Posted to issues@ozone.apache.org by GitBox <gi...@apache.org> on 2020/07/15 13:28:29 UTC

[GitHub] [hadoop-ozone] ChenSammi commented on a change in pull request #1190: HDDS-2770. security/SecurityAcls.md

ChenSammi commented on a change in pull request #1190:
URL: https://github.com/apache/hadoop-ozone/pull/1190#discussion_r455041823



##########
File path: hadoop-hdds/docs/content/security/SecurityAcls.zh.md
##########
@@ -0,0 +1,66 @@
+---
+title: "Ozone 访问控制列表"
+date: "2019-April-03"
+weight: 6
+summary: Ozone 原生的授权模块提供了不需要集成 Ranger 的访问控制列表(ACL)支持。
+icon: transfer
+---
+<!---
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+
+Ozone 支持一系列原生 ACL,这些 ACL 可以单独用,也可以和 Ranger 协同使用。如果启用了 Apache Ranger,会先检查 Ranger 中的 ACL,再验证 Ozone 内部的 ACL。
+
+Ozone 的 ACL 是 Posix ACL 和 S3 ACL 的超集。
+
+ACL 的通用格式为 _对象_:_角色_:_权限_.
+
+_对象_ 可选的值包括:
+
+1. **卷** - 一个 Ozone 卷,比如 _/volume_
+2. **桶** - 一个 Ozone 桶,比如 _/volume/bucket_
+3. **键** - 一个对象键,比如 _/volume/bucket/key_
+4. **前缀** - 某个键的路径前缀,比如 _/volume/bucket/prefix1/prefix2_
+
+_角色_ 可选的值包括:
+
+1. **用户** - 一个 Kerberos 用户,和 Posix 用户一样,用户可以是已创建的也可以是未创建的。
+2. **组** - 一个 Kerberos 组,和 Posix 组一样,组可以是已创建的也可以是未创建的。
+3. **所有人** - 所有通过 Kerberos 认证的用户,这对应 Posix 标准中的其它用户。
+4. **匿名** - 完全忽略用户字段,这是对 Posix 语义的扩展,使用 S3 协议时会用到,用于表达无法获取用户的身份或者不在乎用户的身份。
+
+<div class="alert alert-success" role="alert">
+  S3 用户通过 AWS v4 签名协议访问 Ozone 时,OM 会将其转化为对应的用户。
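
Review bot: The first body sentence, `如果启用了 Apache Ranger,会先检查 Ranger 中的 ACL,再验证 Ozone 内部的 ACL。`, gives the order of the two checks but not the result when they disagree, which is what an operator needs in order to reason about effective permissions. Suggest stating explicitly whether a request has to pass both checks or whether the Ranger decision is final, so that the page cannot be read either way.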

Review comment:
       “Kerberos” is missing.

##########
File path: hadoop-hdds/docs/content/security/SecurityAcls.zh.md
##########
@@ -0,0 +1,66 @@
+---
+title: "Ozone 访问控制列表"
+date: "2019-April-03"
+weight: 6
+summary: Ozone 原生的授权模块提供了不需要集成 Ranger 的访问控制列表(ACL)支持。
+icon: transfer
+---
+<!---
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+
+Ozone 支持一系列原生 ACL,这些 ACL 可以单独用,也可以和 Ranger 协同使用。如果启用了 Apache Ranger,会先检查 Ranger 中的 ACL,再验证 Ozone 内部的 ACL。
+
+Ozone 的 ACL 是 Posix ACL 和 S3 ACL 的超集。
+
+ACL 的通用格式为 _对象_:_角色_:_权限_.
+
+_对象_ 可选的值包括:
+
+1. **卷** - 一个 Ozone 卷,比如 _/volume_
+2. **桶** - 一个 Ozone 桶,比如 _/volume/bucket_
+3. **键** - 一个对象键,比如 _/volume/bucket/key_
+4. **前缀** - 某个键的路径前缀,比如 _/volume/bucket/prefix1/prefix2_
+
+_角色_ 可选的值包括:
+
+1. **用户** - 一个 Kerberos 用户,和 Posix 用户一样,用户可以是已创建的也可以是未创建的。
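
Review bot: Punctuation and casing are inconsistent in the lines leading up to the **用户** item: the format line `ACL 的通用格式为 _对象_:_角色_:_权限_.` ends with a half-width `.` while the other sentences end with `。`, and `Posix` is normally written `POSIX`. Suggest using `。` on the format line and `POSIX` throughout, and giving the four _对象_ list items the same closing punctuation as the _角色_ items.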

Review comment:
       "named and unnamed" -> "命名的和未命名的"
   
   Same suggestion for the group statement.



