| |
| |
| <!DOCTYPE html> |
| <html lang="en"> |
| <head> |
| <meta charset="utf-8"> |
| <meta http-equiv="X-UA-Compatible" content="IE=edge"> |
| <meta name="viewport" content="width=device-width, initial-scale=1"> |
| |
| <meta name="description" content="Apache Ozone Documentation"> |
| |
| <title>Documentation for Apache Ozone</title> |
| |
| |
| <link href="../css/bootstrap.min.css" rel="stylesheet"> |
| |
| |
| <link href="../css/ozonedoc.css" rel="stylesheet"> |
| |
| |
| |
| <link href="../swagger-resources/swagger-ui.css" rel="stylesheet"> |
| |
| |
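| <script> |
| // Matomo web analytics. The tracker script is fetched from a third-party |
| // origin (analytics.apache.org) at runtime, so a strict CSP on this site has |
| // to allow that origin in script-src (and presumably connect-src/img-src for |
| // the matomo.php beacon), and no integrity (SRI) hash can be pinned for a |
| // script whose contents change upstream. |
| var _paq = window._paq = window._paq || []; |
| |
| // Cookieless tracking: queued before trackPageView so no tracking cookie is set. |
| _paq.push(['disableCookies']); |
| |
| _paq.push(['trackPageView']); |
| _paq.push(['enableLinkTracking']); |
| (function() { |
| // Explicit https: instead of a protocol-relative "//" URL, so the tracker is |
| // never fetched over plain HTTP even if this page is ever served over HTTP. |
| var u="https://analytics.apache.org/"; |
| _paq.push(['setTrackerUrl', u+'matomo.php']); |
| _paq.push(['setSiteId', '34']); |
| // Inject the loader before the first <script> element in the document. |
| var d=document, g=d.createElement('script'), |
| s=d.getElementsByTagName('script')[0]; |
| g.async=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s); |
| })(); |
| </script> |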
| |
| |
| </head> |
| |
| |
| <body> |
| |
| |
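| <nav class="navbar navbar-inverse navbar-fixed-top" aria-label="Primary"> |
| <div class="container-fluid"> |
| <div class="navbar-header"> |
| <!-- aria-controls names the element this button actually collapses (#sidebar, the data-target), not the #navbar div --> |
| <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#sidebar" aria-expanded="false" aria-controls="sidebar"> |
| <span class="sr-only">Toggle navigation</span> |
| <span class="icon-bar"></span> |
| <span class="icon-bar"></span> |
| <span class="icon-bar"></span> |
| </button> |
| <a href="../index.html" class="navbar-left ozone-logo"> |
| <!-- the image is the link's only content, so alt describes the link destination --> |
| <img src="../ozone-logo-small.png" alt="Apache Ozone home"> |
| </a> |
| <a class="navbar-brand hidden-xs" href="../index.html"> |
| Apache Ozone/HDDS Documentation |
| </a> |
| <!-- same destination as the wide-screen brand link above, instead of a dead "#" href --> |
| <a class="navbar-brand visible-xs-inline" href="../index.html">Apache Ozone</a> |
| </div> |
| <div id="navbar" class="navbar-collapse collapse"> |
| <ul class="nav navbar-nav navbar-right"> |
| <li><a href="https://github.com/apache/ozone">Source</a></li> |
| <li><a href="https://ozone.apache.org">Apache Ozone</a></li> |
| <li><a href="https://apache.org">ASF</a></li> |
| </ul> |
| </div> |
| </div> |
| </nav> |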
| |
| |
| <div class="wrapper"> |
| <div class="container-fluid"> |
| <div class="row"> |
| |
| <div class="col-sm-2 col-md-2 sidebar" id="sidebar"> |
| <ul class="nav nav-sidebar"> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../index.html"> |
| |
| |
| |
| <span>Overview</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../start.html"> |
| |
| |
| |
| <span>Getting Started</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| <a href="../concept.html"> |
| |
| <span>Architecture</span> |
| </a> |
| <ul class="nav"> |
| |
| <li class=""> |
| |
| <a href="../concept/overview.html">Overview</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../concept/ozonemanager.html">Ozone Manager</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../concept/storagecontainermanager.html">Storage Container Manager</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../concept/containers.html">Containers</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../concept/datanodes.html">Datanodes</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../concept/recon.html">Recon</a> |
| |
| </li> |
| |
| </ul> |
| </li> |
| |
| |
| |
| <li class=""> |
| <a href="../feature.html"> |
| |
| <span>Features</span> |
| </a> |
| <ul class="nav"> |
| |
| <li class=""> |
| |
| <a href="../feature/decommission.html">Decommissioning</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../feature/om-ha.html">OM High Availability</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../feature/erasurecoding.html">Ozone Erasure Coding</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../feature/snapshot.html">Ozone Snapshot</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../feature/scm-ha.html">SCM High Availability</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../feature/streaming-write-pipeline.html">Streaming Write Pipeline</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../feature/dn-merge-rocksdb.html">Merge Container RocksDB in DN</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../feature/prefixfso.html">Prefix based File System Optimization</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../feature/topology.html">Topology awareness</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../feature/quota.html">Quota in Ozone</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../feature/recon.html">Recon Server</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../feature/observability.html">Observability</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../feature/nonrolling-upgrade.html">Non-Rolling Upgrades and Downgrades</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../feature/s3-multi-tenancy.html"> |
| |
| <span>S3 Multi-Tenancy</span> |
| </a> |
| <ul class="nav"> |
| |
| <li class=""> |
| <a href="../feature/s3-multi-tenancy-setup.html">Setup</a> |
| </li> |
| |
| <li class=""> |
| <a href="../feature/s3-tenant-commands.html">Tenant commands</a> |
| </li> |
| |
| <li class=""> |
| <a href="../feature/s3-multi-tenancy-access-control.html">Access Control</a> |
| </li> |
| |
| </ul> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../feature/reconfigurability.html">Reconfigurability</a> |
| |
| </li> |
| |
| </ul> |
| </li> |
| |
| |
| |
| <li class=""> |
| <a href="../interface.html"> |
| |
| <span>Client Interfaces</span> |
| </a> |
| <ul class="nav"> |
| |
| <li class=""> |
| |
| <a href="../interface/ofs.html">Ofs (Hadoop compatible)</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../interface/o3fs.html">O3fs (Hadoop compatible)</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../interface/s3.html">S3 Protocol</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../interface/cli.html">Command Line Interface</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../interface/reconapi.html">Recon API</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../interface/javaapi.html">Java API</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../interface/csi.html">CSI Protocol</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../interface/httpfs.html">HttpFS Gateway</a> |
| |
| </li> |
| |
| </ul> |
| </li> |
| |
| |
| |
| <li class=""> |
| <a href="../security.html"> |
| |
| <span>Security</span> |
| </a> |
| <ul class="nav"> |
| |
| <li class=""> |
| |
| <a href="../security/secureozone.html">Securing Ozone</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../security/securingtde.html">Transparent Data Encryption</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../security/gdpr.html">GDPR in Ozone</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../security/securingdatanodes.html">Securing Datanodes</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../security/securingozonehttp.html">Securing HTTP</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../security/securings3.html">Securing S3</a> |
| |
| </li> |
| |
| <li class="active"> |
| |
| <a href="../security/securityacls.html">Ozone ACLs</a> |
| |
| </li> |
| |
| <li class=""> |
| |
| <a href="../security/securitywithranger.html">Apache Ranger</a> |
| |
| </li> |
| |
| </ul> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../tools.html"> |
| |
| |
| |
| <span>Tools</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../recipe.html"> |
| |
| |
| |
| <span>Recipes</span> |
| </a> |
| </li> |
| |
| |
| <li><a href="../design.html"><span><b>Design docs</b></span></a></li> |
| <li class="visible-xs"><a href="#">References</a> |
| <ul class="nav"> |
| <li><a href="https://github.com/apache/ozone"><span class="glyphicon glyphicon-new-window" aria-hidden="true"></span> Source</a></li> |
| <li><a href="https://ozone.apache.org"><span class="glyphicon glyphicon-new-window" aria-hidden="true"></span> Apache Ozone</a></li> |
| <li><a href="https://apache.org"><span class="glyphicon glyphicon-new-window" aria-hidden="true"></span> ASF</a></li> |
| </ul></li> |
| </ul> |
| |
| </div> |
| |
| <div class="col-sm-10 col-sm-offset-2 col-md-10 col-md-offset-2 main-content"> |
| |
| |
| |
| <div class="col-md-9"> |
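| <nav aria-label="breadcrumb"> |
| <ol class="breadcrumb"> |
| <li class="breadcrumb-item"><a href="../index.html">Home</a></li> |
| <!-- only the last crumb is the current page; an ancestor link must not carry aria-current="page" --> |
| <li class="breadcrumb-item"><a href="../security.html">Security</a></li> |
| <li class="breadcrumb-item active" aria-current="page">Ozone ACLs</li> |
| </ol> |
| </nav> |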
| |
| |
| |
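| <div class="pull-right"> |
| <!-- link to the Chinese translation of this page; lang/hreflang let assistive tech and crawlers pick the right language --> |
| <a href="../zh/security/securityacls.html" hreflang="zh" lang="zh"><span class="label label-success">中文</span></a> |
| </div> |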
| |
| |
| <div class="col-md-9"> |
| <h1>Ozone ACLs</h1> |
| |
| <!--- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| <p>Ozone supports a set of native ACLs. These ACLs can be used independently |
| of an Ozone ACL plugin such as Ranger. |
| Add the following properties to ozone-site.xml to enable native ACLs.</p> |
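| <table> |
| <caption class="sr-only">ozone-site.xml properties that enable native ACLs</caption> |
| <thead> |
| <tr> |
| <th scope="col">Property</th> |
| <th scope="col">Value</th> |
| </tr> |
| </thead> |
| <tbody> |
| <tr> |
| <td><code>ozone.acl.enabled</code></td> |
| <td><code>true</code></td> |
| </tr> |
| <tr> |
| <td><code>ozone.acl.authorizer.class</code></td> |
| <!-- NOTE(review): the value below sits in an org.apache.ranger package although this page describes the native (non-Ranger) authorizer; confirm the class name against the Ozone release in use before copying it into ozone-site.xml --> |
| <td><code>org.apache.ranger.authorization.ozone.authorizer.OzoneNativeAuthorizer</code></td> |
| </tr> |
| </tbody> |
| </table> |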
| <p>Ozone ACLs are a superset of POSIX and S3 ACLs.</p> |
| <p>The general format of an ACL is <em>object</em>:<em>who</em>:<em>rights</em>:<em>scope</em>.</p> |
| <p>Where an <em>object</em> can be:</p> |
| <ol> |
| <li><strong>Volume</strong> - An Ozone volume. e.g. <em>/volume</em></li> |
| <li><strong>Bucket</strong> - An Ozone bucket. e.g. <em>/volume/bucket</em></li> |
| <li><strong>Key</strong> - An object key or an object. e.g. <em>/volume/bucket/key</em></li> |
| <li><strong>Prefix</strong> - A path prefix for a specific key. e.g. <em>/volume/bucket/prefix1/prefix2</em></li> |
| </ol> |
| <p>Where a <em>who</em> can be:</p> |
| <ol> |
| <li><strong>User</strong> - A user in the Kerberos domain. As in the POSIX world, a user can be |
| named or unnamed.</li> |
| <li><strong>Group</strong> - A group in the Kerberos domain. As in the POSIX world, a group |
| can be named or unnamed.</li> |
| <li><strong>World</strong> - All authenticated users in the Kerberos domain. This maps to |
| "others" in the POSIX domain.</li> |
| <li><strong>Anonymous</strong> - Ignores the user field completely. This is an extension to |
| the POSIX semantics that is needed for the S3 protocol, where we express that |
| we have no way of knowing who the user is, or we don’t care.</li> |
| </ol> |
| <div class="alert alert-success" role="alert"> |
| An S3 user accessing Ozone via the AWS v4 signature protocol is translated |
| to the appropriate Kerberos user by Ozone Manager. |
| </div> |
| <p>Where a <em>right</em> can be:</p> |
| <ol> |
| <li><strong>Create</strong> – This ACL gives a user the ability to create buckets in a |
| volume and keys in a bucket. Please note: under Ozone, only admins can create volumes.</li> |
| <li><strong>List</strong> – This ACL allows listing of buckets and keys. It is attached |
| to volumes and buckets and allows listing of their child objects. Please note: the user and admins can list the volumes owned by the user.</li> |
| <li><strong>Delete</strong> – Allows the user to delete a volume, bucket or key.</li> |
| <li><strong>Read</strong> – Allows the user to read the metadata of a Volume and Bucket and |
| data stream and metadata of a key.</li> |
| <li><strong>Write</strong> - Allows the user to write the metadata of a Volume and Bucket and |
| allows the user to overwrite an existing ozone key.</li> |
| <li><strong>Read_ACL</strong> – Allows a user to read the ACL on a specific object.</li> |
| <li><strong>Write_ACL</strong> – Allows a user to write the ACL on a specific object.</li> |
| </ol> |
| <p>Where a <em>scope</em> can be:</p> |
| <ol> |
| <li><strong>ACCESS</strong> – Access ACL is applied only to the specific object and not inheritable. It controls the access to the object itself.</li> |
| <li><strong>DEFAULT</strong> - Default ACL is applied to the specific object and is inherited by the object’s descendants. Default ACLs cannot be set on keys (as there can be no objects under a key). <br> |
| <em>Note</em>: ACLs inherited from a parent’s DEFAULT ACLs follow these rules, depending on the bucket layout: |
| <ul> |
| <li><strong>Legacy with EnableFileSystem or FSO</strong>: inherit the immediate parent’s DEFAULT ACLs. If none, inherit the bucket DEFAULT ACLs.</li> |
| <li><strong>Legacy with DisableFileSystem or OBS</strong>: inherit the bucket DEFAULT ACLs.</li> |
| </ul> |
| </li> |
| </ol> |
| <h2 id="ozone-native-acl-apis">Ozone Native ACL APIs</h2> |
| <p>The ACLs can be manipulated by a set of APIs supported by Ozone. The APIs |
| supported are:</p> |
| <ol> |
| <li><strong>SetAcl</strong> – This API will take user principal, the name, type |
| of the ozone object and a list of ACLs.</li> |
| <li><strong>GetAcl</strong> – This API will take the name and type of the ozone object |
| and will return a list of ACLs.</li> |
| <li><strong>AddAcl</strong> - This API will take the name, type of the ozone object, the |
| ACL, and add it to existing ACL entries of the ozone object.</li> |
| <li><strong>RemoveAcl</strong> - This API will take the name, type of the |
| ozone object and the ACL that has to be removed.</li> |
| </ol> |
| <h2 id="acl-manipulation-using-ozone-cli">ACL Manipulation Using Ozone CLI</h2> |
| <p>The ACLs can also be manipulated by using the <code>ozone sh</code> commands.<br> |
| Usage: <code>ozone sh &lt;object&gt; &lt;action&gt; [-a=&lt;value&gt;[,&lt;value&gt;...]] &lt;object-uri&gt;</code> <br> |
| <code>-a</code> is for the comma separated list of ACLs. It is required for all subcommands except <code>getacl</code>. <br> |
| <code>&lt;value&gt;</code> is of the form <strong><code>type:name:rights[scope]</code></strong>.<br> |
| <strong><em>type</em></strong> can be user, group, world or anonymous.<br> |
| <strong><em>name</em></strong> is the name of the user/group. For the world and anonymous types, the name should either be left empty or be WORLD or ANONYMOUS respectively. <br> |
| <strong><em>rights</em></strong> can be (read=r, write=w, delete=d, list=l, all=a, none=n, create=c, read_acl=x, write_acl=y)<br> |
| <strong><em>scope</em></strong> can be <strong>ACCESS</strong> or <strong>DEFAULT</strong>. If not specified, default is <strong>ACCESS</strong>.<br></p> |
| <div class="alert alert-warning" role="alert"> |
| When the object is a prefix, the path to the object must contain the full path from the volume down to the directory or key prefix, e.g. |
| <br> |
| /volume/bucket/some/key/prefix/ |
| <br> |
| Note: the trailing "/" is required. |
| </div> |
| <br> |
| The following ACL actions are supported. |
| <h3>setacl</h3> |
| <div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">$ ozone sh bucket setacl -a user:testuser2:a /vol1/bucket1 |
| ACLs set successfully. |
| $ ozone sh bucket setacl -a user:om:a,group:om:a /vol1/bucket2 |
| ACLs set successfully. |
| $ ozone sh bucket setacl -a<span style="color:#f92672">=</span>anonymous::lr /vol1/bucket3 |
| ACLs set successfully. |
| $ ozone sh bucket setacl -a world::a /vol1/bucket4 |
| ACLs set successfully. |
| </code></pre></div><h3>getacl</h3> |
| <div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">$ ozone sh bucket getacl /vol1/bucket2 |
| <span style="color:#f92672">[</span> <span style="color:#f92672">{</span> |
| <span style="color:#e6db74">"type"</span> : <span style="color:#e6db74">"USER"</span>, |
| <span style="color:#e6db74">"name"</span> : <span style="color:#e6db74">"om/om@EXAMPLE.COM"</span>, |
| <span style="color:#e6db74">"aclScope"</span> : <span style="color:#e6db74">"ACCESS"</span>, |
| <span style="color:#e6db74">"aclList"</span> : <span style="color:#f92672">[</span> <span style="color:#e6db74">"ALL"</span> <span style="color:#f92672">]</span> |
| <span style="color:#f92672">}</span>, <span style="color:#f92672">{</span> |
| <span style="color:#e6db74">"type"</span> : <span style="color:#e6db74">"GROUP"</span>, |
| <span style="color:#e6db74">"name"</span> : <span style="color:#e6db74">"om"</span>, |
| <span style="color:#e6db74">"aclScope"</span> : <span style="color:#e6db74">"ACCESS"</span>, |
| <span style="color:#e6db74">"aclList"</span> : <span style="color:#f92672">[</span> <span style="color:#e6db74">"ALL"</span> <span style="color:#f92672">]</span> |
| <span style="color:#f92672">}</span> <span style="color:#f92672">]</span> |
| </code></pre></div><h3>addacl</h3> |
| <div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">$ ozone sh bucket addacl -a user:testuser2:a /vol1/bucket2 |
| ACL user:testuser2:a<span style="color:#f92672">[</span>ACCESS<span style="color:#f92672">]</span> added successfully. |
| |
| $ ozone sh bucket addacl -a user:testuser:rxy<span style="color:#f92672">[</span>DEFAULT<span style="color:#f92672">]</span> /vol1/bucket2 |
| ACL user:testuser:rxy<span style="color:#f92672">[</span>DEFAULT<span style="color:#f92672">]</span> added successfully. |
| |
| $ ozone sh prefix addacl -a user:testuser2:a<span style="color:#f92672">[</span>DEFAULT<span style="color:#f92672">]</span> /vol1/buck3/dir1/ |
| ACL user:testuser2:a<span style="color:#f92672">[</span>DEFAULT<span style="color:#f92672">]</span> added successfully. |
| </code></pre></div><h3>removeacl</h3> |
| <div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">$ ozone sh bucket removeacl -a user:testuser:r<span style="color:#f92672">[</span>DEFAULT<span style="color:#f92672">]</span> /vol1/bucket2 |
| ACL user:testuser:r<span style="color:#f92672">[</span>DEFAULT<span style="color:#f92672">]</span> removed successfully. |
| </code></pre></div> |
| |
| |
| <a class="btn btn-success btn-lg" href="../security/securitywithranger.html">Next >></a> |
| |
| </div> |
| |
| </div> |
| </div> |
| </div> |
| </div> |
| <div class="push"></div> |
| </div> |
| |
| |
| |
| <footer class="footer"> |
| <div class="container"> |
| <span class="small text-muted"> |
| Version: 1.5.0-SNAPSHOT, Last Modified: February 26, 2024 <a class="hide-child link primary-color" href="https://github.com/apache/ozone/commit/1b48186a0107711235abcd2636977ae0242f6be8">1b48186</a> |
| </span> |
| </div> |
| </footer> |
| |
| |
| |
| <script src="../js/jquery-3.5.1.min.js"></script> |
| <script src="../js/ozonedoc.js"></script> |
| <script src="../js/bootstrap.min.js"></script> |
| |
| |
| </body> |
| |
| </html> |