Ivan Andika created HDDS-10417:
----------------------------------

             Summary: Ozone Native ACL Documentation
                 Key: HDDS-10417
                 URL: https://issues.apache.org/jira/browse/HDDS-10417
             Project: Apache Ozone
          Issue Type: Sub-task
            Reporter: Ivan Andika
            Assignee: Ivan Andika


Create documentation regarding the Ozone Native ACLs. This is also a good avenue to consolidate and identify the gaps in the Ozone Native ACLs mechanism.

Things to cover include (not exhaustive):
 * General Ozone ACL information 
 ** Similar to the current Ozone documentation
 * UserGroupInformation concept
 * The Ozone Native Authorizer ACL model
 ** Authorization flow
 ** Volume and bucket ownership concept
 ** Admin & Readonly admins
 ** Table of different OM requests and what ACL are checked
 ** ACL is a resource-based access control mechanism (vs Ranger / AWS IAM, which are policy-based access control mechanisms)
 *** Pros: No need for IAM infrastructure / separate component
 *** Cons: OM metadata overhead, more complex to reason about than a policy-based access control mechanism
 ** Parent object and child object relationship
 *** DEFAULT ACL inheritance
 *** Directory DEFAULT ACL inheritance
 **** https://issues.apache.org/jira/browse/HDDS-8653 
 **** TODO: Although directory ACL is not really used in the native authorizer, it might need to be addressed
 *** What is the derived parent access for each child access (can be put in a table)
 ** Prefix ACL
 *** Note that it is different from POSIX directory ACL since the parent prefix ACL does not need to be created before the child key can be created
 ** ACL for linked bucket 
 *** https://issues.apache.org/jira/browse/HDDS-4715
 * Creating another authorizer strategy by implementing IAccessAuthorizer
 * ACL Configuration
 * Ozone S3 ACL Support
 ** Ozone native ACL mapping when using S3 ACL API
 ** See: https://issues.apache.org/jira/browse/HDDS-4550 
 ** Currently only supports S3 Bucket ACL
 ** Limitations
 ** TODO: Since there were some changes in the Ozone Native ACL model, there might be inaccuracies in the mapping. This might need to be addressed.
 ** TODO: Since one S3 ACL will map to multiple Ozone ACLs, this might pose some possible problems
 * Also add a link for the Ranger permission model
 ** https://issues.apache.org/jira/browse/HDDS-7697
 * Usage
 ** Java API
 ** Ozone shell
 ** S3G (Might not work properly anymore)
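The outline above names the native ACL model, the parent/child relationship and DEFAULT ACL inheritance without showing them in code. The following is an added, self-contained model written for this ticket; it is not Ozone's implementation and not code from the reporter. It assumes only the ACL string format Ozone uses (`type:name:rights[SCOPE]`, with the right letters r/w/c/d/l/a/n/x/y); how DEFAULT entries are carried forward from volume to bucket to key is a labelled assumption of the model, chosen so that the inheritance chain can be seen end to end.

```python
"""Toy model of Ozone-style native ACL strings and DEFAULT ACL inheritance.
Added illustration only: the inheritance rules below are modelling assumptions,
not Ozone's source code."""
import re
from dataclasses import dataclass

# Letter -> right name, as written in Ozone ACL strings such as "user:alice:rw".
RIGHT_LETTERS = {
    "r": "READ", "w": "WRITE", "c": "CREATE", "d": "DELETE", "l": "LIST",
    "a": "ALL", "n": "NONE", "x": "READ_ACL", "y": "WRITE_ACL",
}
# 'a' expands to every concrete right; 'n' grants nothing.
ALL_RIGHTS = frozenset(v for k, v in RIGHT_LETTERS.items() if k not in "an")

ACL_RE = re.compile(
    r"^(?P<type>user|group|world|anonymous):(?P<name>[^:]*):"
    r"(?P<rights>[rwcdlanxy]+)(?:\[(?P<scope>ACCESS|DEFAULT)\])?$"
)


@dataclass(frozen=True)
class Acl:
    acl_type: str       # user / group / world / anonymous
    name: str           # principal name; empty for world / anonymous
    rights: frozenset   # expanded right names, e.g. {"READ", "WRITE"}
    scope: str          # ACCESS applies to this object; DEFAULT is inherited by children


def parse_acl(text: str) -> Acl:
    """Parse 'type:name:letters[SCOPE]'; the scope defaults to ACCESS."""
    m = ACL_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed ACL: {text!r}")
    letters = m.group("rights")
    if "n" in letters:
        rights = frozenset()
    elif "a" in letters:
        rights = ALL_RIGHTS
    else:
        rights = frozenset(RIGHT_LETTERS[c] for c in letters)
    return Acl(m.group("type"), m.group("name"), rights, m.group("scope") or "ACCESS")


def inherit_default_acls(parent_acls, child_is_container):
    """Model of DEFAULT inheritance (assumption, not Ozone's implementation):
    every DEFAULT entry on the parent is copied to the child with ACCESS scope;
    if the child can itself hold children (a bucket under a volume) the DEFAULT
    entry is carried forward too, so that grandchildren inherit it as well."""
    inherited = []
    for acl in parent_acls:
        if acl.scope != "DEFAULT":
            continue
        inherited.append(Acl(acl.acl_type, acl.name, acl.rights, "ACCESS"))
        if child_is_container:
            inherited.append(acl)
    return inherited


def has_right(acls, user, groups, right):
    """True if any ACCESS-scoped entry matching the caller grants `right`.
    DEFAULT entries never grant anything on the object they sit on."""
    for acl in acls:
        if acl.scope != "ACCESS":
            continue
        matches = (
            acl.acl_type == "world"
            or (acl.acl_type == "user" and acl.name == user)
            or (acl.acl_type == "group" and acl.name in groups)
        )
        if matches and right in acl.rights:
            return True
    return False


def demo():
    # Constructed sample: the owner keeps ALL on each object she creates, and
    # grants READ+LIST to group "analysts" on everything created beneath the volume.
    volume_acls = [parse_acl("user:alice:a"),
                   parse_acl("group:analysts:rl[DEFAULT]")]
    bucket_acls = [parse_acl("user:alice:a")] + inherit_default_acls(volume_acls, True)
    key_acls = [parse_acl("user:alice:a")] + inherit_default_acls(bucket_acls, False)
    return {
        "analyst_can_read_key": has_right(key_acls, "bob", {"analysts"}, "READ"),
        "analyst_can_write_key": has_right(key_acls, "bob", {"analysts"}, "WRITE"),
        "analyst_can_read_volume": has_right(volume_acls, "bob", {"analysts"}, "READ"),
        "key_acl_scopes": sorted(a.scope for a in key_acls),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the model makes visible is the one the outline's "DEFAULT ACL inheritance" item hides: a DEFAULT entry on the volume grants nothing on the volume itself (`analyst_can_read_volume` is False) but surfaces as an ACCESS entry two levels down on the key, which is exactly the kind of derived permission a reviewer of a volume's ACL list can miss.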



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
