  1. Apache Ozone
  2. HDDS-4755

Can't create key in non-owned bucket although it should be allowed by ACL


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.0.0
    • Fix Version/s: None
    • Component/s: OM
    • Labels: None
    • Environment: Secure setup of Ozone 1.0.0

    Description

      Even when a bucket has an ACL like "world::a" or "anonymous::a", no one other than the owner can create any key in the bucket. I believe it's not only me, and it's reproducible with the following sequence:

      As an admin user:
      1. ozone sh volume addacl -a "world::a" /s3v
      2. ozone sh bucket create /s3v/sandbox
      3. ozone sh bucket addacl -a "world::a" /s3v/sandbox

      Which yields the following ACL state:

      $ bin/ozone sh volume getacl /s3v
      [
        { "type" : "USER", "name" : "ozone", "aclScope" : "ACCESS", "aclList" : [ "ALL" ] },
        { "type" : "GROUP", "name" : "hadoop", "aclScope" : "ACCESS", "aclList" : [ "ALL" ] },
        { "type" : "GROUP", "name" : "ozone", "aclScope" : "ACCESS", "aclList" : [ "ALL" ] },
        { "type" : "WORLD", "name" : "WORLD", "aclScope" : "ACCESS", "aclList" : [ "READ", "CREATE", "LIST", "READ_ACL" ] },
        { "type" : "ANONYMOUS", "name" : "ANONYMOUS", "aclScope" : "ACCESS", "aclList" : [ "READ", "LIST" ] }
      ]
      $ bin/ozone sh bucket getacl /s3v/sandbox
      [
        { "type" : "USER", "name" : "hdfs@PFN.IO", "aclScope" : "ACCESS", "aclList" : [ "ALL" ] },
        { "type" : "GROUP", "name" : "hdfs", "aclScope" : "ACCESS", "aclList" : [ "ALL" ] },
        { "type" : "GROUP", "name" : "hadoop", "aclScope" : "ACCESS", "aclList" : [ "ALL" ] },
        { "type" : "WORLD", "name" : "WORLD", "aclScope" : "ACCESS", "aclList" : [ "ALL" ] }
      ]

      And then I tried to create a key as another user, but it fails:

      $ bin/ozone sh key put /s3v/sandbox/hello.txt hello.txt
      PERMISSION_DENIED User kota@PFN.IO doesn't have CREATE permission to access key

       

      I doubt checkAcls() here, which throws PERMISSION_DENIED rather than KEY_NOT_FOUND.
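
      The following is an added example, not part of the original report and not Ozone's own code: it evaluates the two ACL lists shown above for the denied user and lists which entries grant CREATE at each level. The matching rules (USER by exact name, GROUP by membership, WORLD for every principal, ANONYMOUS not applied to an authenticated user, "ALL" implying every right) and the user's empty group set are assumptions.

```python
import json

# ACL JSON copied from the `getacl` output in the report above.
VOLUME_ACL = json.loads("""[
 {"type":"USER","name":"ozone","aclScope":"ACCESS","aclList":["ALL"]},
 {"type":"GROUP","name":"hadoop","aclScope":"ACCESS","aclList":["ALL"]},
 {"type":"GROUP","name":"ozone","aclScope":"ACCESS","aclList":["ALL"]},
 {"type":"WORLD","name":"WORLD","aclScope":"ACCESS",
  "aclList":["READ","CREATE","LIST","READ_ACL"]},
 {"type":"ANONYMOUS","name":"ANONYMOUS","aclScope":"ACCESS","aclList":["READ","LIST"]}
]""")
BUCKET_ACL = json.loads("""[
 {"type":"USER","name":"hdfs@PFN.IO","aclScope":"ACCESS","aclList":["ALL"]},
 {"type":"GROUP","name":"hdfs","aclScope":"ACCESS","aclList":["ALL"]},
 {"type":"GROUP","name":"hadoop","aclScope":"ACCESS","aclList":["ALL"]},
 {"type":"WORLD","name":"WORLD","aclScope":"ACCESS","aclList":["ALL"]}
]""")

def matches(entry, user, groups):
    """Assumed rule: USER by exact name, GROUP by membership, WORLD always."""
    kind = entry["type"]
    if kind == "USER":
        return entry["name"] == user
    if kind == "GROUP":
        return entry["name"] in groups
    return kind == "WORLD"  # assumption: ANONYMOUS is skipped for a logged-in user

def granting_entries(acl, user, groups, right):
    """Return the ACCESS-scope entries that grant `right` to the principal."""
    return [e for e in acl
            if e["aclScope"] == "ACCESS"
            and matches(e, user, groups)
            and ("ALL" in e["aclList"] or right in e["aclList"])]

def explain(path_acls, user, groups, right):
    """Map each path to the entry types granting `right`; [] means denied."""
    return {path: [e["type"] for e in granting_entries(acl, user, groups, right)]
            for path, acl in path_acls}

if __name__ == "__main__":
    # Constructed principal: the user from the error message, no group memberships.
    levels = [("/s3v", VOLUME_ACL), ("/s3v/sandbox", BUCKET_ACL)]
    for path, types in explain(levels, "kota@PFN.IO", set(), "CREATE").items():
        print(path, "CREATE granted by:", types or "nothing (denied)")
```

      Under these assumptions the WORLD entry grants CREATE on both the volume and the bucket, so the displayed ACLs alone do not explain the PERMISSION_DENIED result.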

      People

        Assignee: Unassigned
        Reporter: UENISHI Kota (kuenishi)