This is an automated email from the ASF dual-hosted git repository.

adoroszlai pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git


The following commit(s) were added to refs/heads/master by this push:
     new f2ef43b638 HDDS-9018. Refactor creation of IAccessAuthorizer (#5069)
f2ef43b638 is described below

commit f2ef43b638e2df94af2a8e30fcef3849697195dc
Author: Doroszlai, Attila <[email protected]>
AuthorDate: Wed Jul 19 12:00:54 2023 +0200

    HDDS-9018. Refactor creation of IAccessAuthorizer (#5069)
---
 .../ozone/security/acl/IAccessAuthorizer.java      |   7 +
 .../ozone/security/acl/OzoneAccessAuthorizer.java  |   7 +
 .../apache/hadoop/ozone/om/OmMetadataReader.java   |  59 +-------
 .../org/apache/hadoop/ozone/om/OmSnapshot.java     |   7 +-
 .../org/apache/hadoop/ozone/om/OzoneManager.java   |   7 +-
 .../request/bucket/OMBucketSetPropertyRequest.java |  12 +-
 .../hadoop/ozone/om/request/key/OMKeyRequest.java  |  12 +-
 .../ozone/security/acl/OzoneAuthorizerFactory.java | 112 ++++++++++++++
 .../ozone/security/acl/OzoneNativeAuthorizer.java  |   8 +-
 .../ozone/om/request/key/TestOMKeyRequest.java     |   3 +
 .../s3/multipart/TestS3MultipartRequest.java       |   3 +
 .../security/acl/TestOzoneAuthorizerFactory.java   | 162 +++++++++++++++++++++
 12 files changed, 317 insertions(+), 82 deletions(-)

diff --git 
a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/IAccessAuthorizer.java
 
b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/IAccessAuthorizer.java
index 3523618d66..060372f118 100644
--- 
a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/IAccessAuthorizer.java
+++ 
b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/IAccessAuthorizer.java
@@ -42,6 +42,13 @@ public interface IAccessAuthorizer {
   boolean checkAccess(IOzoneObj ozoneObject, RequestContext context)
       throws OMException;
 
+  /**
+   * @return true for Ozone-native authorizer
+   */
+  default boolean isNative() {
+    return false;
+  }
+
   /**
    * ACL rights.
    */
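Review bot: The Javadoc on the new `isNative()` default consists of a bare `@return` tag with no summary sentence, and it does not say what callers do with the answer — which matters, because OMKeyRequest and OMBucketSetPropertyRequest in this same commit now change their ACL-check inputs based on it. Suggest `/** Whether this authorizer is the Ozone-native one (or a subclass of it). Callers adapt ACL checks to it, e.g. by appending the client id to the key name. @return true for Ozone-native authorizer */`. Note that the default is inherited by every third-party implementation, so `false` is the safe answer for unknown authorizers.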
diff --git 
a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneAccessAuthorizer.java
 
b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneAccessAuthorizer.java
index ae37bc8719..1f105a03ad 100644
--- 
a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneAccessAuthorizer.java
+++ 
b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneAccessAuthorizer.java
@@ -23,6 +23,13 @@ import org.apache.hadoop.ozone.om.exceptions.OMException;
  * */
 public class OzoneAccessAuthorizer implements IAccessAuthorizer {
 
+  private static final OzoneAccessAuthorizer INSTANCE =
+      new OzoneAccessAuthorizer();
+
+  public static OzoneAccessAuthorizer get() {
+    return INSTANCE;
+  }
+
   @Override
   public boolean checkAccess(IOzoneObj ozoneObject, RequestContext context)
       throws OMException {
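Review bot: The new public `get()` has no Javadoc, and nothing here says that the shared instance is the permissive default that the rest of this commit hands out when ACLs are disabled (the factory added in this commit calls it the no-op authorizer; `checkAccess` itself is below the hunk). Suggest `/** @return the shared no-op authorizer used when ACLs are disabled */` above `get()`. Because `INSTANCE` is now a process-wide singleton, the class must stay stateless; any mutable field added later outside this hunk would be shared by every reader and snapshot.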
diff --git 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmMetadataReader.java
 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmMetadataReader.java
index 7ee4772b71..af671cb5d7 100644
--- 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmMetadataReader.java
+++ 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmMetadataReader.java
@@ -19,7 +19,6 @@ package org.apache.hadoop.ozone.om;
 
 import java.io.IOException;
 import org.apache.commons.lang3.tuple.Pair;
-import org.apache.hadoop.hdds.conf.OzoneConfiguration;
 import org.apache.hadoop.ipc.ProtobufRpcEngine;
 import org.apache.hadoop.ipc.Server;
 import org.apache.hadoop.ozone.OzoneAcl;
@@ -39,7 +38,6 @@ import org.apache.hadoop.ozone.om.helpers.S3VolumeContext;
 import org.apache.hadoop.ozone.security.acl.OzoneObjInfo;
 import org.apache.hadoop.ozone.security.acl.RequestContext;
 import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.hadoop.util.ReflectionUtils;
 import org.apache.hadoop.util.Time;
 import org.slf4j.Logger;
 import java.net.InetAddress;
@@ -48,7 +46,6 @@ import java.util.Map;
 
 import static org.apache.hadoop.hdds.server.ServerUtils.getRemoteUserName;
 import static org.apache.hadoop.hdds.utils.HddsServerUtil.getRemoteUser;
-import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS;
 import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_FS_LISTING_PAGE_SIZE;
 import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_FS_LISTING_PAGE_SIZE_DEFAULT;
 import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_FS_LISTING_PAGE_SIZE_MAX;
@@ -58,7 +55,6 @@ import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer;
 import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType;
 import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType;
 import org.apache.hadoop.ozone.security.acl.OzoneAccessAuthorizer;
-import org.apache.hadoop.ozone.security.acl.OzoneNativeAuthorizer;
 import org.apache.hadoop.ozone.security.acl.OzoneObj;
 import org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType;
 import org.apache.hadoop.ozone.security.acl.OzoneObj.StoreType;
@@ -79,7 +75,6 @@ public class OmMetadataReader implements IOmMetadataReader, 
Auditor {
   private final OzoneManager ozoneManager;
   private final boolean isAclEnabled;
   private final IAccessAuthorizer accessAuthorizer;
-  private final boolean isNativeAuthorizerEnabled;
   private final OmMetadataReaderMetrics metrics;
   private final Logger log;
   private final AuditLogger audit;
@@ -91,50 +86,19 @@ public class OmMetadataReader implements IOmMetadataReader, 
Auditor {
                           Logger log,
                           AuditLogger audit,
                           OmMetadataReaderMetrics omMetadataReaderMetrics,
-                          boolean bNeedAccessAuthInitialization) {
+                          IAccessAuthorizer accessAuthorizer) {
     this.keyManager = keyManager;
     this.bucketManager = ozoneManager.getBucketManager();
     this.volumeManager = ozoneManager.getVolumeManager();
     this.prefixManager = prefixManager;
-    OzoneConfiguration configuration = ozoneManager.getConfiguration();
     this.ozoneManager = ozoneManager;
     this.isAclEnabled = ozoneManager.getAclsEnabled();
     this.log = log;
     this.audit = audit;
-    boolean allowListAllVolumes = ozoneManager.getAllowListAllVolumes();
     this.metrics = omMetadataReaderMetrics;
     this.perfMetrics = ozoneManager.getPerfMetrics();
-    if (isAclEnabled) {
-      Class<? extends IAccessAuthorizer> clazz = configuration.getClass(
-          OZONE_ACL_AUTHORIZER_CLASS, OzoneAccessAuthorizer.class,
-          IAccessAuthorizer.class);
-      if (bNeedAccessAuthInitialization ||
-          clazz.getSimpleName().equals(
-              OzoneNativeAuthorizer.class.getSimpleName())) {
-        // In case of NativeAuthorizer always re-initialize
-        accessAuthorizer = getACLAuthorizerInstance(configuration, clazz);
-        if (accessAuthorizer instanceof OzoneNativeAuthorizer) {
-          OzoneNativeAuthorizer authorizer =
-              (OzoneNativeAuthorizer) accessAuthorizer;
-          isNativeAuthorizerEnabled = true;
-          authorizer.setVolumeManager(volumeManager);
-          authorizer.setBucketManager(bucketManager);
-          authorizer.setKeyManager(keyManager);
-          authorizer.setPrefixManager(prefixManager);
-          authorizer.setAdminCheck(ozoneManager::isAdmin);
-          authorizer.setReadOnlyAdminCheck(ozoneManager::isReadOnlyAdmin);
-          authorizer.setAllowListAllVolumes(allowListAllVolumes);
-        } else {
-          isNativeAuthorizerEnabled = false;
-        }
-      } else {
-        accessAuthorizer = ozoneManager.getAccessAuthorizer();
-        isNativeAuthorizerEnabled = false;
-      }
-    } else {
-      accessAuthorizer = null;
-      isNativeAuthorizerEnabled = false;
-    }
+    this.accessAuthorizer = accessAuthorizer != null ? accessAuthorizer
+        : OzoneAccessAuthorizer.get();
   }
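Review bot: The null fallback at the end of the constructor, `accessAuthorizer != null ? accessAuthorizer : OzoneAccessAuthorizer.get()`, fails open: a caller that passes `null` while ACLs are enabled silently gets the allow-all authorizer, and `isNativeAuthorizerEnabled()` (later hunk) would then report false without any error. Both callers changed in this commit (OzoneManager and OmSnapshot) now always pass a factory result, and `OzoneAuthorizerFactory.create` already returns `OzoneAccessAuthorizer.get()` itself when ACLs are disabled, so the fallback appears to serve no caller. Suggest `this.accessAuthorizer = Objects.requireNonNull(accessAuthorizer, "accessAuthorizer");` (needs `java.util.Objects`), or at minimum restricting the fallback to `!isAclEnabled` so a missing authorizer with ACLs on is a failure rather than a bypass. The constructor's signature and the `isAclEnabled` field it still assigns start above the hunk.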
 
   /**
@@ -529,17 +493,6 @@ public class OmMetadataReader implements 
IOmMetadataReader, Auditor {
     }
   }
 
-  /**
-   * Returns an instance of {@link IAccessAuthorizer}.
-   * Looks up the configuration to see if there is custom class specified.
-   * Constructs the instance by passing the configuration directly to the
-   * constructor to achieve thread safety using final fields.
-   */
-  private IAccessAuthorizer getACLAuthorizerInstance(
-      OzoneConfiguration conf, Class<? extends IAccessAuthorizer> clazz) {
-    return ReflectionUtils.newInstance(clazz, conf);
-  }
-
   static String getClientAddress() {
     String clientMachine = Server.getRemoteAddress();
     if (clientMachine == null) { //not a RPC client
@@ -581,11 +534,7 @@ public class OmMetadataReader implements 
IOmMetadataReader, Auditor {
    * @return if native authorizer is enabled.
    */
   public boolean isNativeAuthorizerEnabled() {
-    return isNativeAuthorizerEnabled;
-  }
-
-  public IAccessAuthorizer getAccessAuthorizer() {
-    return accessAuthorizer;
+    return accessAuthorizer.isNative();
   }
 
   private ResourceType getResourceType(OmKeyArgs args) {
diff --git 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmSnapshot.java
 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmSnapshot.java
index 6e277e1408..8fa9bc25f1 100644
--- 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmSnapshot.java
+++ 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmSnapshot.java
@@ -29,6 +29,8 @@ import org.apache.hadoop.ozone.om.helpers.OmKeyInfo;
 import org.apache.hadoop.ozone.om.helpers.OmKeyLocationInfoGroup;
 import org.apache.hadoop.ozone.om.helpers.OzoneFileStatus;
 import org.apache.hadoop.ozone.om.helpers.SnapshotInfo;
+import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer;
+import org.apache.hadoop.ozone.security.acl.OzoneAuthorizerFactory;
 import org.apache.hadoop.ozone.security.acl.OzoneObj;
 import org.apache.hadoop.ozone.security.acl.OzoneObjInfo;
 import org.apache.hadoop.util.Time;
@@ -78,9 +80,12 @@ public class OmSnapshot implements IOmMetadataReader, 
Closeable {
                     String volumeName,
                     String bucketName,
                     String snapshotName) {
+    IAccessAuthorizer accessAuthorizer =
+        OzoneAuthorizerFactory.forSnapshot(ozoneManager,
+            keyManager, prefixManager);
     omMetadataReader = new OmMetadataReader(keyManager, prefixManager,
         ozoneManager, LOG, AUDIT,
-        OmSnapshotMetrics.getInstance(), false);
+        OmSnapshotMetrics.getInstance(), accessAuthorizer);
     this.snapshotName = snapshotName;
     this.bucketName = bucketName;
     this.volumeName = volumeName;
diff --git 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
index f50d0c8c5f..2d0ec01980 100644
--- 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
+++ 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
@@ -98,6 +98,7 @@ import org.apache.hadoop.ozone.om.snapshot.OmSnapshotUtils;
 import org.apache.hadoop.ozone.om.snapshot.ReferenceCounted;
 import org.apache.hadoop.ozone.om.snapshot.SnapshotCache;
 import org.apache.hadoop.ozone.om.upgrade.OMLayoutFeature;
+import org.apache.hadoop.ozone.security.acl.OzoneAuthorizerFactory;
 import org.apache.hadoop.ozone.snapshot.CancelSnapshotDiffResponse;
 import org.apache.hadoop.ozone.snapshot.SnapshotDiffResponse;
 import org.apache.hadoop.ozone.util.OzoneNetUtils;
@@ -473,6 +474,7 @@ public final class OzoneManager extends 
ServiceRuntimeInfoImpl
 
   private final boolean isSecurityEnabled;
 
+  private IAccessAuthorizer accessAuthorizer;
   // This metadata reader points to the active filesystem
   private OmMetadataReader omMetadataReader;
   // Wrap active DB metadata reader in ReferenceCounted once to avoid
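Review bot: The new `accessAuthorizer` field has no comment and, unlike the `omMetadataReader` field right below it, nothing says when it is populated; it is non-final, assigned in the init hunk later in this file, and returned as-is by `getAccessAuthorizer()`. `OzoneAuthorizerFactory.forSnapshot` (new file in this commit) dereferences that getter without a null check, so a snapshot constructed before the assignment would NPE — presumably snapshot loading happens later, but that ordering is outside this diff. Suggest `// Authorizer for the active filesystem; created during initialization, before omMetadataReader` on the line above the field.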
@@ -829,8 +831,9 @@ public final class OzoneManager extends 
ServiceRuntimeInfoImpl
     prefixManager = new PrefixManagerImpl(metadataManager, isRatisEnabled);
     keyManager = new KeyManagerImpl(this, scmClient, configuration,
         perfMetrics);
+    accessAuthorizer = OzoneAuthorizerFactory.forOM(this);
     omMetadataReader = new OmMetadataReader(keyManager, prefixManager,
-        this, LOG, AUDIT, metrics, true);
+        this, LOG, AUDIT, metrics, accessAuthorizer);
     // Active DB's OmMetadataReader instance does not need to be reference
     // counted, but it still needs to be wrapped to be consistent.
     rcOmMetadataReader = new ReferenceCounted<>(omMetadataReader, true, null);
@@ -1552,7 +1555,7 @@ public final class OzoneManager extends 
ServiceRuntimeInfoImpl
   }
 
   public IAccessAuthorizer getAccessAuthorizer() {
-    return omMetadataReader.getAccessAuthorizer();
+    return accessAuthorizer;
   }
 
   /**
diff --git 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketSetPropertyRequest.java
 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketSetPropertyRequest.java
index f1e8d202a1..912289f843 100644
--- 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketSetPropertyRequest.java
+++ 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketSetPropertyRequest.java
@@ -26,8 +26,6 @@ import org.apache.hadoop.hdds.client.DefaultReplicationConfig;
 import org.apache.hadoop.ozone.OzoneConsts;
 import org.apache.hadoop.ozone.audit.AuditLogger;
 import org.apache.hadoop.ozone.audit.OMAction;
-import org.apache.hadoop.ozone.om.IOmMetadataReader;
-import org.apache.hadoop.ozone.om.OmMetadataReader;
 import org.apache.hadoop.ozone.om.helpers.OmVolumeArgs;
 import org.apache.hadoop.ozone.om.ratis.utils.OzoneManagerDoubleBufferHelper;
 import org.apache.hadoop.ozone.om.request.util.OmResponseUtil;
@@ -35,8 +33,6 @@ import 
org.apache.hadoop.ozone.om.request.validation.RequestFeatureValidator;
 import org.apache.hadoop.ozone.om.request.validation.RequestProcessingPhase;
 import org.apache.hadoop.ozone.om.request.validation.ValidationCondition;
 import org.apache.hadoop.ozone.om.request.validation.ValidationContext;
-import org.apache.hadoop.ozone.om.snapshot.ReferenceCounted;
-import org.apache.hadoop.ozone.om.snapshot.SnapshotCache;
 import org.apache.hadoop.ozone.om.upgrade.OMLayoutFeature;
 import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.Type;
 import org.apache.hadoop.security.UserGroupInformation;
@@ -274,13 +270,7 @@ public class OMBucketSetPropertyRequest extends 
OMClientRequest {
   private void checkAclPermission(
       OzoneManager ozoneManager, String volumeName, String bucketName)
       throws IOException {
-    final boolean nativeAuthorizerEnabled;
-    try (ReferenceCounted<IOmMetadataReader, SnapshotCache> rcMetadataReader =
-        ozoneManager.getOmMetadataReader()) {
-      OmMetadataReader mdReader = (OmMetadataReader) rcMetadataReader.get();
-      nativeAuthorizerEnabled = mdReader.isNativeAuthorizerEnabled();
-    }
-    if (nativeAuthorizerEnabled) {
+    if (ozoneManager.getAccessAuthorizer().isNative()) {
       UserGroupInformation ugi = createUGI();
       String bucketOwner = ozoneManager.getBucketOwner(volumeName, bucketName,
           IAccessAuthorizer.ACLType.READ, OzoneObj.ResourceType.BUCKET);
diff --git 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java
 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java
index e8b0f8cc24..16ec6a5bd5 100644
--- 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java
+++ 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java
@@ -39,9 +39,7 @@ import org.apache.hadoop.hdds.utils.db.cache.CacheValue;
 import org.apache.hadoop.ozone.OmUtils;
 import org.apache.hadoop.ozone.OzoneAcl;
 import org.apache.hadoop.ozone.OzoneConsts;
-import org.apache.hadoop.ozone.om.IOmMetadataReader;
 import org.apache.hadoop.ozone.om.OMMetrics;
-import org.apache.hadoop.ozone.om.OmMetadataReader;
 import org.apache.hadoop.ozone.om.PrefixManager;
 import org.apache.hadoop.ozone.om.ResolvedBucket;
 import org.apache.hadoop.ozone.om.helpers.BucketEncryptionKeyInfo;
@@ -59,8 +57,6 @@ import org.apache.hadoop.ozone.om.helpers.RepeatedOmKeyInfo;
 import org.apache.hadoop.ozone.om.lock.OzoneLockStrategy;
 import org.apache.hadoop.ozone.om.request.OMClientRequestUtils;
 import org.apache.hadoop.ozone.om.request.file.OMFileRequest;
-import org.apache.hadoop.ozone.om.snapshot.ReferenceCounted;
-import org.apache.hadoop.ozone.om.snapshot.SnapshotCache;
 import org.apache.hadoop.ozone.protocolPB.OMPBHelper;
 import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer;
 import org.apache.hadoop.ozone.security.acl.OzoneObj;
@@ -385,18 +381,12 @@ public abstract class OMKeyRequest extends 
OMClientRequest {
   protected void checkKeyAclsInOpenKeyTable(OzoneManager ozoneManager,
       String volume, String bucket, String key,
       IAccessAuthorizer.ACLType aclType, long clientId) throws IOException {
-    final boolean nativeAuthorizerEnabled;
-    try (ReferenceCounted<IOmMetadataReader, SnapshotCache> rcMetadataReader =
-        ozoneManager.getOmMetadataReader()) {
-      OmMetadataReader mdReader = (OmMetadataReader) rcMetadataReader.get();
-      nativeAuthorizerEnabled = mdReader.isNativeAuthorizerEnabled();
-    }
 
     String keyNameForAclCheck = key;
     // Native authorizer requires client id as part of key name to check
     // write ACL on key. Add client id to key name if ozone native
     // authorizer is configured.
-    if (nativeAuthorizerEnabled) {
+    if (ozoneManager.getAccessAuthorizer().isNative()) {
       keyNameForAclCheck = key + "/" + clientId;
     }
 
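Review bot: A blank line is left at the top of `checkKeyAclsInOpenKeyTable`, directly after the signature, where the removed try-with-resources block used to be; drop it. The comment above the `isNative()` check still reads "if ozone native authorizer is configured", but `isNative()` is also true for subclasses of OzoneNativeAuthorizer (see its override in this commit), so `// authorizer reports itself as native` would describe the new condition more precisely; the same wording question applies to the OMBucketSetPropertyRequest hunk. The method body continues below the hunk.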
diff --git 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneAuthorizerFactory.java
 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneAuthorizerFactory.java
new file mode 100644
index 0000000000..5a5b1a7f26
--- /dev/null
+++ 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneAuthorizerFactory.java
@@ -0,0 +1,112 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.ozone.security.acl;
+
+import org.apache.hadoop.hdds.conf.ConfigurationSource;
+import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+import org.apache.hadoop.ozone.om.KeyManager;
+import org.apache.hadoop.ozone.om.OmSnapshot;
+import org.apache.hadoop.ozone.om.OzoneManager;
+import org.apache.hadoop.ozone.om.PrefixManager;
+
+import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS;
+import static org.apache.hadoop.util.ReflectionUtils.newInstance;
+
+/**
+ * Creates {@link IAccessAuthorizer} instances based on configuration.
+ */
+public final class OzoneAuthorizerFactory {
+
+  private OzoneAuthorizerFactory() {
+    // no instances
+  }
+
+  /**
+   * @return authorizer instance for {@link OzoneManager}
+   */
+  public static IAccessAuthorizer forOM(OzoneManager om) {
+    return create(om, om.getKeyManager(), om.getPrefixManager());
+  }
+
+  /**
+   * @return authorizer instance for {@link OmSnapshot}, may be new instance,
+   * or existing one, depending on configuration
+   */
+  public static IAccessAuthorizer forSnapshot(
+      OzoneManager om, KeyManager keyManager, PrefixManager prefixManager
+  ) {
+    return om.getAccessAuthorizer().isNative()
+        ? create(om, keyManager, prefixManager)
+        : om.getAccessAuthorizer();
+  }
+
+  /**
+   * Creates new instance (except for {@link OzoneAccessAuthorizer},
+   * which is a no-op authorizer.
+   */
+  private static IAccessAuthorizer create(
+      OzoneManager om, KeyManager km, PrefixManager pm
+  ) {
+    if (!om.getAclsEnabled()) {
+      return OzoneAccessAuthorizer.get();
+    }
+
+    final OzoneConfiguration conf = om.getConfiguration();
+    final Class<? extends IAccessAuthorizer> clazz = authorizerClass(conf);
+
+    if (OzoneAccessAuthorizer.class == clazz) {
+      return OzoneAccessAuthorizer.get();
+    }
+
+    if (OzoneNativeAuthorizer.class == clazz) {
+      final OzoneNativeAuthorizer authorizer = new OzoneNativeAuthorizer();
+      return configure(authorizer, om, km, pm);
+    }
+
+    final IAccessAuthorizer authorizer = newInstance(clazz, conf);
+    return authorizer instanceof OzoneNativeAuthorizer
+        ? configure((OzoneNativeAuthorizer) authorizer, om, km, pm)
+        : authorizer;
+  }
+
+  /**
+   * Configure {@link OzoneNativeAuthorizer}.
+   * @return same instance for convenience
+   */
+  private static IAccessAuthorizer configure(
+      OzoneNativeAuthorizer authorizer,
+      OzoneManager om, KeyManager km, PrefixManager pm
+  ) {
+    authorizer.setVolumeManager(om.getVolumeManager());
+    authorizer.setBucketManager(om.getBucketManager());
+    authorizer.setKeyManager(km);
+    authorizer.setPrefixManager(pm);
+    authorizer.setAdminCheck(om::isAdmin);
+    authorizer.setReadOnlyAdminCheck(om::isReadOnlyAdmin);
+    authorizer.setAllowListAllVolumes(om.getAllowListAllVolumes());
+    return authorizer;
+  }
+
+  private static Class<? extends IAccessAuthorizer> authorizerClass(
+      ConfigurationSource conf) {
+    return conf.getClass(OZONE_ACL_AUTHORIZER_CLASS,
+        OzoneAccessAuthorizer.class,
+        IAccessAuthorizer.class);
+  }
+
+}
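Review bot: The Javadoc on `create` has an unbalanced parenthesis (`(except for {@link OzoneAccessAuthorizer}, which is a no-op authorizer.`), and `forOM` and `forSnapshot` carry only an `@return` tag with no summary sentence. `forSnapshot` dereferences `om.getAccessAuthorizer()` without a null check; since OzoneManager's field is assigned during initialization in this same commit, that is a precondition worth stating, e.g. `Requires the OM's own authorizer to have been created via {@link #forOM} first.` Note also that `forSnapshot` branches on `isNative()` while `create` wires only `instanceof OzoneNativeAuthorizer`, so a third-party implementation that overrides `isNative()` to true gets a fresh, unconfigured instance per snapshot — probably acceptable, but a sentence in the `forSnapshot` Javadoc would make the intent explicit.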
diff --git 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneNativeAuthorizer.java
 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneNativeAuthorizer.java
index 7d75a3a7a2..28194115e4 100644
--- 
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneNativeAuthorizer.java
+++ 
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneNativeAuthorizer.java
@@ -37,8 +37,7 @@ import java.util.function.Predicate;
 import static 
org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.INVALID_REQUEST;
 
 /**
- * Public API for Ozone ACLs. Security providers providing support for Ozone
- * ACLs should implement this.
+ * Native (internal) implementation of {@link IAccessAuthorizer}.
  */
 @InterfaceAudience.LimitedPrivate({"HDFS", "Yarn", "Ranger", "Hive", "HBase"})
 @InterfaceStability.Evolving
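Review bot: The rewritten class Javadoc describes OzoneNativeAuthorizer as the internal implementation, but the `@InterfaceAudience.LimitedPrivate({"HDFS", "Yarn", "Ranger", "Hive", "HBase"})` annotation on the next line still advertises it to external projects; the two statements now contradict each other. If `IAccessAuthorizer` is meant to be the only public contract, consider narrowing the annotation (e.g. `@InterfaceAudience.Private`) or explaining in the Javadoc why it stays LimitedPrivate. Since subclassing is evidently intended (the factory in this commit configures any `instanceof OzoneNativeAuthorizer`, and the `isNative()` override in the next hunk is inherited), the Javadoc could also state that subclasses are treated as native.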
@@ -71,6 +70,11 @@ public class OzoneNativeAuthorizer implements 
IAccessAuthorizer {
     this.adminCheck = ozoneAdmins::isAdmin;
   }
 
+  @Override
+  public boolean isNative() {
+    return true;
+  }
+
   /**
    * Check access for given ozoneObject.
    *
diff --git 
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/key/TestOMKeyRequest.java
 
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/key/TestOMKeyRequest.java
index ff943bee8d..0043ea841c 100644
--- 
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/key/TestOMKeyRequest.java
+++ 
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/key/TestOMKeyRequest.java
@@ -44,6 +44,7 @@ import org.apache.hadoop.ozone.om.snapshot.ReferenceCounted;
 import org.apache.hadoop.ozone.om.snapshot.SnapshotCache;
 import org.apache.hadoop.ozone.om.upgrade.OMLayoutVersionManager;
 import 
org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.KeyArgs;
+import org.apache.hadoop.ozone.security.acl.OzoneNativeAuthorizer;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.jetbrains.annotations.NotNull;
 import org.junit.After;
@@ -168,6 +169,8 @@ public class TestOMKeyRequest {
     when(ozoneManager.getOMNodeId()).thenReturn(UUID.randomUUID().toString());
     when(scmClient.getBlockClient()).thenReturn(scmBlockLocationProtocol);
     when(ozoneManager.getKeyManager()).thenReturn(keyManager);
+    when(ozoneManager.getAccessAuthorizer())
+        .thenReturn(new OzoneNativeAuthorizer());
 
     ReferenceCounted<IOmMetadataReader, SnapshotCache> rcOmMetadataReader =
         mock(ReferenceCounted.class);
diff --git 
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/multipart/TestS3MultipartRequest.java
 
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/multipart/TestS3MultipartRequest.java
index 099af69791..4a2ced8e60 100644
--- 
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/multipart/TestS3MultipartRequest.java
+++ 
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/multipart/TestS3MultipartRequest.java
@@ -25,6 +25,7 @@ import java.util.List;
 import org.apache.hadoop.hdds.client.ReplicationConfig;
 import org.apache.hadoop.ozone.om.helpers.BucketLayout;
 import org.apache.hadoop.ozone.om.request.OMClientRequest;
+import org.apache.hadoop.ozone.security.acl.OzoneNativeAuthorizer;
 import org.junit.After;
 import org.junit.Assert;
 import org.junit.Before;
@@ -95,6 +96,8 @@ public class TestS3MultipartRequest {
     OmMetadataReader omMetadataReader = Mockito.mock(OmMetadataReader.class);
     when(omMetadataReader.isNativeAuthorizerEnabled()).thenReturn(true);
     when(rcOmMetadataReader.get()).thenReturn(omMetadataReader);
+    when(ozoneManager.getAccessAuthorizer())
+        .thenReturn(new OzoneNativeAuthorizer());
     when(ozoneManager.getAuditLogger()).thenReturn(auditLogger);
     when(ozoneManager.getDefaultReplicationConfig()).thenReturn(
         ReplicationConfig.getDefault(ozoneConfiguration));
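Review bot: The stub `when(omMetadataReader.isNativeAuthorizerEnabled()).thenReturn(true)` three lines above the added lines looks redundant now: OMKeyRequest and OMBucketSetPropertyRequest in this commit switched to `ozoneManager.getAccessAuthorizer().isNative()`, so the mocked reader's answer may no longer be consulted on the paths this fixture exercises. If no remaining request class still reaches the reader, drop that stub and the `omMetadataReader` mock so the fixture does not suggest two independent switches. The setup method continues outside the hunk.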
diff --git 
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/acl/TestOzoneAuthorizerFactory.java
 
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/acl/TestOzoneAuthorizerFactory.java
new file mode 100644
index 0000000000..868c7f80a1
--- /dev/null
+++ 
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/acl/TestOzoneAuthorizerFactory.java
@@ -0,0 +1,162 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.ozone.security.acl;
+
+import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+import org.apache.hadoop.ozone.om.OzoneManager;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
+
+import javax.annotation.Nonnull;
+
+import static 
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertInstanceOf;
+import static org.junit.jupiter.api.Assertions.assertNotSame;
+import static org.junit.jupiter.api.Assertions.assertSame;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+class TestOzoneAuthorizerFactory {
+
+  @Test
+  void aclsDisabled() {
+    // GIVEN
+    OzoneManager om = disableAcls();
+
+    // WHEN
+    IAccessAuthorizer omAuth =
+        OzoneAuthorizerFactory.forOM(om);
+
+    // THEN
+    assertSame(OzoneAccessAuthorizer.get(), omAuth);
+
+    assertSameInstanceForSnapshot(om, omAuth);
+  }
+
+  @ParameterizedTest
+  @ValueSource(classes = {
+      OzoneNativeAuthorizer.class,
+      MockNativeAuthorizer.class,
+  })
+  void nativeAuthorizer(Class<? extends IAccessAuthorizer> clazz) {
+    // GIVEN
+    OzoneManager om = enableAcls(clazz);
+
+    // WHEN
+    IAccessAuthorizer omAuth =
+        OzoneAuthorizerFactory.forOM(om);
+
+    // THEN
+    assertInstanceOf(clazz, omAuth);
+
+    assertNewInstanceForSnapshot(om, omAuth);
+  }
+
+  @Test
+  void thirdPartyAuthorizer() {
+    // GIVEN
+    OzoneManager om = enableAcls(MockThirdPartyAuthorizer.class);
+
+    // WHEN
+    IAccessAuthorizer omAuth =
+        OzoneAuthorizerFactory.forOM(om);
+
+    // THEN
+    assertInstanceOf(MockThirdPartyAuthorizer.class, omAuth);
+
+    assertSameInstanceForSnapshot(om, omAuth);
+  }
+
+  private static void assertSameInstanceForSnapshot(
+      OzoneManager om, IAccessAuthorizer omAuth) {
+    // GIVEN
+    when(om.getAccessAuthorizer()).thenReturn(omAuth);
+
+    // WHEN
+    IAccessAuthorizer snapshotAuth =
+        OzoneAuthorizerFactory.forSnapshot(om, null, null);
+
+    // THEN
+    assertSame(omAuth, snapshotAuth);
+  }
+
+  private static void assertNewInstanceForSnapshot(
+      OzoneManager om, IAccessAuthorizer omAuth) {
+    // GIVEN
+    when(om.getAccessAuthorizer()).thenReturn(omAuth);
+
+    // WHEN
+    IAccessAuthorizer snapshotAuth =
+        OzoneAuthorizerFactory.forSnapshot(om, null, null);
+
+    // THEN
+    assertEquals(omAuth.getClass(), snapshotAuth.getClass());
+    assertNotSame(omAuth, snapshotAuth);
+  }
+
+  @Nonnull
+  private static OzoneManager disableAcls() {
+    return configureOM(false, OzoneNativeAuthorizer.class);
+  }
+
+  @Nonnull
+  private static OzoneManager enableAcls(
+      Class<? extends IAccessAuthorizer> clazz) {
+    return configureOM(true, clazz);
+  }
+
+  @Nonnull
+  private static OzoneManager configureOM(boolean aclEnabled,
+      Class<? extends IAccessAuthorizer> clazz) {
+
+    OzoneConfiguration conf = new OzoneConfiguration();
+    conf.setBoolean(OZONE_ACL_ENABLED, aclEnabled);
+    conf.setClass(OZONE_ACL_AUTHORIZER_CLASS, clazz, IAccessAuthorizer.class);
+
+    OzoneManager om = mock(OzoneManager.class);
+    when(om.getConfiguration())
+        .thenReturn(conf);
+    when(om.getAclsEnabled())
+        .thenReturn(aclEnabled);
+
+    return om;
+  }
+
+  /**
+   * Non-native authorizer for tests.
+   */
+  public static class MockNativeAuthorizer extends OzoneNativeAuthorizer {
+    @Override
+    public boolean checkAccess(IOzoneObj ozoneObject, RequestContext context) {
+      return false;
+    }
+  }
+
+  /**
+   * Non-native authorizer for tests.
+   */
+  public static class MockThirdPartyAuthorizer implements IAccessAuthorizer {
+    @Override
+    public boolean checkAccess(IOzoneObj ozoneObject, RequestContext context) {
+      return false;
+    }
+  }
+}
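Review bot: The Javadoc on `MockNativeAuthorizer` says "Non-native authorizer for tests." but the class extends OzoneNativeAuthorizer and therefore reports `isNative()` as true — which is exactly why `nativeAuthorizer` expects a fresh instance per snapshot. Change it to `/** Native authorizer subclass for tests. */`; the identical text on `MockThirdPartyAuthorizer` is correct there. No case covers a third-party implementation that overrides `isNative()` to return true, which takes the `create` branch in `forSnapshot` without going through `configure`; a test pinning that outcome would document whether it is intended.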

