Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HDDS-11656. Default native ACL limits to user and user's primary group #7455

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

HDDS-11656. Default native ACL limits to user and user's primary group #7455

wants to merge 1 commit into from
+108 −62

Conversation

ChenSammi
Copy link
Contributor

What changes were proposed in this pull request?

  1. Only create ACL for user's primary group, instead of create ACL for user's each group.
  2. change the default group ACL from "ALL" to "READ, LIST"
  3. use getShortUserName() instead of getUserName as ACL user name. getShortUserName() is used in OM to verify ACLs long time ago.

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-11656

How was this patch tested?

Existing unit tests and new tests.

@ChenSammi ChenSammi requested review from jojochuang and xichen01 and removed request for jojochuang November 20, 2024 02:49
@xichen01
Copy link
Contributor

Some suggestions for this feature.

  • Should we implement this on the server side too? In some scenarios, to update client side code is hard. To implement filter out the group ACL on the server side can easier to process some scenarios.

  • Maybe we also need to disable the key inherit ACL, including the group ACL from the parent Object (Bucket, Prefix), which may also have a lot of group ACLs.

  • If we disable the inheriting form Object ACL, then we need to implement to grant the user permissions on the key via bucket and/or prefix. thus we can control the key permissions on the bucket and prefix. But this should need a new Ozone Authorization Model implementation.

@ChenSammi
Copy link
Contributor Author

Some suggestions for this feature.

* Should we implement this on the server side too? In some scenarios, to update client side code is hard. To implement filter out the group ACL on the server side can easier to process some scenarios.

* Maybe we also need to disable the key inherit ACL, including the group ACL from the parent Object (Bucket, Prefix), which may also have a lot of group ACLs.

* If we disable the inheriting form Object ACL, then we need to implement to grant the user permissions on the key via bucket and/or prefix. thus we can control the key permissions on the bucket and prefix. But this should need a new Ozone Authorization Model implementation.

It's a good point to move it to server side. The default ACLs of volume/bucket/keys are all ACCESS type, which will be not inherited. So we don't need to worry about that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@xichen01 xichen01 Awaiting requested review from xichen01

@jojochuang jojochuang Awaiting requested review from jojochuang

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ChenSammi @xichen01