[ https://issues.apache.org/jira/browse/HDDS-4020?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17163785#comment-17163785 ]

Istvan Fajth commented on HDDS-4020:
------------------------------------

I would like to suggest a few things for consideration on this.

If we have an external authorizer, like Ranger, then we should fail any ACL 
creation or modification commands, with a proper error message that says 
modification of any ACL should happen via the external authorizer used.
On the other hand, read operations should not fail.
Now we get this error message on a getACL when an external authorizer is enabled:
{{[# ozone sh volume getacl o3://ozone1/test}}
{{PERMISSION_DENIED User u...@example.com doesn't have READ_ACL permission to 
access volume}}

I think reading the ACLs from the external authorizer and showing them to the 
users would be a much nicer approach, though I agree this should probably 
go into a separate JIRA, as this might need modifications in the 
IAccessAuthorizer that have to be followed up by the Ranger plugin itself as 
well.

> ACL commands like getacl and setacl should return a response only when Native 
> Authorizer is enabled
> ---------------------------------------------------------------------------------------------------
>
>                 Key: HDDS-4020
>                 URL: https://issues.apache.org/jira/browse/HDDS-4020
>             Project: Hadoop Distributed Data Store
>          Issue Type: Task
>          Components: Ozone CLI, Ozone Manager
>    Affects Versions: 0.5.0
>            Reporter: Vivek Ratnavel Subramanian
>            Assignee: Bharat Viswanadham
>            Priority: Major
>
> Currently, the getacl and setacl commands return wrong information when an 
> external authorizer such as Ranger is enabled. There should be a check to 
> verify if Native Authorizer is enabled before returning any response for 
> these two commands.
> If an external authorizer is enabled, it should show a nice message about 
> managing ACLs in the external authorizer.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
