Any user can create bucket on /s3v volume. #7506

unixsrv · 2024-11-29T08:41:14Z

unixsrv
Nov 29, 2024

I faced an issue with limiting the ability to create buckets in S3. Any user can create a bucket on the volume s3v. Please advise how this can be restricted ?

Answered by unixsrv

Dec 2, 2024

Sorry resolve problem

Set permisions:
To s3v volume:

[ {
  "type" : "WORLD",
  "name" : "WORLD",
  "aclScope" : "ACCESS",
  "aclList" : [ "READ", "LIST" ]
} ]

To volume:

[ {
  "type" : "USER",
  "name" : "user1",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
} ]

To volume bucket:

[ {
  "type" : "USER",
  "name" : "user1",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
} ]

All works. Thank you !!

View full answer

ChenSammi · 2024-12-02T08:46:37Z

ChenSammi
Dec 2, 2024
Collaborator

Do you use native ACL or Ranger for user authorization? If native ACL is used, could you please share the native ACLs assigned to volume s3v? Command "ozone sh volume getacl $volumeName" can be used to fetch the ACLs.

2 replies

unixsrv Dec 2, 2024
Author

I use native ACL

Set in config:

<property>
        <name>ozone.acl.authorizer.class</name>
        <value>org.apache.hadoop.ozone.security.acl.OzoneNativeAuthorizer</value>
    </property>

    <property>
        <name>ozone.acl.enabled</name>
        <value>true</value>
    </property>

ACL:

`[ozone@node1 ~]$ ozone sh volume getacl /s3v
[ {
  "type" : "USER",
  "name" : "root",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "GROUP",
  "name" : "root",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
} ]`

unixsrv Dec 2, 2024
Author

I completely reinstalled it and now it seems to be working. The user cannot create, only Administrator s3g can, but when creating a bucket and granting permissions, the user receives an error:
ERROR: S3 error: 403 (AccessDenied): User doesn't have the right to access this resource. <Resource>listBuckets</Resource>

The sequence of commands that were executed:

`
ozone s3 getsecret -u=user1
ozone sh  volume create  /vol1
ozone sh  bucket  create  /vol1/bucket1
ozone sh bucket link /vol1/bucket1 /s3v/bucket1
ozone sh bucket addacl -a user:user1:a  /s3v/bucket1
`

Are there any additional actions needed to allow the user to see their bucket?

unixsrv · 2024-12-02T13:22:04Z

unixsrv
Dec 2, 2024
Author

Sorry resolve problem

Set permisions:
To s3v volume:

[ {
  "type" : "WORLD",
  "name" : "WORLD",
  "aclScope" : "ACCESS",
  "aclList" : [ "READ", "LIST" ]
} ]

To volume:

[ {
  "type" : "USER",
  "name" : "user1",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
} ]

To volume bucket:

[ {
  "type" : "USER",
  "name" : "user1",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
} ]

All works. Thank you !!

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Any user can create bucket on /s3v volume. #7506

{{title}}

Replies: 2 comments 2 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

Any user can create bucket on /s3v volume. #7506

unixsrv Nov 29, 2024

Replies: 2 comments · 2 replies

ChenSammi Dec 2, 2024 Collaborator

unixsrv Dec 2, 2024 Author

unixsrv Dec 2, 2024 Author

unixsrv Dec 2, 2024 Author

unixsrv
Nov 29, 2024

Replies: 2 comments 2 replies

ChenSammi
Dec 2, 2024
Collaborator

unixsrv Dec 2, 2024
Author

unixsrv Dec 2, 2024
Author

unixsrv
Dec 2, 2024
Author