Example 1 with OzoneOwnerPrincipal

Use of org.apache.hadoop.ozone.om.multitenant.OzoneOwnerPrincipal in the project ozone by apache.

From the class OMMultiTenantManagerImpl, method newDefaultKeyAccessPolicy.

import java.io.IOException;
import org.apache.hadoop.ozone.om.multitenant.AccessPolicy;
import org.apache.hadoop.ozone.om.multitenant.OzoneOwnerPrincipal;
import org.apache.hadoop.ozone.om.multitenant.RangerAccessPolicy;
import org.apache.hadoop.ozone.security.acl.OzoneObjInfo;

// KEY, OZONE, ALL and ALLOW are statically imported enum constants (resource
// type, store type, ACL type and grant type) whose imports are not shown here.
// TODO: This policy doesn't seem necessary as the bucket-level policy has
// already granted the key-level access.
// Not sure if that is the intended behavior in Ranger though.
// Still, could add this KeyAccess policy as well in Ranger, doesn't hurt.
private AccessPolicy newDefaultKeyAccessPolicy(String volumeName,
    String bucketName) throws IOException {
  // principal already contains volume name
  AccessPolicy policy = new RangerAccessPolicy(volumeName + " - KeyAccess");
  // TODO: Double check the policy
  // Resource pattern: every key ("*") in every bucket ("*") of this volume.
  OzoneObjInfo obj = OzoneObjInfo.Builder.newBuilder()
      .setResType(KEY)
      .setStoreType(OZONE)
      .setVolumeName(volumeName)
      .setBucketName("*")
      .setKeyName("*")
      .build();
  // Bucket owners should have ALL permission on their keys
  policy.addAccessPolicyElem(obj, new OzoneOwnerPrincipal(), ALL, ALLOW);
  return policy;
}

Example 2 with OzoneOwnerPrincipal

Use of org.apache.hadoop.ozone.om.multitenant.OzoneOwnerPrincipal in the project ozone by apache.

From the class OMMultiTenantManagerImpl, method newDefaultBucketAccessPolicy.

import java.io.IOException;
import org.apache.hadoop.ozone.om.multitenant.AccessPolicy;
import org.apache.hadoop.ozone.om.multitenant.OzoneOwnerPrincipal;
import org.apache.hadoop.ozone.om.multitenant.RangerAccessPolicy;
import org.apache.hadoop.ozone.security.acl.OzoneObjInfo;

// BUCKET, OZONE, CREATE, ALL and ALLOW are statically imported enum constants whose imports are not shown here.
public AccessPolicy newDefaultBucketAccessPolicy(String tenantId,
    OzoneTenantRolePrincipal userRole) throws IOException {
  final String bucketAccessPolicyName =
      OMMultiTenantManager.getDefaultBucketPolicyName(tenantId);
  AccessPolicy policy = new RangerAccessPolicy(bucketAccessPolicyName);
  // Resource pattern: every bucket ("*") in the tenant volume; key name is empty for bucket-level objects.
  OzoneObjInfo obj = OzoneObjInfo.Builder.newBuilder()
      .setResType(BUCKET).setStoreType(OZONE).setVolumeName(tenantId)
      .setBucketName("*").setKeyName("").build();
  // Tenant users have permission to CREATE buckets
  policy.addAccessPolicyElem(obj, userRole, CREATE, ALLOW);
  // Bucket owners have ALL access on their own buckets
  policy.addAccessPolicyElem(obj, new OzoneOwnerPrincipal(), ALL, ALLOW);
  return policy;
}
