This is an automated email from the ASF dual-hosted git repository.
erose pushed a commit to branch HDDS-4944
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/HDDS-4944 by this push:
new d621c8231c HDDS-6387. [Multi-Tenant] Refactor OMMultiTenantManager and
OMTenantRequestHelper (#3264)
d621c8231c is described below
commit d621c8231cc8f56cfd79e8c8432855e802dc4f90
Author: Aswin Shakil Balasubramanian <[email protected]>
AuthorDate: Wed Apr 13 09:37:58 2022 -0700
HDDS-6387. [Multi-Tenant] Refactor OMMultiTenantManager and
OMTenantRequestHelper (#3264)
---
.../hadoop/ozone/shell/TestOzoneTenantShell.java | 2 +-
.../hadoop/ozone/om/OMMultiTenantManager.java | 171 ++------------
.../hadoop/ozone/om/OMMultiTenantManagerImpl.java | 262 ++++++++++-----------
.../org/apache/hadoop/ozone/om/OzoneManager.java | 14 +-
.../ozone/om/multitenant/CachedTenantState.java | 4 +
.../om/request/s3/security/OMSetSecretRequest.java | 4 +-
.../s3/tenant/OMTenantAssignAdminRequest.java | 24 +-
.../tenant/OMTenantAssignUserAccessIdRequest.java | 10 +-
.../request/s3/tenant/OMTenantCreateRequest.java | 2 +-
.../request/s3/tenant/OMTenantDeleteRequest.java | 4 +-
.../request/s3/tenant/OMTenantRequestHelper.java | 248 -------------------
.../s3/tenant/OMTenantRevokeAdminRequest.java | 24 +-
.../tenant/OMTenantRevokeUserAccessIdRequest.java | 24 +-
.../s3/security/TestS3GetSecretRequest.java | 2 +
14 files changed, 212 insertions(+), 583 deletions(-)
diff --git
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/shell/TestOzoneTenantShell.java
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/shell/TestOzoneTenantShell.java
index 56798bb6fe..93e4fedba3 100644
---
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/shell/TestOzoneTenantShell.java
+++
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/shell/TestOzoneTenantShell.java
@@ -685,7 +685,7 @@ public class TestOzoneTenantShell {
executeHA(tenantShell, new String[] {
"user", "list", "--tenant=unknown"});
checkOutput(err, "Failed to Get Users in tenant 'unknown': " +
- "Tenant 'unknown' not found\n", true);
+ "Tenant 'unknown' doesn't exist.\n", true);
// Clean up
executeHA(tenantShell, new String[] {
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManager.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManager.java
index 270e32607d..f576ed073f 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManager.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManager.java
@@ -17,15 +17,11 @@
package org.apache.hadoop.ozone.om;
import java.io.IOException;
-import java.util.List;
import com.google.common.base.Optional;
-import org.apache.commons.lang3.tuple.Pair;
+import org.apache.hadoop.ozone.om.exceptions.OMException;
import org.apache.hadoop.ozone.OzoneConsts;
import org.apache.hadoop.ozone.om.helpers.TenantUserList;
-import org.apache.hadoop.ozone.om.multitenant.AccessPolicy;
-import org.apache.hadoop.ozone.om.multitenant.AccountNameSpace;
-import org.apache.hadoop.ozone.om.multitenant.BucketNameSpace;
import org.apache.hadoop.ozone.om.multitenant.Tenant;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.http.auth.BasicUserPrincipal;
@@ -71,37 +67,6 @@ public interface OMMultiTenantManager {
*/
Tenant createTenantAccessInAuthorizer(String tenantID) throws IOException;
-
- /**
- * Given a TenantID String, Return Tenant Interface. If the Tenant doesn't
- * exist in the system already, throw Exception.
- *
- * @param tenantID
- * @return Tenant interface.
- * @throws IOException
- */
- Tenant getTenant(String tenantID) throws IOException;
-
- /**
- * Given a TenantID String, deactivate the Tenant. If the Tenant has active
- * users and volumes, tenant gets dectivated. This means
- * * No new write/modify operations allowed under that tenant.
- * * No new users can be added.
- * * All the users of that tenant will not be able to create new
- * bucket/keys and carry out any new type of write/update opertations in
- * Tenant bucketNamespace or accountNamespace.
- * * If Tenant has users they will be able to do read and delete operations.
- * * If the Tenant doesn't have any user or buckets, Tenant will be removed
- * from the system.
- *
- * * If the Tenant doesn't exist in the system already, throw Exception.
- *
- * @param tenantID
- * @return Tenant interface.
- * @throws IOException
- */
- void deactivateTenant(String tenantID) throws IOException;
-
/**
* Given a TenantID, destroys all state associated with that tenant.
* This is different from deactivateTenant() above.
@@ -154,30 +119,6 @@ public interface OMMultiTenantManager {
*/
String getDefaultAccessId(String tenantId, String userPrincipal);
- /**
- * Given a user, return their S3-Secret Key.
- * @param accessID
- * @return S3 secret Key
- */
- String getUserSecret(String accessID) throws IOException;
-
- /**
- * Modify the groups that a user belongs to.
- * @param accessID
- * @param groupsAdded
- * @param groupsRemoved
- * @throws IOException
- */
- void modifyUser(String accessID, List<String> groupsAdded,
- List<String> groupsRemoved) throws IOException;
-
- /**
- * Given a user, deactivate them. We will need a recon command/job to cleanup
- * any data owned by this user (ReconMultiTenantManager).
- * @param accessID
- */
- void deactivateUser(String accessID) throws IOException;
-
/**
* Returns true if user is the tenant's admin or Ozone admin, false
otherwise.
* @param callerUgi caller's UserGroupInformation
@@ -189,14 +130,6 @@ public interface OMMultiTenantManager {
boolean isTenantAdmin(UserGroupInformation callerUgi, String tenantId,
boolean delegated);
- /**
- * Check if a tenant exists.
- * @param tenantId tenant name.
- * @return true if tenant exists, false otherwise.
- * @throws IOException
- */
- boolean tenantExists(String tenantId) throws IOException;
-
/**
* List all the user & accessIDs of all users that belong to this Tenant.
* Note this read is unprotected. See OzoneManager#listUserInTenant
@@ -205,15 +138,6 @@ public interface OMMultiTenantManager {
*/
TenantUserList listUsersInTenant(String tenantID, String prefix)
throws IOException;
-
- /**
- * List all the access IDs of all users that belong to this Tenant.
- * @param tenantID
- * @return List of users
- */
- List<String> listAllAccessIDs(String tenantID)
- throws IOException;
-
/**
* Given an access ID return its corresponding tenant.
* @param accessID
@@ -270,89 +194,40 @@ public interface OMMultiTenantManager {
void revokeTenantAdmin(String accessID) throws IOException;
/**
- * List all the Admin users that belong to this Tenant.
- * @param tenantID
- * @return List of users
+ * Passes check only when caller is an Ozone (cluster) admin, throws
+ * OMException otherwise.
+ * @throws OMException PERMISSION_DENIED
*/
- List<String> listAllTenantAdmin(String tenantID)
- throws IOException;
+ void checkAdmin() throws OMException;
/**
- * grant given user access to the given BucketNameSpace.
- * @param accessID
- * @param bucketNameSpace
+ * Check if caller is an Ozone cluster admin or tenant (delegated) admin.
+ * Throws PERMISSION_DENIED if the check failed.
+ * @throws OMException PERMISSION_DENIED
*/
- void grantAccess(String accessID,
- BucketNameSpace bucketNameSpace) throws IOException;
+ void checkTenantAdmin(String tenantId) throws OMException;
/**
- * grant given user access to the given Bucket.
- * @param accessID
- * @param bucketNameSpace
+ * Check if the tenantId exists in the table, throws TENANT_NOT_FOUND if not.
*/
- void grantBucketAccess(String accessID,
- BucketNameSpace bucketNameSpace, String bucketName)
- throws IOException;
+ void checkTenantExistence(String tenantId) throws OMException;
/**
- * revoke user access from the given BucketNameSpace.
- * @param accessID
- * @param bucketNameSpace
- */
- void revokeAccess(String accessID,
- BucketNameSpace bucketNameSpace) throws IOException;
-
- /**
- * grant given user access to the given AccountNameSpace.
- * @param accessID
- * @param accountNameSpace
- */
- void grantAccess(String accessID,
- AccountNameSpace accountNameSpace) throws IOException;
-
- /**
- * revoke user access from the given AccountNameSpace.
- * @param accessID
- * @param accountNameSpace
- */
- void revokeAccess(String accessID,
- AccountNameSpace accountNameSpace) throws IOException;
-
- /**
- * Create given policy for the tenant.
- * @param tenant
- * @param policy
- * @return ID of the policy
- */
- String createTenantDefaultPolicy(Tenant tenant, AccessPolicy policy)
- throws IOException;
-
- /**
- * Returns default Access policies for a Tenant. Default access policies
- * are system defined and can not be changed by anyone.
- * @param tenant
- * @return list of Default Access policies for a Tenant
+ * Retrieve volume name of the tenant.
+ *
+ * Throws OMException TENANT_NOT_FOUND if tenantId doesn't exist.
*/
- List<Pair<String, AccessPolicy>> listDefaultTenantPolicies(Tenant tenant)
- throws IOException;
+ String getTenantVolumeName(String tenantId) throws IOException;
- /**
- * Returns All Access policies for a Tenant. In future we may support
- * bucket-policies/user-policies to provide cross-tenant accesses.
- * @param tenant
- * @return list of Default Access policies for a Tenant
- */
- List<Pair<String, AccessPolicy>> listAllTenantPolicies(Tenant tenant)
- throws IOException;
+ boolean isUserAccessIdPrincipalOrTenantAdmin(String accessId,
+ UserGroupInformation ugi) throws IOException;
/**
- * Update given policy identified by policyID for the tenant.
- * @param tenant
- * @param policyID
- * @param policy
- * @return ID of the policy
+ * Returns true if the tenant doesn't have any accessIds assigned to it
+ * Returns false otherwise.
+ *
+ * @param tenantId
+ * @throws IOException
*/
- void updateTenantPolicy(Tenant tenant, String policyID,
- AccessPolicy policy) throws IOException;
-
+ boolean isTenantEmpty(String tenantId) throws IOException;
}
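Review bot: `isUserAccessIdPrincipalOrTenantAdmin` is the only new interface method added without Javadoc, and it is the authorization predicate OMSetSecretRequest now depends on, so its contract belongs on the interface: returns true when `ugi` is the principal the accessId was assigned to or a (non-delegated) admin of that accessId's tenant, false when the accessId has no TenantAccessIdTable entry, and throws METADATA_ERROR when the stored entry lacks a tenantId or user principal. I would also add to `checkAdmin()` and `checkTenantAdmin()` that, unlike that method, they take no caller and resolve it from the in-flight RPC call (the implementation uses `ProtobufRpcEngine.Server.getRemoteUser()`), e.g. `Caller identity is taken from the current RPC call context; only call from an RPC handler such as preExecute.` — whether they behave sensibly outside an RPC thread is not visible here.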
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java
index 51987a13b9..8bbd98be2e 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java
@@ -20,11 +20,11 @@ package org.apache.hadoop.ozone.om;
import static org.apache.hadoop.ozone.OzoneConsts.TENANT_ID_USERNAME_DELIMITER;
import static
org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.INVALID_ACCESS_ID;
import static
org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.TENANT_AUTHORIZER_ERROR;
+import static
org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.TENANT_NOT_FOUND;
import static
org.apache.hadoop.ozone.om.multitenant.AccessPolicy.AccessGrantType.ALLOW;
import static
org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType.ALL;
import static
org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType.CREATE;
import static
org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType.LIST;
-import static
org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType.NONE;
import static
org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType.READ;
import static
org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType.READ_ACL;
import static
org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.BUCKET;
@@ -44,17 +44,17 @@ import java.util.concurrent.locks.ReentrantReadWriteLock;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.ImmutablePair;
-import org.apache.commons.lang3.tuple.Pair;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.utils.db.Table;
import org.apache.hadoop.hdds.utils.db.Table.KeyValue;
import org.apache.hadoop.hdds.utils.db.TableIterator;
+import org.apache.hadoop.ipc.ProtobufRpcEngine;
import org.apache.hadoop.ozone.om.exceptions.OMException;
import org.apache.hadoop.ozone.om.helpers.OmDBAccessIdInfo;
+import org.apache.hadoop.ozone.om.helpers.OmDBTenantState;
import org.apache.hadoop.ozone.om.helpers.OmDBUserPrincipalInfo;
import org.apache.hadoop.ozone.om.helpers.TenantUserList;
import org.apache.hadoop.ozone.om.multitenant.AccessPolicy;
-import org.apache.hadoop.ozone.om.multitenant.AccountNameSpace;
import org.apache.hadoop.ozone.om.multitenant.BucketNameSpace;
import org.apache.hadoop.ozone.om.multitenant.CachedTenantState;
import org.apache.hadoop.ozone.om.multitenant.OzoneTenant;
@@ -66,7 +66,6 @@ import
org.apache.hadoop.ozone.om.multitenant.OzoneTenantRolePrincipal;
import org.apache.hadoop.ozone.om.multitenant.RangerAccessPolicy;
import org.apache.hadoop.ozone.om.multitenant.Tenant;
import
org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.UserAccessIdInfo;
-import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType;
import org.apache.hadoop.ozone.security.acl.OzoneObj;
import org.apache.hadoop.ozone.security.acl.OzoneObjInfo;
import org.apache.hadoop.security.UserGroupInformation;
@@ -115,6 +114,7 @@ public class OMMultiTenantManagerImpl implements
OMMultiTenantManager {
loadUsersFromDB();
}
+
// start() and stop() lifeycle methods can be added when there is a background
// work going on.
// @Override
@@ -218,17 +218,6 @@ public class OMMultiTenantManagerImpl implements
OMMultiTenantManager {
return tenant;
}
- @Override
- public Tenant getTenant(String tenantID) throws IOException {
- // Todo : fix this.
- return null;
- }
-
- @Override
- public void deactivateTenant(String tenantID) throws IOException {
-
- }
-
@Override
public void removeTenantAccessFromAuthorizer(Tenant tenant) throws Exception
{
try {
@@ -364,24 +353,6 @@ public class OMMultiTenantManagerImpl implements
OMMultiTenantManager {
return tenantId + TENANT_ID_USERNAME_DELIMITER + userPrincipal;
}
- @Override
- public String getUserSecret(String accessID) throws IOException {
- return "";
- }
-
- @Override
- public void modifyUser(String accessID,
- List<String> groupsAdded,
- List<String> groupsRemoved) throws IOException {
-
- }
-
- @Override
- public void deactivateUser(String accessID)
- throws IOException {
-
- }
-
/**
* {@inheritDoc}
*/
@@ -442,11 +413,6 @@ public class OMMultiTenantManagerImpl implements
OMMultiTenantManager {
return false;
}
- @Override
- public boolean tenantExists(String tenantId) throws IOException {
- return omMetadataManager.getTenantStateTable().isExist(tenantId);
- }
-
@Override
public TenantUserList listUsersInTenant(String tenantID, String prefix)
throws IOException {
@@ -486,11 +452,6 @@ public class OMMultiTenantManagerImpl implements
OMMultiTenantManager {
return Optional.of(omDBAccessIdInfo.getTenantId());
}
- public List<String> listAllAccessIDs(String tenantID)
- throws IOException {
- return null;
- }
-
@Override
public void assignTenantAdmin(String accessID, boolean delegated)
throws IOException {
@@ -528,66 +489,6 @@ public class OMMultiTenantManagerImpl implements
OMMultiTenantManager {
}
- @Override
- public List<String> listAllTenantAdmin(String tenantID)
- throws IOException {
- return null;
- }
-
- @Override
- public void grantAccess(String accessID,
- BucketNameSpace bucketNameSpace) throws IOException {
-
- }
-
- @Override
- public void grantBucketAccess(String accessID,
- BucketNameSpace bucketNameSpace, String bucketName) throws IOException {
-
- }
-
- @Override
- public void revokeAccess(String accessID,
- BucketNameSpace bucketNameSpace) throws IOException {
-
- }
-
- @Override
- public void grantAccess(String accessID,
- AccountNameSpace accountNameSpace) throws IOException {
-
- }
-
- @Override
- public void revokeAccess(String accessID,
- AccountNameSpace accountNameSpace) throws IOException {
-
- }
-
- @Override
- public String createTenantDefaultPolicy(Tenant tenant,
- AccessPolicy policy) throws IOException {
- return null;
- }
-
- @Override
- public List<Pair<String, AccessPolicy>> listDefaultTenantPolicies(
- Tenant tenant) throws IOException {
- return null;
- }
-
- @Override
- public List<Pair<String, AccessPolicy>> listAllTenantPolicies(
- Tenant tenant) throws IOException {
- return null;
- }
-
- @Override
- public void updateTenantPolicy(Tenant tenant, String policyID,
- AccessPolicy policy) throws IOException {
-
- }
-
private AccessPolicy newDefaultVolumeAccessPolicy(String tenantId,
OzoneTenantRolePrincipal userRole, OzoneTenantRolePrincipal adminRole)
throws IOException {
@@ -641,39 +542,6 @@ public class OMMultiTenantManagerImpl implements
OMMultiTenantManager {
return policy;
}
- private AccessPolicy allowAccessBucketPolicy(String vol, String bucketName,
- OzoneTenantRolePrincipal principal) throws IOException {
- AccessPolicy policy = new RangerAccessPolicy(
- principal.getName() + "AllowBucketAccess" + vol + bucketName +
- "Policy");
- OzoneObjInfo obj = OzoneObjInfo.Builder.newBuilder()
- .setResType(BUCKET).setStoreType(OZONE).setVolumeName(vol)
- .setBucketName(bucketName).setKeyName("*").build();
- for (ACLType acl : ACLType.values()) {
- if (acl != NONE) {
- policy.addAccessPolicyElem(obj, principal, acl,
- ALLOW);
- }
- }
- return policy;
- }
-
- private AccessPolicy allowAccessKeyPolicy(String vol, String bucketName,
- OzoneTenantRolePrincipal principal) throws IOException {
- AccessPolicy policy = new RangerAccessPolicy(
- principal.getName() + "AllowBucketKeyAccess" + vol + bucketName +
- "Policy");
- OzoneObjInfo obj = OzoneObjInfo.Builder.newBuilder()
- .setResType(KEY).setStoreType(OZONE).setVolumeName(vol)
- .setBucketName(bucketName).setKeyName("*").build();
- for (ACLType acl :ACLType.values()) {
- if (acl != NONE) {
- policy.addAccessPolicyElem(obj, principal, acl, ALLOW);
- }
- }
- return policy;
- }
-
public OzoneConfiguration getConf() {
return conf;
}
@@ -706,6 +574,128 @@ public class OMMultiTenantManagerImpl implements
OMMultiTenantManager {
}
}
+
+ @Override
+ public void checkAdmin() throws OMException {
+
+ final UserGroupInformation ugi = ProtobufRpcEngine.Server.getRemoteUser();
+ if (!ozoneManager.isAdmin(ugi)) {
+ throw new OMException("User '" + ugi.getUserName() +
+ "' is not an Ozone admin.",
+ OMException.ResultCodes.PERMISSION_DENIED);
+ }
+ }
+
+ @Override
+ public void checkTenantAdmin(String tenantId) throws OMException {
+
+ final UserGroupInformation ugi = ProtobufRpcEngine.Server.getRemoteUser();
+ if (!isTenantAdmin(ugi, tenantId, true)) {
+ throw new OMException("User '" + ugi.getUserName() +
+ "' is neither an Ozone admin nor a delegated admin of tenant '" +
+ tenantId + "'.", OMException.ResultCodes.PERMISSION_DENIED);
+ }
+ }
+
+ @Override
+ public void checkTenantExistence(String tenantId) throws OMException {
+
+ try {
+ if (!omMetadataManager.getTenantStateTable().isExist(tenantId)) {
+ throw new OMException("Tenant '" + tenantId + "' doesn't exist.",
+ OMException.ResultCodes.TENANT_NOT_FOUND);
+ }
+ } catch (IOException ex) {
+ if (ex instanceof OMException) {
+ final OMException omEx = (OMException) ex;
+ if (omEx.getResult().equals(OMException.ResultCodes.TENANT_NOT_FOUND))
{
+ throw omEx;
+ }
+ }
+ throw new OMException("Error while retrieving OmDBTenantInfo for tenant "
+ + "'" + tenantId + "': " + ex.getMessage(),
+ OMException.ResultCodes.METADATA_ERROR);
+ }
+ }
+
+ @Override
+ public String getTenantVolumeName(String tenantId) throws IOException {
+
+ final OmDBTenantState tenantState =
+ omMetadataManager.getTenantStateTable().get(tenantId);
+
+ if (tenantState == null) {
+ throw new OMException("Potential DB error or race condition. "
+ + "OmDBTenantState entry is missing for tenant '" + tenantId + "'.",
+ OMException.ResultCodes.TENANT_NOT_FOUND);
+ }
+
+ final String volumeName = tenantState.getBucketNamespaceName();
+
+ if (volumeName == null) {
+ throw new OMException("Potential DB error. volumeName "
+ + "field is null for tenantId '" + tenantId + "'.",
+ OMException.ResultCodes.VOLUME_NOT_FOUND);
+ }
+
+ return volumeName;
+ }
+
+ @Override
+ public boolean isUserAccessIdPrincipalOrTenantAdmin(String accessId,
+ UserGroupInformation ugi) throws IOException {
+
+ final OmDBAccessIdInfo accessIdInfo =
+ omMetadataManager.getTenantAccessIdTable().get(accessId);
+
+ if (accessIdInfo == null) {
+ // Doesn't have the accessId entry in TenantAccessIdTable.
+ // Probably came from `ozone s3 getsecret` with older OM.
+ return false;
+ }
+
+ final String tenantId = accessIdInfo.getTenantId();
+ // Sanity check
+ if (tenantId == null) {
+ throw new OMException("Unexpected error: OmDBAccessIdInfo " +
+ "tenantId field should not have been null",
+ OMException.ResultCodes.METADATA_ERROR);
+ }
+
+ final String accessIdPrincipal = accessIdInfo.getUserPrincipal();
+ // Sanity check
+ if (accessIdPrincipal == null) {
+ throw new OMException("Unexpected error: OmDBAccessIdInfo " +
+ "kerberosPrincipal field should not have been null",
+ OMException.ResultCodes.METADATA_ERROR);
+ }
+
+ // Check if ugi matches the holder of the accessId
+ if (ugi.getShortUserName().equals(accessIdPrincipal)) {
+ return true;
+ }
+
+ // Check if ugi is a tenant admin (or an Ozone cluster admin)
+ if (isTenantAdmin(ugi, tenantId, false)) {
+ return true;
+ }
+
+
+ return false;
+ }
+
+ @Override
+ public boolean isTenantEmpty(String tenantId) throws IOException {
+
+
+ if (!tenantCache.containsKey(tenantId)) {
+ throw new OMException("Tenant does not exist for tenantId: " + tenantId,
+ TENANT_NOT_FOUND);
+ }
+
+ return tenantCache.get(tenantId).isTenantEmpty();
+ }
+
@VisibleForTesting
Map<String, CachedTenantState> getTenantCache() {
return tenantCache;
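Review bot: `isTenantEmpty` does a `containsKey` and then a separate `get` on `tenantCache` with no lock visible in the hunk, so if the tenant is removed between the two calls the `get` returns null and the method throws NullPointerException instead of TENANT_NOT_FOUND. A single lookup closes that window: `final CachedTenantState state = tenantCache.get(tenantId); if (state == null) { throw new OMException("Tenant does not exist for tenantId: " + tenantId, TENANT_NOT_FOUND); } return state.isTenantEmpty();` — and if other accessors of `tenantCache` take the class's ReentrantReadWriteLock, this read should too. Separately, `isUserAccessIdPrincipalOrTenantAdmin` compares `ugi.getShortUserName()` against the stored `getUserPrincipal()` (which the error message calls `kerberosPrincipal`); if that field can ever hold a full `user@REALM` principal the self-match silently never succeeds, and if it holds a short name the match is only as strong as the auth_to_local mapping, so a comment stating which form is stored would help the next reader of this authorization path.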
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
index 5e3430db55..0dc4825fcb 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
@@ -146,7 +146,6 @@ import org.apache.hadoop.hdds.utils.TransactionInfo;
import org.apache.hadoop.ozone.om.ratis.OzoneManagerRatisServer;
import org.apache.hadoop.ozone.om.ratis.utils.OzoneManagerRatisUtils;
import org.apache.hadoop.ozone.om.request.OMClientRequest;
-import org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantRequestHelper;
import org.apache.hadoop.ozone.om.snapshot.OzoneManagerSnapshotProvider;
import org.apache.hadoop.ozone.om.upgrade.OMLayoutVersionManager;
import org.apache.hadoop.ozone.om.upgrade.OMUpgradeFinalizer;
@@ -254,7 +253,6 @@ import static
org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.DETE
import static
org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.INVALID_AUTH_METHOD;
import static
org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.INVALID_REQUEST;
import static
org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.PERMISSION_DENIED;
-import static
org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.TENANT_NOT_FOUND;
import static
org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.TOKEN_ERROR_OTHER;
import static
org.apache.hadoop.ozone.om.lock.OzoneManagerLock.Resource.BUCKET_LOCK;
import static
org.apache.hadoop.ozone.om.lock.OzoneManagerLock.Resource.VOLUME_LOCK;
@@ -3072,17 +3070,9 @@ public final class OzoneManager extends
ServiceRuntimeInfoImpl
return null;
}
- if (!multiTenantManager.tenantExists(tenantId)) {
- // Throw exception to the client, which will handle this gracefully
- throw new OMException("Tenant '" + tenantId + "' not found",
- TENANT_NOT_FOUND);
- }
-
- final String volumeName = OMTenantRequestHelper.getTenantVolumeName(
- getMetadataManager(), tenantId);
- // TODO: Maybe use multiTenantManager.getTenantState(tenantId)
- // .getTenantBucketNameSpace() after refactoring
+ multiTenantManager.checkTenantExistence(tenantId);
+ final String volumeName = multiTenantManager.getTenantVolumeName(tenantId);
final Map<String, String> auditMap = new LinkedHashMap<>();
auditMap.put(OzoneConsts.TENANT, tenantId);
auditMap.put(OzoneConsts.VOLUME, volumeName);
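Review bot: `getTenantVolumeName` already throws TENANT_NOT_FOUND when the tenant state row is missing, so the preceding `checkTenantExistence` call is not what makes this path fail-closed; it only produces the friendlier "doesn't exist" message that TestOzoneTenantShell asserts, and the two reads are not performed atomically. A short comment would keep someone from "simplifying" it away and changing the client-visible error, e.g. `// Explicit existence check first so the client sees TENANT_NOT_FOUND with a clear message; getTenantVolumeName would otherwise report it as a potential DB error.` The enclosing method begins and ends outside the hunk.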
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/multitenant/CachedTenantState.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/multitenant/CachedTenantState.java
index 5dc512fab4..66f1c6ba73 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/multitenant/CachedTenantState.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/multitenant/CachedTenantState.java
@@ -42,4 +42,8 @@ public class CachedTenantState {
public String getTenantId() {
return tenantId;
}
+
+ public boolean isTenantEmpty() {
+ return tenantUserAccessIds.size() == 0;
+ }
}
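Review bot: `isTenantEmpty` should read `return tenantUserAccessIds.isEmpty();` rather than `size() == 0`, and it deserves a one-line Javadoc now that OMTenantDeleteRequest uses it to decide whether a tenant may be deleted. Whether `tenantUserAccessIds` may be mutated concurrently with this read is not visible in the hunk; if it is guarded by a lock in OMMultiTenantManagerImpl, say so here (`Caller must hold the tenant manager's lock`), otherwise document that the result is a point-in-time snapshot.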
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/OMSetSecretRequest.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/OMSetSecretRequest.java
index 64f575ef9e..a1b5702a89 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/OMSetSecretRequest.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/OMSetSecretRequest.java
@@ -45,7 +45,6 @@ import java.util.HashMap;
import java.util.Map;
import static
org.apache.hadoop.ozone.om.lock.OzoneManagerLock.Resource.S3_SECRET_LOCK;
-import static
org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantRequestHelper.isUserAccessIdPrincipalOrTenantAdmin;
/**
* Handles SetSecret request.
@@ -108,7 +107,8 @@ public class OMSetSecretRequest extends OMClientRequest {
if (!username.equals(accessId) && !ozoneManager.isAdmin(ugi)) {
// Attempt to retrieve tenant info using the accessId
- if (!isUserAccessIdPrincipalOrTenantAdmin(ozoneManager, accessId, ugi)) {
+ if (!ozoneManager.getMultiTenantManager()
+ .isUserAccessIdPrincipalOrTenantAdmin(accessId, ugi)) {
throw new OMException("Permission denied. Requested accessId '" +
accessId + "' and user doesn't satisfy any of:\n" +
"1) accessId match current username: '" + username + "';\n" +
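Review bot: The authorization fallback now dereferences `ozoneManager.getMultiTenantManager()` directly; if that accessor can be null when S3 multi-tenancy is not enabled on this OM (its initialization is not visible in the hunk), a non-admin SetSecret for a non-matching accessId would fail with a NullPointerException rather than the intended PERMISSION_DENIED — still fail-closed, but the explicit denial message and result code are lost. The replaced static helper took `ozoneManager` itself, so whether it tolerated a missing manager cannot be seen here. A guard keeps the deny path explicit: `final OMMultiTenantManager mtm = ozoneManager.getMultiTenantManager(); if (mtm == null || !mtm.isUserAccessIdPrincipalOrTenantAdmin(accessId, ugi)) {` followed by the existing throw. The enclosing method continues outside the hunk.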
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantAssignAdminRequest.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantAssignAdminRequest.java
index 640d3ae5ac..da90f5fd95 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantAssignAdminRequest.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantAssignAdminRequest.java
@@ -26,6 +26,7 @@ import org.apache.hadoop.hdds.utils.db.cache.CacheValue;
import org.apache.hadoop.ozone.OzoneConsts;
import org.apache.hadoop.ozone.audit.OMAction;
import org.apache.hadoop.ozone.om.OMMetadataManager;
+import org.apache.hadoop.ozone.om.OMMultiTenantManager;
import org.apache.hadoop.ozone.om.OzoneManager;
import org.apache.hadoop.ozone.om.exceptions.OMException;
import org.apache.hadoop.ozone.om.helpers.OmDBAccessIdInfo;
@@ -47,8 +48,6 @@ import java.util.HashMap;
import java.util.Map;
import static
org.apache.hadoop.ozone.om.lock.OzoneManagerLock.Resource.VOLUME_LOCK;
-import static
org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantRequestHelper.checkTenantAdmin;
-import static
org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantRequestHelper.checkTenantExistence;
import static
org.apache.hadoop.ozone.om.upgrade.OMLayoutFeature.MULTITENANCY_SCHEMA;
/*
@@ -79,18 +78,25 @@ public class OMTenantAssignAdminRequest extends
OMClientRequest {
final String accessId = request.getAccessId();
String tenantId = request.getTenantId();
+ final OMMultiTenantManager multiTenantManager =
+ ozoneManager.getMultiTenantManager();
// If tenantId (tenant name) is not provided, infer it from the accessId
if (StringUtils.isEmpty(tenantId)) {
- tenantId = OMTenantRequestHelper.getTenantIdFromAccessId(
- ozoneManager.getMetadataManager(), accessId);
- assert (tenantId != null);
+ Optional<String> optionalTenantId =
+ multiTenantManager.getTenantForAccessID(accessId);
+ if (!optionalTenantId.isPresent()) {
+ throw new OMException("OmDBAccessIdInfo is missing for accessId '" +
+ accessId + "' in DB.", OMException.ResultCodes.METADATA_ERROR);
+ }
+ tenantId = optionalTenantId.get();
+ assert (!StringUtils.isEmpty(tenantId));
}
- checkTenantExistence(ozoneManager.getMetadataManager(), tenantId);
+ multiTenantManager.checkTenantExistence(tenantId);
// Caller should be an Ozone admin or this tenant's delegated admin
- checkTenantAdmin(ozoneManager, tenantId);
+ multiTenantManager.checkTenantAdmin(tenantId);
OmDBAccessIdInfo accessIdInfo = ozoneManager.getMetadataManager()
.getTenantAccessIdTable().get(accessId);
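Review bot: `checkTenantExistence(tenantId)` runs before `checkTenantAdmin(tenantId)`, so an unprivileged caller can learn whether a tenant name exists from the result code (TENANT_NOT_FOUND versus PERMISSION_DENIED), and the accessId-to-tenant inference above it likewise reveals whether an accessId exists (METADATA_ERROR) before any authorization check. OMTenantAssignUserAccessIdRequest in this same commit calls `checkTenantAdmin` first and `checkTenantExistence` after; swapping the two calls here would match it and close the probe for the explicit-tenantId case, while an Ozone admin still receives TENANT_NOT_FOUND because the interface Javadoc says `isTenantAdmin` passes cluster admins. For the inferred case, answering a missing accessId with PERMISSION_DENIED instead of METADATA_ERROR would avoid the oracle, though that is a judgment call worth a comment either way. Note also that `assert (!StringUtils.isEmpty(tenantId))` is a no-op unless the JVM runs with -ea; the existence check is what actually rejects an empty tenantId. The enclosing preExecute continues outside the hunk.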
@@ -174,8 +180,8 @@ public class OMTenantAssignAdminRequest extends
OMClientRequest {
String volumeName = null;
try {
- volumeName = OMTenantRequestHelper.getTenantVolumeName(
- omMetadataManager, tenantId);
+ volumeName = ozoneManager.getMultiTenantManager()
+ .getTenantVolumeName(tenantId);
acquiredVolumeLock = omMetadataManager.getLock().acquireWriteLock(
VOLUME_LOCK, volumeName);
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantAssignUserAccessIdRequest.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantAssignUserAccessIdRequest.java
index a270dbdb0e..473259b6b1 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantAssignUserAccessIdRequest.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantAssignUserAccessIdRequest.java
@@ -56,8 +56,6 @@ import java.util.TreeSet;
import static
org.apache.hadoop.ozone.om.lock.OzoneManagerLock.Resource.S3_SECRET_LOCK;
import static
org.apache.hadoop.ozone.om.lock.OzoneManagerLock.Resource.VOLUME_LOCK;
-import static
org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantRequestHelper.checkTenantAdmin;
-import static
org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantRequestHelper.checkTenantExistence;
import static
org.apache.hadoop.ozone.om.upgrade.OMLayoutFeature.MULTITENANCY_SCHEMA;
/*
@@ -114,7 +112,7 @@ public class OMTenantAssignUserAccessIdRequest extends
OMClientRequest {
final String tenantId = request.getTenantId();
// Caller should be an Ozone admin or tenant delegated admin
- checkTenantAdmin(ozoneManager, tenantId);
+ ozoneManager.getMultiTenantManager().checkTenantAdmin(tenantId);
final String userPrincipal = request.getUserPrincipal();
final String accessId = request.getAccessId();
@@ -143,7 +141,7 @@ public class OMTenantAssignUserAccessIdRequest extends
OMClientRequest {
OMException.ResultCodes.INVALID_ACCESS_ID);
}
- checkTenantExistence(ozoneManager.getMetadataManager(), tenantId);
+ ozoneManager.getMultiTenantManager().checkTenantExistence(tenantId);
// Below call implies user existence check in authorizer.
// If the user doesn't exist, Ranger return 400 and the call should throw.
@@ -234,8 +232,8 @@ public class OMTenantAssignUserAccessIdRequest extends
OMClientRequest {
String volumeName = null;
try {
- volumeName = OMTenantRequestHelper.getTenantVolumeName(
- omMetadataManager, tenantId);
+ volumeName = ozoneManager.getMultiTenantManager()
+ .getTenantVolumeName(tenantId);
acquiredVolumeLock = omMetadataManager.getLock().acquireWriteLock(
VOLUME_LOCK, volumeName);
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantCreateRequest.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantCreateRequest.java
index f3175f2bbd..fa4bb48941 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantCreateRequest.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantCreateRequest.java
@@ -115,7 +115,7 @@ public class OMTenantCreateRequest extends OMVolumeRequest {
public OMRequest preExecute(OzoneManager ozoneManager) throws IOException {
// Check Ozone cluster admin privilege
- OMTenantRequestHelper.checkAdmin(ozoneManager);
+ ozoneManager.getMultiTenantManager().checkAdmin();
final CreateTenantRequest request =
getOmRequest().getCreateTenantRequest();
final String tenantId = request.getTenantId();
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantDeleteRequest.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantDeleteRequest.java
index e1a9ee9019..3987224179 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantDeleteRequest.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantDeleteRequest.java
@@ -69,7 +69,7 @@ public class OMTenantDeleteRequest extends OMVolumeRequest {
public OMRequest preExecute(OzoneManager ozoneManager) throws IOException {
// Check Ozone cluster admin privilege
- OMTenantRequestHelper.checkAdmin(ozoneManager);
+ ozoneManager.getMultiTenantManager().checkAdmin();
// TODO: TBD: Call ozoneManager.getMultiTenantManager().deleteTenant() ?
@@ -121,7 +121,7 @@ public class OMTenantDeleteRequest extends OMVolumeRequest {
VOLUME_LOCK, volumeName);
// Check if there are any accessIds in the tenant
- if (!OMTenantRequestHelper.isTenantEmpty(omMetadataManager, tenantId)) {
+ if (!ozoneManager.getMultiTenantManager().isTenantEmpty(tenantId)) {
LOG.warn("tenant: '{}' is not empty. Unable to delete the tenant",
tenantId);
throw new OMException("Tenant '" + tenantId + "' is not empty. " +
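Review bot: `isTenantEmpty(tenantId)` is now evaluated inside validateAndUpdateCache under the volume lock, i.e. on every Ratis node, and the commit does not show whether the replacement in OMMultiTenantManagerImpl scans TenantAccessIdTable or consults the in-memory tenantCache. The deleted helper kept a table-scanning variant precisely because its cache-backed twin carried a TODO stating that tenantCache is only updated on the leader in preExecute; if the new implementation is cache-backed, a follower could admit a deletion the leader would have refused (or vice versa), leaving accessIds, and the S3 secrets behind them, attached to a tenant that no longer exists on some replicas. Please confirm the table-backed behavior is what survived, and pin it at the call site with a comment such as `// Must read TenantAccessIdTable, not tenantCache: this runs on followers too.` The enclosing validateAndUpdateCache starts and ends outside the hunk.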
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRequestHelper.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRequestHelper.java
deleted file mode 100644
index 56b3842bfc..0000000000
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRequestHelper.java
+++ /dev/null
@@ -1,248 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-package org.apache.hadoop.ozone.om.request.s3.tenant;
-
-import org.apache.commons.lang3.StringUtils;
-import org.apache.hadoop.hdds.utils.db.Table;
-import org.apache.hadoop.hdds.utils.db.TableIterator;
-import org.apache.hadoop.ipc.ProtobufRpcEngine;
-import org.apache.hadoop.ozone.om.OMMetadataManager;
-import org.apache.hadoop.ozone.om.OMMultiTenantManager;
-import org.apache.hadoop.ozone.om.OzoneManager;
-import org.apache.hadoop.ozone.om.exceptions.OMException;
-import org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes;
-import org.apache.hadoop.ozone.om.helpers.OmDBAccessIdInfo;
-import org.apache.hadoop.ozone.om.helpers.OmDBTenantState;
-import
org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.UserAccessIdInfo;
-import org.apache.hadoop.security.UserGroupInformation;
-
-import java.io.IOException;
-import java.util.List;
-
-/**
- * Utility class that contains helper methods for OM tenant requests.
- */
-public final class OMTenantRequestHelper {
-
- private OMTenantRequestHelper() {
- }
-
- /**
- * Passes check only when caller is an Ozone (cluster) admin, throws
- * OMException otherwise.
- * @throws OMException PERMISSION_DENIED
- */
- static void checkAdmin(OzoneManager ozoneManager) throws OMException {
-
- final UserGroupInformation ugi = ProtobufRpcEngine.Server.getRemoteUser();
- if (!ozoneManager.isAdmin(ugi)) {
- throw new OMException("User '" + ugi.getUserName() +
- "' is not an Ozone admin.",
- OMException.ResultCodes.PERMISSION_DENIED);
- }
- }
-
- /**
- * Check if caller is an Ozone cluster admin or tenant (delegated) admin.
- * Throws PERMISSION_DENIED if the check failed.
- *
- * @throws OMException PERMISSION_DENIED
- */
- static void checkTenantAdmin(OzoneManager ozoneManager, String tenantId)
- throws OMException {
-
- final UserGroupInformation ugi = ProtobufRpcEngine.Server.getRemoteUser();
- if (!ozoneManager.getMultiTenantManager().isTenantAdmin(
- ugi, tenantId, true)) {
- throw new OMException("User '" + ugi.getUserName() +
- "' is neither an Ozone admin nor a delegated admin of tenant '" +
- tenantId + "'.", OMException.ResultCodes.PERMISSION_DENIED);
- }
- }
-
- /**
- * Check if the tenantId exists in the table, throws TENANT_NOT_FOUND if not.
- */
- static void checkTenantExistence(OMMetadataManager omMetadataManager,
- String tenantId) throws OMException {
-
- try {
- if (!omMetadataManager.getTenantStateTable().isExist(tenantId)) {
- throw new OMException("Tenant '" + tenantId + "' doesn't exist.",
- OMException.ResultCodes.TENANT_NOT_FOUND);
- }
- } catch (IOException ex) {
- if (ex instanceof OMException) {
- final OMException omEx = (OMException) ex;
- if (omEx.getResult().equals(OMException.ResultCodes.TENANT_NOT_FOUND))
{
- throw omEx;
- }
- }
- throw new OMException("Error while retrieving OmDBTenantState for tenant
"
- + "'" + tenantId + "': " + ex.getMessage(),
- OMException.ResultCodes.METADATA_ERROR);
- }
- }
-
- /**
- * Retrieve volume name of the tenant.
- *
- * Throws OMException TENANT_NOT_FOUND if tenantId doesn't exist.
- */
- public static String getTenantVolumeName(OMMetadataManager omMetadataManager,
- String tenantId) throws IOException
{
-
- final OmDBTenantState tenantState =
- omMetadataManager.getTenantStateTable().get(tenantId);
-
- if (tenantState == null) {
- throw new OMException("Potential DB error or race condition. "
- + "OmDBTenantState entry is missing for tenant '" + tenantId + "'.",
- ResultCodes.TENANT_NOT_FOUND);
- }
-
- final String volumeName = tenantState.getBucketNamespaceName();
-
- if (volumeName == null) {
- throw new OMException("Potential DB error. volumeName "
- + "field is null for tenantId '" + tenantId + "'.",
- ResultCodes.VOLUME_NOT_FOUND);
- }
-
- return volumeName;
- }
-
- public static String getTenantIdFromAccessId(
- OMMetadataManager omMetadataManager, String accessId) throws IOException
{
-
- final OmDBAccessIdInfo accessIdInfo = omMetadataManager
- .getTenantAccessIdTable().get(accessId);
-
- if (accessIdInfo == null) {
- throw new OMException("OmDBAccessIdInfo is missing for accessId '" +
- accessId + "' in DB.", OMException.ResultCodes.METADATA_ERROR);
- }
-
- final String tenantId = accessIdInfo.getTenantId();
-
- if (StringUtils.isEmpty(tenantId)) {
- throw new OMException("tenantId field is null or empty for accessId '" +
- accessId + "'.", OMException.ResultCodes.METADATA_ERROR);
- }
-
- return tenantId;
- }
-
- public static boolean isUserAccessIdPrincipalOrTenantAdmin(
- OzoneManager ozoneManager, String accessId,
- UserGroupInformation ugi) throws IOException {
-
- final OMMetadataManager metadataManager =
ozoneManager.getMetadataManager();
- final OmDBAccessIdInfo accessIdInfo =
- metadataManager.getTenantAccessIdTable().get(accessId);
-
- if (accessIdInfo == null) {
- // Doesn't have the accessId entry in TenantAccessIdTable.
- // Probably came from `ozone s3 getsecret` with older OM.
- return false;
- }
-
- final String tenantId = accessIdInfo.getTenantId();
- // Sanity check
- if (tenantId == null) {
- throw new OMException("Unexpected error: OmDBAccessIdInfo " +
- "tenantId field should not have been null",
- OMException.ResultCodes.METADATA_ERROR);
- }
-
- final String accessIdPrincipal = accessIdInfo.getUserPrincipal();
- // Sanity check
- if (accessIdPrincipal == null) {
- throw new OMException("Unexpected error: OmDBAccessIdInfo " +
- "kerberosPrincipal field should not have been null",
- OMException.ResultCodes.METADATA_ERROR);
- }
-
- // Check if ugi matches the holder of the accessId
- if (ugi.getShortUserName().equals(accessIdPrincipal)) {
- return true;
- }
-
- // Check if ugi is a tenant admin (or an Ozone cluster admin)
- final OMMultiTenantManager multiTenantManager =
- ozoneManager.getMultiTenantManager();
- if (multiTenantManager.isTenantAdmin(ugi, tenantId, false)) {
- return true;
- }
-
- return false;
- }
-
- /**
- * Scans (Slow!) TenantAccessIdTable for the given tenantId.
- * Returns true if the tenant doesn't have any accessIds assigned to it
- * (i.e. the tenantId is not found in this table for any existing accessIds);
- * Returns false otherwise.
- *
- * @param metadataManager
- * @param tenantId
- * @return
- * @throws IOException
- */
- static boolean isTenantEmpty(OMMetadataManager metadataManager,
- String tenantId) throws IOException {
-
- // TODO: Do we need to iterate cache here as well? Very cumbersome if so.
- // This helper function is a placeholder for the isTenantEmpty check,
- // once tenantCache/Ranger is fixed this will be removed.
- try (TableIterator<String,
- ? extends Table.KeyValue<String, OmDBAccessIdInfo>> iter =
- metadataManager.getTenantAccessIdTable().iterator()) {
- while (iter.hasNext()) {
- final OmDBAccessIdInfo accessIdInfo = iter.next().getValue();
- if (accessIdInfo.getTenantId().equals(tenantId)) {
- return false;
- }
- }
- }
-
- return true;
- }
-
- /**
- * Return true if the tenant doesn't have any accessIds assigned to it,
- * false otherwise. Uses in-memory mapping tenantCache which can be seen as
- * a reverse-mapping of tenantAccessIdTable (Fast).
- * @param tenantManager
- * @param tenantId
- * @return
- * @throws IOException
- */
- static boolean isTenantEmpty(OMMultiTenantManager tenantManager,
- String tenantId) throws IOException {
- // TODO: OMMultiTenantManager#listUsersInTenant relies on the tenantCache
- // mapping which I believe is only updated on leader node in preExecute
- // (apart from it being populated on OM startup) right now.
- // So unless tenantCache is updated on follower nodes later as well,
- // we can't use listUsersInTenant to check tenant emptiness in followers.
- final List<UserAccessIdInfo> tenantUserAccessIdsList =
- tenantManager.listUsersInTenant(tenantId, "").getUserAccessIds();
- return tenantUserAccessIdsList.size() == 0;
- }
-}
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRevokeAdminRequest.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRevokeAdminRequest.java
index ef72019fac..d03b948f33 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRevokeAdminRequest.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRevokeAdminRequest.java
@@ -26,6 +26,7 @@ import org.apache.hadoop.hdds.utils.db.cache.CacheValue;
import org.apache.hadoop.ozone.OzoneConsts;
import org.apache.hadoop.ozone.audit.OMAction;
import org.apache.hadoop.ozone.om.OMMetadataManager;
+import org.apache.hadoop.ozone.om.OMMultiTenantManager;
import org.apache.hadoop.ozone.om.OzoneManager;
import org.apache.hadoop.ozone.om.exceptions.OMException;
import org.apache.hadoop.ozone.om.helpers.OmDBAccessIdInfo;
@@ -47,8 +48,6 @@ import java.util.HashMap;
import java.util.Map;
import static
org.apache.hadoop.ozone.om.lock.OzoneManagerLock.Resource.VOLUME_LOCK;
-import static
org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantRequestHelper.checkTenantAdmin;
-import static
org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantRequestHelper.checkTenantExistence;
import static
org.apache.hadoop.ozone.om.upgrade.OMLayoutFeature.MULTITENANCY_SCHEMA;
/*
@@ -79,19 +78,26 @@ public class OMTenantRevokeAdminRequest extends
OMClientRequest {
final String accessId = request.getAccessId();
String tenantId = request.getTenantId();
+ final OMMultiTenantManager multiTenantManager =
+ ozoneManager.getMultiTenantManager();
// If tenantId is not specified, infer it from the accessId
if (StringUtils.isEmpty(tenantId)) {
- tenantId = OMTenantRequestHelper.getTenantIdFromAccessId(
- ozoneManager.getMetadataManager(), accessId);
- assert (tenantId != null);
+ Optional<String> optionalTenantId =
+ multiTenantManager.getTenantForAccessID(accessId);
+ if (!optionalTenantId.isPresent()) {
+ throw new OMException("OmDBAccessIdInfo is missing for accessId '" +
+ accessId + "' in DB.", OMException.ResultCodes.METADATA_ERROR);
+ }
+ tenantId = optionalTenantId.get();
+ assert (!StringUtils.isEmpty(tenantId));
}
// Sanity check
- checkTenantExistence(ozoneManager.getMetadataManager(), tenantId);
+ multiTenantManager.checkTenantExistence(tenantId);
// Caller should be an Ozone admin or this tenant's delegated admin
- checkTenantAdmin(ozoneManager, tenantId);
+ multiTenantManager.checkTenantAdmin(tenantId);
OmDBAccessIdInfo accessIdInfo = ozoneManager.getMetadataManager()
.getTenantAccessIdTable().get(accessId);
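Review bot: The new `assert (!StringUtils.isEmpty(tenantId));` is a regression from the helper it replaces, which threw METADATA_ERROR on an empty tenantId field; assertions are disabled in production, so an accessId entry with an empty tenantId would now flow into `checkTenantExistence("")` unless `getTenantForAccessID` is guaranteed never to return an empty string, which the hunk cannot show. Replace the assert with a real check, `if (StringUtils.isEmpty(tenantId)) { throw new OMException("tenantId field is null or empty for accessId '" + accessId + "'.", OMException.ResultCodes.METADATA_ERROR); }`. Separately, `checkTenantExistence` runs before `checkTenantAdmin`, so any authenticated caller can tell TENANT_NOT_FOUND from PERMISSION_DENIED and probe which tenant names exist; OMTenantAssignUserAccessIdRequest in this same commit does the admin check first, and the two should agree. preExecute continues outside the hunk.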
@@ -156,8 +162,8 @@ public class OMTenantRevokeAdminRequest extends
OMClientRequest {
String volumeName = null;
try {
- volumeName = OMTenantRequestHelper.getTenantVolumeName(
- omMetadataManager, tenantId);
+ volumeName = ozoneManager.getMultiTenantManager()
+ .getTenantVolumeName(tenantId);
acquiredVolumeLock = omMetadataManager.getLock().acquireWriteLock(
VOLUME_LOCK, volumeName);
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRevokeUserAccessIdRequest.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRevokeUserAccessIdRequest.java
index 6105fc7a66..24ee6d5022 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRevokeUserAccessIdRequest.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRevokeUserAccessIdRequest.java
@@ -26,6 +26,7 @@ import org.apache.hadoop.hdds.utils.db.cache.CacheValue;
import org.apache.hadoop.ozone.OzoneConsts;
import org.apache.hadoop.ozone.audit.OMAction;
import org.apache.hadoop.ozone.om.OMMetadataManager;
+import org.apache.hadoop.ozone.om.OMMultiTenantManager;
import org.apache.hadoop.ozone.om.OzoneManager;
import org.apache.hadoop.ozone.om.exceptions.OMException;
import org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes;
@@ -51,8 +52,6 @@ import java.util.Map;
import static
org.apache.hadoop.ozone.om.lock.OzoneManagerLock.Resource.S3_SECRET_LOCK;
import static
org.apache.hadoop.ozone.om.lock.OzoneManagerLock.Resource.VOLUME_LOCK;
-import static
org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantRequestHelper.checkTenantAdmin;
-import static
org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantRequestHelper.checkTenantExistence;
import static
org.apache.hadoop.ozone.om.upgrade.OMLayoutFeature.MULTITENANCY_SCHEMA;
/*
@@ -91,6 +90,8 @@ public class OMTenantRevokeUserAccessIdRequest extends
OMClientRequest {
ozoneManager.getMetadataManager();
final OmDBAccessIdInfo accessIdInfo = omMetadataManager
.getTenantAccessIdTable().get(accessId);
+ final OMMultiTenantManager multiTenantManager =
+ ozoneManager.getMultiTenantManager();
if (accessIdInfo == null) {
throw new OMException("accessId '" + accessId + "' doesn't exist",
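Review bot: The new `multiTenantManager` local is declared between the TenantAccessIdTable read and its null check, which separates a lookup from the guard that validates it; as a point of style, hoist the declaration above the `accessIdInfo` read, next to `omMetadataManager`, which is obtained the same way a few lines earlier, so the read-then-check pair stays together. The null check itself is pre-existing, but note it reports whether an accessId exists before the admin check later in preExecute has run. preExecute starts and ends outside the hunk.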
@@ -100,16 +101,21 @@ public class OMTenantRevokeUserAccessIdRequest extends
OMClientRequest {
// If tenantId is not specified, we can infer it from the accessId
String tenantId = request.getTenantId();
if (StringUtils.isEmpty(tenantId)) {
- tenantId = OMTenantRequestHelper.getTenantIdFromAccessId(
- ozoneManager.getMetadataManager(), accessId);
- assert (tenantId != null);
+ Optional<String> optionalTenantId =
+ multiTenantManager.getTenantForAccessID(accessId);
+ if (!optionalTenantId.isPresent()) {
+ throw new OMException("OmDBAccessIdInfo is missing for accessId '" +
+ accessId + "' in DB.", OMException.ResultCodes.METADATA_ERROR);
+ }
+ tenantId = optionalTenantId.get();
+ assert (!StringUtils.isEmpty(tenantId));
}
// Sanity check
- checkTenantExistence(ozoneManager.getMetadataManager(), tenantId);
+ multiTenantManager.checkTenantExistence(tenantId);
// Caller should be an Ozone admin or this tenant's delegated admin
- checkTenantAdmin(ozoneManager, tenantId);
+ multiTenantManager.checkTenantAdmin(tenantId);
if (accessIdInfo.getIsAdmin()) {
throw new OMException("accessId '" + accessId + "' is a tenant admin of "
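Review bot: `multiTenantManager.getTenantForAccessID(accessId)` re-reads an entry this method already fetched into `accessIdInfo` and null-checked just above the hunk, so the `!optionalTenantId.isPresent()` branch is reachable only through a race between the two reads, and its "OmDBAccessIdInfo is missing ... in DB" message would then be misleading because the first read succeeded. Taking the value from the object already in hand avoids both the second lookup and the inconsistency: `tenantId = accessIdInfo.getTenantId();` followed by `if (StringUtils.isEmpty(tenantId)) { throw new OMException("tenantId field is null or empty for accessId '" + accessId + "'.", OMException.ResultCodes.METADATA_ERROR); }` in place of the `assert`, which is disabled at runtime and is a step back from the explicit check the deleted helper performed. As in OMTenantRevokeAdminRequest, `checkTenantExistence` precedes `checkTenantAdmin`, so an unprivileged caller can distinguish TENANT_NOT_FOUND from PERMISSION_DENIED; consider the order used in OMTenantAssignUserAccessIdRequest. preExecute starts and ends outside the hunk.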
@@ -165,8 +171,8 @@ public class OMTenantRevokeUserAccessIdRequest extends
OMClientRequest {
String volumeName = null;
try {
- volumeName = OMTenantRequestHelper.getTenantVolumeName(
- omMetadataManager, tenantId);
+ volumeName = ozoneManager.getMultiTenantManager()
+ .getTenantVolumeName(tenantId);
acquiredVolumeLock =
omMetadataManager.getLock().acquireWriteLock(VOLUME_LOCK,
volumeName);
diff --git
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3GetSecretRequest.java
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3GetSecretRequest.java
index b6899c0702..a78762980d 100644
---
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3GetSecretRequest.java
+++
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3GetSecretRequest.java
@@ -376,6 +376,8 @@ public class TestS3GetSecretRequest {
).preExecute(ozoneManager)
);
+ when(omMultiTenantManager.getTenantVolumeName(TENANT_ID))
+ .thenReturn(TENANT_ID);
// Run validateAndUpdateCache
omClientResponse =
omTenantAssignUserAccessIdRequest.validateAndUpdateCache(ozoneManager,