13 changes: 13 additions & 0 deletions hadoop-hdds/docs/content/security/SecurityAcls.md
Expand Up @@ -172,3 +172,16 @@ $ ozone sh bucket removeacl -a user:testuser:r[DEFAULT] /vol1/bucket2
ACL user:testuser:r[DEFAULT] removed successfully.
```

## Differences Between Ozone ACL and S3 ACL

Ozone ACLs and S3 ACLs differ primarily in their scope and support.

- **S3 ACLs**: Currently, only S3 Bucket ACL is implemented in Ozone (a beta feature). S3 Object ACL is not yet implemented. Any `PutObjectAcl` request will result in a `501: Not Implemented` response code.
- **Ozone ACLs**: Ozone ACLs provide a more comprehensive and flexible access control mechanism. They are designed to work seamlessly with Ozone's native architecture and support various rights and scopes as mentioned above.

## Ozone File System ACL API

- ACL-related APIs in Ozone file system implementation (`ofs` and `o3fs`), such as `getAclStatus`, `setAcl`, `modifyAclEntries`, `removeAclEntries`, `removeDefaultAcl`, and `removeAcl` are not supported. These operations will throw an UnsupportedOperationException.
Contributor


IIRC, currently it will return some instantly created ACL, instead of UnsupportedOperationException.

Contributor Author


Which one? https://github.com/apache/ozone/pull/8458/files
I added tests to confirm all throw UnsupportedOperationException.
The test doesn't include getAclStatus(), but from a quick look at BasicRootedOzoneFileSystem, it doesn't look like it's implemented, and the default FileSystem.getAclStatus() throws UnsupportedOperationException.

- Similarly, HttpFS ACL-related APIs.

These limitations should be taken into account when integrating Ozone with applications that rely on S3 or file system ACL operations.
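Review bot: The bullet under "Ozone File System ACL API" lists `getAclStatus` among the calls that throw UnsupportedOperationException, but the thread on that line says the added tests do not include `getAclStatus()` and a reviewer recalls it returning an instantly created ACL. Since callers may read an ACL result as evidence that access is restricted, either cover `getAclStatus` with a test before documenting it here or describe its behaviour in a separate sentence. The closing bullet `- Similarly, HttpFS ACL-related APIs.` is a fragment that does not say what happens; spell it out, for example "HttpFS ACL-related APIs are likewise not supported." For consistency with the other identifiers in the section, put `UnsupportedOperationException` in backticks, and replace "as mentioned above" in the Ozone ACLs bullet with the name of the section it refers to.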