use of org.apache.hadoop.ozone.om.multitenant.RangerAccessPolicy in project ozone by apache.
Class OMMultiTenantManagerImpl, method getTenantFromDBById:
/**
 * Rebuilds the in-memory {@code Tenant} object for {@code tenantId} from the
 * tenant-state table in the OM DB.
 *
 * <p>The returned object carries the names of the tenant's two Ranger access
 * policies and its two roles; nothing is fetched from Ranger here.
 *
 * @param tenantId id of the tenant to look up
 * @return a {@code Tenant} populated with policy and role names from the DB
 * @throws OMException with {@code TENANT_NOT_FOUND} when no state row exists
 * @throws IOException if the DB lookup fails
 */
@Override
public Tenant getTenantFromDBById(String tenantId) throws IOException {
  // Policy names are not cached, so the tenant state has to be read from
  // the OM DB every time.
  // TODO: Store policy names in cache as well if needed.
  final OmDBTenantState state =
      omMetadataManager.getTenantStateTable().get(tenantId);
  if (state == null) {
    throw new OMException("Tenant '" + tenantId + "' does not exist",
        OMException.ResultCodes.TENANT_NOT_FOUND);
  }

  final Tenant tenant = new OzoneTenant(state.getTenantId());

  // Re-attach the two Ranger policies recorded for this tenant, by name only.
  // NOTE(review): the second name comes from getBucketNamespaceName(), i.e. a
  // namespace (volume) name rather than a policy name, while the bucket policy
  // name is derived elsewhere via OMMultiTenantManager.getDefaultBucketPolicyName.
  // If that is a mismatch, the bucket policy would not be tracked on this
  // Tenant object and any policy cleanup driven from it could leave the Ranger
  // policy behind -- confirm against OmDBTenantState.
  final String[] policyNames = {
      state.getBucketNamespacePolicyName(),
      state.getBucketNamespaceName()
  };
  for (String policyName : policyNames) {
    tenant.addTenantAccessPolicy(new RangerAccessPolicy(policyName));
  }

  tenant.addTenantAccessRole(state.getUserRoleName());
  tenant.addTenantAccessRole(state.getAdminRoleName());

  return tenant;
}
Class OMMultiTenantManagerImpl, method newDefaultKeyAccessPolicy:
// TODO: This policy doesn't seem necessary as the bucket-level policy has
// already granted the key-level access.
// Not sure if that is the intended behavior in Ranger though.
// Still, could add this KeyAccess policy as well in Ranger, doesn't hurt.
/**
 * Builds the default key-level Ranger policy for a tenant volume: the bucket
 * owner gets {@code ALL} on every key under every bucket of the volume.
 *
 * <p>The policy is only constructed here; nothing is sent to Ranger.
 *
 * @param volumeName volume (tenant) the policy applies to; also used as the
 *                   policy-name prefix
 * @param bucketName currently unused -- the policy covers all buckets through
 *                   the {@code "*"} wildcard rather than a single bucket
 * @return the assembled, ALLOW-only key access policy
 * @throws IOException declared for callers; not thrown by this body
 */
private AccessPolicy newDefaultKeyAccessPolicy(String volumeName,
    String bucketName) throws IOException {
  // principal already contains volume name
  final String policyName = volumeName + " - KeyAccess";
  final AccessPolicy keyPolicy = new RangerAccessPolicy(policyName);

  // TODO: Double check the policy
  // Resource: every key ("*") in every bucket ("*") of this volume.
  final OzoneObjInfo allKeysInVolume = OzoneObjInfo.Builder.newBuilder()
      .setResType(KEY)
      .setStoreType(OZONE)
      .setVolumeName(volumeName)
      .setBucketName("*")
      .setKeyName("*")
      .build();

  // Bucket owners should have ALL permission on their keys
  keyPolicy.addAccessPolicyElem(allKeysInVolume, new OzoneOwnerPrincipal(),
      ALL, ALLOW);

  return keyPolicy;
}
Class OMMultiTenantManagerImpl, method newDefaultBucketAccessPolicy:
/**
 * Builds the default bucket-level Ranger policy for a tenant: members of the
 * tenant user role may {@code CREATE} buckets in the tenant volume, and the
 * owner of a bucket gets {@code ALL} on it.
 *
 * <p>The policy name is derived from {@code tenantId} via
 * {@link OMMultiTenantManager#getDefaultBucketPolicyName}; the tenant id is
 * also used verbatim as the volume resource, so it is assumed to have been
 * validated by the caller (not checked here). Only ALLOW elements are added.
 *
 * @param tenantId tenant whose volume the policy covers
 * @param userRole Ranger role principal for ordinary tenant users
 * @return the assembled bucket access policy (not yet pushed to Ranger)
 * @throws IOException declared for callers; not thrown by this body
 */
public AccessPolicy newDefaultBucketAccessPolicy(String tenantId,
    OzoneTenantRolePrincipal userRole) throws IOException {
  final String policyName =
      OMMultiTenantManager.getDefaultBucketPolicyName(tenantId);
  final AccessPolicy bucketPolicy = new RangerAccessPolicy(policyName);

  // Resource: every bucket ("*") in the tenant volume; no key component.
  final OzoneObjInfo allBucketsInVolume = OzoneObjInfo.Builder.newBuilder()
      .setResType(BUCKET)
      .setStoreType(OZONE)
      .setVolumeName(tenantId)
      .setBucketName("*")
      .setKeyName("")
      .build();

  // Tenant users have permission to CREATE buckets
  bucketPolicy.addAccessPolicyElem(allBucketsInVolume, userRole, CREATE, ALLOW);
  // Bucket owner have ALL access on their own buckets
  bucketPolicy.addAccessPolicyElem(allBucketsInVolume,
      new OzoneOwnerPrincipal(), ALL, ALLOW);

  return bucketPolicy;
}
Class OMMultiTenantManagerImpl, method newDefaultVolumeAccessPolicy:
/**
 * Builds the default volume-level Ranger policy for a tenant: the user role
 * gets {@code READ}, {@code LIST} and {@code READ_ACL} on the tenant volume,
 * the admin role gets {@code ALL}.
 *
 * <p>The policy name is derived from {@code tenantId} via
 * {@link OMMultiTenantManager#getDefaultBucketNamespacePolicyName}; the tenant
 * id is also used verbatim as the volume resource and is assumed to have been
 * validated by the caller (not checked here). Only ALLOW elements are added.
 *
 * @param tenantId  tenant whose volume the policy covers
 * @param userRole  Ranger role principal for ordinary tenant users
 * @param adminRole Ranger role principal for tenant admins
 * @return the assembled volume access policy (not yet pushed to Ranger)
 * @throws IOException declared for callers; not thrown by this body
 */
public AccessPolicy newDefaultVolumeAccessPolicy(String tenantId,
    OzoneTenantRolePrincipal userRole, OzoneTenantRolePrincipal adminRole)
    throws IOException {
  final String policyName =
      OMMultiTenantManager.getDefaultBucketNamespacePolicyName(tenantId);
  final AccessPolicy volumePolicy = new RangerAccessPolicy(policyName);

  // Resource: the tenant volume itself; no bucket or key component.
  final OzoneObjInfo tenantVolume = OzoneObjInfo.Builder.newBuilder()
      .setResType(VOLUME)
      .setStoreType(OZONE)
      .setVolumeName(tenantId)
      .setBucketName("")
      .setKeyName("")
      .build();

  // Tenant users have READ, LIST and READ_ACL access on the volume
  volumePolicy.addAccessPolicyElem(tenantVolume, userRole, READ, ALLOW);
  volumePolicy.addAccessPolicyElem(tenantVolume, userRole, LIST, ALLOW);
  volumePolicy.addAccessPolicyElem(tenantVolume, userRole, READ_ACL, ALLOW);

  // Tenant admins have ALL access on the volume
  volumePolicy.addAccessPolicyElem(tenantVolume, adminRole, ALL, ALLOW);

  return volumePolicy;
}