[ 
https://issues.apache.org/jira/browse/HDDS-1611?focusedWorklogId=268875&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-268875
 ]

ASF GitHub Bot logged work on HDDS-1611:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 27/Jun/19 21:56
            Start Date: 27/Jun/19 21:56
    Worklog Time Spent: 10m 
      Work Description: hadoop-yetus commented on pull request #973: HDDS-1611. 
Evaluate ACL on volume bucket key and prefix to authorize access. Contributed 
by Ajay Kumar.
URL: https://github.com/apache/hadoop/pull/973#discussion_r298385875
 
 

 ##########
 File path: hadoop-ozone/dist/src/main/smoketest/security/ozone-secure-fs.robot
 ##########
 @@ -91,7 +91,41 @@ Test key Acls
     ${result} =     Execute             ozone sh key removeacl 
${volume3}/bk1/key1 -a user:superuser1:xy
     ${result} =     Execute             ozone sh key getacl ${volume3}/bk1/key1
     Should Match Regexp                 ${result}       \"type\" : 
\"USER\",\n.*\"name\" : \"superuser1\",\n.*\"aclList\" : . \"READ\", \"WRITE\"
-    ${result} =     Execute             ozone sh key setacl 
${volume3}/bk1/key1 -al user:superuser1:rwxy,group:superuser1:a
+    ${result} =     Execute             ozone sh key setacl 
${volume3}/bk1/key1 -al 
user:superuser1:rwxy,group:superuser1:a,user:testuser/s...@example.com:rwxyc
     ${result} =     Execute             ozone sh key getacl ${volume3}/bk1/key1
     Should Match Regexp                 ${result}       \"type\" : 
\"USER\",\n.*\"name\" : \"superuser1*\",\n.*\"aclList\" : . \"READ\", 
\"WRITE\", \"READ_ACL\", \"WRITE_ACL\"
-    Should Match Regexp                 ${result}       \"type\" : 
\"GROUP\",\n.*\"name\" : \"superuser1\",\n.*\"aclList\" : . \"ALL\"
\ No newline at end of file
+    Should Match Regexp                 ${result}       \"type\" : 
\"GROUP\",\n.*\"name\" : \"superuser1\",\n.*\"aclList\" : . \"ALL\"
+
+Test native authorizer
+    Execute         ozone sh volume removeacl ${volume3} -a group:root:a
+    Execute         kdestroy
+    Run Keyword     Kinit test user     testuser2    testuser2.keytab
+    ${result} =     Execute And Ignore Error         ozone sh bucket list 
/${volume3}/    
+                    Should contain      ${result}    PERMISSION_DENIED
+    ${result} =     Execute And Ignore Error         ozone sh key list 
/${volume3}/bk1      
+                    Should contain      ${result}    PERMISSION_DENIED
+    ${result} =     Execute And Ignore Error         ozone sh volume addacl 
${volume3} -a user:testuser2/s...@example.com:xy
+                    Should contain      ${result}    PERMISSION_DENIED User 
testuser2/s...@example.com doesn't have WRITE_ACL permission to access volume
+    Execute         kdestroy
+    Run Keyword     Kinit test user     testuser     testuser.keytab
+    Execute         ozone sh volume addacl ${volume3} -a 
user:testuser2/s...@example.com:xyrw
+    Execute         kdestroy
+    Run Keyword     Kinit test user     testuser2    testuser2.keytab
+    ${result} =     Execute And Ignore Error         ozone sh bucket list 
/${volume3}/
+                    Should contain      ${result}    PERMISSION_DENIED 
org.apache.hadoop.ozone.om.exceptions.OMException: User 
testuser2/s...@example.com doesn't have LIST permission to access volume
+    Execute         ozone sh volume addacl ${volume3} -a 
user:testuser2/s...@example.com:l
+    Execute         ozone sh bucket list /${volume3}/
+    Execute         ozone sh volume getacl /${volume3}/
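 Review bot: The last two steps of "Test native authorizer" (`ozone sh bucket list /${volume3}/` and `ozone sh volume getacl /${volume3}/`, run after testuser2 is granted `l`) are bare Execute calls with no check on their output, so the allow path is not asserted the way the PERMISSION_DENIED paths above it are. Capture `${result}` for both and add a Should contain or Should Match Regexp, for example that the getacl output lists the testuser2 entry with LIST. Similarly, the changed `key setacl` line near the top of the hunk now adds `user:testuser/s...@example.com:rwxyc`, but the Should Match Regexp checks that follow still cover only the superuser1 USER and GROUP entries; add one for the new entry. The first `bucket list /${volume3}/` and the `key list /${volume3}/bk1` steps also end in trailing spaces, which should be stripped.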
 
 Review comment:
   whitespace:end of line
   
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 268875)
    Time Spent: 2h 10m  (was: 2h)

> Evaluate ACL on volume bucket key and prefix to authorize access 
> -----------------------------------------------------------------
>
>                 Key: HDDS-1611
>                 URL: https://issues.apache.org/jira/browse/HDDS-1611
>             Project: Hadoop Distributed Data Store
>          Issue Type: Sub-task
>            Reporter: Xiaoyu Yao
>            Assignee: Ajay Kumar
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 2h 10m
>  Remaining Estimate: 0h
>




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
