This is an automated email from the ASF dual-hosted git repository.
siyao pushed a commit to branch HDDS-4944
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/HDDS-4944 by this push:
new bb67e13 HDDS-6004. Use changes from HDDS-5881 for volume chroot.
(#2924)
bb67e13 is described below
commit bb67e13048914d90a37469d9cff5952045a8c454
Author: Ethan Rose <[email protected]>
AuthorDate: Wed Jan 19 18:38:10 2022 -0800
HDDS-6004. Use changes from HDDS-5881 for volume chroot. (#2924)
---
.../apache/hadoop/ozone/client/ObjectStore.java | 15 +--
.../apache/hadoop/ozone/client/OzoneClient.java | 7 +-
.../hadoop/ozone/client/OzoneClientFactory.java | 51 +++------
.../ozone/client/protocol/ClientProtocol.java | 3 +-
.../apache/hadoop/ozone/client/rpc/RpcClient.java | 4 +-
.../hadoop/ozone/om/helpers/OmDBAccessIdInfo.java | 75 ++++---------
.../ozone/om/protocol/OzoneManagerProtocol.java | 2 +-
...OzoneManagerProtocolClientSideTranslatorPB.java | 3 +-
.../ozone/security/OzoneTokenIdentifier.java | 37 +------
.../om/multitenant/TestMultiTenantVolume.java | 7 +-
.../src/main/proto/OmClientProtocol.proto | 9 +-
.../ozone/om/codec/OmDBAccessIdInfoCodec.java | 6 +-
.../hadoop/ozone/om/OMMultiTenantManager.java | 3 +-
.../hadoop/ozone/om/OMMultiTenantManagerImpl.java | 20 ++--
.../org/apache/hadoop/ozone/om/OzoneAclUtils.java | 21 ++++
.../org/apache/hadoop/ozone/om/OzoneManager.java | 118 ++++++++++++---------
.../hadoop/ozone/om/S3SecretManagerImpl.java | 14 +--
.../hadoop/ozone/om/request/OMClientRequest.java | 12 +--
.../om/request/file/OMDirectoryCreateRequest.java | 2 +-
.../om/request/s3/security/OMSetSecretRequest.java | 48 +--------
.../om/request/s3/security/S3GetSecretRequest.java | 43 +++-----
.../s3/tenant/OMAssignUserToTenantRequest.java | 8 +-
.../s3/tenant/OMTenantAssignAdminRequest.java | 1 -
.../s3/tenant/OMTenantRevokeAdminRequest.java | 1 -
.../response/s3/security/OMSetSecretResponse.java | 13 +--
.../tenant/OMTenantAssignUserAccessIdResponse.java | 6 +-
.../protocolPB/OzoneManagerRequestHandler.java | 8 +-
.../OzoneDelegationTokenSecretManager.java | 18 +---
.../ozone/om/TestOMMultiTenantManagerImpl.java | 12 +--
.../s3/security/TestS3GetSecretRequest.java | 9 +-
.../ozone/security/TestOzoneTokenIdentifier.java | 18 ----
.../hadoop/ozone/s3/OzoneClientProducer.java | 18 +---
32 files changed, 229 insertions(+), 383 deletions(-)
diff --git
a/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/ObjectStore.java
b/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/ObjectStore.java
index 5b5b664..6819718 100644
---
a/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/ObjectStore.java
+++
b/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/ObjectStore.java
@@ -64,8 +64,6 @@ public class ObjectStore {
*/
private int listCacheSize;
private final String defaultS3Volume;
- // TODO: Using for now for multitenancy but remove when HDDS-4440 is merged.
- private final String accessID;
/**
* Creates an instance of ObjectStore.
@@ -73,15 +71,9 @@ public class ObjectStore {
* @param proxy ClientProtocol proxy.
*/
public ObjectStore(ConfigurationSource conf, ClientProtocol proxy) {
- this(conf, proxy, null);
- }
-
- public ObjectStore(ConfigurationSource conf, ClientProtocol proxy,
- String accessID) {
this.proxy = TracingUtil.createProxy(proxy, ClientProtocol.class, conf);
this.listCacheSize = HddsClientUtils.getListCacheSize(conf);
defaultS3Volume = HddsClientUtils.getDefaultS3VolumeName(conf);
- this.accessID = accessID;
}
@VisibleForTesting
@@ -90,7 +82,6 @@ public class ObjectStore {
OzoneConfiguration conf = new OzoneConfiguration();
proxy = null;
defaultS3Volume = HddsClientUtils.getDefaultS3VolumeName(conf);
- this.accessID = null;
}
@VisibleForTesting
@@ -163,11 +154,7 @@ public class ObjectStore {
}
public OzoneVolume getS3Volume() throws IOException {
- if (accessID == null) {
- return proxy.getVolumeDetails(defaultS3Volume);
- } else {
- return proxy.getS3VolumeDetails(accessID);
- }
+ return proxy.getS3VolumeDetails();
}
public S3SecretValue getS3Secret(String kerberosID) throws IOException {
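Review bot: getS3Volume() has no Javadoc, and after this hunk the volume is no longer chosen on the client at all: `defaultS3Volume` is not consulted here any more, so the result depends entirely on the S3 authentication the proxy attaches to the request and on the OM's own default-volume fallback. A short Javadoc would save the next reader from hunting for the fallback: `/** Returns the S3 volume the OM selects for the S3 authentication info attached to this client's requests; the OM uses its configured default S3 volume when the access ID is not mapped to a tenant. */`. If `defaultS3Volume` has no remaining readers in this class after this change, the field and its initialisation in the constructor can be removed as well.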
diff --git
a/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/OzoneClient.java
b/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/OzoneClient.java
index bb97ebc..493315e 100644
---
a/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/OzoneClient.java
+++
b/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/OzoneClient.java
@@ -84,13 +84,8 @@ public class OzoneClient implements Closeable {
* @param proxy ClientProtocol proxy instance
*/
public OzoneClient(ConfigurationSource conf, ClientProtocol proxy) {
- this(conf, proxy, null);
- }
-
- public OzoneClient(ConfigurationSource conf, ClientProtocol proxy,
- String accessID) {
this.proxy = proxy;
- this.objectStore = new ObjectStore(conf, this.proxy, accessID);
+ this.objectStore = new ObjectStore(conf, this.proxy);
this.conf = conf;
}
diff --git
a/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/OzoneClientFactory.java
b/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/OzoneClientFactory.java
index a0cddc3..9bf3973 100644
---
a/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/OzoneClientFactory.java
+++
b/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/OzoneClientFactory.java
@@ -107,16 +107,10 @@ public final class OzoneClientFactory {
*/
public static OzoneClient getRpcClient(String omServiceId,
ConfigurationSource config) throws IOException {
- return getRpcClient(getClientProtocol(config, omServiceId), config, null);
- }
-
- public static OzoneClient getRpcClient(String omServiceId,
- ConfigurationSource config, String accessID) throws IOException {
Preconditions.checkNotNull(omServiceId);
Preconditions.checkNotNull(config);
if (OmUtils.isOmHAServiceId(config, omServiceId)) {
- return getRpcClient(getClientProtocol(config, omServiceId), config,
- accessID);
+ return getRpcClient(getClientProtocol(config, omServiceId), config);
} else {
throw new IOException("Service ID specified " +
"does not match with " + OZONE_OM_SERVICE_IDS_KEY + " defined in " +
@@ -125,8 +119,18 @@ public final class OzoneClientFactory {
}
}
- public static OzoneClient getRpcClient(ConfigurationSource config,
- String accessID) throws IOException {
+ /**
+ * Returns an OzoneClient which will use RPC protocol.
+ *
+ * @param config
+ * used for OzoneClient creation
+ *
+ * @return OzoneClient
+ *
+ * @throws IOException
+ */
+ public static OzoneClient getRpcClient(ConfigurationSource config)
+ throws IOException {
Preconditions.checkNotNull(config);
// Doing this explicitly so that when service ids are defined in the
@@ -140,29 +144,13 @@ public final class OzoneClientFactory {
" defined in the configuration. Use the method getRpcClient which " +
"takes serviceID and configuration as param");
} else if (serviceIds.length == 1) {
- return getRpcClient(getClientProtocol(config, serviceIds[0]), config,
- accessID);
+ return getRpcClient(getClientProtocol(config, serviceIds[0]), config);
} else {
- return getRpcClient(getClientProtocol(config), config, accessID);
+ return getRpcClient(getClientProtocol(config), config);
}
}
/**
- * Returns an OzoneClient which will use RPC protocol.
- *
- * @param config
- * used for OzoneClient creation
- *
- * @return OzoneClient
- *
- * @throws IOException
- */
- public static OzoneClient getRpcClient(ConfigurationSource config)
- throws IOException {
- return getRpcClient(config, null);
- }
-
- /**
* Creates OzoneClient with the given ClientProtocol and Configuration.
*
* @param clientProtocol
@@ -172,13 +160,8 @@ public final class OzoneClientFactory {
* Configuration to be used for OzoneClient creation
*/
private static OzoneClient getRpcClient(ClientProtocol clientProtocol,
- ConfigurationSource config) {
- return new OzoneClient(config, clientProtocol, null);
- }
-
- private static OzoneClient getRpcClient(ClientProtocol clientProtocol,
- ConfigurationSource config, String accessID) {
- return new OzoneClient(config, clientProtocol, accessID);
+ ConfigurationSource config) {
+ return new OzoneClient(config, clientProtocol);
}
/**
diff --git
a/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/protocol/ClientProtocol.java
b/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/protocol/ClientProtocol.java
index ab1c52e..1bb410e 100644
---
a/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/protocol/ClientProtocol.java
+++
b/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/protocol/ClientProtocol.java
@@ -124,12 +124,11 @@ public interface ClientProtocol {
throws IOException;
/**
- * @param accessID
* @return The {@link OzoneVolume} that should be used to for this S3
* request based on its access ID.
* @throws IOException
*/
- OzoneVolume getS3VolumeDetails(String accessID) throws IOException;
+ OzoneVolume getS3VolumeDetails() throws IOException;
/**
* Checks if a Volume exists and the user with a role specified has access
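Review bot: The Javadoc on getS3VolumeDetails() still says the volume is chosen "based on its access ID", but the access ID parameter is gone and nothing in the signature says where the access ID now comes from. Suggest `@return The {@link OzoneVolume} the OM selects for the S3 authentication info attached to this request, or the default S3 volume when that access ID is not mapped to a tenant.` The request-attached mechanism is inferred from the `setTheadLocalS3Auth` call added to TestMultiTenantVolume in this same commit, so adjust the wording if the client carries it differently.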
diff --git
a/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java
b/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java
index ad0c13f..98c19ae 100644
---
a/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java
+++
b/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java
@@ -433,8 +433,8 @@ public class RpcClient implements ClientProtocol {
}
@Override
- public OzoneVolume getS3VolumeDetails(String accessID) throws IOException {
- OmVolumeArgs volume = ozoneManagerClient.getS3Volume(accessID);
+ public OzoneVolume getS3VolumeDetails() throws IOException {
+ OmVolumeArgs volume = ozoneManagerClient.getS3Volume();
return buildOzoneVolume(volume);
}
diff --git
a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmDBAccessIdInfo.java
b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmDBAccessIdInfo.java
index 7488603..fcc6d8c 100644
---
a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmDBAccessIdInfo.java
+++
b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmDBAccessIdInfo.java
@@ -17,8 +17,9 @@
*/
package org.apache.hadoop.ozone.om.helpers;
-import com.google.common.base.Preconditions;
-import org.apache.hadoop.hdds.StringUtils;
+import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos;
+
+import java.io.IOException;
/**
* This class is used for storing Ozone tenant accessId info.
@@ -33,10 +34,6 @@ public final class OmDBAccessIdInfo {
*/
private final String userPrincipal;
/**
- * Corresponding secret key for the accessId.
- */
- private final String secretKey;
- /**
* Whether this accessId is an administrator of the tenant.
*/
private final boolean isAdmin;
@@ -49,71 +46,47 @@ public final class OmDBAccessIdInfo {
// This implies above String fields should NOT contain the split key.
public static final String SERIALIZATION_SPLIT_KEY = ";";
- public OmDBAccessIdInfo(String tenantId,
- String userPrincipal, String secretKey,
+ public OmDBAccessIdInfo(String tenantId, String userPrincipal,
boolean isAdmin, boolean isDelegatedAdmin) {
this.tenantId = tenantId;
this.userPrincipal = userPrincipal;
- this.secretKey = secretKey;
this.isAdmin = isAdmin;
this.isDelegatedAdmin = isDelegatedAdmin;
}
- private OmDBAccessIdInfo(String accessIdInfoString) {
- String[] tInfo = accessIdInfoString.split(SERIALIZATION_SPLIT_KEY);
- Preconditions.checkState(tInfo.length == 3 || tInfo.length == 5,
- "Incorrect accessIdInfoString");
-
- tenantId = tInfo[0];
- userPrincipal = tInfo[1];
- secretKey = tInfo[2];
- if (tInfo.length == 5) {
- isAdmin = Boolean.parseBoolean(tInfo[3]);
- isDelegatedAdmin = Boolean.parseBoolean(tInfo[4]);
- } else {
- isAdmin = false;
- isDelegatedAdmin = false;
- }
- }
-
public String getTenantId() {
return tenantId;
}
- private String serialize() {
- final StringBuilder sb = new StringBuilder();
- sb.append(tenantId);
- sb.append(SERIALIZATION_SPLIT_KEY).append(userPrincipal);
- sb.append(SERIALIZATION_SPLIT_KEY).append(secretKey);
- sb.append(SERIALIZATION_SPLIT_KEY).append(isAdmin);
- sb.append(SERIALIZATION_SPLIT_KEY).append(isDelegatedAdmin);
- return sb.toString();
- }
-
/**
- * Convert OmDBAccessIdInfo to byteArray to be persisted to DB.
- * @return byte[]
+ * Convert OmDBAccessIdInfo to protobuf to be persisted to DB.
*/
- public byte[] convertToByteArray() {
- return StringUtils.string2Bytes(serialize());
+ public OzoneManagerProtocolProtos.OmDBAccessInfo getProtobuf() {
+ return OzoneManagerProtocolProtos.OmDBAccessInfo.newBuilder()
+ .setUserPrincipal(userPrincipal)
+ .setIsAdmin(isAdmin)
+ .setIsDelegatedAdmin(isDelegatedAdmin)
+ .setTenantId(tenantId)
+ .build();
}
/**
* Convert byte array to OmDBAccessIdInfo.
*/
- public static OmDBAccessIdInfo getFromByteArray(byte[] bytes) {
- String tInfo = StringUtils.bytes2String(bytes);
- return new OmDBAccessIdInfo(tInfo);
+ public static OmDBAccessIdInfo getFromProtobuf(
+ OzoneManagerProtocolProtos.OmDBAccessInfo infoProto) throws IOException {
+ return new Builder()
+ .setKerberosPrincipal(infoProto.getUserPrincipal())
+ .setIsAdmin(infoProto.getIsAdmin())
+ .setIsDelegatedAdmin(infoProto.getIsDelegatedAdmin())
+ .setTenantId(infoProto.getTenantId())
+ .build();
}
public String getUserPrincipal() {
return userPrincipal;
}
- public String getSecretKey() {
- return secretKey;
- }
-
public boolean getIsAdmin() {
return isAdmin;
}
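Review bot: getFromProtobuf declares `throws IOException` but nothing in its body can throw it — it only reads proto getters and calls Builder.build() — so every caller is forced onto a checked-exception path for no reason; drop the clause: `public static OmDBAccessIdInfo getFromProtobuf(OzoneManagerProtocolProtos.OmDBAccessInfo infoProto) {`. With serialize() and the string-parsing constructor removed, `SERIALIZATION_SPLIT_KEY` and its two-line comment at L275–276 look dead unless something outside this file still references them. Note also that generated protobuf setters reject null, so getProtobuf() will fail with a NullPointerException if tenantId or userPrincipal is ever null; an `Objects.requireNonNull` in the constructor would surface that earlier with a clear message. Dropping the secret key from the persisted record is the right direction — the access-ID table no longer carries credential material.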
@@ -129,7 +102,6 @@ public final class OmDBAccessIdInfo {
public static final class Builder {
private String tenantId;
private String kerberosPrincipal;
- private String sharedSecret;
private boolean isAdmin;
private boolean isDelegatedAdmin;
@@ -143,11 +115,6 @@ public final class OmDBAccessIdInfo {
return this;
}
- public Builder setSharedSecret(String sharedSecret) {
- this.sharedSecret = sharedSecret;
- return this;
- }
-
public Builder setIsAdmin(boolean isAdmin) {
this.isAdmin = isAdmin;
return this;
@@ -159,7 +126,7 @@ public final class OmDBAccessIdInfo {
}
public OmDBAccessIdInfo build() {
- return new OmDBAccessIdInfo(tenantId, kerberosPrincipal, sharedSecret,
+ return new OmDBAccessIdInfo(tenantId, kerberosPrincipal,
isAdmin, isDelegatedAdmin);
}
}
diff --git
a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocol/OzoneManagerProtocol.java
b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocol/OzoneManagerProtocol.java
index b9bf572..e18d57f 100644
---
a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocol/OzoneManagerProtocol.java
+++
b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocol/OzoneManagerProtocol.java
@@ -605,7 +605,7 @@ public interface OzoneManagerProtocol
"this to be implemented, as write requests use a new approach");
}
- OmVolumeArgs getS3Volume(String accessID) throws IOException;
+ OmVolumeArgs getS3Volume() throws IOException;
/**
* Revoke user accessId to a tenant.
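Review bot: getS3Volume() is a public protocol method with no Javadoc, while the methods around it in this interface are documented. Suggest `/** Returns the volume S3 requests from the caller should use, selected from the S3 authentication info on the request; the OM's default S3 volume is returned when the access ID is not mapped to a tenant. */` with `@throws IOException` for the lookup failures.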
diff --git
a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocolPB/OzoneManagerProtocolClientSideTranslatorPB.java
b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocolPB/OzoneManagerProtocolClientSideTranslatorPB.java
index 9e0f789..2051a97 100644
---
a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocolPB/OzoneManagerProtocolClientSideTranslatorPB.java
+++
b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocolPB/OzoneManagerProtocolClientSideTranslatorPB.java
@@ -1102,9 +1102,8 @@ public final class
OzoneManagerProtocolClientSideTranslatorPB
}
@Override
- public OmVolumeArgs getS3Volume(String accessID) throws IOException {
+ public OmVolumeArgs getS3Volume() throws IOException {
final GetS3VolumeRequest request = GetS3VolumeRequest.newBuilder()
- .setAccessID(accessID)
.build();
final OMRequest omRequest = createOMRequest(Type.GetS3Volume)
.setGetS3VolumeRequest(request)
diff --git
a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/OzoneTokenIdentifier.java
b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/OzoneTokenIdentifier.java
index a62dd15..01fcaf8 100644
---
a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/OzoneTokenIdentifier.java
+++
b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/OzoneTokenIdentifier.java
@@ -23,7 +23,6 @@ import java.io.DataOutput;
import java.io.IOException;
import java.time.Instant;
import java.util.Arrays;
-import java.util.function.UnaryOperator;
import org.apache.commons.lang3.builder.EqualsBuilder;
import org.apache.hadoop.hdds.annotation.InterfaceAudience;
@@ -34,10 +33,7 @@ import org.apache.hadoop.io.Text;
import org.apache.hadoop.io.WritableUtils;
import
org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMTokenProto;
import
org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMTokenProto.Type;
-import org.apache.hadoop.security.UserGroupInformation;
import
org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
import static
org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMTokenProto.Type.S3AUTHINFO;
@@ -50,9 +46,6 @@ import static
org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.
public class OzoneTokenIdentifier extends
AbstractDelegationTokenIdentifier {
- private static final Logger LOG =
- LoggerFactory.getLogger(OzoneTokenIdentifier.class);
-
public static final Text KIND_NAME = new Text("OzoneToken");
private String omCertSerialId;
private Type tokenType;
@@ -61,10 +54,6 @@ public class OzoneTokenIdentifier extends
private String strToSign;
private String omServiceId;
- // Function to convert an arbitrary accessId to the kerberos user that owns
- // the accessId.
- private UnaryOperator<String> getUserForAccessId;
-
/**
* Create an empty delegation token identifier.
*/
@@ -118,24 +107,10 @@ public class OzoneTokenIdentifier extends
return buf.getData();
}
- @Override
- public UserGroupInformation getUser() {
- if (getUserForAccessId != null && tokenType.equals(S3AUTHINFO)) {
- // Should have been passed as accessId
- String tokenUser = getOwner().toString();
- String actualUserName = getUserForAccessId.apply(tokenUser);
- if (actualUserName != null) {
- LOG.debug("S3 Token user for {} : {}", tokenUser, actualUserName);
- return UserGroupInformation.createRemoteUser(actualUserName);
- }
- }
- return super.getUser();
- }
-
- /** Instead of relying on proto deserialization, this
- * provides explicit deserialization for OzoneTokenIdentifier.
- * @return byte[]
- */
+ /** Instead of relying on proto deserialization, this
+ * provides explicit deserialization for OzoneTokenIdentifier.
+ * @return byte[]
+ */
public OzoneTokenIdentifier fromUniqueSerializedKey(byte[] rawData)
throws IOException {
DataInputBuffer in = new DataInputBuffer();
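Review bot: The re-indented Javadoc for fromUniqueSerializedKey still says `@return byte[]`, but the method returns an OzoneTokenIdentifier; since these lines are rewritten anyway, change the tag to `@return the identifier deserialized from {@code rawData}` and add `@param rawData` and `@throws IOException`. Separately, with getUser() removed this class may no longer reference S3AUTHINFO; if so, the static import kept in the hunk at L443 is dead and should go with the other imports removed above. The method body continues past the end of the hunk.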
@@ -393,10 +368,6 @@ public class OzoneTokenIdentifier extends
this.strToSign = strToSign;
}
- public void setGetUserForAccessId(UnaryOperator<String> func) {
- this.getUserForAccessId = func;
- }
-
@Override
public String toString() {
StringBuilder buffer = new StringBuilder();
diff --git
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/multitenant/TestMultiTenantVolume.java
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/multitenant/TestMultiTenantVolume.java
index 2415285..cd7a58a 100644
---
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/multitenant/TestMultiTenantVolume.java
+++
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/multitenant/TestMultiTenantVolume.java
@@ -27,6 +27,7 @@ import org.apache.hadoop.ozone.client.OzoneVolume;
import org.apache.hadoop.ozone.client.rpc.RpcClient;
import org.apache.hadoop.ozone.om.OMMultiTenantManagerImpl;
import org.apache.hadoop.ozone.om.exceptions.OMException;
+import org.apache.hadoop.ozone.om.protocol.S3Auth;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
@@ -150,8 +151,8 @@ public class TestMultiTenantVolume {
OzoneConfiguration conf = cluster.getOzoneManager().getConfiguration();
// Manually construct an object store instead of using the cluster
// provided one so we can specify the access ID.
- // TODO: Update after HDDS-4440 is merged and this is not necessary.
- return new ObjectStore(conf, new RpcClient(conf, null),
- accessID);
+ RpcClient client = new RpcClient(conf, null);
+ client.setTheadLocalS3Auth(new S3Auth("unused1", "unused2", accessID));
+ return new ObjectStore(conf, client);
}
}
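Review bot: The S3Auth handed to setTheadLocalS3Auth carries the literal strings `"unused1"` and `"unused2"` for its first two arguments with no explanation of why the OM accepts them. A one-line comment such as `// Only the access ID is used for volume selection here; the signature and string-to-sign are not validated on this path.` would document the assumption, so that if it ever stops holding the test fails for an obvious reason. I am inferring the meaning of the first two constructor arguments from the call shape, so confirm against S3Auth before wording the comment.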
diff --git
a/hadoop-ozone/interface-client/src/main/proto/OmClientProtocol.proto
b/hadoop-ozone/interface-client/src/main/proto/OmClientProtocol.proto
index 5cfb56c..fdc5765 100644
--- a/hadoop-ozone/interface-client/src/main/proto/OmClientProtocol.proto
+++ b/hadoop-ozone/interface-client/src/main/proto/OmClientProtocol.proto
@@ -1503,7 +1503,7 @@ message TenantRevokeAdminRequest {
}
message GetS3VolumeRequest {
- optional string accessID = 1;
+
}
message CreateTenantResponse {
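Review bot: Removing `optional string accessID = 1;` from GetS3VolumeRequest leaves field number 1 free for reuse, so a later field with a different type could silently decode payloads from older clients as garbage; reserve it rather than leaving the message empty: `reserved 1;` and `reserved "accessID";`. That also replaces the stray blank `+` line left in the message body.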
@@ -1532,6 +1532,13 @@ message TenantRevokeAdminResponse {
optional bool success = 1; // TODO: Remove this field
}
+message OmDBAccessInfo {
+ optional string tenantId = 1;
+ optional string userPrincipal = 2;
+ optional bool isAdmin = 3;
+ optional bool isDelegatedAdmin = 4;
+}
+
message GetS3VolumeResponse {
optional VolumeInfo volumeInfo = 1;
}
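Review bot: OmDBAccessInfo is persisted in the OM DB through OmDBAccessIdInfoCodec rather than sent in a request, and nothing in the .proto says so; a leading comment like `// Persisted format of tenant access-ID table entries (see OmDBAccessIdInfoCodec). Field numbers must stay stable across releases.` would stop someone renumbering it as if it were a transient message. The name also differs from the Java class it mirrors, OmDBAccessIdInfo, which is cheap to align while the message is new.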
diff --git
a/hadoop-ozone/interface-storage/src/main/java/org/apache/hadoop/ozone/om/codec/OmDBAccessIdInfoCodec.java
b/hadoop-ozone/interface-storage/src/main/java/org/apache/hadoop/ozone/om/codec/OmDBAccessIdInfoCodec.java
index fa8ad73..b3926fc 100644
---
a/hadoop-ozone/interface-storage/src/main/java/org/apache/hadoop/ozone/om/codec/OmDBAccessIdInfoCodec.java
+++
b/hadoop-ozone/interface-storage/src/main/java/org/apache/hadoop/ozone/om/codec/OmDBAccessIdInfoCodec.java
@@ -19,6 +19,7 @@ package org.apache.hadoop.ozone.om.codec;
import org.apache.hadoop.hdds.utils.db.Codec;
import org.apache.hadoop.ozone.om.helpers.OmDBAccessIdInfo;
+import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -36,7 +37,7 @@ public class OmDBAccessIdInfoCodec implements
Codec<OmDBAccessIdInfo> {
@Override
public byte[] toPersistedFormat(OmDBAccessIdInfo object) throws IOException {
checkNotNull(object, "Null object can't be converted to byte array.");
- return object.convertToByteArray();
+ return object.getProtobuf().toByteArray();
}
@Override
@@ -44,7 +45,8 @@ public class OmDBAccessIdInfoCodec implements
Codec<OmDBAccessIdInfo> {
throws IOException {
checkNotNull(rawData, "Null byte array can't be converted to " +
"real object.");
- return OmDBAccessIdInfo.getFromByteArray(rawData);
+ return OmDBAccessIdInfo.getFromProtobuf(
+ OzoneManagerProtocolProtos.OmDBAccessInfo.parseFrom(rawData));
}
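Review bot: fromPersistedFormat now only understands protobuf, but the previous on-disk layout was the `;`-delimited string written by the removed convertToByteArray(); any access-ID rows written by an earlier build of this branch will now either fail in parseFrom or may decode as an all-defaults message without an error. If such data can exist, a format check or a migration is needed; if this branch has never shipped the old layout, a comment at the parse site saying so would settle the question for the next reader. parseFrom's InvalidProtocolBufferException is an IOException, so the existing throws clause covers the failure case.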
@Override
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManager.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManager.java
index f44dafc..558f9be 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManager.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManager.java
@@ -19,6 +19,7 @@ package org.apache.hadoop.ozone.om;
import java.io.IOException;
import java.util.List;
+import com.google.common.base.Optional;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.hadoop.ozone.om.helpers.TenantUserList;
import org.apache.hadoop.ozone.om.multitenant.AccessPolicy;
@@ -196,7 +197,7 @@ public interface OMMultiTenantManager {
* @param accessID
* @return String tenant name
*/
- String getTenantForAccessID(String accessID) throws IOException;
+ Optional<String> getTenantForAccessID(String accessID) throws IOException;
/**
* Given a user, make him an admin of the corresponding Tenant.
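Review bot: The Javadoc above getTenantForAccessID still says `@return String tenant name`, but the method now returns an Optional that is absent when the access ID is not mapped to any tenant; update it to `@return the tenant the access ID belongs to, or {@link Optional#absent()} if it is not associated with a tenant`. Also consider `java.util.Optional` instead of Guava's: the file already imports from java.util, the JDK type has been the idiom since Java 8, and it avoids exposing a third-party type through a public interface.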
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java
index b073936..5bdc12e 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java
@@ -35,6 +35,8 @@ import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
+
+import com.google.common.base.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.locks.ReentrantReadWriteLock;
@@ -354,8 +356,7 @@ public class OMMultiTenantManagerImpl implements
OMMultiTenantManager {
}
@Override
- public String getUserSecret(String accessID)
- throws IOException {
+ public String getUserSecret(String accessID) throws IOException {
return "";
}
@@ -405,13 +406,14 @@ public class OMMultiTenantManagerImpl implements
OMMultiTenantManager {
}
@Override
- public String getTenantForAccessID(String accessID) throws IOException {
+ public Optional<String> getTenantForAccessID(String accessID)
+ throws IOException {
OmDBAccessIdInfo omDBAccessIdInfo =
omMetadataManager.getTenantAccessIdTable().get(accessID);
if (omDBAccessIdInfo == null) {
- throw new OMException(INVALID_ACCESSID);
+ return Optional.absent();
}
- return omDBAccessIdInfo.getTenantId();
+ return Optional.of(omDBAccessIdInfo.getTenantId());
}
public List<String> listAllAccessIDs(String tenantID)
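Review bot: The import hunk at L621–628 drops `com.google.common.base.Optional` between `java.util.Map` and `java.util.concurrent.ConcurrentHashMap`, with a blank line splitting the java.util group; move it to the third-party group with the other com.google imports. In the lines shown, getTenantForAccessID reads `omMetadataManager.getTenantAccessIdTable()` without taking a lock of its own; now that callers branch on an absent Optional, a short `// no lock held here; see HDDS-6063` comment would match the TODO added to OzoneManager.getS3Volume in this same commit, assuming that ticket covers this read too.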
@@ -426,8 +428,12 @@ public class OMMultiTenantManagerImpl implements
OMMultiTenantManager {
try {
controlPathLock.writeLock().lock();
// tenantId (tenant name) is necessary to retrieve role name
- final String tenantId = getTenantForAccessID(accessID);
- assert(tenantId != null);
+ Optional<String> optionalTenant = getTenantForAccessID(accessID);
+ if (!optionalTenant.isPresent()) {
+ throw new OMException("No tenant found for access ID " + accessID,
+ INVALID_ACCESSID);
+ }
+ final String tenantId = optionalTenant.get();
final OzoneTenantRolePrincipal existingAdminRole =
OzoneTenantRolePrincipal.getAdminRole(tenantId);
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneAclUtils.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneAclUtils.java
index e7834db..91eeaeb 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneAclUtils.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneAclUtils.java
@@ -32,9 +32,30 @@ import static
org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.INVA
*/
public final class OzoneAclUtils {
+ private static OMMultiTenantManager multiTenantManager;
+
private OzoneAclUtils() {
}
+ public static void setOMMultiTenantManager(
+ OMMultiTenantManager tenantManager) {
+ multiTenantManager = tenantManager;
+ }
+
+ /**
+ * Converts the given access ID to a kerberos principal.
+ * If the access ID does not belong to a tenant, the access ID is returned
+ * as is to be used as the principal.
+ */
+ public static String principalToAccessID(String accessID) throws IOException
{
+ String principal = multiTenantManager.getUserNameGivenAccessId(accessID);
+ if (principal == null) {
+ principal = accessID;
+ }
+
+ return principal;
+ }
+
/**
* Check Acls of ozone object with volume owner and bucket owner.
* @param ozoneManager
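Review bot: principalToAccessID converts an access ID into a principal, the opposite of what its name says, while its Javadoc describes the actual direction — rename it to `accessIDToPrincipal` (the only caller visible in this commit is in OzoneManager at L779). The method reads a static `multiTenantManager` that stays null until setOMMultiTenantManager runs, so a call before OzoneManager.instantiateServices fails with an unexplained NullPointerException; `Objects.requireNonNull(multiTenantManager, "OMMultiTenantManager not set")` would at least name the cause, and the field needs a comment saying who is expected to set it. The fallback that uses an unmapped access ID as the principal itself matches the previous behaviour in OzoneManager, but since that name is what ACL checks are then evaluated against, the Javadoc should state explicitly that this is intentional rather than leaving it as "returned as is".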
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
index 0e07b64..3d7473d 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
@@ -251,7 +251,6 @@ import static
org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_DEFAULT_BUCKET_LAYOU
import static
org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.DETECTED_LOOP_IN_BUCKET_LINKS;
import static
org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.INVALID_AUTH_METHOD;
import static
org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.INVALID_REQUEST;
-import static
org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.INVALID_ACCESSID;
import static
org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.PERMISSION_DENIED;
import static
org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.TOKEN_ERROR_OTHER;
import static
org.apache.hadoop.ozone.om.lock.OzoneManagerLock.Resource.BUCKET_LOCK;
@@ -303,7 +302,7 @@ public final class OzoneManager extends
ServiceRuntimeInfoImpl
private String omId;
private OMMetadataManager metadataManager;
- private OMMultiTenantManager multiTenantManagr;
+ private OMMultiTenantManager multiTenantManager;
private VolumeManager volumeManager;
private BucketManager bucketManager;
private KeyManager keyManager;
@@ -648,8 +647,9 @@ public final class OzoneManager extends
ServiceRuntimeInfoImpl
private void instantiateServices(boolean withNewSnapshot) throws IOException
{
metadataManager = new OmMetadataManagerImpl(configuration);
- multiTenantManagr = new OMMultiTenantManagerImpl(metadataManager,
+ multiTenantManager = new OMMultiTenantManagerImpl(metadataManager,
configuration);
+ OzoneAclUtils.setOMMultiTenantManager(multiTenantManager);
volumeManager = new VolumeManagerImpl(metadataManager, configuration);
bucketManager = new BucketManagerImpl(metadataManager, getKmsProvider(),
isRatisEnabled);
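Review bot: `OzoneAclUtils.setOMMultiTenantManager(multiTenantManager)` publishes this OM's tenant manager into a JVM-wide static, so the access-ID mapping used by ACL checks is whichever OzoneManager instance ran instantiateServices last; in a single-process test cluster with several OMs that can be a different instance's manager than the one handling the request. If the tenant tables are identical across those instances this is harmless, but a comment here should say so, or the manager should be passed to the ACL utility explicitly instead of through static state. This is inferred from the static field added to OzoneAclUtils in this commit; the rest of instantiateServices is outside the hunk.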
@@ -887,7 +887,6 @@ public final class OzoneManager extends
ServiceRuntimeInfoImpl
.setS3SecretManager(s3SecretManager)
.setCertificateClient(certClient)
.setOmServiceId(omNodeDetails.getServiceId())
- .setOMMultiTenantManager(multiTenantManagr)
.build();
}
@@ -1356,7 +1355,7 @@ public final class OzoneManager extends
ServiceRuntimeInfoImpl
* @return metadata manager.
*/
public OMMultiTenantManager getMultiTenantManager() {
- return multiTenantManagr;
+ return multiTenantManager;
}
public OzoneBlockTokenSecretManager getBlockTokenMgr() {
@@ -2169,8 +2168,9 @@ public final class OzoneManager extends
ServiceRuntimeInfoImpl
throws IOException {
UserGroupInformation user;
if (getS3Auth() != null) {
- user = UserGroupInformation.createRemoteUser(
- getS3Auth().getAccessId());
+ String principal =
+ OzoneAclUtils.principalToAccessID(getS3Auth().getAccessId());
+ user = UserGroupInformation.createRemoteUser(principal);
} else {
user = ProtobufRpcEngine.Server.getRemoteUser();
}
@@ -2994,14 +2994,14 @@ public final class OzoneManager extends
ServiceRuntimeInfoImpl
auditMap.put(OzoneConsts.USER_PREFIX, prefix);
try {
String userName = getRemoteUser().getUserName();
- if (!multiTenantManagr.isTenantAdmin(userName, tenantId)
+ if (!multiTenantManager.isTenantAdmin(userName, tenantId)
&& !omAdminUsernames.contains(userName)) {
throw new IOException("Only tenant and ozone admins can access this " +
"API. '" + userName + "' is not an admin.");
}
final TenantUserList userList =
- multiTenantManagr.listUsersInTenant(tenantId, prefix);
+ multiTenantManager.listUsersInTenant(tenantId, prefix);
AUDIT.logReadSuccess(buildAuditMessageForSuccess(
OMAction.TENANT_LIST_USER, auditMap));
return userList;
@@ -3013,38 +3013,54 @@ public final class OzoneManager extends
ServiceRuntimeInfoImpl
}
@Override
- public OmVolumeArgs getS3Volume(String accessID) throws IOException {
-
- final String tenantId;
- try {
- tenantId = multiTenantManagr.getTenantForAccessID(accessID);
- // TODO: Get volume name from DB. Do not assume the same. e.g.
- //metadataManager.getTenantStateTable().get(tenantId)
- // .getBucketNamespaceName();
- final String volumeName = tenantId;
- if (LOG.isDebugEnabled()) {
- LOG.debug("Get S3 volume request for access ID {} belonging to tenant"
+
- " {} is directed to the volume {}.", accessID, tenantId,
- volumeName);
- }
- // This call performs acl checks and checks volume existence.
- return getVolumeInfo(volumeName);
-
- } catch (OMException ex) {
- if (ex.getResult().equals(INVALID_ACCESSID)) {
- // If the user is not associated with a tenant, they will use the
- // default s3 volume.
- String defaultS3volume =
- HddsClientUtils.getDefaultS3VolumeName(configuration);
-
+ public OmVolumeArgs getS3Volume() throws IOException {
+ // Unless the OM request contains S3 authentication info with an access
+ // ID that corresponds to a tenant volume, the request will be directed
+ // to the default S3 volume.
+ String s3Volume = HddsClientUtils.getDefaultS3VolumeName(configuration);
+ S3Authentication s3Auth = getS3Auth();
+
+ if (s3Auth != null) {
+ String accessID = s3Auth.getAccessId();
+ // TODO HDDS-6063: Volume lock is needed here along with the other
+ // multi-tenant read requests.
+ Optional<String> optionalTenantId =
+ multiTenantManager.getTenantForAccessID(accessID);
+
+ if (optionalTenantId.isPresent()) {
+ String tenantId = optionalTenantId.get();
+ OmDBTenantInfo tenantInfo =
+ metadataManager.getTenantStateTable().get(tenantId);
+ if (tenantInfo != null) {
+ s3Volume = metadataManager.getTenantStateTable().get(tenantId)
+ .getBucketNamespaceName();
+ } else {
+ String message = "Expected to find a tenant for access ID " +
+ accessID +
+ " but no tenant was found. Possibly inconsistent OM DB!";
+ LOG.error(message);
+ throw new OMException(message, ResultCodes.TENANT_NOT_FOUND);
+ }
if (LOG.isDebugEnabled()) {
- LOG.debug("No tenant found for access ID {}. Directing " +
- "requests to default s3 volume {}.", accessID, defaultS3volume);
+ LOG.debug("Get S3 volume request for access ID {} belonging to " +
+ "tenant {} is directed to the volume {}.", accessID,
tenantId,
+ s3Volume);
}
- return getVolumeInfo(defaultS3volume);
+ } else if (LOG.isDebugEnabled()) {
+ LOG.debug("No tenant found for access ID {}. Directing " +
+ "requests to default s3 volume {}.", accessID, s3Volume);
}
- throw ex;
+ } else if (LOG.isDebugEnabled()) {
+ // An old S3 gateway talking to a new OM may not attach the auth info.
+ // This old version of s3g will also not have a client that supports
+ // multi-tenancy, so we can direct requests to the default S3 volume.
+ LOG.debug("S3 authentication was not attached to the OM request. " +
+ "Directing requests to the default S3 volume {}.",
+ s3Volume);
}
+
+ // This call performs acl checks and checks volume existence.
+ return getVolumeInfo(s3Volume);
}
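Review bot: `s3Volume` is assigned from a second `metadataManager.getTenantStateTable().get(tenantId)` even though the same lookup was just stored in `tenantInfo` and null-checked; without the volume lock the TODO mentions, the second read can observe a different (or removed) entry and NPE on `.getBucketNamespaceName()`. Use the value already fetched: `s3Volume = tenantInfo.getBucketNamespaceName();`. It may also be worth a null check on the namespace name before handing it to `getVolumeInfo`, unless the tenant-state schema guarantees it is always set — I cannot tell from this hunk.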
@Override
@@ -3769,20 +3785,22 @@ public final class OzoneManager extends
ServiceRuntimeInfoImpl
throws IOException {
Pair<String, String> resolved;
- try {
- if (isAclEnabled) {
- InetAddress remoteIp = Server.getRemoteIp();
- resolved = resolveBucketLink(requested, new HashSet<>(),
- Server.getRemoteUser(),
- remoteIp,
- remoteIp != null ? remoteIp.getHostName() :
- omRpcAddress.getHostName());
- } else {
- resolved = resolveBucketLink(requested, new HashSet<>(),
- null, null, null);
+ if (isAclEnabled) {
+ UserGroupInformation ugi = Server.getRemoteUser();
+ if (getS3Auth() != null) {
+ ugi = UserGroupInformation
+ .createRemoteUser(
+ OzoneAclUtils.principalToAccessID(getS3Auth().getAccessId()));
}
- } catch (Throwable t) {
- throw t;
+ InetAddress remoteIp = Server.getRemoteIp();
+ resolved = resolveBucketLink(requested, new HashSet<>(),
+ ugi,
+ remoteIp,
+ remoteIp != null ? remoteIp.getHostName() :
+ omRpcAddress.getHostName());
+ } else {
+ resolved = resolveBucketLink(requested, new HashSet<>(),
+ null, null, null);
}
return new ResolvedBucket(requested, resolved);
}
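Review bot: The access-ID-to-principal translation added here duplicates what `getRemoteUser()` in this same class now does, so a future change to how S3 identities are mapped would have to be made in two places (three, counting `OMClientRequest.getUserInfo`). Replacing the `UserGroupInformation ugi = ...` block with `UserGroupInformation ugi = getRemoteUser();` keeps one authoritative mapping, assuming `Server.getRemoteUser()` and `ProtobufRpcEngine.Server.getRemoteUser()` resolve to the same caller (they appear to, but that is outside this hunk). The enclosing method's signature starts outside the hunk.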
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/S3SecretManagerImpl.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/S3SecretManagerImpl.java
index 57d17cd..b3d4503 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/S3SecretManagerImpl.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/S3SecretManagerImpl.java
@@ -82,22 +82,22 @@ public class S3SecretManagerImpl implements S3SecretManager
{
}
@Override
- public String getS3UserSecretString(String kerberosID)
+ public String getS3UserSecretString(String awsAccessKey)
throws IOException {
- Preconditions.checkArgument(Strings.isNotBlank(kerberosID),
+ Preconditions.checkArgument(Strings.isNotBlank(awsAccessKey),
"awsAccessKeyId cannot be null or empty.");
- LOG.trace("Get secret for awsAccessKey:{}", kerberosID);
+ LOG.trace("Get secret for awsAccessKey:{}", awsAccessKey);
S3SecretValue s3Secret;
- omMetadataManager.getLock().acquireReadLock(S3_SECRET_LOCK, kerberosID);
+ omMetadataManager.getLock().acquireReadLock(S3_SECRET_LOCK, awsAccessKey);
try {
- s3Secret = omMetadataManager.getS3SecretTable().get(kerberosID);
+ s3Secret = omMetadataManager.getS3SecretTable().get(awsAccessKey);
if (s3Secret == null) {
throw new OzoneSecurityException("S3 secret not found for " +
- "awsAccessKeyId " + kerberosID, S3_SECRET_NOT_FOUND);
+ "awsAccessKeyId " + awsAccessKey, S3_SECRET_NOT_FOUND);
}
} finally {
- omMetadataManager.getLock().releaseReadLock(S3_SECRET_LOCK, kerberosID);
+ omMetadataManager.getLock().releaseReadLock(S3_SECRET_LOCK,
awsAccessKey);
}
return s3Secret.getAwsSecret();
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/OMClientRequest.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/OMClientRequest.java
index 08eb966..e430665 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/OMClientRequest.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/OMClientRequest.java
@@ -133,17 +133,17 @@ public abstract class OMClientRequest implements
RequestAuditor {
* Get User information which needs to be set in the OMRequest object.
* @return User Info.
*/
- public OzoneManagerProtocolProtos.UserInfo getUserInfo() {
+ public OzoneManagerProtocolProtos.UserInfo getUserInfo() throws IOException {
UserGroupInformation user = ProtobufRpcEngine.Server.getRemoteUser();
InetAddress remoteAddress = ProtobufRpcEngine.Server.getRemoteIp();
OzoneManagerProtocolProtos.UserInfo.Builder userInfo =
OzoneManagerProtocolProtos.UserInfo.newBuilder();
- // If S3 Authentication is set, use AccessId as user.
+ // If S3 Authentication is set, determine user based on access ID.
if (omRequest.hasS3Authentication()) {
- // TODO: For tenant users, translate accessId to (short) username
- // with multiTenantManager.getUserNameGivenAccessId(accessId)
- userInfo.setUserName(omRequest.getS3Authentication().getAccessId());
+ String principal = OzoneAclUtils.principalToAccessID(
+ omRequest.getS3Authentication().getAccessId());
+ userInfo.setUserName(principal);
} else if (user != null) {
// Added not null checks, as in UT's these values might be null.
userInfo.setUserName(user.getUserName());
@@ -164,7 +164,7 @@ public abstract class OMClientRequest implements
RequestAuditor {
* @return User Info.
*/
public OzoneManagerProtocolProtos.UserInfo getUserIfNotExists(
- OzoneManager ozoneManager) {
+ OzoneManager ozoneManager) throws IOException {
OzoneManagerProtocolProtos.UserInfo userInfo = getUserInfo();
if (!userInfo.hasRemoteAddress() || !userInfo.hasUserName()){
OzoneManagerProtocolProtos.UserInfo.Builder newuserInfo =
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMDirectoryCreateRequest.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMDirectoryCreateRequest.java
index 6c2a862..f90b4c4 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMDirectoryCreateRequest.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/file/OMDirectoryCreateRequest.java
@@ -113,7 +113,7 @@ public class OMDirectoryCreateRequest extends OMKeyRequest {
}
@Override
- public OMRequest preExecute(OzoneManager ozoneManager) {
+ public OMRequest preExecute(OzoneManager ozoneManager) throws IOException {
CreateDirectoryRequest createDirectoryRequest =
getOmRequest().getCreateDirectoryRequest();
Preconditions.checkNotNull(createDirectoryRequest);
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/OMSetSecretRequest.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/OMSetSecretRequest.java
index 423e18d..9c8ddb7 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/OMSetSecretRequest.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/OMSetSecretRequest.java
@@ -144,16 +144,9 @@ public class OMSetSecretRequest extends OMClientRequest {
// Intentionally set to final so they can only be set once.
final S3SecretValue newS3SecretValue;
- final OmDBAccessIdInfo newDBAccessIdInfo;
// Update legacy S3SecretTable, if the accessId entry exists
- if (omMetadataManager.getS3SecretTable().get(accessId) == null) {
- // S3SecretTable will be deprecated.
- // It is acceptable to not have an accessId entry in it.
- LOG.debug("accessId '{}' not found in S3SecretTable", accessId);
- newS3SecretValue = null;
-
- } else {
+ if (omMetadataManager.getS3SecretTable().get(accessId) != null) {
// accessId found in S3SecretTable. Update S3SecretTable
LOG.debug("Updating S3SecretTable cache entry");
// Update S3SecretTable cache entry in this case
@@ -163,42 +156,8 @@ public class OMSetSecretRequest extends OMClientRequest {
new CacheKey<>(accessId),
new CacheValue<>(Optional.of(newS3SecretValue),
transactionLogIndex));
- }
-
- // Get accessId entry from multi-tenant TenantAccessIdTable
- final OmDBAccessIdInfo omDBAccessIdInfo =
- omMetadataManager.getTenantAccessIdTable().get(accessId);
-
- // Check accessId existence in TenantAccessIdTable
- if (omDBAccessIdInfo == null) {
- // At some point we need to migrate entries from S3SecretTable
- // to TenantAccessIdTable, and S3SecretTable should eventually become
- // empty.
- LOG.warn("accessId '{}' not found in TenantAccessIdTable", accessId);
- newDBAccessIdInfo = null;
-
} else {
- // Update TenantAccessIdTable
- // Build new OmDBAccessIdInfo with updated secret
- LOG.debug("Updating TenantAccessIdTable cache entry");
- newDBAccessIdInfo = new OmDBAccessIdInfo.Builder()
- .setTenantId(omDBAccessIdInfo.getTenantId())
- .setKerberosPrincipal(omDBAccessIdInfo.getUserPrincipal())
- .setSharedSecret(secretKey)
- .setIsAdmin(omDBAccessIdInfo.getIsAdmin())
- .setIsDelegatedAdmin(omDBAccessIdInfo.getIsDelegatedAdmin())
- .build();
-
- // Update TenantAccessIdTable cache entry
- omMetadataManager.getTenantAccessIdTable().addCacheEntry(
- new CacheKey<>(accessId),
- new CacheValue<>(Optional.of(newDBAccessIdInfo),
- transactionLogIndex));
- }
-
- // If neither S3SecretTable nor TenantAccessIdTable is updated, throw
- // ACCESSID_NOT_FOUND exception.
- if (newS3SecretValue == null && newDBAccessIdInfo == null) {
+ // If S3SecretTable is not updated, throw ACCESSID_NOT_FOUND exception.
throw new OMException("accessId '" + accessId + "' not found.",
OMException.ResultCodes.ACCESSID_NOT_FOUND);
}
@@ -209,8 +168,7 @@ public class OMSetSecretRequest extends OMClientRequest {
.setAccessId(accessId)
.setSecretKey(secretKey);
- omClientResponse = new OMSetSecretResponse(accessId,
- newDBAccessIdInfo, newS3SecretValue,
+ omClientResponse = new OMSetSecretResponse(accessId, newS3SecretValue,
omResponse.setSetS3SecretResponse(setSecretResponse).build());
} catch (IOException ex) {
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3GetSecretRequest.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3GetSecretRequest.java
index 9e737c4..8b57757 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3GetSecretRequest.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3GetSecretRequest.java
@@ -24,7 +24,6 @@ import java.util.Map;
import com.google.common.base.Optional;
import org.apache.commons.codec.digest.DigestUtils;
-import org.apache.hadoop.ozone.om.helpers.OmDBAccessIdInfo;
import org.apache.hadoop.ozone.om.request.util.OmResponseUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -159,41 +158,29 @@ public class S3GetSecretRequest extends OMClientRequest {
}
try {
- // Note: We use the same S3_SECRET_LOCK for TenantAccessIdTable.
acquiredLock = omMetadataManager.getLock()
.acquireWriteLock(S3_SECRET_LOCK, accessId);
- // Check multi-tenant table first: tenantAccessIdTable
final S3SecretValue assignS3SecretValue;
- final OmDBAccessIdInfo omDBAccessIdInfo =
- omMetadataManager.getTenantAccessIdTable().get(accessId);
- if (omDBAccessIdInfo == null) {
- // Not found in TenantAccessIdTable. Fallback to S3SecretTable.
- final S3SecretValue s3SecretValue =
- omMetadataManager.getS3SecretTable().get(accessId);
-
- if (s3SecretValue == null) {
- if (createIfNotExist) {
- // Still not found in S3SecretTable. Add new entry in this case
- assignS3SecretValue = new S3SecretValue(accessId, awsSecret);
- // Add cache entry first.
- omMetadataManager.getS3SecretTable().addCacheEntry(
- new CacheKey<>(accessId),
- new CacheValue<>(Optional.of(assignS3SecretValue),
- transactionLogIndex));
- // TODO: Put accessId entry straight to TenantAccessIdTable
- // later when we deprecate the S3SecretTable.
- } else {
- assignS3SecretValue = null;
- }
+ final S3SecretValue s3SecretValue =
+ omMetadataManager.getS3SecretTable().get(accessId);
+
+ if (s3SecretValue == null) {
+ // Not found in S3SecretTable.
+ if (createIfNotExist) {
+ // Add new entry in this case
+ assignS3SecretValue = new S3SecretValue(accessId, awsSecret);
+ // Add cache entry first.
+ omMetadataManager.getS3SecretTable().addCacheEntry(
+ new CacheKey<>(accessId),
+ new CacheValue<>(Optional.of(assignS3SecretValue),
+ transactionLogIndex));
} else {
- // Found in S3SecretTable.
- awsSecret = s3SecretValue.getAwsSecret();
assignS3SecretValue = null;
}
} else {
- // Found in TenantAccessIdTable.
- awsSecret = omDBAccessIdInfo.getSecretKey();
+ // Found in S3SecretTable.
+ awsSecret = s3SecretValue.getAwsSecret();
assignS3SecretValue = null;
}
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMAssignUserToTenantRequest.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMAssignUserToTenantRequest.java
index ff74225..8d796e1 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMAssignUserToTenantRequest.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMAssignUserToTenantRequest.java
@@ -289,7 +289,6 @@ public class OMAssignUserToTenantRequest extends
OMClientRequest {
final OmDBAccessIdInfo omDBAccessIdInfo = new OmDBAccessIdInfo.Builder()
.setTenantId(tenantId)
.setKerberosPrincipal(principal)
- .setSharedSecret(s3SecretValue.getAwsSecret())
.setIsAdmin(false)
.setIsDelegatedAdmin(false)
.build();
@@ -325,21 +324,18 @@ public class OMAssignUserToTenantRequest extends
OMClientRequest {
new CacheKey<>(accessId),
new CacheValue<>(Optional.of(roleName), transactionLogIndex));
- // Add to S3SecretTable.
- // Note: S3SecretTable will be deprecated in the future.
+ // Add S3SecretTable cache entry
acquiredS3SecretLock = omMetadataManager.getLock()
.acquireWriteLock(S3_SECRET_LOCK, accessId);
// Expect accessId absence from S3SecretTable
- // TODO: This table might be merged with tenantAccessIdTable later.
if (omMetadataManager.getS3SecretTable().isExist(accessId)) {
LOG.error("accessId '{}' already exists in S3SecretTable", accessId);
throw new OMException("accessId '" + accessId +
"' already exists in S3SecretTable",
- OMException.ResultCodes.INVALID_REQUEST);
+ OMException.ResultCodes.TENANT_USER_ACCESSID_ALREADY_EXISTS);
}
- // Add S3SecretTable cache entry
omMetadataManager.getS3SecretTable().addCacheEntry(
new CacheKey<>(accessId),
new CacheValue<>(Optional.of(s3SecretValue), transactionLogIndex));
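Review bot: The "already exists" case is logged at ERROR although it is an expected, client-triggerable condition that is also surfaced to the caller as `TENANT_USER_ACCESSID_ALREADY_EXISTS`; a repeated assign by an admin script would fill the OM error log. `LOG.warn("accessId '{}' already exists in S3SecretTable", accessId);` matches the severity of the response. Whether `isExist` consults the table cache as well as the DB (so that two assigns in the same Ratis batch are caught) is not visible here and worth confirming.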
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantAssignAdminRequest.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantAssignAdminRequest.java
index aebd924..4c021d2 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantAssignAdminRequest.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantAssignAdminRequest.java
@@ -189,7 +189,6 @@ public class OMTenantAssignAdminRequest extends
OMClientRequest {
new OmDBAccessIdInfo.Builder()
.setTenantId(oldAccessIdInfo.getTenantId())
.setKerberosPrincipal(oldAccessIdInfo.getUserPrincipal())
- .setSharedSecret(oldAccessIdInfo.getSecretKey())
.setIsAdmin(true)
.setIsDelegatedAdmin(delegated)
.build();
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRevokeAdminRequest.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRevokeAdminRequest.java
index 06f7c72..0987ab0 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRevokeAdminRequest.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRevokeAdminRequest.java
@@ -169,7 +169,6 @@ public class OMTenantRevokeAdminRequest extends
OMClientRequest {
new OmDBAccessIdInfo.Builder()
.setTenantId(oldAccessIdInfo.getTenantId())
.setKerberosPrincipal(oldAccessIdInfo.getUserPrincipal())
- .setSharedSecret(oldAccessIdInfo.getSecretKey())
.setIsAdmin(false)
.setIsDelegatedAdmin(false)
.build();
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/s3/security/OMSetSecretResponse.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/s3/security/OMSetSecretResponse.java
index 7d60f26..694ba9f 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/s3/security/OMSetSecretResponse.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/s3/security/OMSetSecretResponse.java
@@ -20,7 +20,6 @@ package org.apache.hadoop.ozone.om.response.s3.security;
import org.apache.hadoop.hdds.utils.db.BatchOperation;
import org.apache.hadoop.ozone.om.OMMetadataManager;
-import org.apache.hadoop.ozone.om.helpers.OmDBAccessIdInfo;
import org.apache.hadoop.ozone.om.helpers.S3SecretValue;
import org.apache.hadoop.ozone.om.response.CleanupTableInfo;
import org.apache.hadoop.ozone.om.response.OMClientResponse;
@@ -34,28 +33,24 @@ import javax.annotation.Nullable;
import java.io.IOException;
import static org.apache.hadoop.ozone.om.OmMetadataManagerImpl.S3_SECRET_TABLE;
-import static
org.apache.hadoop.ozone.om.OmMetadataManagerImpl.TENANT_ACCESS_ID_TABLE;
/**
* Response for SetSecret request.
*/
-@CleanupTableInfo(cleanupTables = {S3_SECRET_TABLE, TENANT_ACCESS_ID_TABLE})
+@CleanupTableInfo(cleanupTables = {S3_SECRET_TABLE})
public class OMSetSecretResponse extends OMClientResponse {
private static final Logger LOG =
LoggerFactory.getLogger(OMSetSecretResponse.class);
private String accessId;
- private OmDBAccessIdInfo dbAccessIdInfo;
private S3SecretValue s3SecretValue;
public OMSetSecretResponse(@Nullable String accessId,
- @Nullable OmDBAccessIdInfo dbAccessIdInfo,
@Nullable S3SecretValue s3SecretValue,
@Nonnull OMResponse omResponse) {
super(omResponse);
this.accessId = accessId;
- this.dbAccessIdInfo = dbAccessIdInfo;
this.s3SecretValue = s3SecretValue;
}
@@ -74,12 +69,6 @@ public class OMSetSecretResponse extends OMClientResponse {
assert(getOMResponse().getStatus() ==
OzoneManagerProtocolProtos.Status.OK);
- if (dbAccessIdInfo != null) {
- LOG.debug("Updating TenantAccessIdTable");
- omMetadataManager.getTenantAccessIdTable().putWithBatch(batchOperation,
- accessId, dbAccessIdInfo);
- }
-
if (s3SecretValue != null) {
LOG.debug("Updating TenantAccessIdTable");
omMetadataManager.getS3SecretTable().putWithBatch(batchOperation,
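Review bot: The surviving debug message still says "Updating TenantAccessIdTable" while the code below it writes to `S3SecretTable`; now that the TenantAccessIdTable branch is gone this log line is simply wrong and will mislead anyone tracing a secret update. Change it to `LOG.debug("Updating S3SecretTable");`. The `putWithBatch` statement continues past the end of the hunk.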
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/s3/tenant/OMTenantAssignUserAccessIdResponse.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/s3/tenant/OMTenantAssignUserAccessIdResponse.java
index eb9ec84..50c5aa1 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/s3/tenant/OMTenantAssignUserAccessIdResponse.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/s3/tenant/OMTenantAssignUserAccessIdResponse.java
@@ -90,7 +90,6 @@ public class OMTenantAssignUserAccessIdResponse extends
OMClientResponse {
if (s3SecretValue != null &&
getOMResponse().getStatus() == OzoneManagerProtocolProtos.Status.OK) {
- assert(accessId.equals(s3SecretValue.getKerberosID()));
// Add S3SecretTable entry
omMetadataManager.getS3SecretTable().putWithBatch(batchOperation,
accessId, s3SecretValue);
@@ -110,4 +109,9 @@ public class OMTenantAssignUserAccessIdResponse extends
OMClientResponse {
public OmDBAccessIdInfo getOmDBAccessIdInfo() {
return omDBAccessIdInfo;
}
+
+ @VisibleForTesting
+ public S3SecretValue getS3Secret() {
+ return s3SecretValue;
+ }
}
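Review bot: `@VisibleForTesting` is used on the new `getS3Secret()` accessor, but no import for it is added in this file's hunks; if the class does not already import it (the import section is not in this chunk) the build will fail. The new accessor also lacks a doc comment; `/** Returns the S3 secret entry written by this response, for test verification only. */` would state the intent the annotation implies.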
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/protocolPB/OzoneManagerRequestHandler.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/protocolPB/OzoneManagerRequestHandler.java
index c09d26a..9f0ac29 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/protocolPB/OzoneManagerRequestHandler.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/protocolPB/OzoneManagerRequestHandler.java
@@ -80,7 +80,6 @@ import
org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMRespo
import
org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.PrepareStatusResponse;
import
org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.ServiceListRequest;
import
org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.ServiceListResponse;
-import
org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.GetS3VolumeRequest;
import
org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.GetS3VolumeResponse;
import
org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.Status;
import
org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.TenantGetUserInfoRequest;
@@ -229,8 +228,7 @@ public class OzoneManagerRequestHandler implements
RequestHandler {
responseBuilder.setPrepareStatusResponse(prepareStatusResponse);
break;
case GetS3Volume:
- GetS3VolumeResponse s3VolumeResponse =
- getS3Volume(request.getGetS3VolumeRequest());
+ GetS3VolumeResponse s3VolumeResponse = getS3Volume();
responseBuilder.setGetS3VolumeResponse(s3VolumeResponse);
break;
case TenantGetUserInfo:
@@ -709,9 +707,9 @@ public class OzoneManagerRequestHandler implements
RequestHandler {
.setCurrentTxnIndex(prepareState.getIndex()).build();
}
- private GetS3VolumeResponse getS3Volume(GetS3VolumeRequest request)
+ private GetS3VolumeResponse getS3Volume()
throws IOException {
- OmVolumeArgs s3VolArgs = impl.getS3Volume(request.getAccessID());
+ OmVolumeArgs s3VolArgs = impl.getS3Volume();
return GetS3VolumeResponse.newBuilder()
.setVolumeInfo(s3VolArgs.getProtobuf())
.build();
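Review bot: A short comment would make the security intent of dropping the request parameter explicit: the access ID is now taken from the authenticated S3Authentication on the OM request rather than from a client-supplied field, so a client can no longer ask for another tenant's volume by naming a foreign access ID. Something like `// Access ID comes from the request's authenticated S3 auth info, never from the payload.` above `impl.getS3Volume()` records that reasoning for the next maintainer. Whether the now-unused proto field was removed or merely ignored is outside this chunk.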
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java
index a433e10..5d34f6a 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java
@@ -36,7 +36,6 @@ import
org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient
import org.apache.hadoop.hdds.security.x509.exceptions.CertificateException;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.ozone.om.OMConfigKeys;
-import org.apache.hadoop.ozone.om.OMMultiTenantManager;
import org.apache.hadoop.ozone.om.S3SecretManager;
import org.apache.hadoop.ozone.om.S3SecretManagerImpl;
import org.apache.hadoop.ozone.om.exceptions.OMException;
@@ -72,7 +71,6 @@ public class OzoneDelegationTokenSecretManager
private final long tokenRemoverScanInterval;
private String omCertificateSerialId;
private String omServiceId;
- private OMMultiTenantManager multiTenantManager;
/**
* If the delegation token update thread holds this lock, it will not get
@@ -99,7 +97,6 @@ public class OzoneDelegationTokenSecretManager
isRatisEnabled = b.ozoneConf.getBoolean(
OMConfigKeys.OZONE_OM_RATIS_ENABLE_KEY,
OMConfigKeys.OZONE_OM_RATIS_ENABLE_DEFAULT);
- this.multiTenantManager = b.omMultiTenantManager;
loadTokenSecretState(store.loadState());
}
@@ -114,7 +111,6 @@ public class OzoneDelegationTokenSecretManager
private long tokenRemoverScanInterval;
private Text service;
private S3SecretManager s3SecretManager;
- private OMMultiTenantManager omMultiTenantManager;
private CertificateClient certClient;
private String omServiceId;
@@ -161,23 +157,11 @@ public class OzoneDelegationTokenSecretManager
this.omServiceId = serviceId;
return this;
}
-
- public Builder setOMMultiTenantManager(OMMultiTenantManager
- multiTenantManager) {
- this.omMultiTenantManager = multiTenantManager;
- return this;
- }
-
}
@Override
public OzoneTokenIdentifier createIdentifier() {
- OzoneTokenIdentifier tokenId = OzoneTokenIdentifier.newInstance();
- if (multiTenantManager != null) {
- tokenId.setGetUserForAccessId(
- multiTenantManager::getUserNameGivenAccessId);
- }
- return tokenId;
+ return OzoneTokenIdentifier.newInstance();
}
/**
diff --git
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/TestOMMultiTenantManagerImpl.java
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/TestOMMultiTenantManagerImpl.java
index de87581..7c07ac8 100644
---
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/TestOMMultiTenantManagerImpl.java
+++
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/TestOMMultiTenantManagerImpl.java
@@ -25,6 +25,7 @@ import static org.junit.Assert.assertTrue;
import java.io.IOException;
import java.util.List;
+import com.google.common.base.Optional;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.ozone.OzoneConsts;
@@ -74,7 +75,7 @@ public class TestOMMultiTenantManagerImpl {
omMetadataManager.getTenantAccessIdTable().put("seed-accessId1",
new OmDBAccessIdInfo(tenantName, "seed-user1",
- "sharedsecret1", false, false));
+ false, false));
tenantManager = new OMMultiTenantManagerImpl(omMetadataManager, conf);
assertEquals(1, tenantManager.getTenantCache().size());
@@ -129,10 +130,9 @@ public class TestOMMultiTenantManagerImpl {
@Test
public void testGetTenantForAccessID() throws Exception {
- assertEquals(tenantName, tenantManager.getTenantForAccessID("seed" +
- "-accessId1"));
- LambdaTestUtils.intercept(OMException.class, () -> {
- tenantManager.getTenantForAccessID("invalid-accessId1");
- });
+ Optional<String> optionalTenant = tenantManager.getTenantForAccessID(
+ "seed-accessId1");
+ assertTrue(optionalTenant.isPresent());
+ assertEquals(tenantName, optionalTenant.get());
}
}
\ No newline at end of file
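Review bot: The negative case was dropped from `testGetTenantForAccessID`: the old test checked that an unknown access ID raised an exception, while the new one only checks the known ID, so the new `Optional`-based "not found" path has no coverage. Add `assertFalse(tenantManager.getTenantForAccessID("invalid-accessId1").isPresent());` to keep the contract pinned (this may need a static import of `assertFalse`, which is outside the hunk).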
diff --git
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3GetSecretRequest.java
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3GetSecretRequest.java
index a2b9587..3ebb14c 100644
---
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3GetSecretRequest.java
+++
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3GetSecretRequest.java
@@ -382,6 +382,9 @@ public class TestS3GetSecretRequest {
final OmDBAccessIdInfo omDBAccessIdInfo =
omTenantAssignUserAccessIdResponse.getOmDBAccessIdInfo();
Assert.assertNotNull(omDBAccessIdInfo);
+ final S3SecretValue originalS3Secret =
+ omTenantAssignUserAccessIdResponse.getS3Secret();
+ Assert.assertNotNull(originalS3Secret);
// 3. S3GetSecretRequest: Get secret of "[email protected]" (as an admin).
@@ -419,7 +422,9 @@ public class TestS3GetSecretRequest {
s3GetSecretResponse.getOMResponse().getGetS3SecretResponse();
final S3Secret s3Secret = getS3SecretResponse.getS3Secret();
Assert.assertEquals(ACCESS_ID_BOB, s3Secret.getKerberosID());
- Assert.assertEquals(
- omDBAccessIdInfo.getSecretKey(), s3Secret.getAwsSecret());
+ Assert.assertEquals(originalS3Secret.getAwsSecret(),
+ s3Secret.getAwsSecret());
+ Assert.assertEquals(originalS3Secret.getKerberosID(),
+ s3Secret.getKerberosID());
}
}
diff --git
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneTokenIdentifier.java
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneTokenIdentifier.java
index 2ac8d4c..48ed205 100644
---
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneTokenIdentifier.java
+++
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneTokenIdentifier.java
@@ -17,8 +17,6 @@
*/
package org.apache.hadoop.ozone.security;
-import static
org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMTokenProto.Type.S3AUTHINFO;
-
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
@@ -348,20 +346,4 @@ public class TestOzoneTokenIdentifier {
Assert.assertEquals("Deserialize Serialized Token should equal.",
idWrite, idRead);
}
-
- @Test
- public void testGetUserFromAccessIdInToken() {
- OzoneTokenIdentifier id = getIdentifierInst();
- Assert.assertEquals("User1", id.getUser().getUserName());
-
- id.setTokenType(S3AUTHINFO);
- Assert.assertEquals("User1", id.getUser().getUserName());
-
- id.setGetUserForAccessId(s -> "modified-" + s);
- Assert.assertEquals("modified-User1", id.getUser().getUserName());
-
- id.setGetUserForAccessId(s -> null);
- Assert.assertEquals("User1", id.getUser().getUserName());
-
- }
}
\ No newline at end of file
diff --git
a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/OzoneClientProducer.java
b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/OzoneClientProducer.java
index 3f5c5f7..1ac5f2e 100644
---
a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/OzoneClientProducer.java
+++
b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/OzoneClientProducer.java
@@ -97,8 +97,6 @@ public class OzoneClientProducer {
String awsAccessId = signatureInfo.getAwsAccessId();
validateAccessId(awsAccessId);
- // TODO: Once HDDS-4440 is merged, access ID should be passed
- // through the OM transport. Double check @erose
return new S3Auth(stringToSign,
signatureInfo.getSignature(),
awsAccessId);
@@ -122,28 +120,18 @@ public class OzoneClientProducer {
ozoneConfiguration.setIfUnset(OZONE_OM_CLIENT_PROTOCOL_VERSION_KEY,
OZONE_OM_CLIENT_PROTOCOL_VERSION);
- // TODO: Added this snippet for a quick fix due to a conflict with
HDDS-5883
- // Double check / optimize.
- String accessId = null;
- try {
- accessId = signatureProcessor.parseSignature().getAwsAccessId();
- } catch (OS3Exception e) {
- LOG.error("Unable to parse signature to get accessId");
- }
-
if (omServiceID == null) {
- return OzoneClientFactory.getRpcClient(ozoneConfiguration, accessId);
+ return OzoneClientFactory.getRpcClient(ozoneConfiguration);
} else {
// As in HA case, we need to pass om service ID.
- return OzoneClientFactory.getRpcClient(omServiceID,
- ozoneConfiguration, accessId);
+ return OzoneClientFactory.getRpcClient(omServiceID, ozoneConfiguration);
}
}
// ONLY validate aws access id when needed.
private void validateAccessId(String awsAccessId) throws Exception {
if (awsAccessId == null || awsAccessId.equals("")) {
- LOG.error("Malformed s3 header. awsAccessID: ", awsAccessId);
+ LOG.error("Malformed s3 header. awsAccessID: {}", awsAccessId);
throw wrapOS3Exception(MALFORMED_HEADER);
}
}
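Review bot: `validateAccessId` logs a malformed, client-controlled header at ERROR level, which lets any unauthenticated caller spam the gateway's error log; the placeholder fix is correct but the value is by construction null or empty, so it adds nothing to the message. Prefer `LOG.warn("Malformed s3 header: missing awsAccessID");` (or DEBUG) and let the `MALFORMED_HEADER` response carry the signal. The surrounding class is larger than this hunk.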