UENISHI Kota created HDDS-4755:
----------------------------------

             Summary: Can't create key in non-owned bucket although it should be allowed by ACL
                 Key: HDDS-4755
                 URL: https://issues.apache.org/jira/browse/HDDS-4755
             Project: Hadoop Distributed Data Store
          Issue Type: Bug
          Components: OM
    Affects Versions: 1.0.0
         Environment: Secure setup of Ozone 1.0.0
            Reporter: UENISHI Kota


Even when a bucket has an ACL like "world::a" or "anonymous::a", no one 
other than the owner can create any key in the bucket. I believe it's not 
only me and it's reproducible with the following sequence:

As an admin user:
1. ozone sh volume addacl -a "world::a" /s3v
2. ozone sh bucket create /s3v/sandbox
3. ozone sh bucket addacl -a "world::a" /s3v/sandbox

Which yields the ACL state:
{quote}$ bin/ozone sh volume getacl /s3v

[ {
  "type" : "USER",
  "name" : "ozone",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "GROUP",
  "name" : "hadoop",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "GROUP",
  "name" : "ozone",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "WORLD",
  "name" : "WORLD",
  "aclScope" : "ACCESS",
  "aclList" : [ "READ", "CREATE", "LIST", "READ_ACL" ]
}, {
  "type" : "ANONYMOUS",
  "name" : "ANONYMOUS",
  "aclScope" : "ACCESS",
  "aclList" : [ "READ", "LIST" ]
} ]
$ bin/ozone sh bucket getacl /s3v/sandbox
[ {
  "type" : "USER",
  "name" : "h...@pfn.io",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "GROUP",
  "name" : "hdfs",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "GROUP",
  "name" : "hadoop",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "WORLD",
  "name" : "WORLD",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
} ]{quote}

And then I tried to create a key as another user, but it fails:
{quote}$ bin/ozone sh key put /s3v/sandbox/hello.txt hello.txt
PERMISSION_DENIED User k...@pfn.io doesn't have CREATE permission to access 
key{quote}

I doubt checkAcls() 
[here|https://github.com/apache/ozone/blob/6fe3e8ae89fc7fb1701ca420c54c68d87724154b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java#L2162-L2163],
 which throws PERMISSION_DENIED rather than KEY_NOT_FOUND.
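
As a triage aid for reports like this one (an added example, not part of the original report and not Ozone's authorizer code), the Python below loads the two ACL listings quoted above and computes the rights a non-owner receives from them. The matching rules (WORLD applies to every user, ANONYMOUS is ignored for an authenticated user, only ACCESS-scope entries count), the function names and the principal name are assumptions made for illustration.

```python
import json

# ACL listings from the report, compacted to one entry per line.
# The elided user name is kept exactly as it appears in the report.
VOLUME_ACL = json.loads("""[
 {"type":"USER","name":"ozone","aclScope":"ACCESS","aclList":["ALL"]},
 {"type":"GROUP","name":"hadoop","aclScope":"ACCESS","aclList":["ALL"]},
 {"type":"GROUP","name":"ozone","aclScope":"ACCESS","aclList":["ALL"]},
 {"type":"WORLD","name":"WORLD","aclScope":"ACCESS",
  "aclList":["READ","CREATE","LIST","READ_ACL"]},
 {"type":"ANONYMOUS","name":"ANONYMOUS","aclScope":"ACCESS","aclList":["READ","LIST"]}
]""")
BUCKET_ACL = json.loads("""[
 {"type":"USER","name":"h...@pfn.io","aclScope":"ACCESS","aclList":["ALL"]},
 {"type":"GROUP","name":"hdfs","aclScope":"ACCESS","aclList":["ALL"]},
 {"type":"GROUP","name":"hadoop","aclScope":"ACCESS","aclList":["ALL"]},
 {"type":"WORLD","name":"WORLD","aclScope":"ACCESS","aclList":["ALL"]}
]""")

def matching_entries(acl, user, groups=()):
    """Yield ACCESS-scope entries that apply to this authenticated user (assumed rules)."""
    for entry in acl:
        if entry.get("aclScope") != "ACCESS":
            continue
        kind, name = entry["type"], entry["name"]
        if (kind == "WORLD"
                or (kind == "USER" and name == user)
                or (kind == "GROUP" and name in groups)):
            yield entry

def effective_rights(acl, user, groups=()):
    """Union of the rights listed in every matching entry."""
    rights = set()
    for entry in matching_entries(acl, user, groups):
        rights.update(entry["aclList"])
    return rights

def grants(acl, right, user, groups=()):
    rights = effective_rights(acl, user, groups)
    return "ALL" in rights or right in rights

def granting_entries(acl, right, user, groups=()):
    """Name the entries responsible for a grant, for the ticket or audit note."""
    return [f'{e["type"]}:{e["name"]}' for e in matching_entries(acl, user, groups)
            if "ALL" in e["aclList"] or right in e["aclList"]]

if __name__ == "__main__":
    user = "nonowner@EXAMPLE.COM"  # constructed principal with no group membership
    for label, acl in (("volume /s3v", VOLUME_ACL), ("bucket /s3v/sandbox", BUCKET_ACL)):
        print(label, grants(acl, "CREATE", user), granting_entries(acl, "CREATE", user))
```

Under this model both listings grant CREATE to the non-owner through the WORLD entry alone, which matches the reporter's expectation that the denial does not come from the ACL data itself.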


