Working with Ozone ACLs

Ozone supports native Access Control Lists (ACLs) that can be used independently or with Apache Ranger. If Ranger authorisation is enabled, the native ACLs are not evaluated.

Format of an Ozone ACL

Ozone ACLs are a superset of the POSIX and S3 ACL models. The format of an ACL is object:who:rights.

object
In an ACL, an object can be the following:
  • Volume: An Ozone volume. For example, /volume1.
  • Bucket: An Ozone bucket. For example, /volume1/bucket1.
  • Key: An object key or an object. For example, /volume1/bucket1/key1.
  • Prefix: A path prefix for a specific key. For example, /volume1/bucket1/prefix1/prefix2.
who
In an ACL, a who can be the following:
  • User: A user in the Kerberos domain. The user can be named or unnamed.
  • Group: A group in the Kerberos domain. The group can be named or unnamed.
  • World: All authenticated users in the Kerberos domain. This maps to others in the POSIX domain.
  • Anonymous: Indicates that the user field should be completely ignored. This value is required for the S3 protocol to indicate anonymous users.
right
In an ACL, a right can be the following:
  • Create: Create buckets in a volume and keys in a bucket.
  • List: List buckets and keys. This right is attached to volumes and buckets and allows listing of their child objects.
  • Delete: Delete a volume, a bucket, or a key.
  • Read: Read the metadata of a volume or a bucket, and read the data stream and metadata of a key.
  • Write: Write the metadata of a volume or a bucket, and overwrite an existing key.
  • Read_ACL: Read the ACL on a specific object.
  • Write_ACL: Write the ACL on a specific object.
  • ALL: Grants every right listed above.
  • NONE: Grants no rights.

APIs for working with an Ozone ACL

Ozone supports a set of APIs for working with the ACLs. The APIs are as follows:
  • SetAcl: Accepts the user principal, the name and type of an Ozone object, and a list of ACLs.
  • GetAcl: Accepts the name and type of an Ozone object and returns the corresponding ACLs.
  • AddAcl: Accepts the name and type of the Ozone object, and the ACL to add.
  • RemoveAcl: Accepts the name and type of the Ozone object, and the ACL to remove.
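The following is an added example, not code from the Ozone project, that puts the two preceding sections together: it parses ACL entries in the who:name:rights shape described above (with ALL and NONE handled as described), keeps them per volume/bucket/key/prefix, and offers SetAcl, GetAcl, AddAcl and RemoveAcl operations plus a default-deny check. The string encoding (e.g. user:alice:READ,WRITE), the replace-on-set semantics, and the evaluation rules in check() are assumptions made for this illustration, not Ozone's native authoriser.

```python
"""Added example: a simplified in-memory model of Ozone-style ACLs.
Not Ozone's implementation; the encoding and evaluation rules are assumed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

OBJECT_TYPES = {"volume", "bucket", "key", "prefix"}
WHO_TYPES = {"user", "group", "world", "anonymous"}
RIGHTS = frozenset({"create", "list", "delete", "read", "write",
                    "read_acl", "write_acl"})


@dataclass(frozen=True)
class Acl:
    who_type: str
    who_name: str          # empty for world and anonymous entries
    rights: frozenset      # concrete rights; ALL is expanded, NONE is empty


def parse_acl(text: str) -> Acl:
    """Parse 'who_type:who_name:RIGHT[,RIGHT...]' (constructed encoding,
    e.g. 'user:alice:READ,WRITE' or 'group:analysts:ALL'). Unknown who
    types or rights are rejected rather than silently ignored."""
    parts = text.split(":")
    if len(parts) != 3:
        raise ValueError(f"expected who_type:who_name:rights, got {text!r}")
    who_type = parts[0].strip().lower()
    who_name = parts[1].strip()
    rights_text = parts[2].strip().lower()
    if who_type not in WHO_TYPES:
        raise ValueError(f"unknown who type {who_type!r}")
    if who_type in ("world", "anonymous"):
        who_name = ""                  # the name field is ignored here
    elif not who_name:
        raise ValueError(f"{who_type} entry needs a name")
    tokens = {t.strip() for t in rights_text.split(",") if t.strip()}
    if tokens == {"all"}:
        rights = RIGHTS
    elif tokens == {"none"}:
        rights = frozenset()
    elif tokens and tokens <= RIGHTS:   # ALL/NONE cannot be mixed with others
        rights = frozenset(tokens)
    else:
        raise ValueError(f"invalid rights {rights_text!r}")
    return Acl(who_type, who_name, rights)


class AclStore:
    """In-memory ACL table keyed by (object type, object name)."""

    def __init__(self) -> None:
        self._acls: Dict[Tuple[str, str], List[Acl]] = {}

    @staticmethod
    def _key(obj_type: str, obj_name: str) -> Tuple[str, str]:
        obj_type = obj_type.lower()
        if obj_type not in OBJECT_TYPES:
            raise ValueError(f"unknown object type {obj_type!r}")
        if not obj_name.startswith("/"):
            raise ValueError("object names are absolute paths such as /volume1")
        return obj_type, obj_name

    def set_acl(self, obj_type: str, obj_name: str, acls: Iterable[Acl]) -> None:
        # SetAcl: replaces the whole list for the object (assumed semantics)
        self._acls[self._key(obj_type, obj_name)] = list(acls)

    def get_acl(self, obj_type: str, obj_name: str) -> List[Acl]:
        return list(self._acls.get(self._key(obj_type, obj_name), []))

    def add_acl(self, obj_type: str, obj_name: str, acl: Acl) -> bool:
        entries = self._acls.setdefault(self._key(obj_type, obj_name), [])
        if acl in entries:
            return False                   # already present, nothing to do
        entries.append(acl)
        return True

    def remove_acl(self, obj_type: str, obj_name: str, acl: Acl) -> bool:
        entries = self._acls.get(self._key(obj_type, obj_name), [])
        if acl not in entries:
            return False
        entries.remove(acl)
        return True

    def check(self, obj_type: str, obj_name: str, principal: str,
              groups: Set[str], right: str, authenticated: bool = True) -> bool:
        """Default-deny evaluation (assumed rules): an entry applies if it
        names the principal, one of the principal's groups, any authenticated
        caller (world) or any caller at all (anonymous)."""
        right = right.lower()
        if right not in RIGHTS:
            raise ValueError(f"unknown right {right!r}")
        for acl in self.get_acl(obj_type, obj_name):
            applies = (
                (acl.who_type == "user" and acl.who_name == principal)
                or (acl.who_type == "group" and acl.who_name in groups)
                or (acl.who_type == "world" and authenticated)
                or acl.who_type == "anonymous"
            )
            if applies and right in acl.rights:
                return True
        return False
```

Two points worth noticing when reading the model: check() is default-deny, so an object with no entries, or a caller matched by no entry, gets nothing; and a world entry only applies to authenticated callers, which is the distinction between World and Anonymous the page draws.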