Use of org.apache.hadoop.ozone.om.multitenant.OzoneOwnerPrincipal in the Apache Ozone project.
Class OMMultiTenantManagerImpl, method newDefaultKeyAccessPolicy.
// TODO: This policy doesn't seem necessary as the bucket-level policy has
// already granted the key-level access.
// Not sure if that is the intended behavior in Ranger though.
// Still, could add this KeyAccess policy as well in Ranger, doesn't hurt.
/**
 * Builds the default Ranger key-level access policy for a tenant volume.
 *
 * <p>The policy resource is every key ({@code "*"}) in every bucket
 * ({@code "*"}) of {@code volumeName}; the only rule grants {@code ALL} to
 * {@link OzoneOwnerPrincipal}. The policy is named after the volume alone
 * because the principal already carries the volume scope.
 *
 * @param volumeName the tenant volume the policy applies to
 * @param bucketName currently not read; the resource pattern covers all buckets
 * @return the assembled access policy
 * @throws IOException if building the policy fails
 */
private AccessPolicy newDefaultKeyAccessPolicy(String volumeName, String bucketName) throws IOException {
  final String policyName = volumeName + " - KeyAccess";
  final AccessPolicy keyPolicy = new RangerAccessPolicy(policyName);

  // Wildcard bucket and key: the effective scope is narrowed by the owner
  // principal, not by the resource pattern.
  // NOTE(review): relies on Ranger evaluating ownership per key — confirm.
  final OzoneObjInfo everyKeyInVolume = OzoneObjInfo.Builder.newBuilder()
      .setResType(KEY)
      .setStoreType(OZONE)
      .setVolumeName(volumeName)
      .setBucketName("*")
      .setKeyName("*")
      .build();

  keyPolicy.addAccessPolicyElem(everyKeyInVolume, new OzoneOwnerPrincipal(), ALL, ALLOW);
  return keyPolicy;
}
Use of org.apache.hadoop.ozone.om.multitenant.OzoneOwnerPrincipal in the Apache Ozone project.
Class OMMultiTenantManagerImpl, method newDefaultBucketAccessPolicy.
/**
 * Builds the default Ranger bucket-level access policy for a tenant.
 *
 * <p>The policy resource is every bucket ({@code "*"}) in the volume named
 * {@code tenantId}, with an empty key name. Two rules are added: the tenant
 * user role may {@code CREATE} buckets, and {@link OzoneOwnerPrincipal}
 * receives {@code ALL} on the buckets it owns.
 *
 * @param tenantId the tenant id; also used as the volume name of the resource
 * @param userRole the tenant user role that is granted bucket creation
 * @return the assembled access policy
 * @throws IOException if building the policy fails
 */
public AccessPolicy newDefaultBucketAccessPolicy(String tenantId, OzoneTenantRolePrincipal userRole) throws IOException {
  final String policyName = OMMultiTenantManager.getDefaultBucketPolicyName(tenantId);
  final AccessPolicy bucketPolicy = new RangerAccessPolicy(policyName);

  final OzoneObjInfo everyBucketInVolume = OzoneObjInfo.Builder.newBuilder()
      .setResType(BUCKET)
      .setStoreType(OZONE)
      .setVolumeName(tenantId)
      .setBucketName("*")
      .setKeyName("")
      .build();

  // Tenant members may only create buckets; full control stays with the owner.
  bucketPolicy.addAccessPolicyElem(everyBucketInVolume, userRole, CREATE, ALLOW);
  bucketPolicy.addAccessPolicyElem(everyBucketInVolume, new OzoneOwnerPrincipal(), ALL, ALLOW);
  return bucketPolicy;
}