  1. Apache Ozone
  2. HDDS-7461

NativeACL: Require CREATE right on volume instead of WRITE for CREATE_BUCKET operation

Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Implemented
    • None
    • 1.4.0
    • None

    Description

      The current Native ACL has the problem of permission enlargement.

      When we grant `user1` WRITE permission to `/vol1/buk1`, the permissions we must grant to `user1` are:

      • WRITE permission for `vol1`
      • WRITE permission for `buk1`

      This allows `user1` to create other buckets on `vol1` at will, which is not what we expected.

      It's better to check `user1`'s CREATE permission on `vol1` when `user1` wants to create buckets.
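
The permission enlargement described above, as a simplified model (an added example, not Ozone's code and not part of the original report): it compares the CREATE_BUCKET volume check using WRITE against the same check using CREATE. The grant table, `user2`, and all function names are assumptions made for illustration.

```python
# Simplified model of the volume-level check for CREATE_BUCKET described in this
# issue. Not Ozone's code: the grant table and function names are hypothetical.
from enum import Enum, auto


class Right(Enum):
    READ = auto()
    WRITE = auto()
    CREATE = auto()


# Constructed grants matching the description: user1 holds WRITE on vol1 and on
# buk1 so that it can write into /vol1/buk1. user2 is an added contrast case.
GRANTS = {
    ("user1", "/vol1"): {Right.WRITE},
    ("user1", "/vol1/buk1"): {Right.WRITE},
    ("user2", "/vol1"): {Right.CREATE},
}


def has_right(user, path, right, grants=GRANTS):
    return right in grants.get((user, path), set())


def can_create_bucket(user, volume, required_right, grants=GRANTS):
    """Volume-level check for CREATE_BUCKET; required_right is the right tested."""
    return has_right(user, volume, required_right, grants)


def can_write_bucket(user, volume, bucket, grants=GRANTS):
    """Write to an existing bucket: WRITE on the volume and on the bucket."""
    return has_right(user, volume, Right.WRITE, grants) and has_right(
        user, f"{volume}/{bucket}", Right.WRITE, grants)


def audit_create_bucket(volume, grants=GRANTS):
    """Users whose CREATE_BUCKET outcome differs between the two checks."""
    report = {}
    for user in sorted({u for (u, p) in grants if p == volume}):
        before = can_create_bucket(user, volume, Right.WRITE, grants)
        after = can_create_bucket(user, volume, Right.CREATE, grants)
        if before != after:
            report[user] = (before, after)  # (WRITE-based, CREATE-based)
    return report


if __name__ == "__main__":
    print(audit_create_bucket("/vol1"))
```

Running the audit over a real grant list before moving to a release with this change shows which principals relied on volume WRITE to create buckets and would need an explicit CREATE grant.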

            People

              wanghongbing Hongbing Wang