Project: Apache Ozone
Issue: HDDS-7191

Create separate property for s3 admin

    Description

      Currently, all s3 operations via the Ozone CLI use the `ozone.administrators` or `ozone.administrators.groups` property to define the admins who can generate and revoke s3 keys for any user. This approach doesn't provide a way to split s3 key generation off to separate admin groups.

      As s3 keys are security sensitive, it would be useful to have the possibility to split responsibility between general admins and dedicated s3 admins.

      So, my proposal is:
      1. Create new properties `ozone.s3.administrators` and `ozone.s3.administrators.groups`.
      2. When at least one of these properties is defined, all s3 shell operations can be executed only by one of the defined users as admin. Each user should still have permission to generate keys for themselves.
      3. When these properties are empty, the admins should be taken from `ozone.administrators` or `ozone.administrators.groups`.

      As you can see, these changes are backward compatible because of point 3.
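      An added example, not code from this issue or from Ozone itself: a stand-alone Java model of the admin resolution rule in points 1 to 3, so the legacy and split configurations can be compared side by side. The class name `S3AdminPolicy`, the `Map`-backed config and the helper methods are assumptions made for this example; it does not reproduce how Ozone itself parses those properties, and the users, groups and configs in `main` are constructed for the demonstration.

```java
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Model of the proposed s3 admin resolution rule (example code, not Ozone's
 * implementation). The four property names are the ones named in the
 * proposal; the config is a plain Map and the helpers are assumptions.
 */
public class S3AdminPolicy {

  // Existing general admin properties and the two proposed s3-specific ones.
  static final String OZONE_ADMINS = "ozone.administrators";
  static final String OZONE_ADMIN_GROUPS = "ozone.administrators.groups";
  static final String S3_ADMINS = "ozone.s3.administrators";
  static final String S3_ADMIN_GROUPS = "ozone.s3.administrators.groups";

  private final Map<String, String> conf;

  S3AdminPolicy(Map<String, String> conf) {
    this.conf = conf;
  }

  /** Comma-separated property value to a trimmed set; missing or blank gives an empty set. */
  private Set<String> names(String key) {
    Set<String> out = new HashSet<>();
    for (String s : conf.getOrDefault(key, "").split(",")) {
      if (!s.trim().isEmpty()) {
        out.add(s.trim());
      }
    }
    return out;
  }

  /** Point 2: the s3-specific lists take over as soon as either one is non-empty. */
  boolean s3AdminsConfigured() {
    return !names(S3_ADMINS).isEmpty() || !names(S3_ADMIN_GROUPS).isEmpty();
  }

  /** May `user` (a member of `groups`) get or revoke s3 secrets for any user? */
  boolean isS3Admin(String user, Set<String> groups) {
    Set<String> admins;
    Set<String> adminGroups;
    if (s3AdminsConfigured()) {
      admins = names(S3_ADMINS);
      adminGroups = names(S3_ADMIN_GROUPS);
    } else {
      // Point 3: fall back to the general admin lists so existing clusters keep working.
      admins = names(OZONE_ADMINS);
      adminGroups = names(OZONE_ADMIN_GROUPS);
    }
    if (admins.contains(user)) {
      return true;
    }
    for (String g : groups) {
      if (adminGroups.contains(g)) {
        return true;
      }
    }
    return false;
  }

  /** Self-service is always allowed; acting on another user's secret needs s3 admin rights. */
  boolean canManageSecretOf(String caller, Set<String> callerGroups, String target) {
    return caller.equals(target) || isS3Admin(caller, callerGroups);
  }

  private static void check(boolean cond, String what) {
    if (!cond) {
      throw new AssertionError(what);
    }
    System.out.println("ok: " + what);
  }

  public static void main(String[] args) {
    Set<String> none = Set.of();

    // Constructed config 1: only the general admin list, as on an existing cluster.
    S3AdminPolicy legacy = new S3AdminPolicy(Map.of(OZONE_ADMINS, "hdfs"));
    check(legacy.canManageSecretOf("hdfs", none, "alice"),
        "legacy config: general admin still manages everyone's s3 secrets");
    check(!legacy.canManageSecretOf("alice", none, "bob"),
        "legacy config: plain user cannot touch another user's secret");

    // Constructed config 2: dedicated s3 admins, general admin list left unchanged.
    S3AdminPolicy split = new S3AdminPolicy(Map.of(
        OZONE_ADMINS, "hdfs",
        S3_ADMINS, "s3ops",
        S3_ADMIN_GROUPS, "s3-admins"));
    check(split.canManageSecretOf("s3ops", none, "alice"),
        "split config: s3 admin by name");
    check(split.canManageSecretOf("carol", Set.of("s3-admins"), "alice"),
        "split config: s3 admin by group");
    check(!split.canManageSecretOf("hdfs", none, "alice"),
        "split config: general admin is no longer an s3 admin");
    check(split.canManageSecretOf("alice", none, "alice"),
        "split config: every user still manages their own secret");
  }
}
```

      Compile and run with `javac S3AdminPolicy.java && java S3AdminPolicy` (Java 9 or later for `Map.of` and `Set.of`). The first check is the backward-compatibility claim from point 3: with no s3-specific property set, `hdfs` still administers secrets through the fallback. The third check is the intended tightening: once `ozone.s3.administrators` is set, a general admin who is not on it can no longer read or revoke other users' s3 secrets.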

          People

            Assignee: Mikhail Pochatkin
            Reporter: Mikhail Pochatkin