Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-16829 Über-jira: S3A Hadoop 3.3.1 features
  3. HADOOP-17261

s3a rename() now requires s3:deleteObjectVersion permission

    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 3.4.0
    • 3.3.1
    • fs/s3

    Description

      With the directory marker change (HADOOP-13230) you need the s3:deleteObjectVersion permission in your role, else the operation will fail in the bulk delete, if S3Guard is in use

      Root cause
      -if fileStatus has a versionId, we pass that in to the delete KeyVersion pair
      -an unguarded listing doesn't get that versionId, so this is not an issue
      -but if files in a directory were previously created such that S3Guard has their versionId in its tables, that is used in the request
      -which then fails if the caller doesn't have the permission

      Although we say "you need s3:delete*", this is a regression as any IAM role without the permission will have rename fail during delete

      Attachments

        Issue Links

          Activity

            People

              stevel@apache.org Steve Loughran
              stevel@apache.org Steve Loughran
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 2h 20m
                  2h 20m