<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Apache Ozone Documentation">
<title>Documentation for Apache Ozone</title>
<link href="../css/bootstrap.min.css" rel="stylesheet">
<link href="../css/ozonedoc.css" rel="stylesheet">
<link href="../swagger-resources/swagger-ui.css" rel="stylesheet">
</head>
<body>
<div class="wrapper">
<div class="container-fluid">
<div class="row">
<div class="col-sm-10 col-sm-offset-2 col-md-10 col-md-offset-2 main-content">
<div class="col-md-9">
<div class="col-md-9">
<h1>Ozone ACLs</h1>
<!---
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<p>Ozone supports a set of native ACLs. These ACLs can be used independently
of an external ACL plugin such as Apache Ranger.
Add <strong>both</strong> of the following properties to <code>ozone-site.xml</code> to enable native ACLs: <code>ozone.acl.enabled</code> turns ACL enforcement on, and <code>ozone.acl.authorizer.class</code> selects the implementation that evaluates them. Setting only the first property does not by itself select the native authorizer.</p>
<table>
<thead>
<tr>
<th>Property</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>ozone.acl.enabled</td>
<td>true</td>
</tr>
<tr>
<td>ozone.acl.authorizer.class</td>
<td>org.apache.hadoop.ozone.security.acl.OzoneNativeAuthorizer</td>
</tr>
</tbody>
</table>
<p>Ozone ACLs are a superset of POSIX and S3 ACLs.</p>
<p>The general format of an ACL is <em>object</em>:<em>who</em>:<em>rights</em>:<em>scope</em>.</p>
<p>Where an <em>object</em> can be:</p>
<ol>
<li><strong>Volume</strong> - An Ozone volume. e.g. <em>/volume</em></li>
<li><strong>Bucket</strong> - An Ozone bucket. e.g. <em>/volume/bucket</em></li>
<li><strong>Key</strong> - An object key or an object. e.g. <em>/volume/bucket/key</em></li>
<li><strong>Prefix</strong> - A path prefix for a specific key. e.g. <em>/volume/bucket/prefix1/prefix2</em></li>
</ol>
<p>Where a <em>who</em> can be:</p>
<ol>
<li><strong>User</strong> - A user in the Kerberos domain. As in the POSIX world, a user
can be named or unnamed.</li>
<li><strong>Group</strong> - A group in the Kerberos domain. As in the POSIX world, a group
can be named or unnamed.</li>
<li><strong>World</strong> - All authenticated users in the Kerberos domain. This maps to
<em>others</em> in the POSIX domain.</li>
<li><strong>Anonymous</strong> - The user field is ignored completely. This is an extension to
the POSIX semantics and is needed for the S3 protocol, where we express that
we have no way of knowing who the user is, or do not care. Because the identity is not checked at all, any right granted to <em>Anonymous</em> is effectively granted to every requester, authenticated or not; grant it only deliberately and with the narrowest rights that the use case needs.</li>
</ol>
<div class="alert alert-success" role="alert">
An S3 user accessing Ozone via the AWS v4 signature protocol is translated
to the corresponding Kerberos user by the Ozone Manager, and ACLs are then evaluated for that Kerberos principal.
</div>
<p>Where a <em>right</em> can be:</p>
<ol>
<li><strong>Create</strong> – This ACL gives a user the ability to create buckets in a
volume and keys in a bucket. Please note: in Ozone, only admins can create volumes.</li>
<li><strong>List</strong> – This ACL allows listing of buckets and keys. It is attached
to a volume or bucket and allows listing of that object&rsquo;s child objects. Please note: a user and the admins can list the volumes owned by that user.</li>
<li><strong>Delete</strong> – Allows the user to delete a volume, bucket or key.</li>
<li><strong>Read</strong> – Allows the user to read the metadata of a Volume and Bucket and
data stream and metadata of a key.</li>
<li><strong>Write</strong> - Allows the user to write the metadata of a Volume and Bucket and
allows the user to overwrite an existing ozone key.</li>
<li><strong>Read_ACL</strong> – Allows a user to read the ACL on a specific object.</li>
<li><strong>Write_ACL</strong> – Allows a user to write the ACL on a specific object. Note that a user holding Write_ACL can add any right, including rights for other principals, to that object&rsquo;s ACL, so it should be treated as equivalent to full control of the object and granted accordingly.</li>
</ol>
<p>Where a <em>scope</em> can be:</p>
<ol>
<li><strong>ACCESS</strong> – Access ACL is applied only to the specific object and not inheritable. It controls the access to the object itself.</li>
<li><strong>DEFAULT</strong> - A Default ACL is applied to the specific object and is inherited by the object&rsquo;s descendants. Default ACLs cannot be set on keys (as there can be no objects under a key). <br>
<em>Note</em>: ACLs inherited from a parent&rsquo;s Default ACLs follow these rules, depending on the bucket layout:
<ul>
<li><strong>Legacy with EnableFileSystem or FSO</strong>: inherit the immediate parent&rsquo;s DEFAULT ACLs. If none, inherit the bucket DEFAULT ACLs.</li>
<li><strong>Legacy with DisableFileSystem or OBS</strong>: inherit the bucket DEFAULT ACLs.</li>
</ul>
</li>
</ol>
<h2 id="ozone-native-acl-apis">Ozone Native ACL APIs</h2>
<p>The ACLs can be manipulated by a set of APIs supported by Ozone. The APIs
supported are:</p>
<ol>
<li><strong>SetAcl</strong> – This API takes the user principal, the name and type
of the Ozone object, and a list of ACLs, and sets that list as the object&rsquo;s ACL. Because the whole list is set, existing entries that are not included in it are not retained; use AddAcl to append to the existing entries instead.</li>
<li><strong>GetAcl</strong> – This API will take the name and type of the ozone object
and will return a list of ACLs.</li>
<li><strong>AddAcl</strong> - This API will take the name, type of the ozone object, the
ACL, and add it to existing ACL entries of the ozone object.</li>
<li><strong>RemoveAcl</strong> - This API will take the name, type of the
ozone object and the ACL that has to be removed.</li>
</ol>
<h2 id="acl-manipulation-using-ozone-cli">ACL Manipulation Using Ozone CLI</h2>
<p>The ACLs can also be manipulated by using the <code>ozone sh</code> commands.<br>
Usage: <code>ozone sh &lt;object&gt; &lt;action&gt; [-a=&lt;value&gt;[,&lt;value&gt;...]] &lt;object-uri&gt;</code> <br>
<code>-a</code> is for the comma separated list of ACLs. It is required for all subcommands except <code>getacl</code>. <br>
<code>&lt;value&gt;</code> is of the form <strong><code>type:name:rights[scope]</code></strong>.<br>
<strong><em>type</em></strong> can be user, group, world or anonymous.<br>
<strong><em>name</em></strong> is the name of the user/group. For world and anonymous type, name should either be left empty or be WORLD or ANONYMOUS respectively. <br>
<strong><em>rights</em></strong> can be (read=r, write=w, delete=d, list=l, all=a, none=n, create=c, read_acl=x, write_acl=y). <code>a</code> grants every right listed here, including <code>write_acl</code>, so a principal given <code>a</code> can also change the object&rsquo;s ACL; prefer the narrowest set of rights that the principal actually needs.<br>
<strong><em>scope</em></strong> can be <strong>ACCESS</strong> or <strong>DEFAULT</strong>. If not specified, the default is <strong>ACCESS</strong>.<br></p>
<div class="alert alert-warning" role="alert">
When the object is a prefix, the object URI must contain the full path from the volume down to the directory or key prefix, e.g.
<br>
/volume/bucket/some/key/prefix/
<br>
Note: the trailing "/" is required.
</div>
<br>
The supported ACL actions are shown below.
<h3>setacl</h3>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">$ ozone sh bucket setacl -a user:testuser2:a /vol1/bucket1
ACLs set successfully.
$ ozone sh bucket setacl -a user:om:a,group:om:a /vol1/bucket2
ACLs set successfully.
$ ozone sh bucket setacl -a<span style="color:#f92672">=</span>anonymous::lr /vol1/bucket3
ACLs set successfully.
$ ozone sh bucket setacl -a world::a /vol1/bucket4
ACLs set successfully.
</code></pre></div><h3>getacl</h3>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">$ ozone sh bucket getacl /vol1/bucket2
<span style="color:#f92672">[</span> <span style="color:#f92672">{</span>
<span style="color:#e6db74">&#34;type&#34;</span> : <span style="color:#e6db74">&#34;USER&#34;</span>,
<span style="color:#e6db74">&#34;name&#34;</span> : <span style="color:#e6db74">&#34;om/om@EXAMPLE.COM&#34;</span>,
<span style="color:#e6db74">&#34;aclScope&#34;</span> : <span style="color:#e6db74">&#34;ACCESS&#34;</span>,
<span style="color:#e6db74">&#34;aclList&#34;</span> : <span style="color:#f92672">[</span> <span style="color:#e6db74">&#34;ALL&#34;</span> <span style="color:#f92672">]</span>
<span style="color:#f92672">}</span>, <span style="color:#f92672">{</span>
<span style="color:#e6db74">&#34;type&#34;</span> : <span style="color:#e6db74">&#34;GROUP&#34;</span>,
<span style="color:#e6db74">&#34;name&#34;</span> : <span style="color:#e6db74">&#34;om&#34;</span>,
<span style="color:#e6db74">&#34;aclScope&#34;</span> : <span style="color:#e6db74">&#34;ACCESS&#34;</span>,
<span style="color:#e6db74">&#34;aclList&#34;</span> : <span style="color:#f92672">[</span> <span style="color:#e6db74">&#34;ALL&#34;</span> <span style="color:#f92672">]</span>
<span style="color:#f92672">}</span> <span style="color:#f92672">]</span>
</code></pre></div><h3>addacl</h3>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">$ ozone sh bucket addacl -a user:testuser2:a /vol1/bucket2
ACL user:testuser2:a<span style="color:#f92672">[</span>ACCESS<span style="color:#f92672">]</span> added successfully.
$ ozone sh bucket addacl -a user:testuser:rxy<span style="color:#f92672">[</span>DEFAULT<span style="color:#f92672">]</span> /vol1/bucket2
ACL user:testuser:rxy<span style="color:#f92672">[</span>DEFAULT<span style="color:#f92672">]</span> added successfully.
$ ozone sh prefix addacl -a user:testuser2:a<span style="color:#f92672">[</span>DEFAULT<span style="color:#f92672">]</span> /vol1/buck3/dir1/
ACL user:testuser2:a<span style="color:#f92672">[</span>DEFAULT<span style="color:#f92672">]</span> added successfully.
</code></pre></div><h3>removeacl</h3>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">$ ozone sh bucket removeacl -a user:testuser:r<span style="color:#f92672">[</span>DEFAULT<span style="color:#f92672">]</span> /vol1/bucket2
ACL user:testuser:r<span style="color:#f92672">[</span>DEFAULT<span style="color:#f92672">]</span> removed successfully.
</code></pre></div>
</div>
</div>
</div>
</div>
</div>
<div class="push"></div>
</div>
</body>
</html>