You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@ozone.apache.org by GitBox <gi...@apache.org> on 2022/04/13 22:42:33 UTC

[GitHub] [ozone] smengcl commented on a diff in pull request #3303: HDDS-6576. [Multi-Tenant] Update documentation around Ranger policy creation on bucket sharing

smengcl commented on code in PR #3303:
URL: https://github.com/apache/ozone/pull/3303#discussion_r849952553


##########
hadoop-hdds/docs/content/feature/S3-Multi-Tenancy-Access-Control.md:
##########
@@ -66,3 +67,17 @@ The Ranger Sync thread does the following:
 2. Checks if default tenant roles are out-of-sync (could be caused by OM crash during user assign/revoke operation). Overwrites them if this is the case.
 3. Performs all Ranger update (write) operations queued by Ozone tenant commands from the last sync, if any.
    - This implies there will be a delay before Ranger policies and roles are updated for any tenant write operations (tenant create/delete, tenant user assign/revoke/assignadmin/revokeadmin, etc.). 
+
+
+## Sharing a bucket
+
+By default only the bucket owners have full access to the buckets they created.
+So in order to share a bucket with other users, a cluster admin or tenant admin will needs to manually create a new Ozone policy in Ranger for that bucket.  
+
+Further, if a cluster admin or tenant admin wants the bucket owner (who is a regular tenant user without any superuser privileges) to be able to edit that bucket's policy,
+when manually creating a new Ozone policy in Ranger for that bucket,
+an admin will need to explicitly grant the bucket owner user (note: specify an actual user name, `{OWNER}` tag should not be used here) ALL permission

Review Comment:
   Sure. 'cause `{OWNER}` tag doesn't work with Ranger Web UI's "Delegated Admin" flag.
   
   The `{OWNER}` tag is **only** meaningful when OM is doing a permission (ACL) check, in the process of which OM fills in what this `{OWNER}` tag actually stands for (e.g. user `hive` when the operation is bucket list and `hive` is the bucket owner, plus another volume read permission check on the with `{OWNER}` equals `om` (say `om` is the volume owner) before this).
   
   This is also the exact reason why an admin might want to add this separate Ranger bucket policy here in the first place (in order for the bucket owner to be able to **edit** this newly added policy on their own), as we already have the default bucket policy with the `{OWNER}` tag having `ALL` permission on the policy. If they don't have such use case, they don't need to add this new policy for each bucket.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org