smengcl commented on PR #4188: URL: https://github.com/apache/ozone/pull/4188#issuecomment-1959002351
@xichen01

> > > @smengcl @errose28 Is it sufficient for S3 to use the AWS `Access ID` directly as the `Owner` of the Object (one-to-one `Access ID` and `Owner` of the Object)?
> >
> > @xichen01 Uh, preferably not. `accessId` should be mapped to a user name (similar idea to `ugi.getShortUserName()`) before it can be used in the `owner` field:
> > https://github.com/apache/ozone/blob/cce2f969a85323441c476aaeaf27d45b081b0c2f/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java#L417-L420
>
> @smengcl Thanks for your suggestion. How do we map the `accessId` to a `user name`? Are you saying we should use `Displayname` as the `owner` of the Ozone key? The AWS S3 Owner is the `ID` and `Displayname`, while the Ozone Owner is simply a string.
>
> ```java
> public class S3Owner {
>
>   public static final S3Owner
>       NOT_SUPPORTED_OWNER = new S3Owner("NOT-SUPPORTED", "Not Supported");
>
>   @XmlElement(name = "DisplayName")
>   private String displayName;
>
>   @XmlElement(name = "ID")
>   private String id;
>
> }
> ```

We can add a helper method to do the conversion. For the `accessId -> user name` conversion there are two cases to be considered:

1. When the accessId is generated with [`ozone s3 getsecret`](https://ozone.apache.org/docs/1.3.0/interface/s3.html#security) (not managed under an Ozone tenant), the accessId **is** the Kerberos principal, e.g. `testuser/[email protected]`. The conversion can be done with `ugi.getShortUserName()` (it automatically applies the conversion rules specified in `hadoop.security.auth_to_local`), where `ugi` can be created from a `String` like this: https://github.com/apache/ozone/blob/2ae531b0f6a069db5a46bd486bb50225a168485d/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/HttpServer2.java#L1502-L1503
2. When the accessId is generated with [`ozone tenant user assign`](https://ozone.apache.org/docs/1.3.0/feature/s3-tenant-commands.html#assign-a-user-to-a-tenant) (managed by an Ozone tenant), the accessId to username mapping is stored in the [`tenantAccessIdTable`](https://github.com/apache/ozone/blob/2f2234c7b61714404399ada8f31b3fb4772b613a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmMetadataManagerImpl.java#L166) table. So the conversion can be done by first getting the `OmDBAccessIdInfo` associated with the `accessId`, then getting its `userPrincipal`, which should already be the (short) user name we need for the owner field: https://github.com/apache/ozone/blob/6d7ba130cf5a660780aceb773bb17d738df33905/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmDBAccessIdInfo.java#L47-L50
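The two-case helper sketched above, written out as an added illustration; this is not code from the PR or from the Ozone project. It assumes the Hadoop `UserGroupInformation.createRemoteUser(String)` / `getShortUserName()` pair referenced in the comment, and the accessor names `OMMetadataManager.getTenantAccessIdTable()` (returning a `Table<String, OmDBAccessIdInfo>`) and `OmDBAccessIdInfo.getUserPrincipal()` as they appear in the linked sources; the class name, the lookup order (tenant table first, Kerberos principal as the fallback) and the empty-input check are choices made here. Because the resulting string becomes the key's `owner` and therefore feeds authorization, the `accessId` passed in should be the one established by S3 signature verification, never a value read from the request itself.

```java
import java.io.IOException;

import org.apache.hadoop.ozone.om.OMMetadataManager;
import org.apache.hadoop.ozone.om.helpers.OmDBAccessIdInfo;
import org.apache.hadoop.security.UserGroupInformation;

/**
 * Illustrative helper (not part of the PR): maps an S3 accessId to the
 * short user name that goes into the Ozone key's owner field.
 */
public final class AccessIdOwnerMapper {

  private final OMMetadataManager omMetadataManager;

  public AccessIdOwnerMapper(OMMetadataManager omMetadataManager) {
    this.omMetadataManager = omMetadataManager;
  }

  /**
   * Returns the short user name for an authenticated accessId.
   *
   * The tenant table is consulted first because it is the authoritative
   * record for tenant-managed accessIds (case 2). Only when no entry exists
   * is the accessId treated as a Kerberos principal (case 1).
   */
  public String toOwner(String accessId) throws IOException {
    if (accessId == null || accessId.isEmpty()) {
      throw new IllegalArgumentException("accessId must not be empty");
    }

    // Case 2: accessId created by `ozone tenant user assign`.
    // Accessor names assumed from the linked OmMetadataManagerImpl /
    // OmDBAccessIdInfo sources.
    OmDBAccessIdInfo info =
        omMetadataManager.getTenantAccessIdTable().get(accessId);
    if (info != null) {
      // userPrincipal is stored as the (short) user name already.
      return info.getUserPrincipal();
    }

    // Case 1: accessId created by `ozone s3 getsecret` is the Kerberos
    // principal itself. createRemoteUser() builds a UGI from the string and
    // getShortUserName() applies the hadoop.security.auth_to_local rules,
    // so "testuser/host@REALM"-style principals collapse to "testuser".
    return UserGroupInformation.createRemoteUser(accessId).getShortUserName();
  }
}
```

A caller in the S3 gateway or OM request path would invoke `toOwner(authenticatedAccessId)` once per request and pass the result wherever the `owner` string is set today, so both generation paths end up with the same short-name convention in the owner field.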
