[jira] [Work logged] (HADOOP-17261) s3a rename() now requires s3:deleteObjectVersion permission

Fri, 18 Sep 2020 10:24:07 -0700 


     [ 
https://issues.apache.org/jira/browse/HADOOP-17261?focusedWorklogId=486293&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-486293
 ]

ASF GitHub Bot logged work on HADOOP-17261:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 18/Sep/20 17:23
            Start Date: 18/Sep/20 17:23
    Worklog Time Spent: 10m 
      Work Description: steveloughran commented on pull request #2303:
URL: https://github.com/apache/hadoop/pull/2303#issuecomment-694989215


   @bgaborg - could you look @ this when you have a chance?
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 486293)
    Time Spent: 1h 10m  (was: 1h)

> s3a rename() now requires s3:deleteObjectVersion permission
> -----------------------------------------------------------
>
>                 Key: HADOOP-17261
>                 URL: https://issues.apache.org/jira/browse/HADOOP-17261
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 3.4.0
>            Reporter: Steve Loughran
>            Assignee: Steve Loughran
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> With the directory marker change (HADOOP-13230) you need the 
> s3:deleteObjectVersion permission in your role, else the operation will fail 
> in the bulk delete, *if S3Guard is in use*
> Root cause
> -if fileStatus has a versionId, we pass that in to the delete KeyVersion pair
> -an unguarded listing doesn't get that versionId, so this is not an issue
> -but if files in a directory were previously created such that S3Guard has 
> their versionId in its tables, that is used in the request
> -which then fails if the caller doesn't have the permission
> Although we say "you need s3:delete*", this is a regression as any IAM role 
> without the permission will have rename fail during delete



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to