACL settings. Is this the intended behavior of the design?
> {code:java}
> λ ~/IdeaProjects/ozone/hadoop-ozone/dist/target/ozone-1.1.0-SNAPSHOT/compose/ozone/ master docker-compose ps
>       Name                    Command               State                        Ports
> ------------------------------------------------------------------------------------------------------------
> ozone_datanode_1   /usr/local/bin/dumb-init - ...   Up      0.0.0.0:49160->9864/tcp, 0.0.0.0:49159->9882/tcp
> ozone_om_1         /usr/local/bin/dumb-init - ...   Up      0.0.0.0:9862->9862/tcp, 0.0.0.0:9874->9874/tcp
> ozone_recon_1      /usr/local/bin/dumb-init - ...   Up      0.0.0.0:9888->9888/tcp
> ozone_s3g_1        /usr/local/bin/dumb-init - ...   Up      0.0.0.0:9878->9878/tcp
> ozone_scm_1        /usr/local/bin/dumb-init - ...   Up      0.0.0.0:9860->9860/tcp, 0.0.0.0:9876->9876/tcp
> λ ~/IdeaProjects/ozone/hadoop-ozone/dist/target/ozone-1.1.0-SNAPSHOT/compose/ozone/ master docker-compose exec datanode bash
> bash-4.2$ PATH=/opt/hadoop/bin:$PATH
> bash-4.2$ type ozone
> ozone is /opt/hadoop/bin/ozone
> bash-4.2$ ozone sh volume list
> {
>   "metadata" : { },
>   "name" : "s3v",
>   "admin" : "hadoop",
>   "owner" : "hadoop",
>   "quotaInBytes" : -1,
>   "quotaInNamespace" : -1,
>   "usedNamespace" : 0,
>   "creationTime" : "2021-03-25T12:07:42.203Z",
>   "modificationTime" : "2021-03-25T12:07:42.203Z",
>   "acls" : [ {
>     "type" : "USER",
>     "name" : "hadoop",
>     "aclScope" : "ACCESS",
>     "aclList" : [ "ALL" ]
>   }, {
>     "type" : "GROUP",
>     "name" : "users",
>     "aclScope" : "ACCESS",
>     "aclList" : [ "ALL" ]
>   } ]
> }
> bash-4.2$ id
> uid=1000(hadoop) gid=100(users) groups=100(users)
> bash-4.2$ sudo adduser anonymous
> bash-4.2$ id anonymous
> uid=1001(anonymous) gid=1001(anonymous) groups=1001(anonymous)
> bash-4.2$ ozone sh volume create volume-for-anonymous
> bash-4.2$ ozone sh bucket create volume-for-anonymous/bucket-a
> bash-4.2$ ozone sh bucket setacl -a=group:anonymous:a volume-for-anonymous/bucket-a
> ACLs set successfully.
> bash-4.2$ ozone sh bucket getacl volume-for-anonymous/bucket-a
> [ {
>   "type" : "GROUP",
>   "name" : "anonymous",
>   "aclScope" : "ACCESS",
>   "aclList" : [ "ALL" ]
> } ]
> bash-4.2$ ozone sh bucket link /volume-for-anonymous/bucket-a /s3v/bucket-a
> bash-4.2$ ozone sh bucket getacl s3v/bucket-a
> [ {
>   "type" : "USER",
>   "name" : "hadoop",
>   "aclScope" : "ACCESS",
>   "aclList" : [ "ALL" ]
> }, {
>   "type" : "GROUP",
>   "name" : "users",
>   "aclScope" : "ACCESS",
>   "aclList" : [ "ALL" ]
> } ]
> bash-4.2$
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

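The session quoted above shows that a bucket link (/s3v/bucket-a) carries its own ACL list, distinct from the ACLs on the bucket it points at (/volume-for-anonymous/bucket-a), so the same data may be reachable under two different sets of grants. The script below is an added example, not part of the Jira issue or of Apache Ozone's code: it audits that situation by parsing the JSON that `ozone sh bucket getacl` prints for both paths and reporting every principal whose effective rights differ between them. The sample ACL JSON is constructed from the output in the issue; the expansion of "ALL" into the individual rights (READ, WRITE, CREATE, LIST, DELETE, READ_ACL, WRITE_ACL) is an assumption about Ozone's ACL model made for this example, and `fetch_acls` merely shells out to the `getacl` command shown in the issue.

```python
"""Audit the ACLs reachable through an Ozone bucket link against those of its
source bucket.  Added example for HDDS-5031, not code from the issue or from
Apache Ozone; it only consumes the JSON printed by `ozone sh bucket getacl`.
"""
import json
import subprocess

# Constructed sample input: the two `getacl` outputs quoted in HDDS-5031.
SOURCE_ACL_JSON = """[ {
  "type" : "GROUP",
  "name" : "anonymous",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
} ]"""

LINK_ACL_JSON = """[ {
  "type" : "USER",
  "name" : "hadoop",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "GROUP",
  "name" : "users",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
} ]"""

# Assumed expansion of the "ALL" right (the `a` in `group:anonymous:a`).
ALL_RIGHTS = frozenset(
    {"READ", "WRITE", "CREATE", "LIST", "DELETE", "READ_ACL", "WRITE_ACL"}
)


def expand(acl_list):
    """Turn an aclList such as ["ALL"] or ["READ", "LIST"] into a right set."""
    rights = set()
    for right in acl_list:
        if right == "ALL":
            rights |= ALL_RIGHTS
        elif right != "NONE":
            rights.add(right)
    return frozenset(rights)


def parse_acls(text, scope="ACCESS"):
    """Map (type, name) -> effective rights for entries of the given scope."""
    grants = {}
    for entry in json.loads(text):
        if entry.get("aclScope") != scope:
            continue
        key = (entry["type"], entry["name"])
        grants[key] = grants.get(key, frozenset()) | expand(entry["aclList"])
    return grants


def diff_acls(source_text, link_text):
    """Return the principals whose rights differ between source and link.

    Each value lists the rights a principal has only through the source
    path and only through the link path; an empty dict means both paths
    grant exactly the same access.
    """
    src = parse_acls(source_text)
    lnk = parse_acls(link_text)
    report = {}
    for key in sorted(set(src) | set(lnk)):
        s, l = src.get(key, frozenset()), lnk.get(key, frozenset())
        if s != l:
            report[key] = {
                "only_via_source": sorted(s - l),
                "only_via_link": sorted(l - s),
            }
    return report


def format_report(report, source_path, link_path):
    """Render the diff as one line per principal and direction."""
    lines = []
    for (ptype, name), d in report.items():
        principal = f"{ptype.lower()}:{name}"
        if d["only_via_link"]:
            lines.append(f"{principal}: {','.join(d['only_via_link'])} "
                         f"granted on {link_path} but not on {source_path}")
        if d["only_via_source"]:
            lines.append(f"{principal}: {','.join(d['only_via_source'])} "
                         f"granted on {source_path} but not on {link_path}")
    return lines


def fetch_acls(bucket_path):
    """Run the getacl command from the issue against a live cluster."""
    out = subprocess.run(["ozone", "sh", "bucket", "getacl", bucket_path],
                         check=True, capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    report = diff_acls(SOURCE_ACL_JSON, LINK_ACL_JSON)
    for line in format_report(report, "/volume-for-anonymous/bucket-a",
                              "/s3v/bucket-a"):
        print(line)
```

Against a live cluster, replace the two constants with `fetch_acls("/volume-for-anonymous/bucket-a")` and `fetch_acls("/s3v/bucket-a")`; on the session from the issue the report flags user:hadoop and group:users as holding every right through the link only, and group:anonymous as holding every right through the source path only, which is exactly the divergence the reporter asks about.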