[ https://issues.apache.org/jira/browse/HDDS-14899?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Fabian Morgan updated HDDS-14899:
---------------------------------
    Description: 
Smoke testing revealed that the ACLs that IamSessionPolicyResolver produced for 
certain APIs did not match the ACLs that Ozone checked against. Specifically, 
the following:

1) PutBucketAcl requires READ and READ_ACL (in addition to the already existing 
WRITE_ACL) on the bucket
2) AbortMultipartUpload requires WRITE on the key, not DELETE
3) DeleteObjectTagging requires WRITE on the key, not DELETE

This ticket addresses these ACL updates. Separately, GetBucketLocation is not 
implemented, so remove it from the IamSessionPolicyResolver.

  was:
Smoke testing revealed that the ACLs that IamSessionPolicyResolver produced for 
certain APIs did not match the ACLs that Ozone checked against. Specifically, 
the following:

1) PutBucketAcl requires READ and READ_ACL (in addition to the already existing 
WRITE_ACL) on the bucket
2) AbortMultipartUpload requires WRITE on the key, not DELETE
3) DeleteObjectTagging requires WRITE on the key, not DELETE
4) ACL checks were added to ListParts in 
https://github.com/apache/ozone/pull/9976, so use LIST on the key instead of 
READ (in order to prevent granting download permission with just ListParts 
authorization)

This ticket addresses these ACL updates. Separately, GetBucketLocation is not 
implemented, so remove it from the IamSessionPolicyResolver.


> [STS] Updates to ACLs in IamSessionPolicyResolver
> -------------------------------------------------
>
>                 Key: HDDS-14899
>                 URL: https://issues.apache.org/jira/browse/HDDS-14899
>             Project: Apache Ozone
>          Issue Type: Sub-task
>            Reporter: Fabian Morgan
>            Assignee: Fabian Morgan
>            Priority: Major
>              Labels: pull-request-available



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
