Posted to commits@ozone.apache.org by si...@apache.org on 2022/05/13 18:12:05 UTC
[ozone] branch HDDS-4944 updated: HDDS-6625. [Multi-Tenant] Follow-up: Set owner of buckets created via S3 Gateway to actual user (#3327)
This is an automated email from the ASF dual-hosted git repository.
siyao pushed a commit to branch HDDS-4944
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/HDDS-4944 by this push:
new 42d30d37f1 HDDS-6625. [Multi-Tenant] Follow-up: Set owner of buckets created via S3 Gateway to actual user (#3327)
42d30d37f1 is described below
commit 42d30d37f16c4a91becbb5467caa144579aa0bcc
Author: Siyao Meng <50...@users.noreply.github.com>
AuthorDate: Fri May 13 11:11:59 2022 -0700
HDDS-6625. [Multi-Tenant] Follow-up: Set owner of buckets created via S3 Gateway to actual user (#3327)
---
.../apache/hadoop/ozone/client/rpc/RpcClient.java | 4 +--
.../smoketest/security/ozone-secure-tenant.robot | 4 +++
.../org/apache/hadoop/ozone/om/OzoneManager.java | 42 ++++++++++++++--------
3 files changed, 34 insertions(+), 16 deletions(-)
diff --git a/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java b/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java
index 4d39f469b1..3077bc73c1 100644
--- a/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java
+++ b/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java
@@ -554,8 +554,8 @@ public class RpcClient implements ClientProtocol {
// If S3 auth exists, set owner name to the short user name derived from the
// accessId. Similar to RpcClient#getDEK
if (getThreadLocalS3Auth() != null) {
- UserGroupInformation s3gUGI = UserGroupInformation.createRemoteUser(
- getThreadLocalS3Auth().getAccessID());
+ final UserGroupInformation s3gUGI = UserGroupInformation.createRemoteUser(
+ getThreadLocalS3Auth().getUserPrincipal());
owner = s3gUGI.getShortUserName();
} else {
owner = bucketArgs.getOwner() == null ?
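Review bot: The comment two lines above the change is now stale — it still says the owner is "derived from the accessId", while the new `+` lines derive it from `getUserPrincipal()`; suggest `// If S3 auth exists, set owner name to the short user name derived from the` / `// user principal carried in the S3 auth (not the accessId, which for tenant` / `// users is of the form 'tenant$user'). Similar to RpcClient#getDEK`. The `!= null` guard only establishes that S3 auth is present, not that its user-principal field is populated; if an S3Authentication can reach this point without one (an older gateway build, for instance), Hadoop's `UserGroupInformation.createRemoteUser` rejects a null or empty name with an IllegalArgumentException, so either a fallback to the accessId or an explicit comment stating that the principal is always set belongs here — worth confirming where it is populated. Note also that this owner is computed on the gateway side from auth data the gateway itself attached, so the OM is implicitly trusting the S3G for the recorded owner; a one-line comment naming that trust assumption would help the next reader. The enclosing method starts before and ends after this hunk.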
diff --git a/hadoop-ozone/dist/src/main/smoketest/security/ozone-secure-tenant.robot b/hadoop-ozone/dist/src/main/smoketest/security/ozone-secure-tenant.robot
index 507be54d6a..2e59c8c260 100644
--- a/hadoop-ozone/dist/src/main/smoketest/security/ozone-secure-tenant.robot
+++ b/hadoop-ozone/dist/src/main/smoketest/security/ozone-secure-tenant.robot
@@ -64,6 +64,10 @@ Secure Tenant Create Bucket 1 Success via S3 API
${output} = Execute aws s3api --endpoint-url ${S3G_ENDPOINT_URL} list-buckets
Should contain ${output} bucket-test1
+Secure Tenant Verify Bucket 1 Owner
+ ${result} = Execute ozone sh bucket info /tenantone/bucket-test1 | jq -r '.owner'
+ Should Be Equal ${result} testuser
+
Secure Tenant SetSecret Success with Cluster Admin
${output} = Execute ozone tenant user setsecret 'tenantone$testuser' --secret=somesecret1 --export
Should contain ${output} export AWS_SECRET_ACCESS_KEY='somesecret1'
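Review bot: The new `Secure Tenant Verify Bucket 1 Owner` case pins the owner only for the tenant path (`tenantone$testuser` resolving to `testuser`), while the OzoneManager change in this same commit also introduces a separate non-tenant branch (an accessId with no tenant mapping, resolved through createRemoteUser(accessId).getShortUserName()), and nothing here checks that a bucket created with a plain `ozone s3 getsecret` key also ends up owned by the expected short name. A sibling case asserting `jq -r '.owner'` on a bucket created in the default S3 volume would cover that branch. The expected value `testuser` also presumes the test cluster's auth_to_local rules strip realm and instance from the principal, which is fine for the smoketest but deserves a one-line comment so a later rule change is recognised as the cause of a failure.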
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
index 445218f530..47a2282d87 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
@@ -3117,14 +3117,39 @@ public final class OzoneManager extends ServiceRuntimeInfoImpl
// to the default S3 volume.
String s3Volume = HddsClientUtils.getDefaultS3VolumeName(configuration);
S3Authentication s3Auth = getS3Auth();
- String userPrincipal = Server.getRemoteUser().getShortUserName();
+ final String userPrincipal;
- if (s3Auth != null) {
+ if (s3Auth == null) {
+ // This is the default user principal if request does not have S3Auth set
+ userPrincipal = Server.getRemoteUser().getShortUserName();
+
+ if (LOG.isDebugEnabled()) {
+ // An old S3 gateway talking to a new OM may not attach the auth info.
+ // This old version of s3g will also not have a client that supports
+ // multi-tenancy, so we can direct requests to the default S3 volume.
+ LOG.debug("S3 authentication was not attached to the OM request. " +
+ "Directing requests to the default S3 volume {}.",
+ s3Volume);
+ }
+ } else {
String accessId = s3Auth.getAccessId();
Optional<String> optionalTenantId =
multiTenantManager.getTenantForAccessID(accessId);
- if (optionalTenantId.isPresent()) {
+ if (!optionalTenantId.isPresent()) {
+ final UserGroupInformation s3gUGI =
+ UserGroupInformation.createRemoteUser(accessId);
+ // When the accessId belongs to the default s3v (i.e. when the accessId
+ // key pair is generated using the regular `ozone s3 getsecret`), the
+ // user principal returned here should simply be the accessId's short
+ // user name (processed by the auth_to_local rule)
+ userPrincipal = s3gUGI.getShortUserName();
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("No tenant found for access ID {}. Directing "
+ + "requests to default s3 volume {}.", accessId, s3Volume);
+ }
+ } else {
final String tenantId = optionalTenantId.get();
OmDBTenantState tenantState =
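Review bot: The comment in the `!optionalTenantId.isPresent()` branch says the accessId "belongs to the default s3v", but the condition only establishes that no tenant is mapped to it — an accessId unknown to OM altogether takes the same path, and the resulting `userPrincipal` is then whatever string the request carried, run through auth_to_local. That is only safe if the S3 signature for this accessId has already been verified before `getS3Auth()` is consulted here, which this hunk cannot show; suggest making the precondition explicit, e.g. `// Precondition: s3Auth has already been signature-verified upstream, so an` / `// accessId with no tenant mapping is a default-s3v key, not an arbitrary string.`. `userPrincipal` is declared `final` without an initializer, so the remaining `else` branch, which continues past the end of this hunk, has to assign it on every path; the hunk does not show that assignment. The enclosing method starts before and ends after this hunk.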
@@ -3158,18 +3183,7 @@ public final class OzoneManager extends ServiceRuntimeInfoImpl
VOLUME_LOCK, s3Volume);
}
}
-
- } else if (LOG.isDebugEnabled()) {
- LOG.debug("No tenant found for access ID {}. Directing " +
- "requests to default s3 volume {}.", accessId, s3Volume);
}
- } else if (LOG.isDebugEnabled()) {
- // An old S3 gateway talking to a new OM may not attach the auth info.
- // This old version of s3g will also not have a client that supports
- // multi-tenancy, so we can direct requests to the default S3 volume.
- LOG.debug("S3 authentication was not attached to the OM request. " +
- "Directing requests to the default S3 volume {}.",
- s3Volume);
}
// getVolumeInfo() performs acl checks and checks volume existence.