Apache Ozone / HDDS-10627

Add a compatible mode or migration script for user's long ACL format in secure mode


Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.4.0
    • Fix Version/s: None
    • Component/s: OM
    • Labels: None

    Description

      We upgraded our Ozone cluster from 1.3.1 to 1.4.0 with the following configuration:

      • Secure Mode (w/ Kerberos)
      • Native ACL (w/o Ranger)

      After the 1.4.0 upgrade from 1.3.x, the cluster rejects access to existing buckets and keys (Ozone 1.3.x allowed us to access the same keys). These buckets and keys were already configured with Native ACLs that include the Kerberos realm, like this:

      % aws s3 --endpoint https://... ls s3://ksugihara/kubernetes-2024032100/CHANGELOG.md
      
      An error occurred (AccessDenied) when calling the ListObjectsV2 operation: User doesn't have the right to access this resource.
      
      % ozone sh key getacl /ksugihara/ksugihara/kubernetes-2024032100/CHANGELOG.md
      [ {
        "type" : "USER",
        "name" : "ksugihara@EXAMPLE.COM",
        "aclScope" : "ACCESS",
        "aclList" : [ "ALL" ]
      }, ... ] 

      I think HDDS-5043 is the related issue; it switches to a new ACL behavior, which removed support for user ACLs with a Kerberos realm. However, if we have an existing cluster from 1.3.x, that requires us to migrate all key ACLs to the short name, and we actually need to replace the key ACLs with the short name for all keys because we're using Native ACLs. One of the solutions is supporting a compatible mode for the new ACL behavior for non-fresh installations.
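      As an added illustration of the migration the issue asks for (this is not code from the issue or from the Ozone project), the helper below rewrites `getacl` output so that USER entries use the short name, approximating Hadoop's DEFAULT auth_to_local rule (principals in the configured default realm lose the realm; other realms are reported for manual mapping). The sample input is constructed from the `getacl` output above with extra entries added to exercise the edge cases; the realm, the extra principal names and the function names are assumptions.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample: the getacl entry quoted in the issue, plus an already-short
# duplicate, a GROUP entry and a principal from a different realm.
SAMPLE_ACLS = json.dumps([
    {"type": "USER", "name": "ksugihara@EXAMPLE.COM", "aclScope": "ACCESS", "aclList": ["ALL"]},
    {"type": "USER", "name": "ksugihara", "aclScope": "ACCESS", "aclList": ["READ"]},
    {"type": "GROUP", "name": "ops", "aclScope": "ACCESS", "aclList": ["READ", "LIST"]},
    {"type": "USER", "name": "audit@OTHER.ORG", "aclScope": "ACCESS", "aclList": ["READ"]},
])

def to_short_name(principal: str, default_realm: str) -> Optional[str]:
    """Approximation (assumption) of Hadoop's DEFAULT auth_to_local rule:
    'name@DEFAULT_REALM' -> 'name'; a principal in any other realm has no
    mapping here and returns None so an operator can map it by hand."""
    if "@" not in principal:
        return principal                  # already a short name, nothing to do
    name, realm = principal.rsplit("@", 1)
    if realm != default_realm:
        return None
    return name.split("/", 1)[0]          # drop an instance component if present

def migrate_acls(getacl_json: str, default_realm: str) -> Tuple[List[dict], List[str]]:
    """Rewrite USER entries to short names and merge entries that collapse onto the
    same (type, name, scope) so no right is lost. GROUP entries are left unchanged.
    Returns (migrated entries, principals that still need manual mapping)."""
    merged: Dict[tuple, List[str]] = {}
    unresolved: List[str] = []
    for entry in json.loads(getacl_json):
        name = entry["name"]
        if entry["type"] == "USER":
            short = to_short_name(name, default_realm)
            if short is None:
                unresolved.append(name)   # kept as-is below so access is not dropped
            else:
                name = short
        rights = merged.setdefault((entry["type"], name, entry["aclScope"]), [])
        for right in entry["aclList"]:
            if right not in rights:
                rights.append(right)
    migrated = [{"type": t, "name": n, "aclScope": s, "aclList": r}
                for (t, n, s), r in merged.items()]
    return migrated, unresolved

if __name__ == "__main__":
    acls, todo = migrate_acls(SAMPLE_ACLS, "EXAMPLE.COM")
    print(json.dumps(acls, indent=2))
    print("needs manual mapping:", todo)
```

      Running it over the real output of `ozone sh key getacl` for each key would produce the short-name ACL list to apply and a list of principals the default rule cannot map.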

          People

            Assignee: Unassigned
            Reporter: Kohei Sugihara (ksugihara)
