| title | date | weight | summary |
|---|---|---|---|
| Ozone ACLs | 2019-April-03 | 6 | Native ACL support provides ACL functionality without Ranger integration. |
Ozone supports a set of native ACLs. These ACLs can be used independently or along with Ranger. If Apache Ranger is enabled, the access check is done first by Ranger and then Ozone's internal ACLs are evaluated.
Ozone ACLs are a superset of Posix and S3 ACLs.
The general format of an ACL is object:who:rights.
Where an object can be:
- Volume - An Ozone volume. e.g. /volume
- Bucket - An Ozone bucket. e.g. /volume/bucket
- Key - An object key or an object. e.g. /volume/bucket/key
- Prefix - A path prefix for a specific key. e.g. /volume/bucket/prefix1/prefix2
Where a who can be:
- User - A user in the Kerberos domain. As in the Posix world, a user can be named or unnamed.
- Group - A group in the Kerberos domain. As in the Posix world, a group can also be named or unnamed.
- World - All authenticated users in the Kerberos domain. This maps to others in the Posix domain.
- Anonymous - Ignore the user field completely. This is an extension to the Posix semantics. It is needed for the S3 protocol, where we express that we have no way of knowing who the user is, or that we don't care.
Where a right can be:
- Create – This ACL provides a user the ability to create buckets in a volume and keys in a bucket. Please note: under Ozone, only admins can create volumes.
- List – This ACL allows listing of buckets and keys. It is attached to volumes and buckets and allows listing of their child objects. Please note: a user and the admins can list the volumes owned by that user.
- Delete – Allows the user to delete a volume, bucket or key.
- Read – Allows the user to read the metadata of a volume or bucket, and the data stream and metadata of a key (object).
- Write - Allows the user to write the metadata of a volume or bucket, and to overwrite an existing Ozone key (object).
- Read_ACL – Allows a user to read the ACL on a specific object.
- Write_ACL – Allows a user to write the ACL on a specific object.
Ozone Native ACL APIs (work in progress)
The ACLs can be manipulated by a set of APIs supported by Ozone. The APIs supported are:
- SetAcl – This API takes the user principal, the name of the object, the type of the object and a list of ACLs.
- GetAcl – This API takes the name of an Ozone object and the type of the object, and returns a list of ACLs.
- RemoveAcl - We might support an API called RemoveAcl as a convenience API, but in reality it is just a GetAcl followed by a SetAcl with an etag to avoid conflicts.
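The following is an added toy model of the object:who:rights scheme and the SetAcl/GetAcl/RemoveAcl flow described above; it is example code written for this page, not Ozone's own implementation or client API. The concrete string encoding (`bucket=/vol/b:user=alice:read,list`), the rule that a prefix ACL also covers every key under that prefix, the admin bootstrap bypass for editing ACLs, and an integer per-object etag are all assumptions made for the example. It shows how world differs from anonymous for a request that carries no identity, how group membership is resolved through a prefix ACL, and how RemoveAcl built as GetAcl-then-SetAcl uses the etag to reject a concurrent edit.

```python
# Toy model of Ozone-style native ACLs. Added example, not Ozone's own code.
# Assumed (not stated on the page): the string encoding below, that a prefix ACL also
# covers every key under it, that admins may always edit ACLs, and an integer etag.
from dataclasses import dataclass

RIGHTS = {"create", "list", "delete", "read", "write", "read_acl", "write_acl"}
OBJECT_TYPES = {"volume", "bucket", "key", "prefix"}
WHO_TYPES = {"user", "group", "world", "anonymous"}

@dataclass(frozen=True)
class Acl:
    object_type: str   # volume | bucket | key | prefix
    path: str          # e.g. /volume/bucket/key
    who_type: str      # user | group | world | anonymous
    who_name: str      # empty for world and anonymous
    rights: frozenset  # subset of RIGHTS

@dataclass(frozen=True)
class Principal:
    user: "str | None" = None        # None: request carries no identity (S3-style anonymous)
    groups: frozenset = frozenset()  # Kerberos groups of the user

def parse_acl(text: str) -> Acl:
    """Parse object:who:rights, e.g. 'prefix=/vol/b/logs/:group=ops:read,list'."""
    obj_part, who_part, rights_part = text.split(":", 2)
    object_type, path = obj_part.split("=", 1)
    who_type, _, who_name = who_part.partition("=")   # user/group carry a name, world/anonymous do not
    if (object_type not in OBJECT_TYPES or who_type not in WHO_TYPES
            or (who_type in ("user", "group")) != bool(who_name)):
        raise ValueError(f"bad ACL {text!r}")
    rights = frozenset(r.strip().lower() for r in rights_part.split(","))
    if not rights <= RIGHTS:
        raise ValueError(f"unknown rights {sorted(rights - RIGHTS)}")
    return Acl(object_type, path, who_type, who_name, rights)

def _who_matches(acl: Acl, p: Principal) -> bool:
    if acl.who_type == "anonymous":   # user field ignored entirely
        return True
    if acl.who_type == "world":       # every authenticated user, never an identity-less request
        return p.user is not None
    if acl.who_type == "user":
        return p.user == acl.who_name
    return p.user is not None and acl.who_name in p.groups   # group

def _object_matches(acl: Acl, object_type: str, path: str) -> bool:
    if acl.object_type == object_type and acl.path == path:
        return True
    # assumed: a prefix ACL also applies to every key under that prefix
    return acl.object_type == "prefix" and object_type == "key" and path.startswith(acl.path)

class ConflictError(Exception):
    """SetAcl was given a stale etag: the ACL list changed after it was read."""

class AclStore:
    def __init__(self, admins: frozenset = frozenset()):
        self._acls = {}    # (object_type, path) -> tuple of Acl
        self._etags = {}   # (object_type, path) -> version, bumped on every SetAcl
        self._admins = admins

    def get_acl(self, object_type, path):
        k = (object_type, path)
        return list(self._acls.get(k, ())), self._etags.get(k, 0)

    def is_allowed(self, p, object_type, path, right):
        return any(right in a.rights and _object_matches(a, object_type, path) and _who_matches(a, p)
                   for acls in self._acls.values() for a in acls)

    def set_acl(self, caller, object_type, path, acls, expected_etag=None):
        if caller.user not in self._admins and not self.is_allowed(caller, object_type, path, "write_acl"):
            raise PermissionError(f"{caller.user!r} lacks write_acl on {path}")
        k = (object_type, path)
        current = self._etags.get(k, 0)
        if expected_etag is not None and expected_etag != current:
            raise ConflictError(f"etag {expected_etag} is stale; current is {current}")
        self._acls[k], self._etags[k] = tuple(acls), current + 1
        return current + 1

    def remove_acl(self, caller, acl):
        """RemoveAcl as the page describes it: GetAcl, drop the entry, SetAcl with the etag."""
        current, etag = self.get_acl(acl.object_type, acl.path)
        return self.set_acl(caller, acl.object_type, acl.path,
                            [a for a in current if a != acl], expected_etag=etag)

def demo() -> dict:
    """Constructed scenario: an admin bootstraps the ACLs, then alice edits the bucket's."""
    store, admin = AclStore(admins=frozenset({"admin"})), Principal("admin")
    alice, bob, anon = Principal("alice"), Principal("bob", frozenset({"ops"})), Principal()
    world_list = parse_acl("bucket=/vol/b:world:list")
    store.set_acl(admin, "bucket", "/vol/b",
                  [parse_acl("bucket=/vol/b:user=alice:read,write,list,write_acl"), world_list])
    store.set_acl(admin, "prefix", "/vol/b/logs/", [parse_acl("prefix=/vol/b/logs/:group=ops:read")])
    store.set_acl(admin, "key", "/vol/b/pub.txt", [parse_acl("key=/vol/b/pub.txt:anonymous:read")])
    r = {"alice_write": store.is_allowed(alice, "bucket", "/vol/b", "write"),
         "bob_list": store.is_allowed(bob, "bucket", "/vol/b", "list"),              # via world
         "anon_list": store.is_allowed(anon, "bucket", "/vol/b", "list"),            # world needs identity
         "bob_read_log": store.is_allowed(bob, "key", "/vol/b/logs/x.log", "read"),  # prefix + group
         "anon_read_pub": store.is_allowed(anon, "key", "/vol/b/pub.txt", "read")}
    r["etag"] = store.remove_acl(alice, world_list)   # alice holds write_acl on the bucket
    r["bob_list_after"] = store.is_allowed(bob, "bucket", "/vol/b", "list")
    try:                                              # the etag read before alice's edit is now stale
        store.set_acl(admin, "bucket", "/vol/b", [], expected_etag=1)
        r["stale_rejected"] = False
    except ConflictError:
        r["stale_rejected"] = True
    return r
```

Running `demo()` shows that bob can list the bucket through the world entry while an identity-less request cannot, that bob reads a key under `/vol/b/logs/` only because of his group and the prefix ACL, and that the second SetAcl carrying the etag read before alice's RemoveAcl is refused rather than silently overwriting her change.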