Posted to commits@ozone.apache.org by si...@apache.org on 2022/04/20 18:07:56 UTC

[ozone] branch HDDS-4944 updated: HDDS-6576. [Multi-Tenant] Update documentation around Ranger policy creation on bucket sharing (#3303)

This is an automated email from the ASF dual-hosted git repository.

siyao pushed a commit to branch HDDS-4944
in repository https://gitbox.apache.org/repos/asf/ozone.git


The following commit(s) were added to refs/heads/HDDS-4944 by this push:
     new f127fa9944 HDDS-6576. [Multi-Tenant] Update documentation around Ranger policy creation on bucket sharing (#3303)
f127fa9944 is described below

commit f127fa9944babae59b18a535993745ba698da3b9
Author: Siyao Meng <50...@users.noreply.github.com>
AuthorDate: Wed Apr 20 11:07:50 2022 -0700

    HDDS-6576. [Multi-Tenant] Update documentation around Ranger policy creation on bucket sharing (#3303)
---
 .../feature/S3-Multi-Tenancy-Access-Control.md     | 25 ++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/hadoop-hdds/docs/content/feature/S3-Multi-Tenancy-Access-Control.md b/hadoop-hdds/docs/content/feature/S3-Multi-Tenancy-Access-Control.md
index a31b8953f1..47151014b0 100644
--- a/hadoop-hdds/docs/content/feature/S3-Multi-Tenancy-Access-Control.md
+++ b/hadoop-hdds/docs/content/feature/S3-Multi-Tenancy-Access-Control.md
@@ -38,6 +38,7 @@ Ranger admin is responsible for manually adding new policies to grant or deny an
 
 It is recommended to add new policies instead of editing the default tenant policies created by Ozone. **DO NOT** remove the **Policy Label** on those default tenant policies, or else the Ozone Manager might fail to sync with Ranger for those policies.
 
+
 ### Ranger Roles
 
 These new Ranger policies would have the corresponding **Ranger roles** added in their **Allow Conditions**.
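Review bot: the only change in this hunk is an added blank line before `### Ranger Roles`, which leaves two consecutive blank lines in the markdown source; it has no effect on rendering and the hunk could be dropped so the diff is limited to the new section.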
@@ -66,3 +67,27 @@ The Ranger Sync thread does the following:
 2. Checks if default tenant roles are out-of-sync (could be caused by OM crash during user assign/revoke operation). Overwrites them if this is the case.
 3. Performs all Ranger update (write) operations queued by Ozone tenant commands from the last sync, if any.
    - This implies there will be a delay before Ranger policies and roles are updated for any tenant write operations (tenant create/delete, tenant user assign/revoke/assignadmin/revokeadmin, etc.). 
+
+
+## Adding new bucket policies when sharing a bucket
+
+By default, only the bucket owners have full access to the buckets they created. Other regular users won't be able to access the content of buckets they don't own.
+
+So in order to share a bucket with other users without relaxing the default bucket policy (e.g. allow all tenant users LIST and READ access to all buckets),
+a cluster admin or tenant admin will needs to manually create a new Ozone policy in Ranger for that bucket.  
+
+Further, if a cluster admin or tenant admin wants the bucket owner (who is a regular tenant user without any superuser privileges) to be able to edit that bucket's policy,
+when manually creating a new Ozone policy in Ranger for that bucket,
+an admin will need to explicitly grant the bucket owner user ALL permission on the bucket AND tick the bucket owner user's "Delegated Admin" checkbox for that policy.
+
+Note:
+1. An actual user name (e.g. `hive`) need to be specified here. The flexible `{OWNER}` tag will not work with Ranger's "Delegated Admin" checkbox. For more Technical details:
+  - The `{OWNER}` tag is only meaningful when Ozone Manager (OM) is performing a permission check. And in that permission check process OM fills in what this `{OWNER}` tag actually stands for. 
+    - For example, `{OWNER}` will become user `hive` during a bucket list permission check in OM, assuming `hive` is the bucket owner;
+      - Bonus: because of OM's hierarchical permission check, right before the bucket permission check, `{OWNER}` will become user `om` during a volume read permission check before this bucket permission check, assuming `om` is the bucket's parent volume's owner.
+2. Do not confuse the "Delegated Admin" checkbox in Ranger Web UI with tenant delegated admin. They are conceptually similar (have extra privilege), but different.
+  - With Ranger policies' "Delegated Admin" checkbox in a policy rule. That **user**, or users in that **group**, or users in that **role** will be able to edit that policy as long as the user can log in to Ranger Web UI.
+  - Tenant delegated admin has the permission to assign and revoke tenant admins from a tenant.
+
+With this new Ranger policy, as long as the bucket owners can log in to the Ranger Web UI,
+they could edit the bucket policies on their own, for example, to share the bucket with others without an administrator's manual intervention.
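Review bot: the paragraph introducing the "Delegated Admin" checkbox should state that the new policy's resource must be scoped to exactly that one bucket (volume and bucket name, no wildcards), because a user with "Delegated Admin" on a policy can edit everything that policy covers; as written, the section tells admins to tick the checkbox without saying what the policy should be limited to. Several wording fixes in the same hunk: "will needs to manually create" should read "will need to manually create", and that line also carries trailing whitespace; "An actual user name (e.g. `hive`) need to be specified here" should read "needs to be specified"; "For more Technical details:" should be lowercase "technical"; and the first bullet under note 2 is a fragment, so "With Ranger policies' "Delegated Admin" checkbox in a policy rule. That **user**, ..." should be joined into one sentence such as "When the "Delegated Admin" checkbox is ticked for a policy rule, that **user**, users in that **group**, or users in that **role** can edit that policy as long as they can log in to the Ranger Web UI."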

