| |
| |
| <!DOCTYPE html> |
| <html lang="en"> |
| <head> |
| <meta charset="utf-8"> |
| <meta http-equiv="X-UA-Compatible" content="IE=edge"> |
| <meta name="viewport" content="width=device-width, initial-scale=1"> |
| |
| <meta name="description" content="Hadoop Ozone Documentation"> |
| |
| <title>Documentation for Apache Hadoop Ozone</title> |
| |
| |
| <link href="../../css/bootstrap.min.css" rel="stylesheet"> |
| |
| |
| <link href="../../css/ozonedoc.css" rel="stylesheet"> |
| |
| </head> |
| |
| |
| <body> |
| |
| |
| <nav class="navbar navbar-inverse navbar-fixed-top"> |
| <div class="container-fluid"> |
| <div class="navbar-header"> |
| <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#sidebar" aria-expanded="false" aria-controls="navbar"> |
| <span class="sr-only">Toggle navigation</span> |
| <span class="icon-bar"></span> |
| <span class="icon-bar"></span> |
| <span class="icon-bar"></span> |
| </button> |
| <a href="#" class="navbar-left" style="height: 50px; padding: 5px 5px 5px 0;"> |
| <img src="../../ozone-logo-small.png" width="40"/> |
| </a> |
| <a class="navbar-brand hidden-xs" href="#"> |
| Apache Hadoop Ozone/HDDS documentation |
| </a> |
| <a class="navbar-brand visible-xs-inline" href="#">Hadoop Ozone</a> |
| </div> |
| <div id="navbar" class="navbar-collapse collapse"> |
| <ul class="nav navbar-nav navbar-right"> |
| <li><a href="https://github.com/apache/hadoop-ozone">Source</a></li> |
| <li><a href="https://hadoop.apache.org">Apache Hadoop</a></li> |
| <li><a href="https://apache.org">ASF</a></li> |
| </ul> |
| </div> |
| </div> |
| </nav> |
| |
| |
| <div class="container-fluid"> |
| <div class="row"> |
| |
| <div class="col-sm-2 col-md-2 sidebar" id="sidebar"> |
| <ul class="nav nav-sidebar"> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../../zh/"> |
| |
| |
| |
| <span>Overview</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../../zh/start.html"> |
| |
| |
| |
| <span>Getting Started</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../../zh/interface.html"> |
| |
| |
| |
| <span>Programming Interfaces</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../../zh/feature.html"> |
| |
| |
| |
| <span>GDPR</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../../zh/security.html"> |
| |
| |
| |
| <span>Security</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../../zh/concept.html"> |
| |
| |
| |
| <span>Concepts</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../../zh/tools.html"> |
| |
| |
| |
| <span>Tools</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../../zh/recipe.html"> |
| |
| |
| |
| <span>Recipes</span> |
| </a> |
| </li> |
| |
| |
| <li><a href="../../design.html"><span><b>Design docs</b></span></a></li> |
| <li class="visible-xs"><a href="#">References</a> |
| <ul class="nav"> |
| <li><a href="https://github.com/apache/hadoop"><span class="glyphicon glyphicon-new-window" aria-hidden="true"></span> Source</a></li> |
| <li><a href="https://hadoop.apache.org"><span class="glyphicon glyphicon-new-window" aria-hidden="true"></span> Apache Hadoop</a></li> |
| <li><a href="https://apache.org"><span class="glyphicon glyphicon-new-window" aria-hidden="true"></span> ASF</a></li> |
| </ul></li> |
| </ul> |
| |
| </div> |
| |
| <div class="col-sm-10 col-sm-offset-2 col-md-10 col-md-offset-2 main"> |
| |
| |
| |
| <div class="col-md-9"> |
| |
| |
| |
| <div class="pull-right"> |
| |
| |
| <a href="../../security/securityacls.html"><span class="label label-success">English</span></a> |
| |
| |
| |
| |
| </div> |
| |
| |
| <div class="col-md-9"> |
| <h1>Ozone Access Control Lists</h1> |
| |
| <!--- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
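| <p>Ozone supports both native ACLs and ACL plugins such as Ranger. If the Ranger plugin is enabled, the ACLs in Ranger take precedence.</p> |
| <p>Ozone ACLs are a superset of POSIX ACLs and S3 ACLs.</p> |
| <p>The general format of an ACL is <em>object</em>:<em>role</em>:<em>rights</em>.</p> |
| <p>Possible values for <em>object</em> are:</p> |
| <ol> |
| <li><strong>Volume</strong> - An Ozone volume, for example <em>/volume</em></li> |
| <li><strong>Bucket</strong> - An Ozone bucket, for example <em>/volume/bucket</em></li> |
| <li><strong>Key</strong> - An object key, for example <em>/volume/bucket/key</em></li> |
| <li><strong>Prefix</strong> - A path prefix of a key, for example <em>/volume/bucket/prefix1/prefix2</em></li> |
| </ol> |
| <p>Possible values for <em>role</em> are:</p> |
| <ol> |
| <li><strong>User</strong> - A Kerberos user. As with POSIX users, the user may or may not have been created yet.</li> |
| <li><strong>Group</strong> - A Kerberos group. As with POSIX groups, the group may or may not have been created yet.</li> |
| <li><strong>World</strong> - All users authenticated through Kerberos. This corresponds to "others" in the POSIX standard.</li> |
| <li><strong>Anonymous</strong> - Ignores the user field entirely. This is an extension to POSIX semantics, used with the S3 protocol, to express that the user's identity cannot be obtained or does not matter.</li> |
| </ol> |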
| <div class="alert alert-success" role="alert"> |
| When an S3 user accesses Ozone through the AWS v4 signature protocol, OM translates that user to the corresponding Kerberos user. |
| </div> |
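| <p>Possible values for <em>rights</em> are:</p> |
| <ol> |
| <li><strong>Create</strong> - This ACL lets a user create buckets in a volume, or keys in a bucket. Note: in Ozone, only administrators can create volumes.</li> |
| <li><strong>List</strong> - This ACL lets a user list buckets and keys. Because what is listed are child objects, this ACL is attached to volumes and buckets. Note: only the volume owner and administrators can list a volume.</li> |
| <li><strong>Delete</strong> - Lets a user delete a volume, bucket or key.</li> |
| <li><strong>Read</strong> - Lets a user read the metadata of volumes and buckets, and the data stream and metadata of keys.</li> |
| <li><strong>Write</strong> - Lets a user modify the metadata of volumes and buckets, and overwrite an existing key.</li> |
| <li><strong>Read ACL</strong> - Lets a user read the ACL of an object.</li> |
| <li><strong>Write ACL</strong> - Lets a user modify the ACL of an object.</li> |
| </ol> |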
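| <h3>Ozone Native ACL APIs</h3> |
| <p>ACLs can be manipulated through a set of APIs provided by Ozone. The supported APIs are:</p> |
| <ol> |
| <li><strong>SetAcl</strong> - This API takes the user principal, the Ozone object name, the Ozone object type and a list of ACLs.</li> |
| <li><strong>GetAcl</strong> - This API takes the Ozone object name and the Ozone object type, and returns a list of ACLs.</li> |
| <li><strong>AddAcl</strong> - This API takes the Ozone object name, the Ozone object type and the ACL to add. The new ACL is added to the ACL entries of that Ozone object.</li> |
| <li><strong>RemoveAcl</strong> - This API takes the Ozone object name, the Ozone object type and the ACL to remove.</li> |
| </ol> |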
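<p>The role matching and the four native ACL calls described above, modelled in Python as an added example (not Ozone's own code or API). The class and function names, the sample volume, bucket and principal names, and the grant-only evaluation are assumptions; inheritance, administrator and owner overrides, and Ranger are left out.</p>

```python
from dataclasses import dataclass

# Role and right names follow the lists above; everything else is a model, not Ozone's API.
MUTATING = {"CREATE", "DELETE", "WRITE", "WRITE_ACL"}

@dataclass(frozen=True)
class Acl:
    role: str          # "USER", "GROUP", "WORLD" or "ANONYMOUS"
    name: str          # Kerberos user or group; unused for WORLD and ANONYMOUS
    rights: frozenset  # subset of CREATE, LIST, DELETE, READ, WRITE, READ_ACL, WRITE_ACL

class AclStore:
    """In-memory stand-in for the four native ACL calls, keyed by (type, name)."""
    def __init__(self):
        self.acls = {}
    def set_acl(self, obj_type, obj_name, acl_list):   # SetAcl: replace the list
        self.acls[(obj_type, obj_name)] = list(acl_list)
    def get_acl(self, obj_type, obj_name):             # GetAcl: return the list
        return list(self.acls.get((obj_type, obj_name), []))
    def add_acl(self, obj_type, obj_name, acl):        # AddAcl: append one entry
        self.acls.setdefault((obj_type, obj_name), []).append(acl)
    def remove_acl(self, obj_type, obj_name, acl):     # RemoveAcl: drop one entry
        entries = self.acls.get((obj_type, obj_name), [])
        if acl in entries:
            entries.remove(acl)

def matches(acl, user, groups, authenticated):
    if acl.role == "USER":
        return authenticated and acl.name == user
    if acl.role == "GROUP":
        return authenticated and acl.name in groups
    if acl.role == "WORLD":
        return authenticated        # any Kerberos-authenticated caller
    return acl.role == "ANONYMOUS"  # the user field is ignored entirely

def is_allowed(store, obj_type, obj_name, right, user=None, groups=(), authenticated=True):
    return any(right in a.rights and matches(a, user, groups, authenticated)
               for a in store.get_acl(obj_type, obj_name))

def broad_mutating_grants(store):
    """Entries that let WORLD or ANONYMOUS change data or ACLs: candidates for review."""
    return [(obj, a) for obj, entries in store.acls.items() for a in entries
            if a.role in ("WORLD", "ANONYMOUS") and a.rights & MUTATING]

def demo():
    # Constructed sample ACLs; object and principal names are made up.
    s = AclStore()
    s.set_acl("BUCKET", "/vol1/logs", [Acl("USER", "alice", frozenset({"READ", "WRITE"}))])
    s.add_acl("BUCKET", "/vol1/logs", Acl("GROUP", "ops", frozenset({"LIST"})))
    s.add_acl("KEY", "/vol1/logs/app.log", Acl("ANONYMOUS", "", frozenset({"READ", "DELETE"})))
    return s
```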
| |
| |
| |
| </div> |
| |
| </div> |
| </div> |
| </div> |
| </div> |
| |
| |
| |
| |
| <script src="../../js/jquery-3.5.1.min.js"></script> |
| <script src="../../js/ozonedoc.js"></script> |
| <script src="../../js/bootstrap.min.js"></script> |
| |
| |
| </body> |
| |
| </html> |