Apache Ozone / HDDS-5031

Documentation: How are ACLs applied w.r.t bucket links


Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.1.0
    • Fix Version/s: None
    • Component/s: Security
    • Labels: None

    Description

      We have noticed the following facts and would like to confirm whether this is the intended behavior or a problem that needs to be fixed. As of now, a bucket can be accessed by creating a symlink and applying a different ACL to another access path.

      For example, in the following session, /volume-for-anonymous/bucket-a and /s3v/bucket-a are pointing to the same bucket but have different ACL settings. Is this the intended behavior of the design?

      λ ~/IdeaProjects/ozone/hadoop-ozone/dist/target/ozone-1.1.0-SNAPSHOT/compose/ozone/ master docker-compose ps
            Name                    Command               State                        Ports
      ------------------------------------------------------------------------------------------------------------
      ozone_datanode_1   /usr/local/bin/dumb-init - ...   Up      0.0.0.0:49160->9864/tcp, 0.0.0.0:49159->9882/tcp
      ozone_om_1         /usr/local/bin/dumb-init - ...   Up      0.0.0.0:9862->9862/tcp, 0.0.0.0:9874->9874/tcp
      ozone_recon_1      /usr/local/bin/dumb-init - ...   Up      0.0.0.0:9888->9888/tcp
      ozone_s3g_1        /usr/local/bin/dumb-init - ...   Up      0.0.0.0:9878->9878/tcp
      ozone_scm_1        /usr/local/bin/dumb-init - ...   Up      0.0.0.0:9860->9860/tcp, 0.0.0.0:9876->9876/tcp
      λ ~/IdeaProjects/ozone/hadoop-ozone/dist/target/ozone-1.1.0-SNAPSHOT/compose/ozone/ master docker-compose exec datanode bash
      bash-4.2$ PATH=/opt/hadoop/bin:$PATH
      bash-4.2$ type ozone
      ozone is /opt/hadoop/bin/ozone
      bash-4.2$ ozone sh volume list
      {
        "metadata" : { },
        "name" : "s3v",
        "admin" : "hadoop",
        "owner" : "hadoop",
        "quotaInBytes" : -1,
        "quotaInNamespace" : -1,
        "usedNamespace" : 0,
        "creationTime" : "2021-03-25T12:07:42.203Z",
        "modificationTime" : "2021-03-25T12:07:42.203Z",
        "acls" : [ {
          "type" : "USER",
          "name" : "hadoop",
          "aclScope" : "ACCESS",
          "aclList" : [ "ALL" ]
        }, {
          "type" : "GROUP",
          "name" : "users",
          "aclScope" : "ACCESS",
          "aclList" : [ "ALL" ]
        } ]
      }
      bash-4.2$ id
      uid=1000(hadoop) gid=100(users) groups=100(users)
      bash-4.2$ sudo adduser anonymous
      bash-4.2$ id anonymous
      uid=1001(anonymous) gid=1001(anonymous) groups=1001(anonymous)
      bash-4.2$ ozone sh volume create volume-for-anonymous
      bash-4.2$ ozone sh bucket create volume-for-anonymous/bucket-a
      bash-4.2$ ozone sh bucket setacl -a=group:anonymous:a volume-for-anonymous/bucket-a
      ACLs set successfully.
      bash-4.2$ ozone sh bucket getacl volume-for-anonymous/bucket-a
      [ {
        "type" : "GROUP",
        "name" : "anonymous",
        "aclScope" : "ACCESS",
        "aclList" : [ "ALL" ]
      } ]
      bash-4.2$ ozone sh bucket link /volume-for-anonymous/bucket-a /s3v/bucket-a
      bash-4.2$ ozone sh bucket getacl s3v/bucket-a
      [ {
        "type" : "USER",
        "name" : "hadoop",
        "aclScope" : "ACCESS",
        "aclList" : [ "ALL" ]
      }, {
        "type" : "GROUP",
        "name" : "users",
        "aclScope" : "ACCESS",
        "aclList" : [ "ALL" ]
      } ]
      bash-4.2$
      
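      The session above shows the two access paths to the same bucket carrying different ACLs. As an added audit helper (not part of this ticket or of Ozone itself), the following script parses the `ozone sh bucket getacl` JSON for a source bucket and for a link to it, and reports which principals gain rights through the link that the source bucket never granted, and vice versa. The sample inputs are copied from the session; the expansion of ALL into individual rights assumes Ozone's ACL right names (READ, WRITE, CREATE, LIST, DELETE, READ_ACL, WRITE_ACL).

```python
import json

# Constructed sample input: the two getacl outputs from the session above.
SOURCE_BUCKET_ACL = """[ {
  "type" : "GROUP", "name" : "anonymous",
  "aclScope" : "ACCESS", "aclList" : [ "ALL" ]
} ]"""
LINK_BUCKET_ACL = """[ {
  "type" : "USER", "name" : "hadoop",
  "aclScope" : "ACCESS", "aclList" : [ "ALL" ]
}, {
  "type" : "GROUP", "name" : "users",
  "aclScope" : "ACCESS", "aclList" : [ "ALL" ]
} ]"""

# Assumed set of concrete Ozone ACL rights that "ALL" stands for.
ALL_RIGHTS = frozenset(
    ["READ", "WRITE", "CREATE", "LIST", "DELETE", "READ_ACL", "WRITE_ACL"])


def expand_rights(rights):
    """Expand ALL to the concrete rights and drop NONE so sets compare cleanly."""
    expanded = set()
    for right in rights:
        if right == "ALL":
            expanded |= ALL_RIGHTS
        elif right != "NONE":
            expanded.add(right)
    return frozenset(expanded)


def parse_acls(getacl_json):
    """Map `ozone sh bucket getacl` JSON to {(type, name, scope): rights}."""
    acls = {}
    for entry in json.loads(getacl_json):
        key = (entry["type"], entry["name"], entry.get("aclScope", "ACCESS"))
        acls[key] = acls.get(key, frozenset()) | expand_rights(entry["aclList"])
    return acls


def acl_divergence(source_json, link_json):
    """Rights reachable only via the link, and rights the link does not carry."""
    source, link = parse_acls(source_json), parse_acls(link_json)
    extra_on_link = {k: v - source.get(k, frozenset()) for k, v in link.items()
                     if v - source.get(k, frozenset())}
    missing_on_link = {k: v - link.get(k, frozenset()) for k, v in source.items()
                       if v - link.get(k, frozenset())}
    return {"extra_on_link": extra_on_link, "missing_on_link": missing_on_link}


if __name__ == "__main__":
    for kind, entries in acl_divergence(SOURCE_BUCKET_ACL, LINK_BUCKET_ACL).items():
        for (typ, name, scope), rights in sorted(entries.items()):
            print(f"{kind}: {typ}:{name} ({scope}) -> {sorted(rights)}")
```

      A non-empty `extra_on_link` means the link grants access that the source bucket's own ACL does not, which is the situation the session demonstrates.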

      People

        Assignee: Unassigned
        Reporter: Kiyoshi Mizumaru (kmizumar)