HDDS-15064. [STS] Artifacts for Ranger to Consider S3 Action when Authorizing #10316
Open
fmorg-git wants to merge 2 commits into
Conversation
(cherry picked from commit 59ad0a1) Conflicts: hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/RequestContext.java
…horizing (apache#10108) (cherry picked from commit fdd20f0)
Author (Contributor): hi @ChenSammi @jojochuang - this PR is ready for review. Thanks!
smengcl (Contributor) requested changes on May 20, 2026:
Uh-oh, I realized this has two commits. Because the upstream PR here only allows squash merging, you need to raise a backport for HDDS-14104 first, then this one, HDDS-15064. Otherwise the two commits would get squashed into one (when merged via the GitHub UI).
Please describe your PR in detail:
Currently, ACLs used by Ozone and Ranger are not granular enough. For example, read on volume, read on bucket, and write on key can be used by either s3:PutObjectTagging or s3:DeleteObjectTagging. Similarly, because s3:PutObject requires read on volume, read on bucket, and create and write on key, someone with s3:PutObject access can also call s3:PutObjectTagging (as an example). To prevent having more access than requested (or different access than requested), we need a means of restricting the ACL permissions further by S3 actions.
To do this, we introduce an s3Action field in RequestContext so that if populated, the RangerOzoneAuthorizer would further restrict the permissions according to the S3 action.
Additionally, the OzoneGrant would contain a Set representing the S3 actions that are allowed for an inline policy. If all actions are allowed, then the Set would be empty (or null).
This PR is to pull the same commit from the master branch (HDDS-15064. [STS] Artifacts for Ranger to Consider S3 Action when Authorizing #10108) into the Ozone 2.1 release branch so the Ranger team can use it upstream in the next Ozone release (2.1.1). It also required a prerequisite separate commit because of the refactoring done: HDDS-14104. Refactor RequestContext creation #9493
What is the link to the Apache JIRA
https://issues.apache.org/jira/browse/HDDS-15064
How was this patch tested?
smoke tests in feature branch
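The over-grant the description calls out, and the S3-action narrowing it proposes, as an added worked model. This is illustration code written for this page, not Ozone's or Ranger's code: the names `Grant`, `RequestContext`, `authorize`, `authorize_s3_action` and the `REQUIRED_RIGHTS` table are assumptions chosen here, and only the three action-to-rights rows that the description spells out (s3:PutObject needs read on volume, read on bucket, create and write on key; the two tagging actions need read on volume, read on bucket, write on key) are taken from the PR text. The model keeps the description's convention that an empty or null set of allowed S3 actions means every action is permitted.

```python
"""Model of coarse ACL rights versus S3-action restriction (illustration only,
not Apache Ozone code). Names and the REQUIRED_RIGHTS table are assumptions."""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, FrozenSet, Optional, Set, Tuple


class Res(Enum):
    VOLUME = auto()
    BUCKET = auto()
    KEY = auto()


class Right(Enum):
    READ = auto()
    WRITE = auto()
    CREATE = auto()
    DELETE = auto()


# Rights each S3 action needs at each resource level. The three rows follow the
# PR description; the table itself is a constructed assumption for this model.
REQUIRED_RIGHTS: Dict[str, Dict[Res, Set[Right]]] = {
    "s3:PutObject": {Res.VOLUME: {Right.READ}, Res.BUCKET: {Right.READ},
                     Res.KEY: {Right.CREATE, Right.WRITE}},
    "s3:PutObjectTagging": {Res.VOLUME: {Right.READ}, Res.BUCKET: {Right.READ},
                            Res.KEY: {Right.WRITE}},
    "s3:DeleteObjectTagging": {Res.VOLUME: {Right.READ}, Res.BUCKET: {Right.READ},
                               Res.KEY: {Right.WRITE}},
}


@dataclass
class Grant:
    """Rights granted per resource level plus an optional S3-action allow-list.
    None or an empty set means every S3 action is permitted (per the PR text)."""
    rights: Dict[Res, FrozenSet[Right]]
    allowed_actions: Optional[FrozenSet[str]] = None


@dataclass(frozen=True)
class RequestContext:
    """The slice of a request the authorizer sees: which right is being asked
    for on which resource, and the S3 action if the request came via S3."""
    resource: Res
    right: Right
    s3_action: Optional[str] = None


def authorize(ctx: RequestContext, grant: Grant) -> Tuple[bool, str]:
    # Step 1: the coarse ACL check that exists before any S3-action narrowing.
    if ctx.right not in grant.rights.get(ctx.resource, frozenset()):
        return False, f"missing {ctx.right.name} on {ctx.resource.name}"
    # Step 2: only when the request carries an S3 action AND the grant is
    # action-scoped do we narrow further. Empty/None allow-list = all actions.
    if ctx.s3_action and grant.allowed_actions:
        if ctx.s3_action not in grant.allowed_actions:
            return False, f"{ctx.s3_action} not in grant's allowed S3 actions"
    return True, "allowed"


def authorize_s3_action(action: str, grant: Grant) -> Tuple[bool, str]:
    """Issue every per-resource ACL check one S3 action implies; the request is
    allowed only if all of them pass."""
    if action not in REQUIRED_RIGHTS:
        return False, f"unknown action {action}"
    for res, rights in REQUIRED_RIGHTS[action].items():
        for right in rights:
            ok, why = authorize(RequestContext(res, right, action), grant)
            if not ok:
                return False, why
    return True, "allowed"


# Constructed sample grants: exactly the rights s3:PutObject needs.
PUT_OBJECT_RIGHTS = {
    Res.VOLUME: frozenset({Right.READ}),
    Res.BUCKET: frozenset({Right.READ}),
    Res.KEY: frozenset({Right.CREATE, Right.WRITE}),
}
# Rights-only grant: the pre-patch situation, tagging calls slip through.
COARSE_GRANT = Grant(PUT_OBJECT_RIGHTS)
# Same rights, but scoped to the one S3 action that was actually requested.
SCOPED_GRANT = Grant(PUT_OBJECT_RIGHTS, frozenset({"s3:PutObject"}))

if __name__ == "__main__":
    for act in ("s3:PutObject", "s3:PutObjectTagging", "s3:DeleteObjectTagging"):
        print(f"{act:24} coarse={authorize_s3_action(act, COARSE_GRANT)[0]} "
              f"scoped={authorize_s3_action(act, SCOPED_GRANT)[0]}")
```

Running the block shows the point of the patch: with the rights-only grant all three actions are allowed even though only s3:PutObject was asked for, while the action-scoped grant allows s3:PutObject and denies both tagging actions. A request with no `s3_action` set (a non-S3 client hitting the same ACLs) is still decided purely on rights, which is what the "if populated" wording in the description implies.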