Posted to issues@ozone.apache.org by GitBox <gi...@apache.org> on 2021/11/05 02:15:22 UTC

[GitHub] [ozone] errose28 opened a new pull request #2805: HDDS-5942. Move Ranger REST API interactions under same interface as Ranger client.

errose28 opened a new pull request #2805:
URL: https://github.com/apache/ozone/pull/2805


   ## What changes were proposed in this pull request?
   
   Since more work is required before the Ranger client meets our use case, this PR defines a common interface for Ranger interaction that will be implemented by both the Ranger REST API and Ranger client when it is ready. This PR defines the interface and moves the REST API implementation under it. The REST API implementation will be used for testing but is not intended to be used in the final version of the multi-tenancy feature.
   
   The existing REST implementation and interface have been left for compatibility until requests are moved to use this new interface. The interface has been greatly simplified compared to the original, since we now have a much better idea of the operations we need from Ranger. To simplify testing and implementation, this interface aims to implement only the features we need for multi-tenancy, but be extensible if more Ranger features are required in the future.
   
   ## What is the link to the Apache JIRA
   
   HDDS-5942
   
   ## How was this patch tested?
   
   Tested manually against a real Ranger instance.
   
   ## Example Usage
   
   ```java
   OzoneConfiguration conf = new OzoneConfiguration();
   conf.set(OZONE_RANGER_HTTPS_ADDRESS_KEY, "https://ranger:6182");
   // These configs will be removed when the Ranger client implementation is ready.
   conf.set(OZONE_OM_RANGER_HTTPS_ADMIN_API_USER, "user");
   conf.set(OZONE_OM_RANGER_HTTPS_ADMIN_API_PASSWD, "password");
   conf.set(OZONE_OM_RANGER_SERVICE, "ozone");
   
   MultiTenantAccessController controller = new RangerRestMultiTenantAccessController(conf);
   Role role = new Role("role1");
   role.addUser(new BasicUserPrincipal("user1"));
   role.setDescription("role1 description");
   // Creates the role in Ranger.
   long roleID = controller.createRole(role);
   
   // Modifies the users in an existing role.
   controller.addUsersToRole(roleID, new BasicUserPrincipal("user2"), new BasicUserPrincipal("user3"));
   controller.removeUsersFromRole(roleID, new BasicUserPrincipal("user2"));
   
   // For Ozone, a valid policy must specify at least one volume.
   Policy policy1 = new Policy("policy1", "volume1");
   policy1.addVolume("volume2");
   policy1.addBuckets("bucket1", "bucket2");
   policy1.addKey("*");
   policy1.setDescription("policy1 description");
   // Adds ACL to the role created above.
   policy1.addRoleAcls("role1", Acl.allow(IAccessAuthorizer.ACLType.READ_ACL));
   // Creates a new role with this ACL when this policy is created.
   policy1.addRoleAcls("role2", Acl.deny(IAccessAuthorizer.ACLType.DELETE));
   // Creates the policy in Ranger.
   controller.createPolicy(policy1);
   // Disables the policy in Ranger.
   controller.disablePolicy(policy1);
   ```
   
   ## Known Issues
   
   Creating a deny ACL (`"isAllowed": false` in the JSON) as part of policy creation causes a 400 error from Ranger. Not sure if this is an issue with the request or a Ranger bug, since setting the value to `true` does not cause an issue. If deny ACLs are needed for multi-tenancy testing we can investigate further.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org


[GitHub] [ozone] errose28 commented on pull request #2805: HDDS-5942. Move Ranger REST API interactions under same interface as Ranger client.

Posted by GitBox <gi...@apache.org>.
errose28 commented on pull request #2805:
URL: https://github.com/apache/ozone/pull/2805#issuecomment-969416142


   @ppodge I've made some updates to the interface, PTAL!




[GitHub] [ozone] prashantpogde commented on pull request #2805: HDDS-5942. Move Ranger REST API interactions under same interface as Ranger client.

Posted by GitBox <gi...@apache.org>.
prashantpogde commented on pull request #2805:
URL: https://github.com/apache/ozone/pull/2805#issuecomment-973138713


   @errose28 Updated changes look good to me.




[GitHub] [ozone] errose28 merged pull request #2805: HDDS-5942. Move Ranger REST API interactions under same interface as Ranger client.

Posted by GitBox <gi...@apache.org>.
errose28 merged pull request #2805:
URL: https://github.com/apache/ozone/pull/2805


   




[GitHub] [ozone] errose28 commented on pull request #2805: HDDS-5942. Move Ranger REST API interactions under same interface as Ranger client.

Posted by GitBox <gi...@apache.org>.
errose28 commented on pull request #2805:
URL: https://github.com/apache/ozone/pull/2805#issuecomment-981849139


   Thanks for the review @prashantpogde, merging this to our feature branch.




[GitHub] [ozone] errose28 edited a comment on pull request #2805: HDDS-5942. Move Ranger REST API interactions under same interface as Ranger client.

Posted by GitBox <gi...@apache.org>.
errose28 edited a comment on pull request #2805:
URL: https://github.com/apache/ozone/pull/2805#issuecomment-969416142


   @prashantpogde I've made some updates to the interface, PTAL!

