This is an automated email from the ASF dual-hosted git repository.

sumitagrawal pushed a commit to branch HDDS-9225-website-v2
in repository https://gitbox.apache.org/repos/asf/ozone-site.git


The following commit(s) were added to refs/heads/HDDS-9225-website-v2 by this push:
     new 04a7d2f04 HDDS-14539. update native and ranger acl operation mapping (#310)
04a7d2f04 is described below

commit 04a7d2f046307bd586d3224453f204c4fbf1b76d
Author: Sumit Agrawal <[email protected]>
AuthorDate: Fri Feb 6 10:22:36 2026 -0800

    HDDS-14539. update native and ranger acl operation mapping (#310)
---
 .../04-security/02-acls/01-native-acls.md          | 50 ++++++++++++++++++++++
 .../04-security/02-acls/02-ranger-acls.md          | 37 ++++++++++++----
 2 files changed, 79 insertions(+), 8 deletions(-)

diff --git a/docs/03-core-concepts/04-security/02-acls/01-native-acls.md 
b/docs/03-core-concepts/04-security/02-acls/01-native-acls.md
index ea4d0bb88..d6b18436c 100644
--- a/docs/03-core-concepts/04-security/02-acls/01-native-acls.md
+++ b/docs/03-core-concepts/04-security/02-acls/01-native-acls.md
@@ -175,3 +175,53 @@ Ozone ACLs and S3 ACLs differ primarily in their scope and 
support.
 - Similarly, HttpFS ACL-related APIs.
 
 These limitations should be taken into account when integrating Ozone with 
applications that rely on S3 or file system ACL operations.
+
+## Permission comparison table
+
+The table below shows the mapping between Ozone operations and the required 
Native ACL permissions.
+
+`<admin>`: for native ACL, all access is granted for all operations
+
+`<owner>`: for native ACL, owner of volume / bucket have all access to further 
hierarchy
+
+### Volume related operation
+
+| `Operation` | `Volume permission` |
+|--------------------------|---------------------|
+| `Create volume` | `<admin>` |
+| `List volume` | `<admin>, <configuration: listall>` |
+| `Get volume info` | `READ, <admin>, <owner>` |
+| `Delete volume` | `DELETE, <admin>, <owner>` |
+| `Set Quota` | `WRITE, <admin>, <owner>` |
+| `Set Owner` | `WRITE_ACL, <admin>, <owner>` |
+| `Create Tenant (and volume)` | `CREATE, <admin>, <owner>` |
+| `Delete Tenant` | `WRITE_ACL, <admin>, <owner>` |
+| `Read ACL` | `READ_ACL, <admin>, <owner>` |
+| `Write ACL` | `WRITE_ACL, <admin>, <owner>` |
+
+### Bucket related operation
+
+| `Operation` | `Volume permission` | `Bucket permission` |
+|--------------------------|---------------------|---------------------|
+| `Create bucket` | `WRITE, <admin>, <owner>` | |
+| `List bucket` | `LIST, <admin>, <owner>` | |
+| `Get bucket info` | `READ, <admin>, <owner>` | `READ, <admin>, <owner>` |
+| `Delete bucket` | `READ, <admin>, <owner>` | `DELETE, <admin>, <owner>` |
+| `Update bucket property (quota, replication, ...)` | `READ` | `<admin>, 
<owner>` |
+| `List Snapshot` | `READ, <admin>, <owner>` | `LIST, <admin>, <owner>` |
+| `List Trash` | `READ, <admin>, <owner>` | `LIST, <admin>, <owner>` |
+| `Trash Recover` | `READ, <admin>, <owner>` | `WRITE, <admin>, <owner>` |
+| `Set Owner` | `READ, <admin>, <owner>` | `WRITE_ACL, <admin>, <owner>` |
+| `Read ACL` | `READ, <admin>, <owner>` | `READ_ACL, <admin>, <owner>` |
+| `Write ACL` | `READ, <admin>, <owner>` | `WRITE_ACL, <admin>, <owner>` |
+
+### FSO / OBS related operation for key and files
+
+| `Operation` | `Volume permission` | `Bucket permission` | `Key permission` |
+|--------------------------|---------------------|---------------------|------------------|
+| `List key` | `READ, <admin>, <owner>` | `LIST, READ, <admin>, <owner>` | |
+| `Write key` | `READ, <admin>, <owner>` | `WRITE, <admin>, <owner>` | 
`CREATE, WRITE, <admin>` |
+| `Delete key` | `READ, <admin>, <owner>` | `READ, <admin>, <owner>` | `DELETE 
(*recursive check all child), <admin>` |
+| `Read key` | `READ, <admin>, <owner>` | `READ, <admin>, <owner>` | `READ, 
<admin>, <owner>` |
+| `Read ACL` | `READ, <admin>, <owner>` | `READ, <admin>, <owner>` | 
`READ_ACL, <admin>, <owner>` |
+| `Write ACL` | `READ, <admin>, <owner>` | `READ, <admin>, <owner>` | 
`WRITE_ACL, <admin>, <owner>` |
diff --git a/docs/03-core-concepts/04-security/02-acls/02-ranger-acls.md 
b/docs/03-core-concepts/04-security/02-acls/02-ranger-acls.md
index 18ea8f824..c8bb0a29d 100644
--- a/docs/03-core-concepts/04-security/02-acls/02-ranger-acls.md
+++ b/docs/03-core-concepts/04-security/02-acls/02-ranger-acls.md
@@ -16,16 +16,37 @@ When Ranger is enabled, it becomes the sole authority for 
access control, and na
 
 The table below shows the mapping between Ozone operations and the required 
Ranger permissions. An Ozone Manager plugin synchronizes these policies from 
Ranger.
 
+### Volume related operation
+
+| `Operation` | `Volume permission` |
+|--------------------------|---------------------|
+| `Create volume` | `CREATE` |
+| `List volume` | `LIST` |
+| `Get volume info` | `READ` |
+| `Delete volume` | `DELETE` |
+| `Set Quota` | `WRITE` |
+| `Set Owner` | `WRITE_ACL` |
+| `Create Tenant (and volume)` | `CREATE` |
+| `Delete Tenant` | `WRITE_ACL` |
+
+### Bucket related operation
+
+| `Operation` | `Volume permission` | `Bucket permission` |
+|--------------------------|---------------------|---------------------|
+| `Create bucket` | `READ` | `CREATE` |
+| `List bucket` | `LIST, READ` | |
+| `Get bucket info` | `READ` | `READ` |
+| `Delete bucket` | `READ` | `DELETE` |
+| `Update bucket property (quota, replication, ...)` | `READ` | `WRITE` |
+| `List Snapshot` | `READ` | `LIST` |
+| `List Trash` | `READ` | `LIST` |
+| `Trash Recover` | `READ` | `WRITE` |
+| `Set Owner` | `READ` | `WRITE_ACL` |
+
+### FSO / OBS related operation for key and files
+
 | `Operation` | `Volume permission` | `Bucket permission` | `Key permission` |
 
|--------------------------|---------------------|---------------------|------------------|
-| `Create volume` | `CREATE` | | |
-| `List volume` | `LIST` | | |
-| `Get volume info` | `READ` | | |
-| `Delete volume` | `DELETE` | | |
-| `Create bucket` | `READ` | `CREATE` | |
-| `List bucket` | `LIST, READ` | | |
-| `Get bucket info` | `READ` | `READ` | |
-| `Delete bucket` | `READ` | `DELETE` | |
 | `List key` | `READ` | `LIST, READ` | |
 | `Write key` | `READ` | `READ` | `CREATE, WRITE` |
 | `Read key` | `READ` | `READ` | `READ` |
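Review bot: the new Ranger volume and bucket tables omit the `Read ACL` and `Write ACL` rows that the matching native ACL tables carry, while the `Set Owner` and `Delete Tenant` rows show `WRITE_ACL` is a permission Ranger knows about; since the page opens by saying Ranger becomes the sole authority for access control, state explicitly whether ACL read/write operations map to `READ_ACL` / `WRITE_ACL` under Ranger or are not applicable, rather than leaving the rows absent. A sentence of prose is also warranted where the two mappings disagree for the same operation: `Create bucket` needs volume `READ` here but `WRITE` in the native table, and the unchanged `Write key` row needs bucket `READ` here but `WRITE` natively. If those differences are real, call them out so readers comparing the two pages do not take them for typos; if they are not, align the rows.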

