Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
None
-
None
-
None
Description
With the following Ozone policy,
Policy resources - volume - *, bukcet - *, key - * All access provided to hrt_1 user
The hrt_1 user is able to perform the following ls operation :-
ozone fs -ls -R o3fs://test-bucket-nzxvfhn.test-volume-nzxvfhn.ozone1/test_dir_nzxvfhn_1/dir1_nzxvfhn drwxrwxrwx - hrt_1 hrt_1 0 2022-04-22 04:23 o3fs://test-bucket-nzxvfhn.test-volume-nzxvfhn.ozone1/test_dir_nzxvfhn_1/dir1_nzxvfhn/dir1 drwxrwxrwx - hrt_1 hrt_1 0 2022-04-22 04:23 o3fs://test-bucket-nzxvfhn.test-volume-nzxvfhn.ozone1/test_dir_nzxvfhn_1/dir1_nzxvfhn/dir1/dir11
But with the following policy,
Policy resources - volume - *, bucket - *, key - test_dir_*_1 All access provided to hrt_1 user
The hrt_1 user is not able to access the key dir and the access is denied to the user
at the volume level itself. The user is not allowed access on the volume and to the bucket even if the policy resource has a wildcard "*" to allow access on bucket and volume.
ozone fs -ls -R o3fs://test-bucket-nzxvfhn.test-volume-nzxvfhn.ozone1/test_dir_nzxvfhn_1/dir1_nzxvfhn 22/04/22 07:08:00 WARN fs.FileSystem: Failed to initialize fileystem o3fs://test-bucket-nzxvfhn.test-volume-nzxvfhn.ozone1/test_dir_nzxvfhn_1/dir1_nzxvfhn: PERMISSION_DENIED org.apache.hadoop.ozone.om.exceptions.OMException: User hrt_1 doesn't have READ permission to access volume Volume:test-volume-nzxvfhn ls: User hrt_1 doesn't have READ permission to access volume Volume:test-volume-nzxvfhn
The behaviour does not seem consistent when the policy resource for key contains a "*" and when the policy resource for key contains a specific value.
The behavior should be consistent in both the cases