Dear Ozone community developers and users,

During recent use case support, we found that when creating a new key,
the current Ozone client will create the default ACLs for the login user
and all its groups, both with "ALL" privileges. This default behavior has
led to two problems:

(a) It is unsafe. Say UserA is in the groups "project A" and "APAC
employee". If UserA creates a new file for project A, then all other users
in the "APAC employee" group will have full control of this file, which is
usually not expected.

(b) If a user is in hundreds of groups, then there will be hundreds of ACLs
created and saved as metadata of this key, which will consume unnecessary
network bandwidth, Raft log, and RocksDB space.
As an example, here are the groups of my account on macOS; only a few of
them are valuable to end users:
"staff everyone localaccounts _appserverusr admin _appserveradm _lpadmin
com.apple.sharepoint.group.2 com.apple.sharepoint.group.3 _appstore
_lpoperator _developer _analyticsusers com.apple.access_ftp
com.apple.access_screensharing com.apple.access_ssh
com.apple.access_remote_ae com.apple.sharepoint.group.1"

With JIRA HDDS-11656 <https://issues.apache.org/jira/browse/HDDS-11656>,
the default ACL behavior will change from currently creating an ACL with
"ALL" permission for each group of the user, to only creating one ACL with
"READ, LIST" permission for the user's primary group. As for creating an
"ALL" permission ACL for the user, that is unchanged.
Using the UserA case above as an example: if "project A" is the primary
group of this user, then when UserA creates a new file, UserA will have
full control of this file with an "ALL" permission ACL, group "project A" will
have read and list permission on this file, and group "APAC employee" will
have no permission on this file. Since UserA has full control of this
file, if the group "APAC employee" really needs to access this file, UserA
can explicitly add an ACL for the group "APAC employee" later.

Native ACLs are used by many community users. Please let me know if there is
any concern about this behavior change.


Thanks,
Sammi

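The following is an added example, not code from the message above or from the Ozone project: a small stand-alone Python model of the two default-ACL policies discussed (pre-change: "ALL" for the user and every group; post-HDDS-11656: "ALL" for the user and "READ, LIST" for the primary group only), with a minimal access check so the effect on a member of a non-primary group can be observed. The single-letter right codes follow the style of Ozone ACL strings (r=READ, w=WRITE, c=CREATE, d=DELETE, l=LIST, x=READ_ACL, y=WRITE_ACL), but the evaluation logic, the class names, and the assumption that the first listed group is the primary group are simplifications made for this example.

```python
from dataclasses import dataclass

# Right codes in the style of Ozone ACL strings; ALL is the union of them.
ALL = frozenset("rwcdlxy")
READ_LIST = frozenset("rl")


@dataclass(frozen=True)
class Acl:
    kind: str            # "user" or "group"
    name: str
    rights: frozenset

    def __str__(self):
        # e.g. "group:project A:lr" (rights sorted for a stable rendering)
        return f"{self.kind}:{self.name}:{''.join(sorted(self.rights))}"


@dataclass
class Login:
    user: str
    groups: list          # assumption for this model: groups[0] is the primary group


def default_acls_old(login):
    """Pre-HDDS-11656 default: ALL for the user and ALL for each of its groups."""
    acls = [Acl("user", login.user, ALL)]
    acls.extend(Acl("group", g, ALL) for g in login.groups)
    return acls


def default_acls_new(login):
    """HDDS-11656 default: ALL for the user, READ+LIST for the primary group only."""
    acls = [Acl("user", login.user, ALL)]
    if login.groups:
        acls.append(Acl("group", login.groups[0], READ_LIST))
    return acls


def allowed(acls, user, user_groups, right):
    """Grant if any user ACL for `user` or group ACL for one of `user_groups` carries `right`."""
    for acl in acls:
        if acl.kind == "user" and acl.name == user and right in acl.rights:
            return True
        if acl.kind == "group" and acl.name in user_groups and right in acl.rights:
            return True
    return False


def add_acl(acls, acl):
    """What the key owner does later when a non-primary group legitimately needs access."""
    return acls + [acl]


# Constructed sample data mirroring the UserA scenario in the message.
USER_A = Login("userA", ["project A", "APAC employee"])
APAC_ONLY = ("userB", {"APAC employee"})
PROJECT_ONLY = ("userC", {"project A"})


def compare_policies():
    """Return (old, new) access summaries for the two sample principals."""
    old = default_acls_old(USER_A)
    new = default_acls_new(USER_A)

    def summary(acls):
        return {
            "acl_count": len(acls),
            "apac_can_write": allowed(acls, *APAC_ONLY, "w"),
            "apac_can_read": allowed(acls, *APAC_ONLY, "r"),
            "project_can_read": allowed(acls, *PROJECT_ONLY, "r"),
            "project_can_write": allowed(acls, *PROJECT_ONLY, "w"),
            "owner_can_delete": allowed(acls, "userA", set(USER_A.groups), "d"),
        }

    return summary(old), summary(new)


if __name__ == "__main__":
    old, new = compare_policies()
    print("old default:", old)
    print("new default:", new)
    # Owner explicitly re-grants the non-primary group read/list access later.
    granted = add_acl(default_acls_new(USER_A), Acl("group", "APAC employee", READ_LIST))
    print("after explicit grant:", [str(a) for a in granted])
```

Running it shows the metadata growth point as well: a login with the 18 macOS groups listed above yields 19 ACL entries under the old default and 2 under the new one, and only the owner retains write and delete rights by default.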