[
https://issues.apache.org/jira/browse/HDDS-10417?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ivan Andika updated HDDS-10417:
-------------------------------
Description:
Create documentation regarding the Ozone Native ACL. This is also a good
avenue to consolidate and identify the gaps in the Ozone Native ACLs mechanism.
Things to cover include (not exhaustive):
* General Ozone ACL information
** Similar to the current Ozone documentation
* UserGroupInformation concept
* The Ozone Native Authorizer ACL model
** Authorization flow
** Volume and bucket ownership concept
** Admin & Readonly admins
** Table of different OM requests and which ACLs are checked
** ACL is a resource-based access control mechanism (vs Ranger / AWS IAM
that's policy-based access control mechanism)
*** Pros: No need for IAM infrastructure / separate component
*** Cons: OM metadata overhead, more complex to reason about than policy-based
access control mechanism
** Parent object and child object relationship
*** DEFAULT ACL inheritance
*** Directory DEFAULT ACL inheritance
**** https://issues.apache.org/jira/browse/HDDS-8653
**** TODO: Although directory ACL is not really used in the native authorizer,
might need to be addressed
*** What is the derived parent access for each child access (can be put in a
table)
** Prefix ACL
*** Note that it is different than POSIX directory ACL since parent prefix ACL
does not need to be created before the child key can be created
** ACL for linked bucket
*** https://issues.apache.org/jira/browse/HDDS-4715
* Creating another authorizer strategy by implementing IAccessAuthorizer
* ACL Configuration
* Ozone S3 ACL Support
** Ozone native ACL mapping when using S3 ACL API
** See: https://issues.apache.org/jira/browse/HDDS-4550
** Currently only supports S3 Bucket ACL
** Limitations
** TODO: Since there were some changes in the Ozone Native ACL model, there
might be inaccuracies in the mapping. This might need to be addressed.
** TODO: Since one S3 ACL will map to multiple Ozone ACLs, this might pose
some possible problems
* Also add a link for the Ranger permission model
** https://issues.apache.org/jira/browse/HDDS-7697
* Usage
** Java API
** Ozone shell
** S3G (Might not work properly anymore)
was:
Create documentation regarding the Ozone Native ACLs. This is also a good
avenue to consolidate and identify the gaps in the Ozone Native ACLs mechanism.
Things to cover include (not exhaustive):
* General Ozone ACL information
** Similar to the current Ozone documentation
* UserGroupInformation concept
* The Ozone Native Authorizer ACL model
** Authorization flow
** Volume and bucket ownership concept
** Admin & Readonly admins
** Table of different OM requests and which ACLs are checked
** ACL is a resource-based access control mechanism (vs Ranger / AWS IAM
that's policy-based access control mechanism)
*** Pros: No need for IAM infrastructure / separate component
*** Cons: OM metadata overhead, more complex to reason about than policy-based
access control mechanism
** Parent object and child object relationship
*** DEFAULT ACL inheritance
*** Directory DEFAULT ACL inheritance
**** https://issues.apache.org/jira/browse/HDDS-8653
**** TODO: Although directory ACL is not really used in the native authorizer,
might need to be addressed
*** What is the derived parent access for each child access (can be put in a
table)
** Prefix ACL
*** Note that it is different than POSIX directory ACL since parent prefix ACL
does not need to be created before the child key can be created
** ACL for linked bucket
*** https://issues.apache.org/jira/browse/HDDS-4715
* Creating another authorizer strategy by implementing IAccessAuthorizer
* ACL Configuration
* Ozone S3 ACL Support
** Ozone native ACL mapping when using S3 ACL API
** See: https://issues.apache.org/jira/browse/HDDS-4550
** Currently only supports S3 Bucket ACL
** Limitations
** TODO: Since there were some changes in the Ozone Native ACL model, there
might be inaccuracies in the mapping. This might need to be addressed.
** TODO: Since one S3 ACL will map to multiple Ozone ACLs, this might pose
some possible problems
* Also add a link for the Ranger permission model
** https://issues.apache.org/jira/browse/HDDS-7697
* Usage
** Java API
** Ozone shell
** S3G (Might not work properly anymore)
> Ozone Native ACL Documentation
> ------------------------------
>
> Key: HDDS-10417
> URL: https://issues.apache.org/jira/browse/HDDS-10417
> Project: Apache Ozone
> Issue Type: Sub-task
> Reporter: Ivan Andika
> Assignee: Ivan Andika
> Priority: Major