Posted to issues@ozone.apache.org by "Mohammad Arafat Khan (Jira)" <ji...@apache.org> on 2024/01/08 08:44:00 UTC

[jira] [Commented] (HDDS-7961) Anonymous scope in Ozone ACL does not grant rights to non-logged-in users

    [ https://issues.apache.org/jira/browse/HDDS-7961?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17804172#comment-17804172 ] 

Mohammad Arafat Khan commented on HDDS-7961:
--------------------------------------------

Based on the executed commands in the CLI, we are utilising the *native ACLs* created for Ozone which supports Users of type {*}User{*}, {*}Group{*}, {*}World{*}, *Anonymous* etc. While this is a correct step, it's worth noting that the native ACLs feature in Ozone is currently in an early stage and not yet fully stable. However, it's important to mention that, at present, the *S3 gateway (S3G)* doesn't support access for *anonymous* users, which is why permissions for them have been denied by the S3G. A majority of our users and customers rely on *Ranger* for enforcing policies due to its higher reliability and fewer issues. Thus, we recommend using Ranger for policy enforcement for the time being. As of now, there are no immediate plans to implement Ozone native ACLs for all AWS predefined groups, and certain groups are not supported in Ozone's S3 ACL operations.

Should we undertake work in this area in the future, one potential solution might involve relaxing S3 secrets validation when the ACL has an anonymous scope. This could entail fetching ACLs of the object before processing S3 secrets at the S3 gateway side.

> Anonymous scope in Ozone ACL does not grant rights to non-logged-in users
> -------------------------------------------------------------------------
>
>                 Key: HDDS-7961
>                 URL: https://issues.apache.org/jira/browse/HDDS-7961
>             Project: Apache Ozone
>          Issue Type: Bug
>          Components: OM, S3
>            Reporter: Kohei Sugihara
>            Assignee: Mohammad Arafat Khan
>            Priority: Major
>
> h2. Overview
> A key in the S3 bucket cannot be accessed without authentication, even though each bucket/volume allows anonymous reading and listing in its ACLs.
> h2. Configuration
> Create a bucket in a volume, make it accessible from S3, and then put the ACL {{anonymous::rl}} to them.
> {code:java}
> # create a bucket accessible via S3 and put a key
> ozone sh bucket create /volume/bucket-for-anonymous
> ozone sh bucket link /volume/bucket-for-anonymous /s3v/bucket-for-anonymous
> aws s3 --endpoint ... cp README s3://bucket-for-anonymous
> # set ACLs for anonymous access to the source/s3v buckets, the source/s3v volumes and the key
> ozone sh bucket addacl volume/bucket-for-anonymous -a anonymous::rl
> ozone sh bucket addacl s3v/bucket-for-anonymous -a anonymous::rl
> ozone sh volume addacl volume -a anonymous::rl
> ozone sh volume addacl s3v -a anonymous::rl
> # set ACL for the key
> ozone sh key addacl volume/bucket-for-anonymous/README -a anonymous::r{code}
> h2. Case: Access without authentication using wget will fail with 403
> Attempting to access the key fails with 403.
> {code:java}
> % wget -qO https://HOST/bucket-for-anonymous/README -S
>   HTTP/1.1 403 Forbidden
>   Date: Mon, 13 Feb 2023 07:55:58 GMT
>   Cache-Control: no-cache
>   Expires: Mon, 13 Feb 2023 07:55:58 GMT
>   Pragma: no-cache
>   Content-Type: text/plain
>   X-Content-Type-Options: nosniff
>   X-XSS-Protection: 1; mode=block
>   X-FRAME-OPTIONS: SAMEORIGIN
>   Server: Ozone
>   x-amz-id-2: gT8na4osJZlG
>   x-amz-request-id: c139bbcf-3d93-4f4f-a6a2-43f75bc0de83
>   Content-Length: 187 {code}
>  
> S3G outputs an error message: "Malformed s3 header" as a DEBUG-level message from OzoneClientProducer. This situation means that S3G rejects the access at S3 secrets validation checks.
> {code:java}
> 2023-02-13 15:00:05,079 [qtp731829978-166] DEBUG org.eclipse.jetty.servlet.ServletHandler: chain=Chain@68772dce(NoCacheFilter==org.apache.hadoop.hdds.server.http.NoCacheFilter@740d2e78{inst=true,async=true,src=EMBEDDED:null})->Chain@286a9870(safety==org.apache.hadoop.hdds.server.http.HttpServer2$QuotingInputFilter@6aa3a905{inst=true,async=true,src=EMBEDDED:null})->Chain@2232456a(optional-content-type==org.apache.hadoop.ozone.s3.EmptyContentTypeFilter@d4ab71a{inst=true,async=false,src=DESCRIPTOR:file:///tmp/jetty-0_0_0_0-9879-ozone-s3gateway-1_2_9995006_jar-_-any-17931241039680298355/webapp/WEB-INF/web.xml})->Chain@2629e2cc(info-page-redirect==org.apache.hadoop.ozone.s3.RootPageDisplayFilter@3b4ef7{inst=true,async=false,src=DESCRIPTOR:file:///tmp/jetty-0_0_0_0-9879-ozone-s3gateway-1_2_9995006_jar-_-any-17931241039680298355/webapp/WEB-INF/web.xml})->ChainEnd@7761a29a(jaxrs==org.glassfish.jersey.servlet.ServletContainer@603a422{jsp=null,order=1,inst=true,async=false,src=DESCRIPTOR:file:///tmp/jetty-0_0_0_0-9879-ozone-s3gateway-1_2_9995006_jar-_-any-17931241039680298355/webapp/WEB-INF/web.xml,STARTED})
> 2023-02-13 15:00:05,085 [qtp731829978-166] DEBUG org.apache.hadoop.ozone.s3.OzoneClientProducer: Malformed s3 header. awsAccessID:
> 2023-02-13 15:00:05,314 [qtp731829978-166] DEBUG org.apache.hadoop.ozone.s3.OzoneClientProducer: Error during Client Creation:
> 2023-02-13 15:00:05,378 [qtp731829978-166] DEBUG org.apache.hadoop.ozone.s3.exception.OS3Exception: toXml val is <Error>
> 2023-02-13 15:00:05,392 [qtp731829978-166] DEBUG org.eclipse.jetty.server.HttpOutput: write(array HeapByteBuffer@5fe2ddf1[p=0,l=187,c=8192,r=187]={<<<<?xml version="1.0" encod... <RequestId/>\n</Error>\n>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00})
> 2023-02-13 15:00:05,392 [qtp731829978-166] DEBUG org.eclipse.jetty.server.HttpOutput: write(array) s=CLOSING,api=BLOCKED,sc=false,e=null last=true agg=false flush=true async=false, len=187 null
> 2023-02-13 15:00:05,392 [qtp731829978-166] DEBUG org.eclipse.jetty.server.HttpChannel: sendResponse info=null content=HeapByteBuffer@354f401a[p=0,l=187,c=8192,r=187]={<<<<?xml version="1.0" encod... <RequestId/>\n</Error>\n>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00} complete=true committing=true callback=Blocker@56ca79aa{null}
> 2023-02-13 15:00:05,394 [qtp731829978-166] DEBUG org.eclipse.jetty.server.HttpChannel: COMMIT for /bucket-for-anonymous/README on HttpChannelOverHttp@43f236bf{s=HttpChannelState@340e7dcf{s=HANDLING rs=BLOCKING os=COMMITTED is=IDLE awp=false se=false i=true al=0},r=1,c=false/false,a=HANDLING,uri=https://HOST/bucket-for-anonymous/README,age=321}
> 2023-02-13 15:00:05,394 [qtp731829978-166] DEBUG org.eclipse.jetty.server.HttpConnection: generate: NEED_HEADER for SendCallback@322df2c9[PROCESSING][i=HTTP/1.1{s=403,h=12,cl=187},cb=org.eclipse.jetty.server.HttpChannel$SendCallback@7b69ac28] (null,[p=0,l=187,c=8192,r=187],true)@START
> 2023-02-13 15:00:05,394 [qtp731829978-166] DEBUG org.eclipse.jetty.http.HttpGenerator: generateHeaders HTTP/1.1{s=403,h=12,cl=187} last=true content=HeapByteBuffer@354f401a[p=0,l=187,c=8192,r=187]={<<<<?xml version="1.0" encod... <RequestId/>\n</Error>\n>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00} {code}
> One possible solution is relaxing S3 secrets validation when the ACL has the anonymous scope. This requires fetching ACLs before processing S3 secrets on the S3G side, or offloading S3 token validation to OM.
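An added check, not part of the Jira thread or of Ozone's own code, that automates the unauthenticated GET the reporter did with wget and classifies the reply so the symptom (403 with an S3 `<Error>` body, i.e. rejection before any ACL evaluation) can be told apart from a genuine anonymous read; the URL, bucket and key names are placeholders, and the sample 403 body is constructed from the shape the log shows (only its first and last bytes, with an empty `<RequestId/>`, are visible in the report).

```python
"""Probe whether an Ozone S3 gateway serves a key to an unauthenticated client."""
from typing import Optional, Tuple
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class AnonymousCheck:
    status: int
    code: Optional[str]      # S3 error <Code>, if the body was an S3 error document
    message: Optional[str]   # S3 error <Message>, if present
    anonymous_read_ok: bool  # True only when the key itself came back (HTTP 200)


def parse_s3_error(body: bytes) -> Tuple[Optional[str], Optional[str]]:
    """Extract <Code> and <Message> from an S3-style <Error> XML body."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, None           # not XML at all (e.g. an HTML error page)
    if root.tag != "Error":
        return None, None           # XML, but not an S3 error document
    return root.findtext("Code"), root.findtext("Message")


def classify(status: int, body: bytes) -> AnonymousCheck:
    """Turn a raw status/body pair into an AnonymousCheck result."""
    code, message = (None, None) if status == 200 else parse_s3_error(body)
    return AnonymousCheck(status, code, message, status == 200)


def check_anonymous_get(url: str, timeout: float = 10.0) -> AnonymousCheck:
    """GET `url` with no Authorization header; HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url, method="GET")  # deliberately no credentials
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())


# Constructed sample body (placeholder values), shaped like the 187-byte 403
# response in the report: an <Error> document ending in an empty <RequestId/>.
SAMPLE_403_BODY = (b'<?xml version="1.0" encoding="UTF-8"?>\n<Error>'
                   b'<Code>AccessDenied</Code><Message>Access Denied</Message>'
                   b'<Resource>/bucket-for-anonymous/README</Resource>'
                   b'<RequestId/>\n</Error>\n')

if __name__ == "__main__":
    # Offline demonstration on the constructed body; for a live gateway call
    # check_anonymous_get("https://HOST/bucket-for-anonymous/README") instead.
    print(classify(403, SAMPLE_403_BODY))
```

A result with `anonymous_read_ok` False and a populated `code` reproduces the report: the gateway answered with an S3 error document rather than consulting the `anonymous::r` ACL on the key.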