neils-dev opened a new pull request #2945: URL: https://github.com/apache/ozone/pull/2945
…sync with Ozone master containing s3gateway persistent connection hadoop rpc from HDDS-5881. This commit also includes functionality to configure omtransport, choosing either hrpc (default) or Grpc OmTransport s3gateway om channel - HDDS-5813.

## What changes were proposed in this pull request?

Support for TLS secured Grpc OmTransport channel between s3gateway, s3g, and the ozone manager, om. TLS is enabled for the s3g persistent connection between the s3g and the om through the configuration "_**hdds.grpc.tls.enabled**_" boolean.

Included is selection of OmTransport used between s3g and om through configuration "_**ozone.om.transport.class**_", `org.apache.hadoop.ozone.om.protocolPB.Hadoop3OmTransportFactory` (default) or `org.apache.hadoop.ozone.om.protocolPB.GrpcOmTransportFactory`, allowing use of Hadoop rpc, hrpc, (HDDS-5581) while migrating to the full HDDS-4440 feature using Grpc persistent OmTransport s3g.

The TLS Grpc client connection is established by initially using a temporary secured (kerberos) hrpc connection between the s3g and the om to obtain the CA Certificates (`serviceInfo` `OmRequest`). The certificates are then used to authenticate the Grpc TLS connection established between the s3g and the om through the `GrpcOmTransport`.

## What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-5545

## How was this patch tested?

Patch was tested through both unit tests and manually with the secureozone cluster.

1. unit tests `TestGrpcOmTransport.testGrpcOmTransportFactory`, `TestGrpcOmTransport.testHrpcOmTransportFactory`

   ```
   hadoop-ozone/s3gateway$ mvn -Dtest=TestGrpcOmTransport#testGrpcOmTransportFactory test
   [INFO] Running org.apache.hadoop.ozone.protocolPB.TestGrpcOmTransport
   [INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.97 s - in org.apache.hadoop.ozone.protocolPB.TestGrpcOmTransport
   [INFO]
   [INFO] Results:
   [INFO]
   [INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0
   ```

   ```
   hadoop-ozone/s3gateway$ mvn -Dtest=TestGrpcOmTransport#testHrpcOmTransportFactory test
   [INFO] Running org.apache.hadoop.ozone.protocolPB.TestGrpcOmTransport
   [INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.647 s - in org.apache.hadoop.ozone.protocolPB.TestGrpcOmTransport
   [INFO]
   [INFO] Results:
   [INFO]
   [INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0
   ```

2. manual testing with ozonesecure cluster:

   ```
   hadoop-ozone/dist/target/ozone-1.2.0-SNAPSHOT/compose/ozonesecure$ docker-compose up -d --scale datanode=3
   ```

   setup kdc and get user secret:

   ```
   hadoop-ozone/dist/target/ozone-1.2.0-SNAPSHOT/compose/ozonesecure$ docker-compose exec scm bash
   $ kinit -kt /etc/security/keytabs/testuser.keytab testuser/[email protected]
   $ ozone s3 getsecret -u=testuser/[email protected]
   ```

   With user credentials set in profile 'ozone' (aws secret & username testuser/[email protected]) through aws cli:

   ```
   $ aws s3api --profile ozone --endpoint http://localhost:9878 list-buckets
   {
       "Buckets": []
   }
   ```

   This runs s3g with the hrpc omtransport. Now for TLS Grpc, rerun the same but with the ozone configuration for the Grpc om transport through "_**ozone.om.transport.class**_"=`org.apache.hadoop.ozone.om.protocolPB.GrpcOmTransportFactory`, i.e. **set** in _hadoop-ozone/dist/target/ozone-1.2.0-SNAPSHOT/compose/ozonesecure/docker-config_:

   ```
   OZONE-SITE.XML_ozone.om.transport.class=org.apache.hadoop.ozone.om.protocolPB.GrpcOmTransportFactory
   ```

   ```
   $ aws s3api --profile ozone --endpoint http://localhost:9878 list-buckets
   {
       "Buckets": []
   }
   ```

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
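Added example, not part of the PR or of the Ozone project's code: a small shell helper that switches the s3g-to-OM transport in the compose `docker-config` between the two factory classes named in the PR, turns on `hdds.grpc.tls.enabled` for the gRPC case, and wraps the same `aws s3api list-buckets` check the PR uses to confirm the gateway still reaches the OM. It assumes (these are not from the PR) that `docker-config` is one `KEY=VALUE` per line and that the `OZONE-SITE.XML_` prefix applies to `hdds.grpc.tls.enabled` the same way the PR shows it for `ozone.om.transport.class`. The `ozone` aws profile and the `http://localhost:9878` endpoint are taken from the PR's own steps.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): toggle the s3g -> OM transport in the
# ozonesecure compose docker-config and re-run the PR's list-buckets check.
# Assumptions (not from the page): docker-config is one KEY=VALUE per line,
# and the OZONE-SITE.XML_ prefix also works for hdds.grpc.tls.enabled.
set -eu

HRPC_FACTORY='org.apache.hadoop.ozone.om.protocolPB.Hadoop3OmTransportFactory'
GRPC_FACTORY='org.apache.hadoop.ozone.om.protocolPB.GrpcOmTransportFactory'
TRANSPORT_KEY='OZONE-SITE.XML_ozone.om.transport.class'
TLS_KEY='OZONE-SITE.XML_hdds.grpc.tls.enabled'   # assumed key spelling

# set_config FILE KEY VALUE
# Replace any existing "KEY=..." line in FILE, or append one, so that
# exactly one definition of KEY remains (duplicate keys are a common
# source of "which value won?" confusion in env-style config files).
set_config() {
  file=$1; key=$2; value=$3
  tmp=$(mktemp)
  grep -v "^${key}=" "$file" > "$tmp" || true   # grep -v exits 1 on empty output
  printf '%s=%s\n' "$key" "$value" >> "$tmp"
  mv "$tmp" "$file"
}

# get_config FILE KEY -> prints the value of KEY (empty if unset)
get_config() {
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# configure_transport FILE hrpc|grpc
# hrpc: the default Hadoop RPC transport (Kerberos-secured, per the PR).
# grpc: the GrpcOmTransport with TLS enabled for the persistent channel.
configure_transport() {
  file=$1; mode=$2
  case "$mode" in
    hrpc) set_config "$file" "$TRANSPORT_KEY" "$HRPC_FACTORY" ;;
    grpc) set_config "$file" "$TRANSPORT_KEY" "$GRPC_FACTORY"
          set_config "$file" "$TLS_KEY" true ;;
    *) echo "configure_transport: unknown mode '$mode' (use hrpc|grpc)" >&2; return 1 ;;
  esac
}

# check_s3 ENDPOINT -> exit 0 if list-buckets answers with a Buckets array,
# i.e. the gateway reached the OM over whichever transport is configured.
check_s3() {
  aws s3api --profile ozone --endpoint "$1" list-buckets | grep -q '"Buckets"'
}

# Stand-alone demo on a constructed docker-config copy (not the real file).
demo_file=$(mktemp)
printf '%s=%s\n' "$TRANSPORT_KEY" "$HRPC_FACTORY" > "$demo_file"
configure_transport "$demo_file" grpc
grep '^OZONE-SITE.XML_' "$demo_file"
rm -f "$demo_file"
```

Typical use against the real file would be `configure_transport hadoop-ozone/dist/target/ozone-1.2.0-SNAPSHOT/compose/ozonesecure/docker-config grpc`, bringing the compose cluster up again so the containers read the new environment, then `check_s3 http://localhost:9878`. Running the same check once with `hrpc` and once with `grpc` is the two-transport comparison the PR describes; note that `hdds.grpc.tls.enabled` only governs the gRPC channel, so with the hrpc factory the s3g-to-OM hop is protected by Kerberos rather than by this flag.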
