Like HDFS, Alluxio supports the Unix privilege model and the POSIX ACL privilege model, which are designed for a FS managed by an OS running on a computer. They manage the privilege for each file in the FS, which is not useful for a distributed FS mainly used in big data scenarios. In the big data scenario, users only care about the privileges of a batch of files. As I covered in the article, the current two privilege models are both significantly inefficient.
As the aforementioned article covered, an IACL (inheritable ACL) privilege model is a better solution for the big data scenario. IACL defines three types of permissions: READ, WRITE, and MANAGE. The executable permissions in the Unix permissions model are merged into read (READ) permissions. An IACL authorization record for a file/path can be referred to as follows:
Each USER: uname_n READ/WRITE/MANAGE rule in the authorization record defines whether a user can read, write, or manage the file or directory.
Unlike the current privilege model where authentication only occurs at the last level of the path to be accessed, IACL authorizes the access as long as there is a record that satisfies the condition in the authorization record of each level path from the last level of the path to either the root or any node whose inherit is false.
With IACL, the files' permission under a folder can be updated only by granting or revoking privilege to the folder.
This solution has been implemented by the product Pingo and is used widely at Baidu and by other enterprise users of Pingo. I want to contribute the feature to Alluxio.
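A minimal model of the upward authorization walk described in the issue above, added here as an illustration and not taken from Pingo or Alluxio. The `IaclRecord` class, the `is_authorized` function and the sample paths are constructed; the sketch assumes that a path with no record of its own simply inherits, and that READ, WRITE and MANAGE are independent of each other.

```python
from dataclasses import dataclass, field
from enum import Flag, auto
from pathlib import PurePosixPath


class Perm(Flag):
    READ = auto()    # also covers Unix "execute", per the issue text
    WRITE = auto()
    MANAGE = auto()


@dataclass
class IaclRecord:
    """Authorization record attached to one path (constructed model)."""
    rules: dict = field(default_factory=dict)  # user name -> Perm
    inherit: bool = True  # False stops the upward walk at this node


def is_authorized(records, path, user, wanted):
    """Walk from `path` toward the root; allow on the first matching rule."""
    node = PurePosixPath(path)
    while True:
        rec = records.get(str(node))
        if rec is not None:
            if wanted in rec.rules.get(user, Perm(0)):
                return True
            if not rec.inherit:
                return False  # ancestors above this node are not consulted
        if node == node.parent:  # reached "/" without a matching rule
            return False
        node = node.parent


# Constructed sample namespace: one grant on a folder covers its subtree.
RECORDS = {
    "/": IaclRecord({"admin": Perm.READ | Perm.WRITE | Perm.MANAGE}),
    "/warehouse": IaclRecord({"alice": Perm.READ | Perm.WRITE}),
    "/warehouse/private": IaclRecord({"bob": Perm.READ}, inherit=False),
}


def demo():
    f = "/warehouse/private/x"
    return {
        "alice_deep_read": is_authorized(RECORDS, "/warehouse/t1/part-0", "alice", Perm.READ),
        "alice_private": is_authorized(RECORDS, f, "alice", Perm.READ),
        "bob_private": is_authorized(RECORDS, f, "bob", Perm.READ),
        "admin_private": is_authorized(RECORDS, f, "admin", Perm.MANAGE),
    }
```

In this model the `inherit=False` node also cuts off the root-level `admin` grant, so a boundary of that kind needs its own explicit administrative rule.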
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in two weeks if no further activity occurs. Thank you for your contributions.
This issue is part of issue 11276.