[ https://issues.apache.org/jira/browse/HDDS-7933?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17727877#comment-17727877 ]

Tejaskriya Madhan edited comment on HDDS-7933 at 6/5/23 5:48 AM:
-----------------------------------------------------------------

The expected behaviour of ACLs (including Prefix ACLs) is documented in this 
design doc (from the Jira HDDS-1303):
[^Design Doc- Native ACL support for Ozone.pdf] 
Only default ACLs are expected to be inherited. If we add an *access* ACL to a 
prefix and create a key matching that prefix, it does not inherit the 
permissions. So the output you saw was as expected. This is how default ACLs 
are added:
{code:java}
ozone sh prefix addacl testbgj2/bucket1/dir2/ -a user:testuser2:a[DEFAULT] 
{code}
So I believe this behaviour is as expected and is not erroneous. 
[~georgeJahad] Could you confirm?



> Prefix ACL's are undocumented, (and don't seem to work.)
> --------------------------------------------------------
>
>                 Key: HDDS-7933
>                 URL: https://issues.apache.org/jira/browse/HDDS-7933
>             Project: Apache Ozone
>          Issue Type: Bug
>            Reporter: George Jahad
>            Assignee: Tejaskriya Madhan
>            Priority: Minor
>         Attachments: Design Doc- Native ACL support for Ozone.pdf
>
>
> I have been unable to get prefix ACL's to work. (They are listed as an object 
> type here: https://ozone.apache.org/docs/1.3.0/security/securityacls.html )  
> Because they are undocumented I'm not sure if I'm doing something wrong or if 
> they are just broken.
> It doesn't seem like anybody uses them, so it is fine with me if we just 
> deprecate them.
> The only reason they came up is because I was adding support for native ACL's 
> to snapshotting.  I noticed them in the code and thought I should make sure 
> they work for snapshots as well.  But if no one is using them I won't bother.
> FYI:  Here is how I tried to get them to work:
> https://gist.github.com/GeorgeJahad/7601d00278060264dc57b13e368c46f4


