Permission models on Ozone

Ozone uses Access Control Lists (ACLs) to provide various access permissions to users. To enable ACLs in ozone, you must set ozone.acl.enabled = true. Ozone supports two types of authorizers to set the access permissions: native authorizer and Ranger authorizer.

Considerations for using the authorizers

You must be aware of specific considerations for using the different authorizers.
  • You can configure Ozone to use any one of the authorizers, but not both at the same time.
  • If using the Ranger authorizer for Ozone, the only way you can set or change policies is by using the Ranger user interface and the Ranger REST API. Ozone does not enable you to update ACLs using its CLI when managed by Ranger.
  • Every volume has an owner, who has default permissions to all the entities within the volume. A volume can be created with another user as owner using a CLI flag. Ozone does not support bucket ownership.
  • By default, the Ozone Manager service user om is the cluster administrator, and the only user with global access to all the volumes. The policy to provide the cluster administrator with the global access to all the volumes is a part of the default policies available with the Ozone-Ranger plug-in. Therefore, by default, only the om user can list volumes at the root level of ofs:// ( == list all volumes). You can add more users to this default Ozone policy in Ranger for admin access to Ozone.

Ranger authorizer

Cloudera recommends using the Ranger authorizer to manage access permissions for Ozone in CDP deployments. The Ozone-Ranger plug-in supports resources at the level of a volume or a bucket or a key, and the supported operations are similar to those of HDFS. You can use the Ozone-Ranger plug-in to configure policies at the level of a specific volume or a bucket or a key.