Example 1 with RangerAccessPolicy

Use of org.apache.hadoop.ozone.om.multitenant.RangerAccessPolicy in the project ozone by apache.

From the class OMMultiTenantManagerImpl, method getTenantFromDBById.

@Override
public Tenant getTenantFromDBById(String tenantId) throws IOException {
    // Policy names (not cached at the moment) have to be retrieved from the OM DB.
    // TODO: Store policy names in cache as well if needed.
    final OmDBTenantState tenantState = omMetadataManager.getTenantStateTable().get(tenantId);
    if (tenantState == null) {
        throw new OMException("Tenant '" + tenantId + "' does not exist", OMException.ResultCodes.TENANT_NOT_FOUND);
    }
    final Tenant tenantObj = new OzoneTenant(tenantState.getTenantId());
    tenantObj.addTenantAccessPolicy(new RangerAccessPolicy(tenantState.getBucketNamespacePolicyName()));
    tenantObj.addTenantAccessPolicy(new RangerAccessPolicy(tenantState.getBucketNamespaceName()));
    tenantObj.addTenantAccessRole(tenantState.getUserRoleName());
    tenantObj.addTenantAccessRole(tenantState.getAdminRoleName());
    return tenantObj;
}
Also used: OzoneTenant(org.apache.hadoop.ozone.om.multitenant.OzoneTenant), Tenant(org.apache.hadoop.ozone.om.multitenant.Tenant), RangerAccessPolicy(org.apache.hadoop.ozone.om.multitenant.RangerAccessPolicy), OMException(org.apache.hadoop.ozone.om.exceptions.OMException), OmDBTenantState(org.apache.hadoop.ozone.om.helpers.OmDBTenantState)

Example 2 with RangerAccessPolicy

Use of org.apache.hadoop.ozone.om.multitenant.RangerAccessPolicy in the project ozone by apache.

From the class OMMultiTenantManagerImpl, method newDefaultKeyAccessPolicy.

// TODO: This policy doesn't seem necessary as the bucket-level policy has
// already granted the key-level access.
// Not sure if that is the intended behavior in Ranger though.
// Still, could add this KeyAccess policy as well in Ranger, doesn't hurt.
private AccessPolicy newDefaultKeyAccessPolicy(String volumeName, String bucketName) throws IOException {
    // The principal already contains the volume name
    AccessPolicy policy = new RangerAccessPolicy(volumeName + " - KeyAccess");
    // TODO: Double check the policy
    OzoneObjInfo obj = OzoneObjInfo.Builder.newBuilder()
        .setResType(KEY)
        .setStoreType(OZONE)
        .setVolumeName(volumeName)
        .setBucketName("*")
        .setKeyName("*")
        .build();
    // Bucket owners should have ALL permission on their keys
    policy.addAccessPolicyElem(obj, new OzoneOwnerPrincipal(), ALL, ALLOW);
    return policy;
}
Also used: RangerAccessPolicy(org.apache.hadoop.ozone.om.multitenant.RangerAccessPolicy), OzoneOwnerPrincipal(org.apache.hadoop.ozone.om.multitenant.OzoneOwnerPrincipal), AccessPolicy(org.apache.hadoop.ozone.om.multitenant.AccessPolicy), OzoneObjInfo(org.apache.hadoop.ozone.security.acl.OzoneObjInfo)

Example 3 with RangerAccessPolicy

Use of org.apache.hadoop.ozone.om.multitenant.RangerAccessPolicy in the project ozone by apache.

From the class OMMultiTenantManagerImpl, method newDefaultBucketAccessPolicy.

public AccessPolicy newDefaultBucketAccessPolicy(String tenantId, OzoneTenantRolePrincipal userRole) throws IOException {
    final String bucketAccessPolicyName = OMMultiTenantManager.getDefaultBucketPolicyName(tenantId);
    AccessPolicy policy = new RangerAccessPolicy(bucketAccessPolicyName);
    OzoneObjInfo obj = OzoneObjInfo.Builder.newBuilder()
        .setResType(BUCKET)
        .setStoreType(OZONE)
        .setVolumeName(tenantId)
        .setBucketName("*")
        .setKeyName("")
        .build();
    // Tenant users have permission to CREATE buckets
    policy.addAccessPolicyElem(obj, userRole, CREATE, ALLOW);
    // Bucket owners have ALL access on their own buckets
    policy.addAccessPolicyElem(obj, new OzoneOwnerPrincipal(), ALL, ALLOW);
    return policy;
}
Also used: RangerAccessPolicy(org.apache.hadoop.ozone.om.multitenant.RangerAccessPolicy), OzoneOwnerPrincipal(org.apache.hadoop.ozone.om.multitenant.OzoneOwnerPrincipal), AccessPolicy(org.apache.hadoop.ozone.om.multitenant.AccessPolicy), OzoneObjInfo(org.apache.hadoop.ozone.security.acl.OzoneObjInfo)

Example 4 with RangerAccessPolicy

Use of org.apache.hadoop.ozone.om.multitenant.RangerAccessPolicy in the project ozone by apache.

From the class OMMultiTenantManagerImpl, method newDefaultVolumeAccessPolicy.

public AccessPolicy newDefaultVolumeAccessPolicy(String tenantId, OzoneTenantRolePrincipal userRole, OzoneTenantRolePrincipal adminRole) throws IOException {
    final String volumeAccessPolicyName = OMMultiTenantManager.getDefaultBucketNamespacePolicyName(tenantId);
    AccessPolicy policy = new RangerAccessPolicy(volumeAccessPolicyName);
    OzoneObjInfo obj = OzoneObjInfo.Builder.newBuilder()
        .setResType(VOLUME)
        .setStoreType(OZONE)
        .setVolumeName(tenantId)
        .setBucketName("")
        .setKeyName("")
        .build();
    // Tenant users have READ, LIST and READ_ACL access on the volume
    policy.addAccessPolicyElem(obj, userRole, READ, ALLOW);
    policy.addAccessPolicyElem(obj, userRole, LIST, ALLOW);
    policy.addAccessPolicyElem(obj, userRole, READ_ACL, ALLOW);
    // Tenant admins have ALL access on the volume
    policy.addAccessPolicyElem(obj, adminRole, ALL, ALLOW);
    return policy;
}
Also used: RangerAccessPolicy(org.apache.hadoop.ozone.om.multitenant.RangerAccessPolicy), AccessPolicy(org.apache.hadoop.ozone.om.multitenant.AccessPolicy), OzoneObjInfo(org.apache.hadoop.ozone.security.acl.OzoneObjInfo)

Aggregations (number of examples above that use each class)

RangerAccessPolicy (org.apache.hadoop.ozone.om.multitenant.RangerAccessPolicy): 4
AccessPolicy (org.apache.hadoop.ozone.om.multitenant.AccessPolicy): 3
OzoneObjInfo (org.apache.hadoop.ozone.security.acl.OzoneObjInfo): 3
OzoneOwnerPrincipal (org.apache.hadoop.ozone.om.multitenant.OzoneOwnerPrincipal): 2
OMException (org.apache.hadoop.ozone.om.exceptions.OMException): 1
OmDBTenantState (org.apache.hadoop.ozone.om.helpers.OmDBTenantState): 1
OzoneTenant (org.apache.hadoop.ozone.om.multitenant.OzoneTenant): 1
Tenant (org.apache.hadoop.ozone.om.multitenant.Tenant): 1