[jira] [Commented] (HDFS-12147) Ozone: KSM: Add checkBucketAccess

2017-09-06 Thread Anu Engineer (JIRA) 

[ 
https://issues.apache.org/jira/browse/HDFS-12147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16156025#comment-16156025
 ] 

Anu Engineer commented on HDFS-12147:
-

[~cheersyang] Sorry for the delay in replying. I have created short note on 
what is the security work items in Ozone that needs to be done. But we should 
target that work item to post ozone merge.


> Ozone: KSM: Add checkBucketAccess
> -
>
> Key: HDFS-12147
> URL: https://issues.apache.org/jira/browse/HDFS-12147
> Project: Hadoop HDFS
>  Issue Type: Sub-task
>  Components: ozone
>Reporter: Nandakumar
>Assignee: Nandakumar
>  Labels: OzonePostMerge
> Attachments: HDFS-12147-HDFS-7240.000.patch, 
> HDFS-12147-HDFS-7240.001.patch
>
>
> Checks if the caller has access to a given bucket.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

[jira] [Commented] (HDFS-12147) Ozone: KSM: Add checkBucketAccess

2017-07-16 Thread Hadoop QA (JIRA) 

[ 
https://issues.apache.org/jira/browse/HDFS-12147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=1604#comment-1604
 ] 

Hadoop QA commented on HDFS-12147:
--

| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | {color:blue} reexec {color} | {color:blue}  0m 
20s{color} | {color:blue} Docker mode activated. {color} |
|| || || || {color:brown} Prechecks {color} ||
| {color:green}+1{color} | {color:green} @author {color} | {color:green}  0m  
0s{color} | {color:green} The patch does not contain any @author tags. {color} |
| {color:green}+1{color} | {color:green} test4tests {color} | {color:green}  0m 
 0s{color} | {color:green} The patch appears to include 2 new or modified test 
files. {color} |
|| || || || {color:brown} HDFS-7240 Compile Tests {color} ||
| {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue}  0m 
16s{color} | {color:blue} Maven dependency ordering for branch {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 14m 
31s{color} | {color:green} HDFS-7240 passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green}  1m 
32s{color} | {color:green} HDFS-7240 passed {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green}  0m 
42s{color} | {color:green} HDFS-7240 passed {color} |
| {color:green}+1{color} | {color:green} mvnsite {color} | {color:green}  1m 
36s{color} | {color:green} HDFS-7240 passed {color} |
| {color:green}+1{color} | {color:green} findbugs {color} | {color:green}  3m 
33s{color} | {color:green} HDFS-7240 passed {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green}  1m 
36s{color} | {color:green} HDFS-7240 passed {color} |
|| || || || {color:brown} Patch Compile Tests {color} ||
| {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue}  0m  
8s{color} | {color:blue} Maven dependency ordering for patch {color} |
| {color:red}-1{color} | {color:red} mvninstall {color} | {color:red}  0m 
31s{color} | {color:red} hadoop-hdfs in the patch failed. {color} |
| {color:red}-1{color} | {color:red} compile {color} | {color:red}  0m 
55s{color} | {color:red} hadoop-hdfs-project in the patch failed. {color} |
| {color:red}-1{color} | {color:red} cc {color} | {color:red}  0m 55s{color} | 
{color:red} hadoop-hdfs-project in the patch failed. {color} |
| {color:red}-1{color} | {color:red} javac {color} | {color:red}  0m 55s{color} 
| {color:red} hadoop-hdfs-project in the patch failed. {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green}  0m 
40s{color} | {color:green} hadoop-hdfs-project: The patch generated 0 new + 1 
unchanged - 1 fixed = 1 total (was 2) {color} |
| {color:red}-1{color} | {color:red} mvnsite {color} | {color:red}  0m 
33s{color} | {color:red} hadoop-hdfs in the patch failed. {color} |
| {color:green}+1{color} | {color:green} whitespace {color} | {color:green}  0m 
 0s{color} | {color:green} The patch has no whitespace issues. {color} |
| {color:red}-1{color} | {color:red} findbugs {color} | {color:red}  0m 
15s{color} | {color:red} hadoop-hdfs in the patch failed. {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green}  1m 
31s{color} | {color:green} the patch passed {color} |
|| || || || {color:brown} Other Tests {color} ||
| {color:green}+1{color} | {color:green} unit {color} | {color:green}  1m 
15s{color} | {color:green} hadoop-hdfs-client in the patch passed. {color} |
| {color:red}-1{color} | {color:red} unit {color} | {color:red}  0m 32s{color} 
| {color:red} hadoop-hdfs in the patch failed. {color} |
| {color:green}+1{color} | {color:green} asflicense {color} | {color:green}  0m 
18s{color} | {color:green} The patch does not generate ASF License warnings. 
{color} |
| {color:black}{color} | {color:black} {color} | {color:black} 34m 59s{color} | 
{color:black} {color} |
\\
\\
|| Subsystem || Report/Notes ||
| Docker |  Image:yetus/hadoop:14b5c93 |
| JIRA Issue | HDFS-12147 |
| JIRA Patch URL | 
https://issues.apache.org/jira/secure/attachment/12877467/HDFS-12147-HDFS-7240.000.patch
 |
| Optional Tests |  asflicense  compile  javac  javadoc  mvninstall  mvnsite  
unit  findbugs  checkstyle  cc  |
| uname | Linux df4273e1a5f2 3.13.0-116-generic #163-Ubuntu SMP Fri Mar 31 
14:13:22 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh 
|
| git revision | HDFS-7240 / 8f122a7 |
| Default Java | 1.8.0_131 |
| findbugs | v3.1.0-RC1 |
| mvninstall | 
https://builds.apache.org/job/PreCommit-HDFS-Build/20294/artifact/patchprocess/patch-mvninstall-hadoop-hdfs-project_hadoop-hdfs.txt
 |
| compile | 
https://builds.apache.org/job/PreCommit-HDFS-Build/20294/artifact/patchprocess/patch-compile-hadoop-hdfs-project.txt
 |
| cc | 
https://builds.apac

[jira] [Commented] (HDFS-12147) Ozone: KSM: Add checkBucketAccess

2017-07-16 Thread Anu Engineer (JIRA) 

[ 
https://issues.apache.org/jira/browse/HDFS-12147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16089016#comment-16089016
 ] 

Anu Engineer commented on HDFS-12147:
-

[~nandakumar131] I think this issue might be due to the fact that this patch 
might need a rebase.

> Ozone: KSM: Add checkBucketAccess
> -
>
> Key: HDFS-12147
> URL: https://issues.apache.org/jira/browse/HDFS-12147
> Project: Hadoop HDFS
>  Issue Type: Sub-task
>  Components: ozone
>Reporter: Nandakumar
>Assignee: Nandakumar
> Attachments: HDFS-12147-HDFS-7240.000.patch
>
>
> Checks if the caller has access to a given bucket.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

[jira] [Commented] (HDFS-12147) Ozone: KSM: Add checkBucketAccess

2017-07-16 Thread Nandakumar (JIRA) 

[ 
https://issues.apache.org/jira/browse/HDFS-12147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16089044#comment-16089044
 ] 

Nandakumar commented on HDFS-12147:
---

Thanks [~anu] for the update, patch v1 is on top of latest commit after rebase.

> Ozone: KSM: Add checkBucketAccess
> -
>
> Key: HDFS-12147
> URL: https://issues.apache.org/jira/browse/HDFS-12147
> Project: Hadoop HDFS
>  Issue Type: Sub-task
>  Components: ozone
>Reporter: Nandakumar
>Assignee: Nandakumar
> Attachments: HDFS-12147-HDFS-7240.000.patch, 
> HDFS-12147-HDFS-7240.001.patch
>
>
> Checks if the caller has access to a given bucket.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

[jira] [Commented] (HDFS-12147) Ozone: KSM: Add checkBucketAccess

2017-07-16 Thread Hadoop QA (JIRA) 

[ 
https://issues.apache.org/jira/browse/HDFS-12147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16089095#comment-16089095
 ] 

Hadoop QA commented on HDFS-12147:
--

| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | {color:blue} reexec {color} | {color:blue}  0m 
14s{color} | {color:blue} Docker mode activated. {color} |
|| || || || {color:brown} Prechecks {color} ||
| {color:green}+1{color} | {color:green} @author {color} | {color:green}  0m  
0s{color} | {color:green} The patch does not contain any @author tags. {color} |
| {color:green}+1{color} | {color:green} test4tests {color} | {color:green}  0m 
 0s{color} | {color:green} The patch appears to include 2 new or modified test 
files. {color} |
|| || || || {color:brown} HDFS-7240 Compile Tests {color} ||
| {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue}  0m  
8s{color} | {color:blue} Maven dependency ordering for branch {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 14m 
39s{color} | {color:green} HDFS-7240 passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green}  1m 
33s{color} | {color:green} HDFS-7240 passed {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green}  0m 
42s{color} | {color:green} HDFS-7240 passed {color} |
| {color:green}+1{color} | {color:green} mvnsite {color} | {color:green}  1m 
35s{color} | {color:green} HDFS-7240 passed {color} |
| {color:green}+1{color} | {color:green} findbugs {color} | {color:green}  3m 
30s{color} | {color:green} HDFS-7240 passed {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green}  1m 
38s{color} | {color:green} HDFS-7240 passed {color} |
|| || || || {color:brown} Patch Compile Tests {color} ||
| {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue}  0m  
8s{color} | {color:blue} Maven dependency ordering for patch {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green}  1m 
26s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green}  1m 
32s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} cc {color} | {color:green}  1m 
32s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} javac {color} | {color:green}  1m 
32s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green}  0m 
40s{color} | {color:green} hadoop-hdfs-project: The patch generated 0 new + 1 
unchanged - 1 fixed = 1 total (was 2) {color} |
| {color:green}+1{color} | {color:green} mvnsite {color} | {color:green}  1m 
30s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} whitespace {color} | {color:green}  0m 
 0s{color} | {color:green} The patch has no whitespace issues. {color} |
| {color:green}+1{color} | {color:green} findbugs {color} | {color:green}  3m 
41s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green}  1m 
34s{color} | {color:green} the patch passed {color} |
|| || || || {color:brown} Other Tests {color} ||
| {color:green}+1{color} | {color:green} unit {color} | {color:green}  1m 
15s{color} | {color:green} hadoop-hdfs-client in the patch passed. {color} |
| {color:red}-1{color} | {color:red} unit {color} | {color:red} 66m 30s{color} 
| {color:red} hadoop-hdfs in the patch failed. {color} |
| {color:green}+1{color} | {color:green} asflicense {color} | {color:green}  0m 
21s{color} | {color:green} The patch does not generate ASF License warnings. 
{color} |
| {color:black}{color} | {color:black} {color} | {color:black}104m  3s{color} | 
{color:black} {color} |
\\
\\
|| Reason || Tests ||
| Failed junit tests | hadoop.ozone.scm.TestContainerSQLCli |
|   | hadoop.ozone.web.client.TestBuckets |
|   | hadoop.ozone.container.replication.TestContainerReplicationManager |
|   | hadoop.ozone.web.client.TestBucketsRatis |
|   | hadoop.ozone.container.ozoneimpl.TestOzoneContainer |
|   | hadoop.ozone.container.common.TestDatanodeStateMachine |
\\
\\
|| Subsystem || Report/Notes ||
| Docker |  Image:yetus/hadoop:14b5c93 |
| JIRA Issue | HDFS-12147 |
| JIRA Patch URL | 
https://issues.apache.org/jira/secure/attachment/12877484/HDFS-12147-HDFS-7240.001.patch
 |
| Optional Tests |  asflicense  compile  javac  javadoc  mvninstall  mvnsite  
unit  findbugs  checkstyle  cc  |
| uname | Linux 107a3a47f41a 3.13.0-119-generic #166-Ubuntu SMP Wed May 3 
12:18:55 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh 
|
| git revision | HDFS-7240 / 1bec6a1 |
| Default Java | 1.8.0_131 |
| findbugs | v3.1.0-RC1 |
| u

[jira] [Commented] (HDFS-12147) Ozone: KSM: Add checkBucketAccess

2017-07-17 Thread Chen Liang (JIRA) 

[ 
https://issues.apache.org/jira/browse/HDFS-12147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16090823#comment-16090823
 ] 

Chen Liang commented on HDFS-12147:
---

Thanks [~nandakumar131] for the patch! v001 patch looks pretty good to me 
overall, only some minor comments:
1. there are quite a few of places of java docs like {{Checks if the specified 
user with a role can access this bucket.}} It says user while it is actually 
taking an {{OzoneAcl}} object. Maybe we should change the doc a little bit?
2. {{checkBucketAccess()}} returns a boolean representing whether it as access 
or not, I think maybe it's better to change the method to either something like 
{{boolean hasBucketAccess(...)}}, or {{void checkBucketAccess(...) throws 
AccessControlException}}. I think current HDFS takes the later approach of 
throwing exception.

Additionally, seems that no one is calling {{checkBucketAccess()}} currently, 
e.g. deleteBucket does not call check access so anyone can delete any bucket. 
So as a future follow-up work, we should enforce access control at some point.

> Ozone: KSM: Add checkBucketAccess
> -
>
> Key: HDFS-12147
> URL: https://issues.apache.org/jira/browse/HDFS-12147
> Project: Hadoop HDFS
>  Issue Type: Sub-task
>  Components: ozone
>Reporter: Nandakumar
>Assignee: Nandakumar
> Attachments: HDFS-12147-HDFS-7240.000.patch, 
> HDFS-12147-HDFS-7240.001.patch
>
>
> Checks if the caller has access to a given bucket.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

[jira] [Commented] (HDFS-12147) Ozone: KSM: Add checkBucketAccess

2017-07-17 Thread Weiwei Yang (JIRA) 

[ 
https://issues.apache.org/jira/browse/HDFS-12147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16091091#comment-16091091
 ] 

Weiwei Yang commented on HDFS-12147:


Hi [~nandakumar131], [~vagarychen]

I am a bit confused with this patch.

1. Why the checkBucketAccess is exposed as a RPC call in KSM? Is it something 
that should be done internally in KSM while read/write/delete keys in a bucket? 
I am not sure why this is necessary to be exposed via 
{{KeySpaceManagerProtocol}}.

2. {{OzoneMetadataManager#checkBucketAccess}} loads the acls of a bucket from 
KSM db and compare that to the value passing by argument {{OzoneAcl}}, why we 
are comparing OzoneAcl ? I thought OzoneAcl was used to verify if a given 
user/group have a particular permission, e.g we could have OzoneAcl like 
following

  user:bilbo:rw

which means user {{bilbo}} has read as well as write permission to the bucket. 
So it's pretty nature to check against user and group name. I don't understand 
the check in line 843 - 853, can you elaborate please ?

Thank you.

> Ozone: KSM: Add checkBucketAccess
> -
>
> Key: HDFS-12147
> URL: https://issues.apache.org/jira/browse/HDFS-12147
> Project: Hadoop HDFS
>  Issue Type: Sub-task
>  Components: ozone
>Reporter: Nandakumar
>Assignee: Nandakumar
> Attachments: HDFS-12147-HDFS-7240.000.patch, 
> HDFS-12147-HDFS-7240.001.patch
>
>
> Checks if the caller has access to a given bucket.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

[jira] [Commented] (HDFS-12147) Ozone: KSM: Add checkBucketAccess

2017-07-17 Thread Nandakumar (JIRA) 

[ 
https://issues.apache.org/jira/browse/HDFS-12147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16091136#comment-16091136
 ] 

Nandakumar commented on HDFS-12147:
---

Hi [~cheersyang],

bq. Why the checkBucketAccess is exposed as a RPC call in KSM?
According to {{DistributedStorageHandler}} we are exposing 
{{checkBucketAccess}}, which can be used by user to check if they have required 
permission on a bucket. Similar to {{checkVolumeAccess}} for Ozone Volumes.
{code}
  @Override
  public void checkBucketAccess(BucketArgs args)
  throws IOException, OzoneException {
throw new UnsupportedOperationException(
"checkBucketAccess not implemented");
  }
{code}

bq. why we are comparing OzoneAcl?
The client has flexibility to check permission on user, group or world. So the 
client has to pass {{OzoneAcl}} which will tell us on which user/group/world 
and the permission that has to be checked.

Internal checks (for addBucketProperty, deleteBucket) will directly use user 
name and or group name as you mentioned.

> Ozone: KSM: Add checkBucketAccess
> -
>
> Key: HDFS-12147
> URL: https://issues.apache.org/jira/browse/HDFS-12147
> Project: Hadoop HDFS
>  Issue Type: Sub-task
>  Components: ozone
>Reporter: Nandakumar
>Assignee: Nandakumar
> Attachments: HDFS-12147-HDFS-7240.000.patch, 
> HDFS-12147-HDFS-7240.001.patch
>
>
> Checks if the caller has access to a given bucket.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

[jira] [Commented] (HDFS-12147) Ozone: KSM: Add checkBucketAccess

2017-07-17 Thread Nandakumar (JIRA) 

[ 
https://issues.apache.org/jira/browse/HDFS-12147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16091138#comment-16091138
 ] 

Nandakumar commented on HDFS-12147:
---

Thanks [~vagarychen] for the review.

bq. Maybe we should change the doc a little bit?
I will change the doc accordingly.
bq. void checkBucketAccess(...) throws AccessControlException
According to {{StorageHandler}} definition  {{checkBucketAccess}} originally 
had void as return type, I wanted {{checkBucketAccess}} to be consistent with 
{{checkVolumeAccess}} that is the reason for having boolean as return type.
I'm ok with {{void checkBucketAccess(...) throws AccessControlException}}, will 
file a jira to change {{checkVolumeAccess}}'s behavior.

> Ozone: KSM: Add checkBucketAccess
> -
>
> Key: HDFS-12147
> URL: https://issues.apache.org/jira/browse/HDFS-12147
> Project: Hadoop HDFS
>  Issue Type: Sub-task
>  Components: ozone
>Reporter: Nandakumar
>Assignee: Nandakumar
> Attachments: HDFS-12147-HDFS-7240.000.patch, 
> HDFS-12147-HDFS-7240.001.patch
>
>
> Checks if the caller has access to a given bucket.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

[jira] [Commented] (HDFS-12147) Ozone: KSM: Add checkBucketAccess

2017-07-18 Thread Weiwei Yang (JIRA) 

[ 
https://issues.apache.org/jira/browse/HDFS-12147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16091335#comment-16091335
 ] 

Weiwei Yang commented on HDFS-12147:


Hi [~nandakumar131]

Thank you. But even we want to expose them to clients, the API arguments still 
look odd to me. How would a client to compose an OzoneAcl in the request when 
it wants to check a certain access? Semantically we often check against an 
{{User Identity}} and an {{operation}} (e.g read/write/delete). Use this patch, 
does it work like following?

Suppose a bucket has following ACL

{noformat}
user:bilbo:rw
user:john:r
user:mike:w
{noformat}

and a client pass an OzoneAcl like following

{{user:mike:w}}

this means I want to check if user mike has the write permission to the bucket? 
And this case it has the access.

What if the bucket ACL is like following

{noformat}
user:bilbo:rw
user:john:r
group:hadoop:w
{noformat}

and mike belongs to hadoop group, when I verify {{user:mike:w}}, will it give 
me an access control exception?

> Ozone: KSM: Add checkBucketAccess
> -
>
> Key: HDFS-12147
> URL: https://issues.apache.org/jira/browse/HDFS-12147
> Project: Hadoop HDFS
>  Issue Type: Sub-task
>  Components: ozone
>Reporter: Nandakumar
>Assignee: Nandakumar
> Attachments: HDFS-12147-HDFS-7240.000.patch, 
> HDFS-12147-HDFS-7240.001.patch
>
>
> Checks if the caller has access to a given bucket.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

[jira] [Commented] (HDFS-12147) Ozone: KSM: Add checkBucketAccess

2017-07-18 Thread Nandakumar (JIRA) 

[ 
https://issues.apache.org/jira/browse/HDFS-12147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16091347#comment-16091347
 ] 

Nandakumar commented on HDFS-12147:
---

Good point [~cheersyang].
I agree that current implementation of passing {{OzoneAcl}} is not intuitive.
bq. mike belongs to hadoop group, when I verify user:mike:w, will it give me an 
access control exception?
Sadly yes, with current implementation the client explicitly has to check for 
{{group:hadoop:w}}.
I'm open to suggestions here.

Getting user name from client and internally checking for user/group/world 
access makes more sense, let me update the patch with this logic.

> Ozone: KSM: Add checkBucketAccess
> -
>
> Key: HDFS-12147
> URL: https://issues.apache.org/jira/browse/HDFS-12147
> Project: Hadoop HDFS
>  Issue Type: Sub-task
>  Components: ozone
>Reporter: Nandakumar
>Assignee: Nandakumar
> Attachments: HDFS-12147-HDFS-7240.000.patch, 
> HDFS-12147-HDFS-7240.001.patch
>
>
> Checks if the caller has access to a given bucket.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

[jira] [Commented] (HDFS-12147) Ozone: KSM: Add checkBucketAccess

2017-07-18 Thread Weiwei Yang (JIRA) 

[ 
https://issues.apache.org/jira/browse/HDFS-12147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16091358#comment-16091358
 ] 

Weiwei Yang commented on HDFS-12147:


Hi [~nandakumar131]

Please hold on submitting a new patch, lets route this discussion to [~anu] as 
he reviewed HDFS-11771 for checkVolumeAccess. Can we revisit this 2 APIs and 
get them consisted? Ping [~anu], please take a look and let us know your 
thought, thanks.

My thought if we are going to support ACLs, then we need to have an overall 
picture what places will need these checks and make sure they are all 
addressed. Otherwise it will be like some place working, some place not.

Thank you.

> Ozone: KSM: Add checkBucketAccess
> -
>
> Key: HDFS-12147
> URL: https://issues.apache.org/jira/browse/HDFS-12147
> Project: Hadoop HDFS
>  Issue Type: Sub-task
>  Components: ozone
>Reporter: Nandakumar
>Assignee: Nandakumar
> Attachments: HDFS-12147-HDFS-7240.000.patch, 
> HDFS-12147-HDFS-7240.001.patch
>
>
> Checks if the caller has access to a given bucket.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org