Posted to issues@ozone.apache.org by "Kiyoshi Mizumaru (Jira)" <ji...@apache.org> on 2021/04/01 17:17:00 UTC
[jira] [Commented] (HDDS-5031) Documentation: How are ACLs applied w.r.t bucket links
[ https://issues.apache.org/jira/browse/HDDS-5031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17313325#comment-17313325 ]
Kiyoshi Mizumaru commented on HDDS-5031:
----------------------------------------
[~swagle] Sorry for the late reply. I'm afraid I'm not in a position to take on the role of updating the documentation. I've only recently become interested in Ozone and started to try it out, so as you know, I don't have a good understanding of the specs.
> Documentation: How are ACLs applied w.r.t bucket links
> -------------------------------------------------------
>
> Key: HDDS-5031
> URL: https://issues.apache.org/jira/browse/HDDS-5031
> Project: Apache Ozone
> Issue Type: Improvement
> Components: Security
> Affects Versions: 1.1.0
> Environment: * CentOS Linux release 7.6.1810 (Core)
> * OpenJDK Runtime Environment 18.9 (build 11.0.10+9-LTS)
> * Ozone 1.1.0-SNAPSHOT (commit 79a9d39da7f33e71bc00183e280105562354cca4)
> * Docker Engine - Community 20.10.5
> Reporter: Kiyoshi Mizumaru
> Priority: Major
>
> We have noticed the following facts and would like to confirm whether this is the intended behavior or a problem that needs to be fixed. As of now, a bucket can be accessed by creating a symlink and applying a different ACL to another access path.
> For example, in the following session, /volume-for-anonymous/bucket-a and /s3v/bucket-a are pointing to the same bucket but have different ACL settings. Is this the intended behavior of the design?
> {code:java}
> λ ~/IdeaProjects/ozone/hadoop-ozone/dist/target/ozone-1.1.0-SNAPSHOT/compose/ozone/ master docker-compose ps
> Name Command State Ports
> ------------------------------------------------------------------------------------------------------------
> ozone_datanode_1 /usr/local/bin/dumb-init - ... Up 0.0.0.0:49160->9864/tcp, 0.0.0.0:49159->9882/tcp
> ozone_om_1 /usr/local/bin/dumb-init - ... Up 0.0.0.0:9862->9862/tcp, 0.0.0.0:9874->9874/tcp
> ozone_recon_1 /usr/local/bin/dumb-init - ... Up 0.0.0.0:9888->9888/tcp
> ozone_s3g_1 /usr/local/bin/dumb-init - ... Up 0.0.0.0:9878->9878/tcp
> ozone_scm_1 /usr/local/bin/dumb-init - ... Up 0.0.0.0:9860->9860/tcp, 0.0.0.0:9876->9876/tcp
> λ ~/IdeaProjects/ozone/hadoop-ozone/dist/target/ozone-1.1.0-SNAPSHOT/compose/ozone/ master docker-compose exec datanode bash
> bash-4.2$ PATH=/opt/hadoop/bin:$PATH
> bash-4.2$ type ozone
> ozone is /opt/hadoop/bin/ozone
> bash-4.2$ ozone sh volume list
> {
> "metadata" : { },
> "name" : "s3v",
> "admin" : "hadoop",
> "owner" : "hadoop",
> "quotaInBytes" : -1,
> "quotaInNamespace" : -1,
> "usedNamespace" : 0,
> "creationTime" : "2021-03-25T12:07:42.203Z",
> "modificationTime" : "2021-03-25T12:07:42.203Z",
> "acls" : [ {
> "type" : "USER",
> "name" : "hadoop",
> "aclScope" : "ACCESS",
> "aclList" : [ "ALL" ]
> }, {
> "type" : "GROUP",
> "name" : "users",
> "aclScope" : "ACCESS",
> "aclList" : [ "ALL" ]
> } ]
> }
> bash-4.2$ id
> uid=1000(hadoop) gid=100(users) groups=100(users)
> bash-4.2$ sudo adduser anonymous
> bash-4.2$ id anonymous
> uid=1001(anonymous) gid=1001(anonymous) groups=1001(anonymous)
> bash-4.2$ ozone sh volume create volume-for-anonymous
> bash-4.2$ ozone sh bucket create volume-for-anonymous/bucket-a
> bash-4.2$ ozone sh bucket setacl -a=group:anonymous:a volume-for-anonymous/bucket-a
> ACLs set successfully.
> bash-4.2$ ozone sh bucket getacl volume-for-anonymous/bucket-a
> [ {
> "type" : "GROUP",
> "name" : "anonymous",
> "aclScope" : "ACCESS",
> "aclList" : [ "ALL" ]
> } ]
> bash-4.2$ ozone sh bucket link /volume-for-anonymous/bucket-a /s3v/bucket-a
> bash-4.2$ ozone sh bucket getacl s3v/bucket-a
> [ {
> "type" : "USER",
> "name" : "hadoop",
> "aclScope" : "ACCESS",
> "aclList" : [ "ALL" ]
> }, {
> "type" : "GROUP",
> "name" : "users",
> "aclScope" : "ACCESS",
> "aclList" : [ "ALL" ]
> } ]
> bash-4.2$
> {code}
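Added example, not part of the original message or of the Ozone project: a Python check that compares the `ozone sh bucket getacl` JSON for a source bucket and for a link to it, and lists every principal whose rights differ between the two paths. The sample JSON is copied from the session quoted above; the function names `index_acls` and `acl_divergence` are hypothetical.

```python
import json

# getacl output copied from the quoted session:
# volume-for-anonymous/bucket-a (source) and s3v/bucket-a (link).
SOURCE_ACL = """[ {"type": "GROUP", "name": "anonymous",
                   "aclScope": "ACCESS", "aclList": ["ALL"]} ]"""
LINK_ACL = """[ {"type": "USER", "name": "hadoop",
                 "aclScope": "ACCESS", "aclList": ["ALL"]},
                {"type": "GROUP", "name": "users",
                 "aclScope": "ACCESS", "aclList": ["ALL"]} ]"""


def index_acls(getacl_json):
    """Map (type, name, scope) -> set of rights from getacl JSON."""
    index = {}
    for entry in json.loads(getacl_json):
        key = (entry["type"], entry["name"], entry.get("aclScope", "ACCESS"))
        index.setdefault(key, set()).update(entry.get("aclList", []))
    return index


def acl_divergence(source_json, link_json):
    """List principals whose rights differ between the source and link paths."""
    src, lnk = index_acls(source_json), index_acls(link_json)
    findings = []
    for key in sorted(set(src) | set(lnk)):
        s, l = src.get(key, set()), lnk.get(key, set())
        if s != l:
            findings.append({
                "principal": "%s:%s" % (key[0].lower(), key[1]),
                "scope": key[2],
                "source_only": sorted(s - l),  # granted only on the source path
                "link_only": sorted(l - s),    # granted only on the link path
            })
    return findings


if __name__ == "__main__":
    for finding in acl_divergence(SOURCE_ACL, LINK_ACL):
        print(finding)
```

The check compares rights as literal tokens (it does not expand "ALL") and reports divergence only; it makes no claim about which ACL Ozone evaluates when the bucket is reached through the link.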