[ 
https://issues.apache.org/jira/browse/HADOOP-15572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16533491#comment-16533491
 ] 

Steve Loughran commented on HADOOP-15572:
-----------------------------------------

HADOOP-15569 documents the permissions needed, as obtained through manual setup.

What can be added is automated tests for restricted reader and admin 
permissions, so that any (unintentional) changes in requirements get picked up.

Proposed:
 # test for s3guard init/prune/destroy commands with perms restricted to admin 
set of roles
 # test for restricted user role with read, list & update operations all 
working, but S3Guard tool operations blocked as appropriate.

Test #1 could be done just by restricting the role for some of the existing 
tests, though it may be tricky to get right there (shared filesystems, etc.).

 

> Test S3Guard ops with assumed roles & verify required permissions
> -----------------------------------------------------------------
>
>                 Key: HADOOP-15572
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15572
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 3.1.0
>            Reporter: Steve Loughran
>            Priority: Major
>
> We haven't documented permissions for S3Guard (WiP of mine); when I try to 
> test using the AssumedRoleCredentialProvider & a role nominally restricted to 
> R/W of S3Guard *but not create/delete*, I can still create and destroy buckets.
> Either I've got my list wrong, or how S3Guard sets up its auth isn't right & 
> somehow falling back to the full role


