hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Aaron Fabbri (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-15525) s3a: clarify / improve support for mixed ACL buckets
Date Fri, 08 Jun 2018 21:14:00 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-15525?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Aaron Fabbri updated HADOOP-15525:
----------------------------------
    Description: 
Scenario: customer wants to only give a Hadoop cluster access to a subtree of an S3 bucket.

For example, assume Hadoop uses some IAM identity "hadoop", which they wish to grant full
permission to everything under the following path:

s3a://bucket/a/b/c/hadoop-dir

they don't want hadoop user to be able to read/list/delete anything outside of the hadoop-dir
"subdir"

Problems: 

To implement the "directory structure on flat key space" emulation logic we use to present
a Hadoop FS on top of a blob store, we need to create / delete / list ancestors of {{hadoop-dir}}.
(to maintain the invariants (1) zero-byte object with key ending in '/' exists iff empty directory
is there and (2) files cannot live beneath files, only directories.)

I'd like us to either (1) document a workaround (example IAM ACLs) that gets this basic functionality,
and/or (2) make improvements to make this less painful.

We've discussed some of these issues before but I didn't see a dedicated JIRA.

  was:
Scenario: customer wants to only give a Hadoop cluster access to a subtree of an S3 bucket.

For example, assume Hadoop uses some IAM identity "hadoop", which they wish to grant full
permission to everything under the following path:

s3a://bucket/a/b/c/hadoop-dir

they don't want hadoop user to be able to read/list/delete anything outside of the hadoop-dir
"subdir"

Problems: 

To implement the "directory structure on flat key space" emulation logic we use to present
a Hadoop FS on top of a blob store, we need to create / delete / list ancestors of {{hadoop-dir}}. 

I'd like us to either (1) document a workaround (example IAM ACLs) that gets this basic functionality,
and/or (2) make improvements to make this less painful.

We've discussed some of these issues before but I didn't see a dedicated JIRA.


> s3a: clarify / improve support for mixed ACL buckets
> ----------------------------------------------------
>
>                 Key: HADOOP-15525
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15525
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: fs/s3
>    Affects Versions: 3.0.0
>            Reporter: Aaron Fabbri
>            Priority: Major
>
> Scenario: customer wants to only give a Hadoop cluster access to a subtree of an S3
bucket.
> For example, assume Hadoop uses some IAM identity "hadoop", which they wish to grant
full permission to everything under the following path:
> s3a://bucket/a/b/c/hadoop-dir
> they don't want hadoop user to be able to read/list/delete anything outside of the hadoop-dir
"subdir"
> Problems: 
> To implement the "directory structure on flat key space" emulation logic we use to present
a Hadoop FS on top of a blob store, we need to create / delete / list ancestors of {{hadoop-dir}}.
(to maintain the invariants (1) zero-byte object with key ending in '/' exists iff empty directory
is there and (2) files cannot live beneath files, only directories.)
> I'd like us to either (1) document a workaround (example IAM ACLs) that gets this basic
functionality, and/or (2) make improvements to make this less painful.
> We've discussed some of these issues before but I didn't see a dedicated JIRA.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message