  1. Apache Ozone
  2. HDDS-7191

Create separate property for s3 admin

Details

    Description

      Currently, all s3 operations via the Ozone CLI use the `ozone.administrators` or `ozone.administrators.groups` property to define the admins who can generate and revoke s3 keys for any user. This approach does not make it possible to split s3 key generation off to separate admin groups.

      As s3 keys are security sensitive, it would be useful to be able to split responsibility between general admins and special s3 admins.

      So, my proposal is as follows:
      1. Create new properties `ozone.s3.administrators` and `ozone.s3.administrators.groups`.
      2. When at least one of these properties is defined, all s3 shell operations can be executed as admin only by one of the defined users. Each user should still have permission to generate keys for itself.
      3. When these properties are empty, admins should be taken from `ozone.administrators` or `ozone.administrators.groups`.

      As you can see, these changes are backward compatible because of point 3.
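
The resolution rules in points 1 to 3, modelled as an added example (not Ozone source code and not the reporter's code). The function names, the dict-based configuration and the comma-separated value format are assumptions; the point shown is that setting either s3 property replaces the general admin list for s3 key operations.

```python
# Added example: model of the proposed rules; not Ozone source code.
S3_USERS = "ozone.s3.administrators"
S3_GROUPS = "ozone.s3.administrators.groups"
OM_USERS = "ozone.administrators"
OM_GROUPS = "ozone.administrators.groups"


def _names(conf, key):
    """Parse a property value; comma-separated format is an assumption."""
    return {v.strip() for v in conf.get(key, "").split(",") if v.strip()}


def effective_s3_admins(conf):
    """Return (users, groups, source) per points 2 and 3 of the proposal."""
    users, groups = _names(conf, S3_USERS), _names(conf, S3_GROUPS)
    if users or groups:          # point 2: either property set -> s3 list only
        return users, groups, "s3"
    # point 3: both empty -> fall back to the general admin properties
    return _names(conf, OM_USERS), _names(conf, OM_GROUPS), "fallback"


def may_generate_s3_key(conf, caller, target, caller_groups=()):
    """Decide whether `caller` may generate an s3 key for `target`."""
    if caller == target:         # every user keeps self-service generation
        return True
    users, groups, _ = effective_s3_admins(conf)
    return caller in users or bool(groups & set(caller_groups))


# Constructed sample configurations (user and group names are made up).
LEGACY = {OM_USERS: "om_admin", OM_GROUPS: "ops"}
SPLIT = {OM_USERS: "om_admin", OM_GROUPS: "ops", S3_GROUPS: "s3-keys"}

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY), ("split", SPLIT)):
        print(name, effective_s3_admins(conf)[2],
              may_generate_s3_key(conf, "om_admin", "alice", ["ops"]))
```

In this model a value that is blank after trimming counts as empty, so it falls back to the general admins; whether an implementation treats it that way is a design choice to check during review.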

            People

              Mikhail Pochatkin