hadoop-common-issues mailing list archives

From "Steve Loughran (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-15572) Test S3Guard ops with assumed roles & verify required permissions
Date Thu, 05 Jul 2018 10:33:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-15572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16533491#comment-16533491 ]

Steve Loughran commented on HADOOP-15572:
-----------------------------------------

HADOOP-15569 documents the permissions needed, as obtained through manual setup.

What can be added is automated tests for restricted reader and admin permissions, so that
any (unintentional) changes in requirements get picked up.

Proposed: 
 1. test for s3guard init/prune/destroy commands with perms restricted to admin set of roles
 2. test for restricted user role with read, list & update operations all working, but
    S3Guard tool operations blocked as appropriate.

Test #1 could be done just by restricting the role for some of the existing tests, though
it may be tricky to get right there (shared filesystems, etc.)

 

> Test S3Guard ops with assumed roles & verify required permissions
> -----------------------------------------------------------------
>
>                 Key: HADOOP-15572
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15572
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 3.1.0
>            Reporter: Steve Loughran
>            Priority: Major
>
> We haven't documented permissions for S3Guard (WiP of mine); when I try to test using
> the AssumedRoleCredentialProvider & a role nominally restricted to R/W of S3guard *but
> not create/delete*, I can still create and destroy buckets
> Either I've got my list wrong, or how S3Guard sets up its auth isn't right & somehow
> falling back to the full role



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org
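
An offline sketch of the permission regression check proposed in the comment above, added here as an example and not taken from Hadoop's test suite: it evaluates constructed IAM policy documents with a simplified model (default deny, explicit Deny wins, no conditions) and reports any action whose outcome differs from what the role should get. The DynamoDB action split, the table ARN and all three policies are assumptions; HADOOP-15569 holds the documented permission list.

```python
import fnmatch

# Assumed action split for illustration; HADOOP-15569 documents the real list.
ADMIN_ACTIONS = ["dynamodb:CreateTable", "dynamodb:DeleteTable"]
DATA_ACTIONS = ["dynamodb:GetItem", "dynamodb:Query",
                "dynamodb:PutItem", "dynamodb:DeleteItem"]
# Constructed placeholder ARN, not a real table.
TABLE = "arn:aws:dynamodb:us-east-1:111122223333:table/example-s3guard"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: default deny, explicit Deny beats Allow."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r)
                   for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def permission_drift(policy, resource, must_allow, must_deny):
    """List every action whose outcome differs from what the role should get."""
    drift = [(a, "unexpectedly denied") for a in must_allow
             if not is_allowed(policy, a, resource)]
    drift += [(a, "unexpectedly allowed") for a in must_deny
              if is_allowed(policy, a, resource)]
    return drift

# Constructed policies: a correctly restricted user role, an over-broad one
# that would still permit table create/delete, and an admin role.
RESTRICTED = {"Statement": [
    {"Effect": "Allow", "Action": DATA_ACTIONS, "Resource": TABLE}]}
TOO_BROAD = {"Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}
ADMIN = {"Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": TABLE}]}

if __name__ == "__main__":
    for name, pol in [("restricted", RESTRICTED), ("too_broad", TOO_BROAD)]:
        print(name, permission_drift(pol, TABLE, DATA_ACTIONS, ADMIN_ACTIONS))
```

A static check like this only catches drift in the policy documents; the live tests proposed in the comment are still needed to catch the credential-fallback case raised in the issue description.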

