Permission models on Ozone
Ozone uses Access Control Lists (ACLs) to provide various access permissions to
users. To enable ACLs in ozone, you must set ozone.acl.enabled = true
.
Ozone supports two types of authorizers to set the access permissions: native authorizer and
Ranger authorizer.
Considerations for using the authorizers
You must be aware of specific considerations for using the different authorizers.
- You can configure Ozone to use any one of the authorizers, but not both at the same time.
- If using the Ranger authorizer for Ozone, the only way you can set or change policies is by using the Ranger user interface and the Ranger REST API. Ozone does not enable you to update ACLs using its CLI when managed by Ranger.
- Every volume has an owner, who has default permissions to all the entities within the volume. A volume can be created with another user as owner using a CLI flag. Ozone does not support bucket ownership.
- By default, the Ozone Manager service user om is the
cluster administrator, and the only user with global access to all the
volumes. The policy to provide the cluster administrator with the global
access to all the volumes is a part of the default policies available with
the Ozone-Ranger plug-in. Therefore, by default, only the
om user can list volumes at the root level of
ofs://
(== list all volumes
). You can add more users to this default Ozone policy in Ranger for admin access to Ozone.
Ranger authorizer
Cloudera recommends using the Ranger authorizer to manage access permissions for Ozone in CDP deployments. The Ozone-Ranger plug-in supports resources at the level of a volume or a bucket or a key, and the supported operations are similar to those of HDFS. You can use the Ozone-Ranger plug-in to configure policies at the level of a specific volume or a bucket or a key.