[
https://issues.apache.org/jira/browse/HDDS-4089?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17636027#comment-17636027
]
Siyao Meng commented on HDDS-4089:
----------------------------------
+1 [~erose]. We could potentially use {{RangerClient}} to push and pull Ranger
ACLs in OM when Ozone client does {{setAcl}} and {{getAcl}}.
Some thoughts:
1. {{OM<*>SetAclRequest}} would still have to go through Ratis. And the leader
OM will be responsible for issuing the Ranger client request. In this case the
leader might have to make sure the setAcl request is successful (either
accepted or rejected by Ranger Admin Server) before returning to the client.
-- Actually, a cleaner way IMO is to set both the Ozone native ACL (which is
persisted in OM DB without network latency) and the external authorizer ACL for a
client SetAcl, where setAcl only needs to care about writing the ACL to OM DB
(the existing logic), and a background external ACL sync thread would
pick the change up and push it to Ranger. This is similar to what we have already
done in
[{{RangerBGSyncTask}}|https://github.com/apache/ozone/blob/e7f4c05d0967932d5bde49c51501ba83e6af532a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/service/OMRangerBGSyncService.java#L272]
with multi-tenancy. But a prerequisite for this approach to work is that OM DB
ACL *can* persist the full Ranger ACL state pertaining to Ozone objects, which
may or may not be the case. (For example, one needs to look into whether
Ranger's built-in user list/management would get in the way.) -- I think this
is doable.
2. As of now, there are some delays (~30 sec) before ACLs are applied and
reflected on the cluster when Ranger ACLs are updated. The delay is caused by
the Ranger plugin's periodic polling (installed in each OM). Thus, {{setAcl}}
through {{RangerClient}} would also have some delays. We could improve user
experience by (somehow) immediately triggering the Ranger plugin policy update
pull after new ACLs are pushed in the background sync thread as described in
(1). But I don't think the Ranger plugin has such an API yet. So this can be an
improvement request to Ranger.
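The two design points above (persist the ACL in OM DB first and let a background task push it to the external authorizer; the plugin-side polling delay) can be walked through with a small model. This is an added illustration, not Ozone or Ranger code: {{OmAclDb}}, {{FakeRangerAdmin}}, {{FakeRangerPlugin}} and {{AclSyncTask}} are hypothetical stand-ins, and the Ranger Admin stand-in rejects principals it does not know in order to model the "built-in user list may get in the way" caveat. The {{reconcile()}} diff is the check an operator would want when the two authorizers can diverge.

```python
"""Added illustration (not Ozone/Ranger code) of 'write OM DB first, sync to the
external authorizer in the background'. All names here are hypothetical."""
from typing import Dict, FrozenSet, List, Optional, Tuple

Key = Tuple[str, str]  # (Ozone object path, principal)


class OmAclDb:
    """Stand-in for the OM DB ACL table plus a generation-numbered change log."""

    def __init__(self) -> None:
        self.generation = 0
        self.acls: Dict[Key, FrozenSet[str]] = {}
        self.changelog: List[Tuple[int, Key, Optional[FrozenSet[str]]]] = []

    def set_acl(self, path: str, principal: str, perms: FrozenSet[str]) -> int:
        """Existing setAcl path: write locally and return, no Ranger round trip."""
        self.generation += 1
        self.acls[(path, principal)] = perms
        self.changelog.append((self.generation, (path, principal), perms))
        return self.generation

    def remove_acl(self, path: str, principal: str) -> int:
        self.generation += 1
        self.acls.pop((path, principal), None)
        self.changelog.append((self.generation, (path, principal), None))  # tombstone
        return self.generation


class FakeRangerAdmin:
    """Stand-in for Ranger Admin Server; rejects unknown principals (models the
    'built-in user list' caveat). Constructed, not Ranger's real API."""

    def __init__(self, known_users: List[str]) -> None:
        self.known_users = set(known_users)
        self.policies: Dict[Key, FrozenSet[str]] = {}

    def upsert_policy(self, path: str, principal: str, perms: FrozenSet[str]) -> bool:
        if principal not in self.known_users:
            return False
        self.policies[(path, principal)] = perms
        return True

    def delete_policy(self, path: str, principal: str) -> bool:
        self.policies.pop((path, principal), None)
        return True


class FakeRangerPlugin:
    """Stand-in for the plugin in each OM: authorizes from a cache that only
    changes on poll(), which is the delay described in point (2)."""

    def __init__(self, admin: FakeRangerAdmin) -> None:
        self.admin = admin
        self.cache: Dict[Key, FrozenSet[str]] = {}

    def poll(self) -> None:
        self.cache = dict(self.admin.policies)

    def authorize(self, path: str, principal: str, perm: str) -> bool:
        return perm in self.cache.get((path, principal), frozenset())


class AclSyncTask:
    """Background push of OM DB changes to Ranger. Rejections are recorded, not
    retried forever; reconcile() reports where the two authorizers disagree."""

    def __init__(self, db: OmAclDb, admin: FakeRangerAdmin) -> None:
        self.db, self.admin = db, admin
        self.last_synced = 0
        self.rejected: List[Key] = []

    def run_once(self) -> int:
        pushed = 0
        for gen, (path, principal), perms in self.db.changelog:
            if gen <= self.last_synced:
                continue  # already pushed in an earlier run
            if perms is None:
                ok = self.admin.delete_policy(path, principal)
            else:
                ok = self.admin.upsert_policy(path, principal, perms)
            if ok:
                pushed += 1
            else:
                self.rejected.append((path, principal))
            self.last_synced = gen
        return pushed

    def reconcile(self) -> Dict[str, List[Key]]:
        """Full diff; a non-empty result means OM DB and Ranger have diverged."""
        missing = sorted(k for k, v in self.db.acls.items() if self.admin.policies.get(k) != v)
        stale = sorted(k for k in self.admin.policies if k not in self.db.acls)
        return {"missing_in_ranger": missing, "stale_in_ranger": stale}


def demo() -> Dict[str, object]:
    """Accepted ACL, rejected ACL for an unknown user, and the poll delay."""
    db, admin = OmAclDb(), FakeRangerAdmin(known_users=["alice"])
    plugin, sync = FakeRangerPlugin(admin), AclSyncTask(db, admin)
    db.set_acl("/vol1/bucket1", "alice", frozenset({"READ", "WRITE"}))
    db.set_acl("/vol1/bucket1", "bob", frozenset({"READ"}))  # bob unknown to Ranger
    pushed = sync.run_once()
    before_poll = plugin.authorize("/vol1/bucket1", "alice", "READ")
    plugin.poll()  # what the periodic (~30 s) plugin refresh eventually does
    after_poll = plugin.authorize("/vol1/bucket1", "alice", "READ")
    return {"pushed": pushed, "rejected": sync.rejected, "before_poll": before_poll,
            "after_poll": after_poll, "diff": sync.reconcile()}


if __name__ == "__main__":
    print(demo())
```

Running {{demo()}} shows the accepted ACL is not enforceable until the plugin polls, and that a rejected ACL leaves OM DB and Ranger in disagreement, which {{reconcile()}} surfaces; that divergence is exactly the prerequisite noted above that OM DB must be able to hold the full Ranger state.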
> Allow ozone ACL CLI to work with external authorizers
> -----------------------------------------------------
>
> Key: HDDS-4089
> URL: https://issues.apache.org/jira/browse/HDDS-4089
> Project: Apache Ozone
> Issue Type: Improvement
> Reporter: Xiaoyu Yao
> Assignee: Xiaoyu Yao
> Priority: Major
>
> Currently ozone ACL client only works with native authorizer. This ticket is
> opened to allow interop with external authorizers such as Ranger Ozone
> plugin.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)