Example 1 with AccessPolicy

Use of org.apache.hadoop.ozone.om.multitenant.AccessPolicy in project ozone by apache.

In class OMMultiTenantManagerImpl, method newDefaultKeyAccessPolicy:

// TODO: This policy doesn't seem necessary as the bucket-level policy has
// already granted the key-level access.
// Not sure if that is the intended behavior in Ranger though.
// Still, could add this KeyAccess policy as well in Ranger, doesn't hurt.
private AccessPolicy newDefaultKeyAccessPolicy(String volumeName,
    String bucketName) throws IOException {
    // Principal already contains the volume name
    AccessPolicy policy = new RangerAccessPolicy(volumeName + " - KeyAccess");
    // TODO: Double check the policy
    // Note: bucketName is not used here; the "*" wildcards make this policy
    // cover every key in every bucket of the volume.
    OzoneObjInfo obj = OzoneObjInfo.Builder.newBuilder()
        .setResType(KEY)
        .setStoreType(OZONE)
        .setVolumeName(volumeName)
        .setBucketName("*")
        .setKeyName("*")
        .build();
    // Bucket owners should have ALL permission on their keys
    policy.addAccessPolicyElem(obj, new OzoneOwnerPrincipal(), ALL, ALLOW);
    return policy;
}
Also used: RangerAccessPolicy (org.apache.hadoop.ozone.om.multitenant.RangerAccessPolicy), OzoneOwnerPrincipal (org.apache.hadoop.ozone.om.multitenant.OzoneOwnerPrincipal), AccessPolicy (org.apache.hadoop.ozone.om.multitenant.AccessPolicy), OzoneObjInfo (org.apache.hadoop.ozone.security.acl.OzoneObjInfo)

Example 2 with AccessPolicy

Use of org.apache.hadoop.ozone.om.multitenant.AccessPolicy in project ozone by apache.

In class OMMultiTenantManagerImpl, method newDefaultBucketAccessPolicy:

public AccessPolicy newDefaultBucketAccessPolicy(String tenantId,
    OzoneTenantRolePrincipal userRole) throws IOException {
    final String bucketAccessPolicyName =
        OMMultiTenantManager.getDefaultBucketPolicyName(tenantId);
    AccessPolicy policy = new RangerAccessPolicy(bucketAccessPolicyName);
    // The tenant's volume, all buckets ("*"), no key component
    OzoneObjInfo obj = OzoneObjInfo.Builder.newBuilder()
        .setResType(BUCKET)
        .setStoreType(OZONE)
        .setVolumeName(tenantId)
        .setBucketName("*")
        .setKeyName("")
        .build();
    // Tenant users have permission to CREATE buckets
    policy.addAccessPolicyElem(obj, userRole, CREATE, ALLOW);
    // Bucket owners have ALL access on their own buckets
    policy.addAccessPolicyElem(obj, new OzoneOwnerPrincipal(), ALL, ALLOW);
    return policy;
}
Also used: RangerAccessPolicy (org.apache.hadoop.ozone.om.multitenant.RangerAccessPolicy), OzoneOwnerPrincipal (org.apache.hadoop.ozone.om.multitenant.OzoneOwnerPrincipal), AccessPolicy (org.apache.hadoop.ozone.om.multitenant.AccessPolicy), OzoneObjInfo (org.apache.hadoop.ozone.security.acl.OzoneObjInfo)

Example 3 with AccessPolicy

Use of org.apache.hadoop.ozone.om.multitenant.AccessPolicy in project ozone by apache.

In class OMMultiTenantManagerImpl, method newDefaultVolumeAccessPolicy:

public AccessPolicy newDefaultVolumeAccessPolicy(String tenantId,
    OzoneTenantRolePrincipal userRole, OzoneTenantRolePrincipal adminRole)
    throws IOException {
    final String volumeAccessPolicyName =
        OMMultiTenantManager.getDefaultBucketNamespacePolicyName(tenantId);
    AccessPolicy policy = new RangerAccessPolicy(volumeAccessPolicyName);
    // The tenant's volume itself, no bucket or key component
    OzoneObjInfo obj = OzoneObjInfo.Builder.newBuilder()
        .setResType(VOLUME)
        .setStoreType(OZONE)
        .setVolumeName(tenantId)
        .setBucketName("")
        .setKeyName("")
        .build();
    // Tenant users have READ, LIST and READ_ACL access on the volume
    policy.addAccessPolicyElem(obj, userRole, READ, ALLOW);
    policy.addAccessPolicyElem(obj, userRole, LIST, ALLOW);
    policy.addAccessPolicyElem(obj, userRole, READ_ACL, ALLOW);
    // Tenant admins have ALL access on the volume
    policy.addAccessPolicyElem(obj, adminRole, ALL, ALLOW);
    return policy;
}
Also used: RangerAccessPolicy (org.apache.hadoop.ozone.om.multitenant.RangerAccessPolicy), AccessPolicy (org.apache.hadoop.ozone.om.multitenant.AccessPolicy), OzoneObjInfo (org.apache.hadoop.ozone.security.acl.OzoneObjInfo)
