neils-dev opened a new pull request #2721:
URL: https://github.com/apache/ozone/pull/2721
… basis.
## What changes were proposed in this pull request?
Included in this PR is added functionality to s3 gateway Grpc feature to
support s3 request user authentication on a per request basis. Each s3 request
through the s3 gateway is transported over gRPC through a persistent connection
between the s3 gateway, s3g, and the Ozone Manager, om. The s3g client creates
an Ozone `S3AUTHINFO` token that is relayed over gRPC, `GrpcOmTransport`,
through the `OzoneManagerProtocol` `OmRequest` to the om. The om authenticates
the user (s3 secret lookup) and either processes the request or rejects the
request on authentication failure.
Items of interest for request authentication:
The client side s3g `GrpcOmTransport` sets the `OmRequest`
`S3Authentication` structure with the contents of the `S3AUTHINFO` token within
the thread context via `UserGroupInformation`.
The server side `OzoneManagerServiceGrpc` uses the `OmRequest`
`S3Authentication` to verify the s3 request `signature` through an s3 secret
lookup based on the `accessID` and generating the signature with the secret key
and `stringToSign`. This is done with the om
`OzoneDelegationTokenSecretManager`.
## What is the link to the Apache JIRA
https://issues.apache.org/jira/browse/HDDS-5780
## How was this patch tested?
Unit tests: TestGrpcOzoneManagerServer;
Manual Testing with secure ozone cluster:
s3 request - ozone cluster processing s3 create bucket request
`$ cd hadoop-ozone/dist/target/ozone-1.2.0-SNAPSHOT/compose/ozonesecure`
**ENABLE** gRPC Ozone Manager through config.
**DISABLE** acls through config.
**_ozone.om.s3.grpc.server_enabled: "true"_**
**_ozone.acl.enabled: "false"_**
ADD to docker-compose.yaml or docker-config:
$ vi docker-compose.yaml
`OZONE-SITE.XML_ozone.om.s3.grpc.server_enabled: "true"`
`OZONE-SITE.XML_ozone.acl.enabled: "false"`
`$ docker-compose up -d --scale datanode=3`
`$ docker-compose run scm bash`
`bash-4.2$ kinit -kt /etc/security/keytabs/testuser.keytab testuser/scm`
`bash-4.2$ ozone s3 getsecret`
`$ export AWS_ACCESS_KEY=testuser/[email protected] AWS_SECRET_KEY=<key>`
`$ aws s3api --endpoint http://localhost:9878 create-bucket --bucket=bucket1`
_{
"Location": "http://localhost:9878/bucket1"
}_
Now run unauthorized:
`$ export AWS_ACCESS_KEY=`
`$ export AWS_SECRET_KEY=`
`$ aws s3api --endpoint http://localhost:9878 create-bucket --bucket=bucket1`
_An error occurred (500) when calling the CreateBucket operation (reached
max retries: 2): Internal Server Error_
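The per-request check the PR description outlines (s3g relays `accessID`, `signature` and `stringToSign` in the `OmRequest` `S3Authentication` block; the om looks up the s3 secret for the `accessID`, regenerates the signature and rejects the request on mismatch) as an added example in Python. This is not code from the PR or from Ozone: the in-memory secret store, the function names and the use of the standard AWS Signature V4 signing-key derivation (date/region/service scope) are assumptions made for the demonstration, and the access ID and secret are constructed values.

```python
"""Added example: server-side s3 signature verification on a per-request
basis, modelled on the s3g -> om flow in the PR description.  Not Ozone
code; SigV4 key derivation and the dict-backed secret store are assumed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for the om's s3 secret lookup (assumption: a dict,
# where the real om consults its secret manager).
SECRET_STORE: Dict[str, str] = {
    "testuser/scm@CONSTRUCTED.REALM": "constructed-secret-0123456789abcdef",
}


@dataclass(frozen=True)
class S3Authentication:
    """Per-request fields. accessID, signature and stringToSign are the ones
    named in the PR; date_stamp/region/service are the SigV4 scope values the
    signing-key derivation needs (assumed here)."""
    access_id: str
    signature: str
    string_to_sign: str
    date_stamp: str          # YYYYMMDD, taken from the request scope
    region: str
    service: str = "s3"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Standard AWS Signature V4 derivation chain from the long-term secret."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sigv4_signature(secret_key: str, string_to_sign: str,
                    date_stamp: str, region: str, service: str) -> str:
    """Hex signature over stringToSign with the derived signing key."""
    key = sigv4_signing_key(secret_key, date_stamp, region, service)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def client_sign(access_id: str, secret_key: str, string_to_sign: str,
                date_stamp: str, region: str, service: str = "s3") -> S3Authentication:
    """What the s3g side contributes: the S3Authentication block for one request."""
    sig = sigv4_signature(secret_key, string_to_sign, date_stamp, region, service)
    return S3Authentication(access_id, sig, string_to_sign, date_stamp, region, service)


def om_authenticate(auth: Optional[S3Authentication],
                    secrets: Dict[str, str] = SECRET_STORE) -> bool:
    """What the om side does: secret lookup by accessID, regenerate the
    signature, constant-time compare.  Any failure rejects the request."""
    if auth is None or not auth.access_id or not auth.signature:
        return False                      # no credentials relayed at all
    secret = secrets.get(auth.access_id)
    if secret is None:
        return False                      # unknown accessID: no secret to check against
    expected = sigv4_signature(secret, auth.string_to_sign,
                               auth.date_stamp, auth.region, auth.service)
    # compare_digest on bytes avoids both timing leaks and non-ASCII TypeErrors
    return hmac.compare_digest(expected.encode("ascii"),
                               auth.signature.lower().encode("utf-8", "replace"))


if __name__ == "__main__":
    # Constructed stringToSign in SigV4 layout (algorithm, timestamp, scope,
    # hash of the canonical request); the hash is of an empty string.
    sts = ("AWS4-HMAC-SHA256\n20211004T120000Z\n20211004/us-east-1/s3/aws4_request\n"
           "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")
    uid = "testuser/scm@CONSTRUCTED.REALM"
    good = client_sign(uid, SECRET_STORE[uid], sts, "20211004", "us-east-1")
    print("valid request   :", om_authenticate(good))
    tampered = S3Authentication(uid, good.signature, sts + "\nextra", "20211004", "us-east-1")
    print("tampered request:", om_authenticate(tampered))
    print("no credentials  :", om_authenticate(None))
```

The two rejection paths mirror the manual test in the description: with `AWS_ACCESS_KEY`/`AWS_SECRET_KEY` unset the client cannot produce a matching signature, so the om rejects the request instead of creating the bucket.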