[
https://issues.apache.org/jira/browse/HDDS-8021?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17697091#comment-17697091
]
George Jahad commented on HDDS-8021:
------------------------------------
Based on our discussions with the ranger team, the behaviour for
RangerOzoneAuthorizer, for the first Ozone snapshot release, will be to just
check the regular path, not the path with the snapshot prefix appended.
The Ranger team will subsequently add the dual check described above.
> [Snapshot] Document snapshot access ACL behavior
> ------------------------------------------------
>
> Key: HDDS-8021
> URL: https://issues.apache.org/jira/browse/HDDS-8021
> Project: Apache Ozone
> Issue Type: Sub-task
> Reporter: Siyao Meng
> Priority: Major
>
> (Current design, not final unless resolved)
> For OzoneNativeAuthorizer, Ozone directly checks against the native ACL
> inside the snapshot checkpoint DB. This implies the captured native ACL is
> immutable because currently Ozone supports read-only snapshots only.
> For RangerOzoneAuthorizer, Ozone first checks against the path inside the
> snapshot. If the explicit policy on the snapshot path doesn't exist, Ozone
> Manager checks access against the policy on the regular path instead.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
