Should inherited ACL type be "DEFAULT" ?

[whbing]

I found that some inherited ACLs are not as expected. see: https://issues.apache.org/jira/browse/HDDS-8653
Assume that the following design followed:

• If ancestor is bucket, sub dir/file inherit bucket's DEFAULT ACLs

There are two issues to discuss:

1. If ancestor is dir(this dir's ACLs may inherit from bucket's DEFAULT ACLs), how to inherit ?
2. Should inherited ACL type be DEFAULT ? Now it is ACCESS, code as follows :

// org.apache.hadoop.ozone.om.helpers.OzoneAclUtil#inheritDefaultAcls
public static boolean inheritDefaultAcls(List<OzoneAcl> acls,
      List<OzoneAcl> parentAcls) {
    List<OzoneAcl> inheritedAcls = null;
    if (parentAcls != null && !parentAcls.isEmpty()) {
      inheritedAcls = parentAcls.stream()
          .filter(a -> a.getAclScope() == DEFAULT)
          .map(acl -> new OzoneAcl(acl.getType(), acl.getName(),
              acl.getAclBitSet(), ACCESS))
          .collect(Collectors.toList());
    }
    if (inheritedAcls != null && !inheritedAcls.isEmpty()) {
      inheritedAcls.stream().forEach(acl -> addAcl(acls, acl));
      return true;
    }
    return false;
  }

[ChenSammi]

IMO, for different bucket type, it can be different,

1. Legacy bucket & OBS bucket, the inherited ACL on key better to use ACCESS type.
2. FSO bucket, the inherited ACL on sub-directory better still keep the DEFAULT type. If it's a leaf file, then ACCESS type is more appropriate.

[whbing]

IMO, for different bucket type, it can be different,

1. Legacy bucket & OBS bucket, the inherited ACL on key better to use ACCESS type.
2. FSO bucket, the inherited ACL on sub-directory better still keep the DEFAULT type. If it's a leaf file, then ACCESS type is more appropriate.

@ChenSammi Thanks for advice !
I implemented the idea and tested various scenarios. I think that since both Legacy bucket and FSO have sub-dir, it may be better if they have the same logic (sub-dir keeps DEFAULT and leaf keeps ACCESS).

[ChenSammi]

@whbing, there is no direct way to tell if a key is a directory or not in legacy bucket, so I'm not sure whether it is easy to implement it for legacy bucket with all cases covered. But if you believe it's not that complex, then it's good if we can support sub-dir DEFAULT in legacy bucket too.