[ https://issues.apache.org/jira/browse/HDDS-8653 ]
Hongbing Wang deleted comment on HDDS-8653:
-------------------------------------

    was (Author: wanghongbing):
`RequestContext#isRecursiveAccessCheck` uses sub-dir logic, and works only when `IAccessAuthorizer.ACLType.DELETE`. (I have not checked carefully whether this is expected.)

> Let directory inherit parent default ACLs
> -----------------------------------------
>
>                 Key: HDDS-8653
>                 URL: https://issues.apache.org/jira/browse/HDDS-8653
>             Project: Apache Ozone
>          Issue Type: Bug
>          Components: OM
>    Affects Versions: 1.3.0
>            Reporter: Hongbing Wang
>            Assignee: Hongbing Wang
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.4.0
>
>
> Dir and file inherited ACLs are not consistent, which seems to be confusing and to produce wrong ACLs. The case is as follows:
> {code:java}
> // setup
> $ ozone sh vol create vol1
> $ ozone sh vol addacl -a=user:user1:rlw vol1
> $ ozone sh bucket create vol1/buk1
> $ ozone sh bucket addacl -a=user:user1:rlw[DEFAULT] vol1/buk1
> $ ozone sh bucket addacl -a=user:group1:rlw[DEFAULT] vol1/buk1
> $ export HADOOP_USER_NAME=user1
> $ hadoop fs -mkdir -p ofs://ip:9862/vol1/buk1/d11/d22
> $ hadoop fs -put /etc/hosts ofs://ip:9862/vol1/buk1/d11/d22/f1
>
> // GOOD CASE: user1 is owner, so user1 has ALL acl, also inherits bucket acls
> $ ozone sh key getacl vol1/buk1/d11/d22/f1
> [ {
>   "type" : "USER",
>   "name" : "user1",
>   "aclScope" : "ACCESS",
>   "aclList" : [ "READ", "WRITE", "LIST", "ALL" ]
> }, {
>   "type" : "USER",
>   "name" : "group1",
>   "aclScope" : "ACCESS",
>   "aclList" : [ "READ", "WRITE", "LIST" ]
> } ]
>
> // BAD CASE 1: dir22 only has owner acls, NOT inherit
> $ ozone sh key getacl vol1/buk1/d11/d22/
> [ {
>   "type" : "USER",
>   "name" : "user1",
>   "aclScope" : "ACCESS",
>   "aclList" : [ "ALL" ]
> } ]
>
> // BAD CASE 2: dir11 does NOT have owner acls, but inherits bucket both DEFAULT and ACCESS acls
> $ ozone sh key getacl vol1/buk1/d11/
> [ {
>   "type" : "USER",
>   "name" : "hadoop",
>   "aclScope" : "ACCESS",
>   "aclList" : [ "ALL" ]
> }, {
>   "type" : "GROUP",
>   "name" : "hadoop",
>   "aclScope" : "ACCESS",
>   "aclList" : [ "ALL" ]
> }, {
>   "type" : "USER",
>   "name" : "user1",
>   "aclScope" : "DEFAULT",
>   "aclList" : [ "READ", "WRITE", "LIST" ]
> }, {
>   "type" : "USER",
>   "name" : "group1",
>   "aclScope" : "DEFAULT",
>   "aclList" : [ "READ", "WRITE", "LIST" ]
> } ]{code}
> This Jira fixes the bad cases above.
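An audit of the three `getacl` results in the report above, added here as an example; it is not part of the Jira issue or of Apache Ozone's code. It assumes the GOOD CASE output for `f1` is the intended state, and the bucket's ACCESS entries, the finding labels and all function names are constructed for illustration.

```python
import json

RLW = ["READ", "WRITE", "LIST"]

def entry(kind, name, scope, rights):
    """Build one ACL entry in the shape printed by `ozone sh key getacl`."""
    return {"type": kind, "name": name, "aclScope": scope, "aclList": rights}

def audit_acls(bucket_acls, child_acls, creator):
    """Return sorted findings for one key, judged against the page's GOOD CASE."""
    findings = []
    access = [a for a in child_acls if a["aclScope"] == "ACCESS"]
    for p in bucket_acls:
        who = (p["type"], p["name"])
        if p["aclScope"] == "DEFAULT":
            # BAD CASE 1 symptom: a bucket DEFAULT grant is missing on the child.
            held = set()
            for c in child_acls:
                if (c["type"], c["name"]) == who:
                    held |= set(c["aclList"])
            if "ALL" not in held and not set(p["aclList"]) <= held:
                findings.append("default-not-inherited:%s:%s" % who)
        elif who != ("USER", creator):
            # BAD CASE 2 symptom: a bucket ACCESS entry was copied to the child.
            if any((a["type"], a["name"]) == who and a["aclList"] == p["aclList"]
                   for a in access):
                findings.append("bucket-access-inherited:%s:%s" % who)
    # BAD CASE 2 symptom: the creating user has no ACCESS entry granting ALL.
    if not any(a["type"] == "USER" and a["name"] == creator
               and "ALL" in a["aclList"] for a in access):
        findings.append("owner-missing:%s" % creator)
    return sorted(findings)

# Constructed bucket ACLs: the ACCESS entries are assumed from BAD CASE 2,
# the DEFAULT entries follow the two `bucket addacl` commands on the page.
BUCKET = [entry("USER", "hadoop", "ACCESS", ["ALL"]),
          entry("GROUP", "hadoop", "ACCESS", ["ALL"]),
          entry("USER", "user1", "DEFAULT", RLW),
          entry("USER", "group1", "DEFAULT", RLW)]
# getacl results as reported on the page, re-typed here as sample input.
F1 = [entry("USER", "user1", "ACCESS", RLW + ["ALL"]),
      entry("USER", "group1", "ACCESS", RLW)]
D22 = json.loads('[{"type": "USER", "name": "user1", '
                 '"aclScope": "ACCESS", "aclList": ["ALL"]}]')
D11 = list(BUCKET)  # the page's d11 output matches the bucket entries one for one

def run_audit():
    keys = {"d11/d22/f1": F1, "d11/d22/": D22, "d11/": D11}
    return {k: audit_acls(BUCKET, v, "user1") for k, v in keys.items()}

if __name__ == "__main__":
    print(json.dumps(run_audit(), indent=2))
```

On a real cluster the same function can be fed `json.loads` of the `getacl` output for the bucket and for each key being checked.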