[
https://issues.apache.org/jira/browse/HDDS-10417?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ivan Andika updated HDDS-10417:
-------------------------------
Summary: [Website v2] Ozone Native ACL Documentation (was: Ozone Native
ACL Documentation)
> [Website v2] Ozone Native ACL Documentation
> -------------------------------------------
>
> Key: HDDS-10417
> URL: https://issues.apache.org/jira/browse/HDDS-10417
> Project: Apache Ozone
> Issue Type: Sub-task
> Reporter: Ivan Andika
> Assignee: Ivan Andika
> Priority: Major
> Labels: documentation, website
>
> Create a documentation regarding the Ozone Native ACL. This is also a good
> avenue to consolidate and identify the gaps in the Ozone Native ACLs
> mechanism.
> Things to cover include (not exhaustive):
> * General Ozone ACL information
> ** Similar to the current Ozone documentation
> * UserGroupInformation concept
> * User default ACL for current user during volume / bucket / key creation
> ** See RpcClient#getAclList
> ** Seems the idea is to allow the creator of the object to have ACL access
> to the object created
> *** This could be instead superseded by key owner concept (see
> https://issues.apache.org/jira/browse/HDDS-7791)
> * The Ozone Native Authorizer ACL model
> ** Authorization flow
> ** Volume and bucket ownership concept
> ** Admin & Readonly admins
> ** Table of different OM requests and what ACL are checked
> ** ACL is a resource-based access control mechanism (vs Ranger / AWS IAM
> that's policy-based access control mechanism)
> *** Pros: No need IAM infrastructure / separate component
> *** Cons: OM metadata overhead, more complex to reason than policy-based
> access control mechanism
> ** Parent object and child object relationship
> *** DEFAULT ACL inheritance
> *** Directory DEFAULT ACL inheritance
> **** https://issues.apache.org/jira/browse/HDDS-8653
> **** TODO: Although directory ACL is not really used in the native
> authorizer, might need to be addressed
> *** What is the derived parent access for each child access (can be put in a
> table)
> ** Prefix ACL
> *** Note that it is different than POSIX directory ACL since parent prefix
> ACL does not need to be created before the child key can be created
> ** ACL for linked bucket
> *** https://issues.apache.org/jira/browse/HDDS-4715
> * Creating another authorizer strategy by implementing IAccessAuthorizer
> * ACL Configuration
> * Ozone S3 ACL Support
> ** Ozone native ACL mapping when using S3 ACL API
> ** See: https://issues.apache.org/jira/browse/HDDS-4550
> ** Currently only support S3 Bucket ACL
> ** Limitations
> ** TODO: Since there were some changes in the Ozone Native ACL model, there
> might be inaccuracies in the mapping. This might need to be addressed.
> ** TODO: Since one S3 ACL will map to multiple Ozone ACLs, this might pose
> some possible problems
> * Also add a link for the Ranger permission model
> ** https://issues.apache.org/jira/browse/HDDS-7697
> * Usage
> ** Java API
> ** Ozone shell
> ** S3G (Might not work properly anymore)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
