
Example 1 with Tenant

use of org.apache.hadoop.ozone.om.multitenant.Tenant in project ozone by apache.

From class OMTenantDeleteRequest, method preExecute:

@Override
@DisallowedUntilLayoutVersion(MULTITENANCY_SCHEMA)
public OMRequest preExecute(OzoneManager ozoneManager) throws IOException {
    final OMRequest request = super.preExecute(ozoneManager);
    final OMMultiTenantManager tenantManager = ozoneManager.getMultiTenantManager();

    // Tenant deletion is restricted to Ozone cluster admins; this throws
    // before any state is touched if the caller is not one.
    tenantManager.checkAdmin();

    // Tenant name from the request; resolve the tenant from OM DB so that a
    // missing tenant fails here rather than inside the authorizer.
    final String tenantId = request.getDeleteTenantRequest().getTenantId();
    Preconditions.checkNotNull(tenantId);
    final Tenant tenant = tenantManager.getTenantFromDBById(tenantId);

    // Take the authorizer (Ranger) write lock for the duration of this OM
    // request. On success the lock stays held past this method (it is
    // released later in the request lifecycle); on failure it is released
    // here so the lock is not leaked.
    tenantManager.getAuthorizerLock().tryWriteLockInOMRequest();
    try {
        // Remove the tenant's policies and roles from the authorizer.
        // TODO: Deactivate (disable) policies instead of delete?
        tenantManager.getAuthorizerOp().deleteTenant(tenant);
    } catch (Exception e) {
        tenantManager.getAuthorizerLock().unlockWriteInOMRequest();
        throw e;
    }
    return request;
}

Example 2 with Tenant

use of org.apache.hadoop.ozone.om.multitenant.Tenant in project ozone by apache.

From class TestS3GetSecretRequest, method setUp:

@Before
public void setUp() throws Exception {
    // Kerberos auth-to-local rules: principals in EXAMPLE.COM are mapped to
    // their short name, so alice@EXAMPLE.COM becomes "alice".
    KerberosName.setRuleMechanism(DEFAULT_MECHANISM);
    KerberosName.setRules("RULE:[2:$1@$0](.*@EXAMPLE.COM)s/@.*//\n" + "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\n" + "DEFAULT");
    ugiAlice = UserGroupInformation.createRemoteUser(USER_ALICE);
    Assert.assertEquals("alice", ugiAlice.getShortUserName());

    ozoneManager = mock(OzoneManager.class);

    // Install a spied RPC call whose remote user is alice, so that
    // Server.getRemoteUser() does not return null inside the request code.
    final Call rpcCall = spy(new Call(1, 1, null, null, RPC.RpcKind.RPC_BUILTIN, new byte[] { 1, 2, 3 }));
    when(rpcCall.getRemoteUser()).thenReturn(ugiAlice);
    Server.getCurCall().set(rpcCall);

    omMetrics = OMMetrics.create();

    // OM metadata manager backed by a temporary DB directory.
    final OzoneConfiguration configuration = new OzoneConfiguration();
    configuration.set(OMConfigKeys.OZONE_OM_DB_DIRS, folder.newFolder().getAbsolutePath());
    // No need to conf.set(OzoneConfigKeys.OZONE_ADMINISTRATORS, ...) here
    // as we did the trick earlier with mockito.
    omMetadataManager = new OmMetadataManagerImpl(configuration);

    when(ozoneManager.getMetrics()).thenReturn(omMetrics);
    when(ozoneManager.getMetadataManager()).thenReturn(omMetadataManager);
    when(ozoneManager.isRatisEnabled()).thenReturn(true);

    // Audit logging is stubbed out; writes are accepted and discarded.
    auditLogger = mock(AuditLogger.class);
    when(ozoneManager.getAuditLogger()).thenReturn(auditLogger);
    doNothing().when(auditLogger).logWrite(any(AuditMessage.class));

    // Multi-tenant wiring: a mocked manager with a real authorizer lock and
    // mocked authorizer/cache operations, plus a tenant with no policies.
    omMultiTenantManager = mock(OMMultiTenantManager.class);
    tenant = mock(Tenant.class);
    when(ozoneManager.getMultiTenantManager()).thenReturn(omMultiTenantManager);
    when(tenant.getTenantAccessPolicies()).thenReturn(new ArrayList<>());
    when(omMultiTenantManager.getAuthorizerLock()).thenReturn(new AuthorizerLockImpl());
    final TenantOp mockedAuthorizerOp = mock(TenantOp.class);
    final TenantOp mockedCacheOp = mock(TenantOp.class);
    when(omMultiTenantManager.getAuthorizerOp()).thenReturn(mockedAuthorizerOp);
    when(omMultiTenantManager.getCacheOp()).thenReturn(mockedCacheOp);
}

Example 3 with Tenant

use of org.apache.hadoop.ozone.om.multitenant.Tenant in project ozone by apache.

From class OMMultiTenantManagerImpl, method getTenantFromDBById:

@Override
public Tenant getTenantFromDBById(String tenantId) throws IOException {
    // Policy names are not cached at the moment, so the tenant state is
    // read straight from the OM DB tenant-state table.
    // TODO: Store policy names in cache as well if needed.
    final OmDBTenantState state = omMetadataManager.getTenantStateTable().get(tenantId);
    if (state == null) {
        throw new OMException("Tenant '" + tenantId + "' does not exist", OMException.ResultCodes.TENANT_NOT_FOUND);
    }

    final Tenant tenant = new OzoneTenant(state.getTenantId());

    // Attach the two Ranger policies recorded for this tenant.
    // NOTE(review): the second policy is built from getBucketNamespaceName()
    // while the first uses a *policy name* getter — confirm that the
    // namespace name is really the intended policy identifier here.
    tenant.addTenantAccessPolicy(new RangerAccessPolicy(state.getBucketNamespacePolicyName()));
    tenant.addTenantAccessPolicy(new RangerAccessPolicy(state.getBucketNamespaceName()));

    // Attach the tenant's user and admin roles.
    tenant.addTenantAccessRole(state.getUserRoleName());
    tenant.addTenantAccessRole(state.getAdminRoleName());

    return tenant;
}

Example 4 with Tenant

use of org.apache.hadoop.ozone.om.multitenant.Tenant in project ozone by apache.

From class OMMultiTenantManagerImpl, method listUsersInTenant:

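@Override
public TenantUserList listUsersInTenant(String tenantID, String prefix) throws IOException {
    final List<UserAccessIdInfo> userAccessIds = new ArrayList<>();

    // Hold the cache read lock across both the DB existence check and the
    // cache lookup so they observe a consistent view of the tenant.
    tenantCacheLock.readLock().lock();
    try {
        if (!omMetadataManager.getTenantStateTable().isExist(tenantID)) {
            // OMException with TENANT_NOT_FOUND keeps this consistent with
            // getTenantFromDBById; OMException extends IOException, so
            // existing callers catching IOException are unaffected.
            throw new OMException("Tenant '" + tenantID + "' not found!", TENANT_NOT_FOUND);
        }
        final CachedTenantState cachedTenantState = tenantCache.get(tenantID);
        if (cachedTenantState == null) {
            // DB says the tenant exists but the in-memory cache disagrees.
            throw new OMException("Inconsistent in memory Tenant cache '" + tenantID + "' not found in cache, but present in OM DB!", INTERNAL_ERROR);
        }

        // An empty/null prefix matches every user principal.
        final boolean matchAll = StringUtils.isEmpty(prefix);
        for (Map.Entry<String, CachedAccessIdInfo> entry : cachedTenantState.getAccessIdInfoMap().entrySet()) {
            final String userPrincipal = entry.getValue().getUserPrincipal();
            if (matchAll || userPrincipal.startsWith(prefix)) {
                userAccessIds.add(UserAccessIdInfo.newBuilder().setUserPrincipal(userPrincipal).setAccessId(entry.getKey()).build());
            }
        }
    } finally {
        tenantCacheLock.readLock().unlock();
    }
    return new TenantUserList(userAccessIds);
}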
