whbing commented on PR #4738: URL: https://github.com/apache/ozone/pull/4738#issuecomment-1571509547
**Currently implemented logic**: all nodes (dir/file) have their owner acls as well as inherited acls. The logic of acl inheritance is as follows:

1. `FSO`: a subdir or leaf file inherits the direct parent's DEFAULT acl; a subdir keeps DEFAULT scope and a file keeps ACCESS scope.
2. `LEGACY`: a subdir (ends with /) inherits the direct parent's DEFAULT acl and keeps DEFAULT scope; a leaf file inherits the bucket DEFAULT acls (because it can't get the parent info temporarily; maybe it can be optimized in a subsequent PR).
3. `OBS`: no dir, inherits from the bucket DEFAULT acls.

The benefits of the above changes are:

1. Unified inheritance rules for subdirs and files. For example, a `READ_GROUP[DEFAULT]` acl is given to a bucket, which can be inherited by children for easy authentication.
2. `LEGACY` and `OBS` also try to be consistent with `FSO` to reduce the complexity of understanding.
3. It is good for recursive acl-checking (maybe there will be a new PR combined with prefix in the future for more optimized authentication).
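A minimal model of the inheritance rules described in this comment, added here as an illustration; it is not code from the PR or from Ozone. The names `Acl`, `inherited_acls` and `file_acls_under_dir` are hypothetical, and the ACCESS scope for files in `LEGACY` and `OBS` buckets is an assumption, since the comment states the file scope only for `FSO`.

```python
from dataclasses import dataclass, replace

DEFAULT, ACCESS = "DEFAULT", "ACCESS"


@dataclass(frozen=True)
class Acl:
    principal: str  # constructed sample values such as "group:analysts"
    rights: str
    scope: str      # DEFAULT (inheritable) or ACCESS (applies to the node itself)


def inherited_acls(layout, bucket_acls, parent_acls, is_dir):
    """ACLs a newly created node inherits under the rules in the comment."""
    if layout == "FSO":
        source = parent_acls                          # direct parent, dirs and files
    elif layout == "LEGACY":
        source = parent_acls if is_dir else bucket_acls  # files fall back to bucket
    elif layout == "OBS":
        if is_dir:
            raise ValueError("OBS buckets have no directories")
        source = bucket_acls
    else:
        raise ValueError(f"unknown bucket layout: {layout}")
    # Only DEFAULT-scoped entries propagate. Dirs keep DEFAULT so the entry
    # keeps flowing down; files get ACCESS (assumed for LEGACY and OBS).
    child_scope = DEFAULT if is_dir else ACCESS
    return [replace(a, scope=child_scope) for a in source if a.scope == DEFAULT]


def file_acls_under_dir(layout):
    """Create bucket -> dir/ -> dir/file and return the file's inherited ACLs."""
    bucket = [Acl("group:analysts", "READ", DEFAULT),
              Acl("user:admin", "ALL", ACCESS)]       # ACCESS scope: not inherited
    # The directory inherits from the bucket, then gets one extra DEFAULT entry
    # set directly on it; this entry is where FSO and LEGACY diverge for files.
    directory = inherited_acls(layout, bucket, bucket, is_dir=True)
    directory.append(Acl("group:etl", "WRITE", DEFAULT))
    leaf = inherited_acls(layout, bucket, directory, is_dir=False)
    return {(a.principal, a.rights, a.scope) for a in leaf}


if __name__ == "__main__":
    for layout in ("FSO", "LEGACY"):
        print(layout, sorted(file_acls_under_dir(layout)))
```

In this model a DEFAULT entry set on an intermediate directory reaches files beneath it only in `FSO`; in `LEGACY` the file sees the bucket's DEFAULT entries alone, which is the gap the comment flags for a later PR.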
