[ https://issues.apache.org/jira/browse/HDDS-15064?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Siyao Meng updated HDDS-15064:
------------------------------
Fix Version/s: 2.1.1
> [STS] Artifacts for Ranger to Consider S3 Action when Authorizing
> -----------------------------------------------------------------
>
> Key: HDDS-15064
> URL: https://issues.apache.org/jira/browse/HDDS-15064
> Project: Apache Ozone
> Issue Type: Sub-task
> Reporter: Fabian Morgan
> Assignee: Fabian Morgan
> Priority: Major
> Labels: pull-request-available
> Fix For: 2.2.0, 2.1.1
>
>
> Currently, ACLs used by Ozone and Ranger are not granular enough. For
> example, *read* on volume, *read* on bucket, and *write* on key can be used
> by either *s3:PutObjectTagging* or *s3:DeleteObjectTagging*. Similarly,
> because *s3:PutObject* requires *read* on volume, *read* on bucket, and
> *create* and *write* on key, someone with *s3:PutObject* access can also call
> *s3:PutObjectTagging* (as an example). To prevent having more access than
> requested (or different access than requested), we need a means of
> restricting the ACL permissions further by S3 actions.
> To do this, we introduce an *s3Action* field in *RequestContext* so that if
> populated, the RangerOzoneAuthorizer would further restrict the permissions
> according to the S3 action.
> Additionally, the *OzoneGrant* would contain a *Set<String>* representing the
> S3 actions that are allowed for an inline policy. If all actions are
> allowed, then the *Set<String>* would be empty.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
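The restriction the issue proposes, modelled in Python as an added example (not Ozone's or Ranger's code): a grant carries its ACL rights plus an optional set of S3 actions, and the authorizer applies the S3-action check only when the request populates s3Action. Grant, RequestContext, REQUIRED_RIGHTS, s3_request and authorize are stand-ins for the OzoneGrant and RequestContext fields described above, and the rights table and grants are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

Rights = Dict[str, Set[str]]  # resource type -> ACL rights, e.g. {"key": {"write"}}

# ACL rights each S3 action needs on volume/bucket/key, as listed in the
# issue description (constructed table; a real deployment maps more actions).
REQUIRED_RIGHTS: Dict[str, Rights] = {
    "s3:PutObject": {"volume": {"read"}, "bucket": {"read"}, "key": {"create", "write"}},
    "s3:PutObjectTagging": {"volume": {"read"}, "bucket": {"read"}, "key": {"write"}},
    "s3:DeleteObjectTagging": {"volume": {"read"}, "bucket": {"read"}, "key": {"write"}},
}


@dataclass
class Grant:
    """Stand-in for the proposed OzoneGrant: ACL rights plus the S3 actions the
    grant is limited to. An empty set means every S3 action is allowed."""
    rights: Rights
    s3_actions: FrozenSet[str] = frozenset()


@dataclass
class RequestContext:
    """Stand-in for RequestContext with the proposed optional s3Action field."""
    needed: Rights
    s3_action: Optional[str] = None


def s3_request(action: str) -> RequestContext:
    """Context an S3 gateway call would carry: the ACL rights it needs plus the action."""
    return RequestContext(needed=REQUIRED_RIGHTS[action], s3_action=action)


def acl_allows(grant: Grant, needed: Rights) -> bool:
    """Plain ACL check: every needed right on every resource is held by the grant."""
    return all(need <= grant.rights.get(res, set()) for res, need in needed.items())


def authorize(ctx: RequestContext, grant: Grant) -> bool:
    """ACL check first; then, only when s3Action is populated AND the grant is
    limited to specific actions, the action must be in the grant's set."""
    if not acl_allows(grant, ctx.needed):
        return False
    if ctx.s3_action is None or not grant.s3_actions:
        return True
    return ctx.s3_action in grant.s3_actions


# Constructed grants with identical ACL rights; only one is limited to s3:PutObject.
PUT_RIGHTS: Rights = {"volume": {"read"}, "bucket": {"read"}, "key": {"create", "write"}}
UNRESTRICTED = Grant(rights=PUT_RIGHTS)
PUT_ONLY = Grant(rights=PUT_RIGHTS, s3_actions=frozenset({"s3:PutObject"}))
```

With UNRESTRICTED, s3:PutObjectTagging passes on the same rights as s3:PutObject (the over-grant the issue describes); with PUT_ONLY it is refused, while a native Ozone request with no s3Action is still judged on ACL rights alone.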