You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@ozone.apache.org by GitBox <gi...@apache.org> on 2020/07/10 08:24:13 UTC

[GitHub] [hadoop-ozone] iamabug opened a new pull request #1190: HDDS-2770. security/SecurityAcls.md

iamabug opened a new pull request #1190:
URL: https://github.com/apache/hadoop-ozone/pull/1190


   ## What changes were proposed in this pull request?
   
   translation to https://hadoop.apache.org/ozone/docs/0.5.0-beta/security/securityacls.html
   
   ## What is the link to the Apache JIRA
   
   https://issues.apache.org/jira/browse/HDDS-2770
   
   ## How was this patch tested?
   
   hugo server 
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: ozone-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: ozone-issues-help@hadoop.apache.org

[GitHub] [hadoop-ozone] xiaoyuyao commented on a change in pull request #1190: HDDS-2770. security/SecurityAcls.md

Posted by GitBox <gi...@apache.org>.

xiaoyuyao commented on a change in pull request #1190:
URL: https://github.com/apache/hadoop-ozone/pull/1190#discussion_r456156802



##########
File path: hadoop-hdds/docs/content/security/SecurityAcls.zh.md
##########
@@ -0,0 +1,66 @@
+---
+title: "Ozone 访问控制列表"
+date: "2019-April-03"
+weight: 6
+summary: Ozone 原生的授权模块提供了不需要集成 Ranger 的访问控制列表（ACL）支持。
+icon: transfer
+---
+<!---
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+
+Ozone 支持一系列原生 ACL，这些 ACL 可以单独用，也可以和 Ranger 协同使用。如果启用了 Apache Ranger，会先检查 Ranger 中的 ACL，再验证 Ozone 内部的 ACL。
+
+Ozone 的 ACL 是 Posix ACL 和 S3 ACL 的超集。
+
+ACL 的通用格式为 _对象_:_角色_:_权限_.
+
+_对象_ 可选的值包括：
+
+1. **卷** - 一个 Ozone 卷，比如 _/volume_
+2. **桶** - 一个 Ozone 桶，比如 _/volume/bucket_
+3. **键** - 一个对象键，比如 _/volume/bucket/key_
+4. **前缀** - 某个键的路径前缀，比如 _/volume/bucket/prefix1/prefix2_
+
+_角色_ 可选的值包括:
+
+1. **用户** - 一个 Kerberos 用户，和 Posix 用户一样，用户可以是已创建的也可以是未创建的。

Review comment:
       I think it means user/group may or may not have been created in OS/LDAP at the time when you assign them to ozone acl. 




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: ozone-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: ozone-issues-help@hadoop.apache.org

[GitHub] [hadoop-ozone] ChenSammi commented on a change in pull request #1190: HDDS-2770. security/SecurityAcls.md

Posted by GitBox <gi...@apache.org>.

ChenSammi commented on a change in pull request #1190:
URL: https://github.com/apache/hadoop-ozone/pull/1190#discussion_r455041823



##########
File path: hadoop-hdds/docs/content/security/SecurityAcls.zh.md
##########
@@ -0,0 +1,66 @@
+---
+title: "Ozone 访问控制列表"
+date: "2019-April-03"
+weight: 6
+summary: Ozone 原生的授权模块提供了不需要集成 Ranger 的访问控制列表（ACL）支持。
+icon: transfer
+---
+<!---
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+
+Ozone 支持一系列原生 ACL，这些 ACL 可以单独用，也可以和 Ranger 协同使用。如果启用了 Apache Ranger，会先检查 Ranger 中的 ACL，再验证 Ozone 内部的 ACL。
+
+Ozone 的 ACL 是 Posix ACL 和 S3 ACL 的超集。
+
+ACL 的通用格式为 _对象_:_角色_:_权限_.
+
+_对象_ 可选的值包括：
+
+1. **卷** - 一个 Ozone 卷，比如 _/volume_
+2. **桶** - 一个 Ozone 桶，比如 _/volume/bucket_
+3. **键** - 一个对象键，比如 _/volume/bucket/key_
+4. **前缀** - 某个键的路径前缀，比如 _/volume/bucket/prefix1/prefix2_
+
+_角色_ 可选的值包括:
+
+1. **用户** - 一个 Kerberos 用户，和 Posix 用户一样，用户可以是已创建的也可以是未创建的。
+2. **组** - 一个 Kerberos 组，和 Posix 组一样，组可以是已创建的也可以是未创建的。
+3. **所有人** - 所有通过 Kerberos 认证的用户，这对应 Posix 标准中的其它用户。
+4. **匿名** - 完全忽略用户字段，这是对 Posix 语义的扩展，使用 S3 协议时会用到，用于表达无法获取用户的身份或者不在乎用户的身份。
+
+<div class="alert alert-success" role="alert">
+  S3 用户通过 AWS v4 签名协议访问 Ozone 时，OM 会将其转化为对应的用户。

Review comment:
       “Kerberos” is missing.

##########
File path: hadoop-hdds/docs/content/security/SecurityAcls.zh.md
##########
@@ -0,0 +1,66 @@
+---
+title: "Ozone 访问控制列表"
+date: "2019-April-03"
+weight: 6
+summary: Ozone 原生的授权模块提供了不需要集成 Ranger 的访问控制列表（ACL）支持。
+icon: transfer
+---
+<!---
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+
+Ozone 支持一系列原生 ACL，这些 ACL 可以单独用，也可以和 Ranger 协同使用。如果启用了 Apache Ranger，会先检查 Ranger 中的 ACL，再验证 Ozone 内部的 ACL。
+
+Ozone 的 ACL 是 Posix ACL 和 S3 ACL 的超集。
+
+ACL 的通用格式为 _对象_:_角色_:_权限_.
+
+_对象_ 可选的值包括：
+
+1. **卷** - 一个 Ozone 卷，比如 _/volume_
+2. **桶** - 一个 Ozone 桶，比如 _/volume/bucket_
+3. **键** - 一个对象键，比如 _/volume/bucket/key_
+4. **前缀** - 某个键的路径前缀，比如 _/volume/bucket/prefix1/prefix2_
+
+_角色_ 可选的值包括:
+
+1. **用户** - 一个 Kerberos 用户，和 Posix 用户一样，用户可以是已创建的也可以是未创建的。

Review comment:
       “named and unnamed”-> "命名的和未命名的“
   
   Same suggestion to group statement.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: ozone-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: ozone-issues-help@hadoop.apache.org

[GitHub] [hadoop-ozone] cxorm commented on a change in pull request #1190: HDDS-2770. security/SecurityAcls.md

Posted by GitBox <gi...@apache.org>.

cxorm commented on a change in pull request #1190:
URL: https://github.com/apache/hadoop-ozone/pull/1190#discussion_r454834249



##########
File path: hadoop-hdds/docs/content/security/SecurityAcls.zh.md
##########
@@ -0,0 +1,66 @@
+---
+title: "Ozone 访问控制列表"
+date: "2019-April-03"
+weight: 6
+summary: Ozone 原生的授权模块提供了不需要集成 Ranger 的访问控制列表（ACL）支持。
+icon: transfer
+---
+<!---
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+
+Ozone 支持一系列原生 ACL，这些 ACL 可以单独用，也可以和 Ranger 协同使用。如果启用了 Apache Ranger，会先检查 Ranger 中的 ACL，再验证 Ozone 内部的 ACL。
+
+Ozone 的 ACL 是 Posix ACL 和 S3 ACL 的超集。
+
+ACL 的通用格式为 _对象_:_角色_:_权限_.
+
+_对象_ 可选的值包括：
+
+1. **卷** - 一个 Ozone 卷，比如 _/volume_
+2. **桶** - 一个 Ozone 桶，比如 _/volume/bucket_
+3. **键** - 一个对象键，比如 _/volume/bucket/key_

Review comment:
       According the description in [official-site](https://hadoop.apache.org/ozone/docs/0.5.0-beta/security/securityacls.html) here we should use "一个对象键或一个对象" IMHO.
   
   But I think the translation is fine here.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: ozone-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: ozone-issues-help@hadoop.apache.org

[GitHub] [hadoop-ozone] ChenSammi commented on pull request #1190: HDDS-2770. security/SecurityAcls.md

Posted by GitBox <gi...@apache.org>.

ChenSammi commented on pull request #1190:
URL: https://github.com/apache/hadoop-ozone/pull/1190#issuecomment-662433509


   Thanks @iamabug for the contribution.  Thanks @xiaoyuyao and @cxorm for the review.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: ozone-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: ozone-issues-help@hadoop.apache.org

[GitHub] [hadoop-ozone] ChenSammi merged pull request #1190: HDDS-2770. security/SecurityAcls.md

Posted by GitBox <gi...@apache.org>.

ChenSammi merged pull request #1190:
URL: https://github.com/apache/hadoop-ozone/pull/1190


   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: ozone-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: ozone-issues-help@hadoop.apache.org

[GitHub] [hadoop-ozone] ChenSammi commented on pull request #1190: HDDS-2770. security/SecurityAcls.md

Posted by GitBox <gi...@apache.org>.

ChenSammi commented on pull request #1190:
URL: https://github.com/apache/hadoop-ozone/pull/1190#issuecomment-662261140


   Hi  @iamabug , would you help to upload a new patch to address Xiaoyu's comments? 


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: ozone-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: ozone-issues-help@hadoop.apache.org

[GitHub] [hadoop-ozone] iamabug commented on a change in pull request #1190: HDDS-2770. security/SecurityAcls.md

Posted by GitBox <gi...@apache.org>.

iamabug commented on a change in pull request #1190:
URL: https://github.com/apache/hadoop-ozone/pull/1190#discussion_r455459623



##########
File path: hadoop-hdds/docs/content/security/SecurityAcls.zh.md
##########
@@ -0,0 +1,66 @@
+---
+title: "Ozone 访问控制列表"
+date: "2019-April-03"
+weight: 6
+summary: Ozone 原生的授权模块提供了不需要集成 Ranger 的访问控制列表（ACL）支持。
+icon: transfer
+---
+<!---
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+
+Ozone 支持一系列原生 ACL，这些 ACL 可以单独用，也可以和 Ranger 协同使用。如果启用了 Apache Ranger，会先检查 Ranger 中的 ACL，再验证 Ozone 内部的 ACL。
+
+Ozone 的 ACL 是 Posix ACL 和 S3 ACL 的超集。
+
+ACL 的通用格式为 _对象_:_角色_:_权限_.
+
+_对象_ 可选的值包括：
+
+1. **卷** - 一个 Ozone 卷，比如 _/volume_
+2. **桶** - 一个 Ozone 桶，比如 _/volume/bucket_
+3. **键** - 一个对象键，比如 _/volume/bucket/key_
+4. **前缀** - 某个键的路径前缀，比如 _/volume/bucket/prefix1/prefix2_
+
+_角色_ 可选的值包括:
+
+1. **用户** - 一个 Kerberos 用户，和 Posix 用户一样，用户可以是已创建的也可以是未创建的。

Review comment:
       Thanks for the suggestion. But I am not sure what "命名" actually means in this context.
   I am guessing that "named" probably means the user or group is created. And ACL operation can be done before users and groups are actually created




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: ozone-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: ozone-issues-help@hadoop.apache.org

[GitHub] [hadoop-ozone] iamabug commented on a change in pull request #1190: HDDS-2770. security/SecurityAcls.md

Posted by GitBox <gi...@apache.org>.

iamabug commented on a change in pull request #1190:
URL: https://github.com/apache/hadoop-ozone/pull/1190#discussion_r455460136



##########
File path: hadoop-hdds/docs/content/security/SecurityAcls.zh.md
##########
@@ -0,0 +1,66 @@
+---
+title: "Ozone 访问控制列表"
+date: "2019-April-03"
+weight: 6
+summary: Ozone 原生的授权模块提供了不需要集成 Ranger 的访问控制列表（ACL）支持。
+icon: transfer
+---
+<!---
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+
+Ozone 支持一系列原生 ACL，这些 ACL 可以单独用，也可以和 Ranger 协同使用。如果启用了 Apache Ranger，会先检查 Ranger 中的 ACL，再验证 Ozone 内部的 ACL。
+
+Ozone 的 ACL 是 Posix ACL 和 S3 ACL 的超集。
+
+ACL 的通用格式为 _对象_:_角色_:_权限_.
+
+_对象_ 可选的值包括：
+
+1. **卷** - 一个 Ozone 卷，比如 _/volume_
+2. **桶** - 一个 Ozone 桶，比如 _/volume/bucket_
+3. **键** - 一个对象键，比如 _/volume/bucket/key_
+4. **前缀** - 某个键的路径前缀，比如 _/volume/bucket/prefix1/prefix2_
+
+_角色_ 可选的值包括:
+
+1. **用户** - 一个 Kerberos 用户，和 Posix 用户一样，用户可以是已创建的也可以是未创建的。
+2. **组** - 一个 Kerberos 组，和 Posix 组一样，组可以是已创建的也可以是未创建的。
+3. **所有人** - 所有通过 Kerberos 认证的用户，这对应 Posix 标准中的其它用户。
+4. **匿名** - 完全忽略用户字段，这是对 Posix 语义的扩展，使用 S3 协议时会用到，用于表达无法获取用户的身份或者不在乎用户的身份。
+
+<div class="alert alert-success" role="alert">
+  S3 用户通过 AWS v4 签名协议访问 Ozone 时，OM 会将其转化为对应的用户。

Review comment:
       Fixed, thanks.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: ozone-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: ozone-issues-help@hadoop.apache.org

[GitHub] [hadoop-ozone] cxorm commented on pull request #1190: HDDS-2770. security/SecurityAcls.md

Posted by GitBox <gi...@apache.org>.

cxorm commented on pull request #1190:
URL: https://github.com/apache/hadoop-ozone/pull/1190#issuecomment-662384975


   LGTM +1.
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: ozone-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: ozone-issues-help@hadoop.apache.org

[GitHub] [hadoop-ozone] iamabug commented on a change in pull request #1190: HDDS-2770. security/SecurityAcls.md

Posted by GitBox <gi...@apache.org>.

iamabug commented on a change in pull request #1190:
URL: https://github.com/apache/hadoop-ozone/pull/1190#discussion_r455459623



##########
File path: hadoop-hdds/docs/content/security/SecurityAcls.zh.md
##########
@@ -0,0 +1,66 @@
+---
+title: "Ozone 访问控制列表"
+date: "2019-April-03"
+weight: 6
+summary: Ozone 原生的授权模块提供了不需要集成 Ranger 的访问控制列表（ACL）支持。
+icon: transfer
+---
+<!---
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+
+Ozone 支持一系列原生 ACL，这些 ACL 可以单独用，也可以和 Ranger 协同使用。如果启用了 Apache Ranger，会先检查 Ranger 中的 ACL，再验证 Ozone 内部的 ACL。
+
+Ozone 的 ACL 是 Posix ACL 和 S3 ACL 的超集。
+
+ACL 的通用格式为 _对象_:_角色_:_权限_.
+
+_对象_ 可选的值包括：
+
+1. **卷** - 一个 Ozone 卷，比如 _/volume_
+2. **桶** - 一个 Ozone 桶，比如 _/volume/bucket_
+3. **键** - 一个对象键，比如 _/volume/bucket/key_
+4. **前缀** - 某个键的路径前缀，比如 _/volume/bucket/prefix1/prefix2_
+
+_角色_ 可选的值包括:
+
+1. **用户** - 一个 Kerberos 用户，和 Posix 用户一样，用户可以是已创建的也可以是未创建的。

Review comment:
       Thanks for the suggestion. But I am not sure what "命名" actually means in this context.
   I am guessing that "named" probably means the user or group is created. And ACL operation can be done before the roles are actually created




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: ozone-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: ozone-issues-help@hadoop.apache.org

[GitHub] [hadoop-ozone] iamabug commented on pull request #1190: HDDS-2770. security/SecurityAcls.md

Posted by GitBox <gi...@apache.org>.

iamabug commented on pull request #1190:
URL: https://github.com/apache/hadoop-ozone/pull/1190#issuecomment-662306306


   > Hi @iamabug , would you help to upload a new patch to address Xiaoyu's comments?
   
   Sorry for taking so long, I just uploaded a new patch.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: ozone-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: ozone-issues-help@hadoop.apache.org

[GitHub] [hadoop-ozone] ChenSammi commented on a change in pull request #1190: HDDS-2770. security/SecurityAcls.md

Posted by GitBox <gi...@apache.org>.

ChenSammi commented on a change in pull request #1190:
URL: https://github.com/apache/hadoop-ozone/pull/1190#discussion_r455581216



##########
File path: hadoop-hdds/docs/content/security/SecurityAcls.zh.md
##########
@@ -0,0 +1,66 @@
+---
+title: "Ozone 访问控制列表"
+date: "2019-April-03"
+weight: 6
+summary: Ozone 原生的授权模块提供了不需要集成 Ranger 的访问控制列表（ACL）支持。
+icon: transfer
+---
+<!---
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+
+Ozone 支持一系列原生 ACL，这些 ACL 可以单独用，也可以和 Ranger 协同使用。如果启用了 Apache Ranger，会先检查 Ranger 中的 ACL，再验证 Ozone 内部的 ACL。
+
+Ozone 的 ACL 是 Posix ACL 和 S3 ACL 的超集。
+
+ACL 的通用格式为 _对象_:_角色_:_权限_.
+
+_对象_ 可选的值包括：
+
+1. **卷** - 一个 Ozone 卷，比如 _/volume_
+2. **桶** - 一个 Ozone 桶，比如 _/volume/bucket_
+3. **键** - 一个对象键，比如 _/volume/bucket/key_
+4. **前缀** - 某个键的路径前缀，比如 _/volume/bucket/prefix1/prefix2_
+
+_角色_ 可选的值包括:
+
+1. **用户** - 一个 Kerberos 用户，和 Posix 用户一样，用户可以是已创建的也可以是未创建的。

Review comment:
       @xiaoyuyao ,  actually I'm curious about how this unnamed user/group are used in ACL. 




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: ozone-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: ozone-issues-help@hadoop.apache.org

[GitHub] [hadoop-ozone] xiaoyuyao commented on a change in pull request #1190: HDDS-2770. security/SecurityAcls.md

Posted by GitBox <gi...@apache.org>.

xiaoyuyao commented on a change in pull request #1190:
URL: https://github.com/apache/hadoop-ozone/pull/1190#discussion_r456156398



##########
File path: hadoop-hdds/docs/content/security/SecurityAcls.zh.md
##########
@@ -0,0 +1,66 @@
+---
+title: "Ozone 访问控制列表"
+date: "2019-April-03"
+weight: 6
+summary: Ozone 原生的授权模块提供了不需要集成 Ranger 的访问控制列表（ACL）支持。
+icon: transfer
+---
+<!---
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+
+Ozone 支持一系列原生 ACL，这些 ACL 可以单独用，也可以和 Ranger 协同使用。如果启用了 Apache Ranger，会先检查 Ranger 中的 ACL，再验证 Ozone 内部的 ACL。

Review comment:
       This is not correct in EN doc. "这些 ACL 可以单独用，也可以和 Ranger 协同使用。如果启用了 Apache Ranger，会先检查 Ranger 中的 ACL，再验证 Ozone 内部的 ACL。"
   
   "These ACLs can be used independently or
   along with Ranger. If Apache Ranger is enabled, then ACL will be checked
   first with Ranger and then Ozone's internal ACLs will be evaluated."
   =>
   "These ACLs can be used independently of ozone ACL plugin such as Ranger. If Apache Ranger plugin for Ozone is enabled, then ACL will be checked with Ranger."




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: ozone-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: ozone-issues-help@hadoop.apache.org

[GitHub] [hadoop-ozone] ChenSammi commented on a change in pull request #1190: HDDS-2770. security/SecurityAcls.md

Posted by GitBox <gi...@apache.org>.

ChenSammi commented on a change in pull request #1190:
URL: https://github.com/apache/hadoop-ozone/pull/1190#discussion_r456203522



##########
File path: hadoop-hdds/docs/content/security/SecurityAcls.zh.md
##########
@@ -0,0 +1,66 @@
+---
+title: "Ozone 访问控制列表"
+date: "2019-April-03"
+weight: 6
+summary: Ozone 原生的授权模块提供了不需要集成 Ranger 的访问控制列表（ACL）支持。
+icon: transfer
+---
+<!---
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+
+Ozone 支持一系列原生 ACL，这些 ACL 可以单独用，也可以和 Ranger 协同使用。如果启用了 Apache Ranger，会先检查 Ranger 中的 ACL，再验证 Ozone 内部的 ACL。
+
+Ozone 的 ACL 是 Posix ACL 和 S3 ACL 的超集。
+
+ACL 的通用格式为 _对象_:_角色_:_权限_.
+
+_对象_ 可选的值包括：
+
+1. **卷** - 一个 Ozone 卷，比如 _/volume_
+2. **桶** - 一个 Ozone 桶，比如 _/volume/bucket_
+3. **键** - 一个对象键，比如 _/volume/bucket/key_
+4. **前缀** - 某个键的路径前缀，比如 _/volume/bucket/prefix1/prefix2_
+
+_角色_ 可选的值包括:
+
+1. **用户** - 一个 Kerberos 用户，和 Posix 用户一样，用户可以是已创建的也可以是未创建的。

Review comment:
       I see. Thanks @xiaoyuyao for the explanation.  Then Xiang's translation is more accurate. 




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: ozone-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: ozone-issues-help@hadoop.apache.org

[GitHub] [hadoop-ozone] cxorm commented on a change in pull request #1190: HDDS-2770. security/SecurityAcls.md

Posted by GitBox <gi...@apache.org>.

cxorm commented on a change in pull request #1190:
URL: https://github.com/apache/hadoop-ozone/pull/1190#discussion_r458704739



##########
File path: hadoop-hdds/docs/content/security/SecurityAcls.zh.md
##########
@@ -0,0 +1,66 @@
+---
+title: "Ozone 访问控制列表"
+date: "2019-April-03"
+weight: 6
+summary: Ozone 原生的授权模块提供了不需要集成 Ranger 的访问控制列表（ACL）支持。
+icon: transfer
+---
+<!---
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+
+Ozone 支持一系列原生 ACL，这些 ACL 可以单独用，也可以和 Ranger 协同使用。如果启用了 Apache Ranger，会先检查 Ranger 中的 ACL，再验证 Ozone 内部的 ACL。

Review comment:
       Thanks @xiaoyuyao for the correct.
   
   The EN doc is updated in this PR as well as the Chinese doc.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: ozone-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: ozone-issues-help@hadoop.apache.org