Posted to issues@ozone.apache.org by GitBox <gi...@apache.org> on 2020/07/16 01:41:00 UTC

[GitHub] [hadoop-ozone] iamabug commented on a change in pull request #1190: HDDS-2770. security/SecurityAcls.md

iamabug commented on a change in pull request #1190:
URL: https://github.com/apache/hadoop-ozone/pull/1190#discussion_r455459623



##########
File path: hadoop-hdds/docs/content/security/SecurityAcls.zh.md
##########
@@ -0,0 +1,66 @@
+---
+title: "Ozone 访问控制列表"
+date: "2019-April-03"
+weight: 6
+summary: Ozone 原生的授权模块提供了不需要集成 Ranger 的访问控制列表(ACL)支持。
+icon: transfer
+---
+<!---
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+
+Ozone 支持一系列原生 ACL,这些 ACL 可以单独用,也可以和 Ranger 协同使用。如果启用了 Apache Ranger,会先检查 Ranger 中的 ACL,再验证 Ozone 内部的 ACL。
+
+Ozone 的 ACL 是 Posix ACL 和 S3 ACL 的超集。
+
+ACL 的通用格式为 _对象_:_角色_:_权限_.
+
+_对象_ 可选的值包括:
+
+1. **卷** - 一个 Ozone 卷,比如 _/volume_
+2. **桶** - 一个 Ozone 桶,比如 _/volume/bucket_
+3. **键** - 一个对象键,比如 _/volume/bucket/key_
+4. **前缀** - 某个键的路径前缀,比如 _/volume/bucket/prefix1/prefix2_
+
+_角色_ 可选的值包括:
+
+1. **用户** - 一个 Kerberos 用户,和 Posix 用户一样,用户可以是已创建的也可以是未创建的。
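Review bot: the 用户 entry renders the source's "named"/unnamed distinction as 已创建的/未创建的 (created/not created), which is a guess at the meaning rather than a translation, and the thread below says the author is unsure what 命名 means here. Until the meaning is confirmed, keep wording that does not commit to an interpretation, e.g. translate "named" literally and leave the creation question out; otherwise the Chinese page could state an ACL semantics the English page does not. Minor: the format line ends with an ASCII period after a Chinese sentence (_对象_:_角色_:_权限_.); the other lines use Chinese punctuation, so use 。 there for consistency.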

Review comment:
Thanks for the suggestion. But I am not sure what "命名" actually means in this context.
I am guessing that "named" probably means the user or group is created. And an ACL operation can be done before the roles are actually created.



