[
https://issues.apache.org/jira/browse/HADOOP-15525?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Aaron Fabbri updated HADOOP-15525:
----------------------------------
Description:
Scenario: customer wants to only give a Hadoop cluster access to a subtree of
an S3 bucket.
For example, assume Hadoop uses some IAM identity "hadoop", which they wish to
grant full permission to everything under the following path:
s3a://bucket/a/b/c/hadoop-dir
they don't want hadoop user to be able to read/list/delete anything outside of
the hadoop-dir "subdir"
Problems:
To implement the "directory structure on flat key space" emulation logic we use
to present a Hadoop FS on top of a blob store, we need to create / delete /
list ancestors of {{hadoop-dir}}. (to maintain the invariants (1) zero-byte
object with key ending in '/' exists iff empty directory is there and (2) files
cannot live beneath files, only directories.)
I'd like us to either (1) document a workaround (example IAM ACLs) that gets
this basic functionality, and/or (2) make improvements to make this less
painful.
We've discussed some of these issues before but I didn't see a dedicated JIRA.
was:
Scenario: customer wants to only give a Hadoop cluster access to a subtree of
an S3 bucket.
For example, assume Hadoop uses some IAM identity "hadoop", which they wish to
grant full permission to everything under the following path:
s3a://bucket/a/b/c/hadoop-dir
they don't want hadoop user to be able to read/list/delete anything outside of
the hadoop-dir "subdir"
Problems:
To implement the "directory structure on flat key space" emulation logic we use
to present a Hadoop FS on top of a blob store, we need to create / delete /
list ancestors of {{hadoop-dir}}.
I'd like us to either (1) document a workaround (example IAM ACLs) that gets
this basic functionality, and/or (2) make improvements to make this less
painful.
We've discussed some of these issues before but I didn't see a dedicated JIRA.
> s3a: clarify / improve support for mixed ACL buckets
> ----------------------------------------------------
>
> Key: HADOOP-15525
> URL: https://issues.apache.org/jira/browse/HADOOP-15525
> Project: Hadoop Common
> Issue Type: Bug
> Components: fs/s3
> Affects Versions: 3.0.0
> Reporter: Aaron Fabbri
> Priority: Major
>
> Scenario: customer wants to only give a Hadoop cluster access to a subtree of
> an S3 bucket.
> For example, assume Hadoop uses some IAM identity "hadoop", which they wish
> to grant full permission to everything under the following path:
> s3a://bucket/a/b/c/hadoop-dir
> they don't want hadoop user to be able to read/list/delete anything outside
> of the hadoop-dir "subdir"
> Problems:
> To implement the "directory structure on flat key space" emulation logic we
> use to present a Hadoop FS on top of a blob store, we need to create / delete
> / list ancestors of {{hadoop-dir}}. (to maintain the invariants (1) zero-byte
> object with key ending in '/' exists iff empty directory is there and (2)
> files cannot live beneath files, only directories.)
> I'd like us to either (1) document a workaround (example IAM ACLs) that gets
> this basic functionality, and/or (2) make improvements to make this less
> painful.
> We've discussed some of these issues before but I didn't see a dedicated JIRA.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
