
Example 1 with S3Authentication

Use of org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.S3Authentication in project ozone by apache.

Class S3SecurityUtil, method constructS3Token.

/**
 * Construct and return {@link OzoneTokenIdentifier} from {@link OMRequest}.
 */
private static OzoneTokenIdentifier constructS3Token(OMRequest omRequest) {
    S3Authentication auth = omRequest.getS3Authentication();
    OzoneTokenIdentifier s3Token = new OzoneTokenIdentifier();
    // S3AUTHINFO marks this identifier as carrying AWS-style S3 credentials
    // rather than a delegation token.
    s3Token.setTokenType(S3AUTHINFO);
    // The three fields are copied from the request as received; nothing in
    // this method checks that the signature matches the string to sign.
    s3Token.setStrToSign(auth.getStringToSign());
    s3Token.setSignature(auth.getSignature());
    s3Token.setAwsAccessId(auth.getAccessId());
    s3Token.setOwner(new Text(auth.getAccessId()));
    return s3Token;
}
Also used :
S3Authentication (org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.S3Authentication)
Text (org.apache.hadoop.io.Text)

Example 2 with S3Authentication

Use of org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.S3Authentication in project ozone by apache.

Class OzoneManager, method getS3VolumeContext.

@Override
public S3VolumeContext getS3VolumeContext() throws IOException {
    // Unless the OM request contains S3 authentication info with an access
    // ID that corresponds to a tenant volume, the request will be directed
    // to the default S3 volume.
    String s3Volume = HddsClientUtils.getDefaultS3VolumeName(configuration);
    S3Authentication s3Auth = getS3Auth();
    final String userPrincipal;
    if (s3Auth == null) {
        // This is the default user principal if request does not have S3Auth set
        userPrincipal = Server.getRemoteUser().getShortUserName();
        if (LOG.isDebugEnabled()) {
            // An old S3 gateway talking to a new OM may not attach the auth info.
            // This old version of s3g will also not have a client that supports
            // multi-tenancy, so we can direct requests to the default S3 volume.
            LOG.debug("S3 authentication was not attached to the OM request. " + "Directing requests to the default S3 volume {}.", s3Volume);
        }
    } else {
        String accessId = s3Auth.getAccessId();
        // If S3 Multi-Tenancy is not enabled, all S3 requests will be redirected
        // to the default s3v for compatibility
        final Optional<String> optionalTenantId = isS3MultiTenancyEnabled() ? multiTenantManager.getTenantForAccessID(accessId) : Optional.absent();
        if (!optionalTenantId.isPresent()) {
            final UserGroupInformation s3gUGI = UserGroupInformation.createRemoteUser(accessId);
            // When the accessId belongs to the default s3v (i.e. when the accessId
            // key pair is generated using the regular `ozone s3 getsecret`), the
            // user principal returned here should simply be the accessId's short
            // user name (processed by the auth_to_local rule)
            userPrincipal = s3gUGI.getShortUserName();
            if (LOG.isDebugEnabled()) {
                LOG.debug("No tenant found for access ID {}. Directing " + "requests to default s3 volume {}.", accessId, s3Volume);
            }
        } else {
            // S3 Multi-Tenancy is enabled, and the accessId is assigned to a tenant
            final String tenantId = optionalTenantId.get();
            OmDBTenantState tenantState = metadataManager.getTenantStateTable().get(tenantId);
            if (tenantState != null) {
                s3Volume = tenantState.getBucketNamespaceName();
            } else {
                String message = "Unable to find tenant '" + tenantId + "' details for access ID " + accessId + ". The tenant might have been removed during this operation, " + "or the OM DB is inconsistent";
                LOG.warn(message);
                throw new OMException(message, ResultCodes.TENANT_NOT_FOUND);
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Get S3 volume request for access ID {} belonging to " + "tenant {} is directed to the volume {}.", accessId, tenantId, s3Volume);
            }
            boolean acquiredVolumeLock = getMetadataManager().getLock().acquireReadLock(VOLUME_LOCK, s3Volume);
            try {
                // Inject user name to the response to be used for KMS on the client
                userPrincipal = OzoneAclUtils.accessIdToUserPrincipal(accessId);
            } finally {
                if (acquiredVolumeLock) {
                    getMetadataManager().getLock().releaseReadLock(VOLUME_LOCK, s3Volume);
                }
            }
        }
    }
    // getVolumeInfo() performs acl checks and checks volume existence.
    final S3VolumeContext.Builder s3VolumeContext = S3VolumeContext.newBuilder().setOmVolumeArgs(getVolumeInfo(s3Volume)).setUserPrincipal(userPrincipal);
    return s3VolumeContext.build();
}
Also used :
S3VolumeContext (org.apache.hadoop.ozone.om.helpers.S3VolumeContext)
S3Authentication (org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.S3Authentication)
CertificateSignRequest.getEncodedString (org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest.getEncodedString)
OMException (org.apache.hadoop.ozone.om.exceptions.OMException)
UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)
OmDBTenantState (org.apache.hadoop.ozone.om.helpers.OmDBTenantState)
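The two listings above show the two ends of the trust chain but not the link between them: Example 1 copies accessId, stringToSign and signature out of the S3Authentication proto without checking them, and Example 2 then uses accessId to pick the tenant volume. What makes that routing safe is the step in between, where the OM recomputes the AWS SigV4 signature from the secret stored for that access id and rejects the request on mismatch; that validator is not part of this listing. The following is an added example written for this page, in Python rather than Ozone's Java, and is not Ozone code. It models that check end to end: the SigV4 key derivation (the credential scope on the third line of the string to sign supplies date, region and service), a constant-time comparison, and a volume resolver in the spirit of getS3VolumeContext that refuses to route on an access id whose signature did not verify. SECRETS, TENANT_FOR_ACCESS_ID, TENANT_VOLUME and the sample string to sign are constructed stand-ins for the OM's secret and tenant tables, not values from any deployment.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-ins for the OM's secret table and tenant tables.
# Hypothetical values, not taken from any deployment.
SECRETS = {
    "AKIAEXAMPLEALICE": "alice-secret-0001",
    "AKIAEXAMPLETENANT": "tenant-secret-0002",
}
TENANT_FOR_ACCESS_ID = {"AKIAEXAMPLETENANT": "finance"}
TENANT_VOLUME = {"finance": "finance-vol"}   # tenant's bucket namespace
DEFAULT_S3_VOLUME = "s3v"


@dataclass(frozen=True)
class S3Authentication:
    """Python mirror of the three proto fields copied in Example 1."""
    access_id: str
    string_to_sign: str
    signature: str


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_signature(secret: str, string_to_sign: str) -> str:
    """Recompute the AWS SigV4 signature for a string to sign.

    The third line of a SigV4 string to sign is the credential scope
    (date/region/service/aws4_request), so the signing key can be derived
    from the string to sign itself plus the secret on file."""
    lines = string_to_sign.split("\n")
    if len(lines) < 4 or lines[0] != "AWS4-HMAC-SHA256":
        raise ValueError("not an AWS4-HMAC-SHA256 string to sign")
    scope = lines[2].split("/")
    if len(scope) != 4 or scope[3] != "aws4_request":
        raise ValueError("malformed credential scope")
    date, region, service = scope[0], scope[1], scope[2]
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    k_signing = _hmac(k_service, "aws4_request")
    return _hmac(k_signing, string_to_sign).hex()


def verify(auth: S3Authentication) -> bool:
    """True only if the presented signature matches one recomputed from the
    secret stored for auth.access_id. Unknown ids and malformed input fail
    the same way, and the comparison is constant-time."""
    secret = SECRETS.get(auth.access_id)
    if secret is None:
        return False
    try:
        expected = sigv4_signature(secret, auth.string_to_sign)
    except ValueError:
        return False
    return hmac.compare_digest(expected, auth.signature.lower())


def resolve_s3_volume(auth: Optional[S3Authentication],
                      rpc_user: str) -> Tuple[str, str]:
    """Routing in the spirit of getS3VolumeContext: (volume, principal).
    The access id is not used for anything until its signature verifies."""
    if auth is None:
        # No S3Authentication attached: fall back to the RPC caller.
        return DEFAULT_S3_VOLUME, rpc_user
    if not verify(auth):
        raise PermissionError("S3 signature verification failed")
    tenant = TENANT_FOR_ACCESS_ID.get(auth.access_id)
    if tenant is None:
        return DEFAULT_S3_VOLUME, auth.access_id
    volume = TENANT_VOLUME.get(tenant)
    if volume is None:
        raise LookupError(f"tenant {tenant!r} missing for {auth.access_id}")
    return volume, auth.access_id


def sign(access_id: str, string_to_sign: str) -> S3Authentication:
    """What an S3 gateway holding the real secret would attach to a request."""
    sig = sigv4_signature(SECRETS[access_id], string_to_sign)
    return S3Authentication(access_id, string_to_sign, sig)


# Constructed string to sign with the SigV4 layout (algorithm, timestamp,
# credential scope, hash of the canonical request).
SAMPLE_STRING_TO_SIGN = "\n".join([
    "AWS4-HMAC-SHA256",
    "20240101T000000Z",
    "20240101/us-east-1/s3/aws4_request",
    hashlib.sha256(b"constructed canonical request").hexdigest(),
])
```

The model collapses one detail of the listing: for a tenant-bound access id the OM derives the principal through OzoneAclUtils.accessIdToUserPrincipal, and for the default volume through the auth_to_local short name, whereas here both branches simply return the access id. The security-relevant behaviour is the rejection path: an attacker who presents a tenant's access id with a signature made under a different secret, or who alters the string to sign after signing, never reaches the tenant lookup.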

Aggregations

S3Authentication (org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.S3Authentication) 2
CertificateSignRequest.getEncodedString (org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest.getEncodedString) 1
Text (org.apache.hadoop.io.Text) 1
OMException (org.apache.hadoop.ozone.om.exceptions.OMException) 1
OmDBTenantState (org.apache.hadoop.ozone.om.helpers.OmDBTenantState) 1
S3VolumeContext (org.apache.hadoop.ozone.om.helpers.S3VolumeContext) 1
UserGroupInformation (org.apache.hadoop.security.UserGroupInformation) 1