xiaoyuyao edited a comment on pull request #918:
URL: https://github.com/apache/hadoop-ozone/pull/918#issuecomment-628768210


   bq. I found that the current ozone Administrators cannot access all keys. 
Administrators of ozone are also checked for permissions. In HDFS, 
dfs.cluster.administrators can access all files.
   
   Based on [HDDS-1303 design 
doc](https://issues.apache.org/jira/secure/attachment/12997587/Design%20Doc-%20Native%20ACL%20support%20for%20Ozone.pdf):
   "An admin can always take ownership of an object, which means that all 
Admins always have READ_ACP and WRITE_ACP privileges in the system. "
   
   If I remember correctly, ozone.administrators in native authorizer by 
default should have READ_ACL/WRITE_ACL permissions but may not have direct 
access to all the keys even though they can gain read/write access by modifying 
the ACLs indirectly. 
   
   If hdfs superuser bypass is desired, we can add this as an option to native 
ozone authorizer to honor it.  We can easily add that after HDDS-3391 (I had 
the patch for HDDS-3391 last week but somehow the PR was not sent out due to 
other issues). 
   
   
   

