Posted to commits@ozone.apache.org by si...@apache.org on 2022/03/07 19:18:25 UTC
[ozone] branch HDDS-4944 updated: HDDS-6063. [Multi-Tenant] Use VOLUME_LOCK in read and write requests, and some minor refactoring (#3051)
This is an automated email from the ASF dual-hosted git repository.
siyao pushed a commit to branch HDDS-4944
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/HDDS-4944 by this push:
new 5231830 HDDS-6063. [Multi-Tenant] Use VOLUME_LOCK in read and write requests, and some minor refactoring (#3051)
5231830 is described below
commit 52318302a60c4697fd98b3878aa35786e403a15b
Author: Siyao Meng <50...@users.noreply.github.com>
AuthorDate: Mon Mar 7 11:16:05 2022 -0800
HDDS-6063. [Multi-Tenant] Use VOLUME_LOCK in read and write requests, and some minor refactoring (#3051)
---
.../java/org/apache/hadoop/ozone/OzoneConsts.java | 6 +-
.../ozone/client/protocol/ClientProtocol.java | 2 +-
.../org/apache/hadoop/ozone/om/OMConfigKeys.java | 3 +
.../hadoop/ozone/om/exceptions/OMException.java | 11 +--
.../hadoop/ozone/om/helpers/OmDBTenantInfo.java | 31 ++++++-
.../hadoop/ozone/om/helpers/TenantUserList.java | 2 +-
...{DefaultOzoneS3Tenant.java => OzoneTenant.java} | 6 +-
.../om/multitenant/OzoneTenantRolePrincipal.java | 2 +-
.../ozone/om/protocol/OzoneManagerProtocol.java | 14 +--
...OzoneManagerProtocolClientSideTranslatorPB.java | 22 ++---
.../hadoop/ozone/TestSecureOzoneCluster.java | 2 +-
.../om/multitenant/TestMultiTenantVolume.java | 24 ++---
.../hadoop/ozone/shell/TestOzoneTenantShell.java | 14 ++-
.../src/main/proto/OmClientProtocol.proto | 60 ++++++------
.../org/apache/hadoop/ozone/om/KeyManagerImpl.java | 2 +-
.../hadoop/ozone/om/OMMultiTenantManager.java | 25 +++--
.../hadoop/ozone/om/OMMultiTenantManagerImpl.java | 55 ++++++-----
.../org/apache/hadoop/ozone/om/OzoneManager.java | 103 +++++++++++++++------
.../om/ratis/utils/OzoneManagerRatisUtils.java | 4 +-
.../om/request/s3/security/OMSetSecretRequest.java | 6 +-
.../om/request/s3/security/S3GetSecretRequest.java | 4 +-
.../s3/tenant/OMTenantAssignAdminRequest.java | 41 ++++----
...java => OMTenantAssignUserAccessIdRequest.java} | 89 ++++++++----------
.../request/s3/tenant/OMTenantCreateRequest.java | 19 ++--
.../request/s3/tenant/OMTenantDeleteRequest.java | 4 +-
.../request/s3/tenant/OMTenantRequestHelper.java | 35 ++++---
.../s3/tenant/OMTenantRevokeAdminRequest.java | 37 ++++----
.../tenant/OMTenantRevokeUserAccessIdRequest.java | 61 ++++++------
.../protocolPB/OzoneManagerRequestHandler.java | 15 +--
.../ozone/om/TestOMMultiTenantManagerImpl.java | 2 +-
.../s3/security/TestS3GetSecretRequest.java | 32 +++----
.../ozone/shell/tenant/GetUserInfoHandler.java | 4 +-
.../shell/tenant/TenantAssignAdminHandler.java | 4 +-
.../tenant/TenantAssignUserAccessIdHandler.java | 6 +-
.../shell/tenant/TenantBucketLinkHandler.java | 2 +
.../ozone/shell/tenant/TenantCreateHandler.java | 6 +-
.../ozone/shell/tenant/TenantDeleteHandler.java | 2 +
.../ozone/shell/tenant/TenantGetSecretHandler.java | 4 +-
.../hadoop/ozone/shell/tenant/TenantHandler.java | 2 +
.../ozone/shell/tenant/TenantListHandler.java | 19 ++--
.../ozone/shell/tenant/TenantListUsersHandler.java | 4 +-
.../ozone/shell/tenant/TenantModifyHandler.java | 35 -------
.../shell/tenant/TenantRevokeAdminHandler.java | 4 +-
.../tenant/TenantRevokeUserAccessIdHandler.java | 2 +
.../ozone/shell/tenant/TenantSetSecretHandler.java | 4 +-
.../hadoop/ozone/shell/tenant/TenantShell.java | 1 -
46 files changed, 445 insertions(+), 387 deletions(-)
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConsts.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConsts.java
index 33173c5..40f29b0 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConsts.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConsts.java
@@ -340,8 +340,8 @@ public final class OzoneConsts {
public static final String USER_PREFIX = "userPrefix";
// For multi-tenancy
- public static final String TENANT_NAME_USER_NAME_DELIMITER = "$";
- public static final String TENANT_NAME_ROLE_DELIMITER = "-";
+ public static final String TENANT_ID_USERNAME_DELIMITER = "$";
+ public static final String TENANT_ID_ROLE_DELIMITER = "-";
public static final String DEFAULT_TENANT_USER_POLICY_SUFFIX = "-users";
public static final String DEFAULT_TENANT_BUCKET_POLICY_SUFFIX = "-buckets";
public static final String DEFAULT_TENANT_POLICY_ID_SUFFIX = "-default";
@@ -484,7 +484,7 @@ public final class OzoneConsts {
public static final String OZONE_OM_RANGER_ADMIN_GET_ROLE_HTTP_ENDPOINT =
"/service/roles/roles/name/";
- // TODO: Change to delete role endpoint
+ // TODO: Use delete role endpoint
public static final String OZONE_OM_RANGER_ADMIN_DELETE_GROUP_HTTP_ENDPOINT =
"/service/xusers/secure/groups/id/";
diff --git a/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/protocol/ClientProtocol.java b/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/protocol/ClientProtocol.java
index bae3de7..9ab58e4 100644
--- a/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/protocol/ClientProtocol.java
+++ b/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/protocol/ClientProtocol.java
@@ -558,7 +558,7 @@ public interface ClientProtocol {
* Returns S3 Secret given kerberos user.
* Will generate a secret access key for the accessId (=kerberosID)
* if it doesn't exist.
- * @param kerberosID
+ * @param kerberosID Access ID
* @return S3SecretValue
* @throws IOException
*/
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/OMConfigKeys.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/OMConfigKeys.java
index 9c2e091..41f598d 100644
--- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/OMConfigKeys.java
+++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/OMConfigKeys.java
@@ -308,6 +308,9 @@ public final class OMConfigKeys {
OZONE_RANGER_OM_CONNECTION_REQUEST_TIMEOUT_DEFAULT = "5s";
public static final String OZONE_OM_RANGER_HTTPS_ADMIN_API_USER =
"ozone.om.ranger.https.admin.api.user";
+ // TODO: Note this should be removed once Ranger Java Client is in place.
+ // And Ranger SPNEGO auth (ranger.spnego.kerberos.principal ?) should be used
+ // instead. Or keep this solely for dev testing. See HDDS-5836.
public static final String OZONE_OM_RANGER_HTTPS_ADMIN_API_PASSWD =
"ozone.om.ranger.https.admin.api.passwd";
public static final String OZONE_RANGER_HTTPS_ADDRESS_KEY =
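Review bot: The new comment on OZONE_OM_RANGER_HTTPS_ADMIN_API_PASSWD says when the key should go away but not that its value is a credential, which is the property a reader of OMConfigKeys most needs to know before using it. I'd add a line next to the TODO such as `// Holds a secret: read it with Configuration.getPassword() (credential provider aware) rather than get(), and never log or echo it`. Whether the current consumer of this key already does that is outside this hunk; if it does not, the plaintext value in the site config is the part HDDS-5836 should retire first.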
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/exceptions/OMException.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/exceptions/OMException.java
index 0d164a9..f2838f5 100644
--- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/exceptions/OMException.java
+++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/exceptions/OMException.java
@@ -245,13 +245,12 @@ public class OMException extends IOException {
NOT_SUPPORTED_OPERATION_WHEN_PREPARED,
TENANT_NOT_FOUND,
- TENANT_ALREADY_EXISTS,
- INVALID_TENANT_NAME,
+ TENANT_ALREADY_EXISTS, INVALID_TENANT_ID,
- ACCESSID_NOT_FOUND,
- TENANT_USER_ACCESSID_ALREADY_EXISTS,
- INVALID_TENANT_USER_NAME,
- INVALID_ACCESSID,
+ ACCESS_ID_NOT_FOUND,
+ TENANT_USER_ACCESS_ID_ALREADY_EXISTS,
+ INVALID_TENANT_USERNAME,
+ INVALID_ACCESS_ID,
TENANT_AUTHORIZER_ERROR,
VOLUME_IS_REFERENCED,
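Review bot: `TENANT_ALREADY_EXISTS, INVALID_TENANT_ID,` puts two constants on one line, breaking the one-constant-per-line layout the rest of ResultCodes uses; I'd split it into `TENANT_ALREADY_EXISTS,` and `INVALID_TENANT_ID,`. The layout matters beyond style here: if ResultCodes is mapped onto the proto Status enum by ordinal, as it appears to be elsewhere in Ozone, the order of these constants must stay aligned with the @@ -408 hunk of OmClientProtocol.proto, and the hunk does preserve that order, but one constant per line is what makes such a review diff-checkable. The enclosing enum continues outside the hunk.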
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmDBTenantInfo.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmDBTenantInfo.java
index 7345863..3b82782 100644
--- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmDBTenantInfo.java
+++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmDBTenantInfo.java
@@ -20,10 +20,12 @@ package org.apache.hadoop.ozone.om.helpers;
import com.google.common.base.Preconditions;
import org.apache.hadoop.hdds.StringUtils;
+import java.util.Objects;
+
/**
* This class is used for storing Ozone tenant info.
*/
-public final class OmDBTenantInfo {
+public final class OmDBTenantInfo implements Comparable<OmDBTenantInfo> {
/**
* Name of the tenant.
*/
@@ -69,6 +71,33 @@ public final class OmDBTenantInfo {
bucketPolicyGroupName = tInfo[4];
}
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) {
+ return true;
+ }
+ if (o == null || getClass() != o.getClass()) {
+ return false;
+ }
+ OmDBTenantInfo that = (OmDBTenantInfo) o;
+ return Objects.equals(tenantId, that.tenantId)
+ && Objects.equals(bucketNamespaceName, that.bucketNamespaceName)
+ && Objects.equals(accountNamespaceName, that.accountNamespaceName)
+ && Objects.equals(userPolicyGroupName, that.userPolicyGroupName)
+ && Objects.equals(bucketPolicyGroupName, that.bucketPolicyGroupName);
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hash(tenantId, bucketNamespaceName, accountNamespaceName,
+ userPolicyGroupName, bucketPolicyGroupName);
+ }
+
+ @Override
+ public int compareTo(OmDBTenantInfo o) {
+ return this.getTenantId().compareTo(o.getTenantId());
+ }
+
public String getTenantId() {
return tenantId;
}
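Review bot: compareTo orders by tenantId alone while equals compares all five fields, so two instances can compare as 0 without being equals(); the Comparable contract recommends consistency with equals, and the gap would surface the moment an OmDBTenantInfo is put in a TreeSet or TreeMap. Either break ties on the remaining fields, e.g. `Comparator.comparing(OmDBTenantInfo::getTenantId).thenComparing(OmDBTenantInfo::getBucketNamespaceName)` continued over the other fields, or state the limitation above compareTo with `/** Orders by tenantId only; not consistent with equals(). */`. Note also that equals tolerates a null tenantId through Objects.equals but compareTo would throw NullPointerException on one; if the constructor guarantees non-null (the Preconditions import in the first hunk suggests a check, but the constructor body is outside this hunk), say so in the same Javadoc.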
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/TenantUserList.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/TenantUserList.java
index 62f6a77..58253ec 100644
--- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/TenantUserList.java
+++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/TenantUserList.java
@@ -49,7 +49,7 @@ public class TenantUserList {
}
public static TenantUserList fromProtobuf(TenantListUserResponse response) {
- return new TenantUserList(response.getTenantName(),
+ return new TenantUserList(response.getTenantId(),
response.getUserAccessIdInfoList());
}
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/multitenant/DefaultOzoneS3Tenant.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/multitenant/OzoneTenant.java
similarity index 94%
rename from hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/multitenant/DefaultOzoneS3Tenant.java
rename to hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/multitenant/OzoneTenant.java
index 48685f2..375e260 100644
--- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/multitenant/DefaultOzoneS3Tenant.java
+++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/multitenant/OzoneTenant.java
@@ -24,16 +24,16 @@ import org.apache.hadoop.ozone.om.multitenant.impl.AccountNameSpaceImpl;
import org.apache.hadoop.ozone.om.multitenant.impl.SingleVolumeTenantNamespace;
/**
- * Implements Tenant.
+ * In-memory tenant info. For DB state, see OmDBTenantInfo.
*/
-public class DefaultOzoneS3Tenant implements Tenant {
+public class OzoneTenant implements Tenant {
private final String tenantID;
private List<String> tenantRoleIds;
private List<AccessPolicy> accessPolicies;
private final AccountNameSpace accountNameSpace;
private final BucketNameSpace bucketNameSpace;
- public DefaultOzoneS3Tenant(String id) {
+ public OzoneTenant(String id) {
tenantID = id;
accessPolicies = new ArrayList<>();
tenantRoleIds = new ArrayList<>();
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/multitenant/OzoneTenantRolePrincipal.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/multitenant/OzoneTenantRolePrincipal.java
index 7f2e651..a3bc905 100644
--- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/multitenant/OzoneTenantRolePrincipal.java
+++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/multitenant/OzoneTenantRolePrincipal.java
@@ -51,6 +51,6 @@ public final class OzoneTenantRolePrincipal implements Principal {
@Override
public String getName() {
- return tenantID + OzoneConsts.TENANT_NAME_ROLE_DELIMITER + roleName;
+ return tenantID + OzoneConsts.TENANT_ID_ROLE_DELIMITER + roleName;
}
}
\ No newline at end of file
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocol/OzoneManagerProtocol.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocol/OzoneManagerProtocol.java
index f144d62..80c3ac9 100644
--- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocol/OzoneManagerProtocol.java
+++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocol/OzoneManagerProtocol.java
@@ -605,13 +605,13 @@ public interface OzoneManagerProtocol
/**
* Assign user to a tenant.
* @param username user name to be assigned.
- * @param tenantName tenant name.
+ * @param tenantId tenant name.
* @param accessId access ID.
* @return S3SecretValue
* @throws IOException
*/
default S3SecretValue tenantAssignUserAccessId(String username,
- String tenantName,
+ String tenantId,
String accessId)
throws IOException {
throw new UnsupportedOperationException("OzoneManager does not require " +
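Review bot: The renamed parameter is still described as `@param tenantId tenant name.`, so the Javadoc now contradicts the rename it is part of; the same stale wording appears in the @@ -633 and @@ -648 hunks of this file and in the @@ -171 hunk of OMMultiTenantManager.java, while the @@ -113 hunk of OMMultiTenantManager.java leaves `@param tenantId` and `@param accessId` with no description at all. I'd write `@param tenantId tenant ID.` throughout, or `tenant ID (also used as the tenant name)` if the two are the same string, which the `// Tenant name` comment added to CreateTenantRequest in the proto suggests but this hunk does not establish. Since these interface methods are default stubs that throw UnsupportedOperationException, the Javadoc is the only contract a client reads here. The method body continues outside the hunk.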
@@ -633,12 +633,12 @@ public interface OzoneManagerProtocol
/**
* Assign admin role to a user identified by an accessId in a tenant.
* @param accessId access ID.
- * @param tenantName tenant name.
+ * @param tenantId tenant name.
* @param delegated true if making delegated admin.
* @throws IOException
*/
default void tenantAssignAdmin(String accessId,
- String tenantName,
+ String tenantId,
boolean delegated)
throws IOException {
throw new UnsupportedOperationException("OzoneManager does not require " +
@@ -648,11 +648,11 @@ public interface OzoneManagerProtocol
/**
* Revoke admin role of an accessId in a tenant.
* @param accessId access ID.
- * @param tenantName tenant name.
+ * @param tenantId tenant name.
* @throws IOException
*/
default void tenantRevokeAdmin(String accessId,
- String tenantName) throws IOException {
+ String tenantId) throws IOException {
throw new UnsupportedOperationException("OzoneManager does not require " +
"this to be implemented, as write requests use a new approach");
}
@@ -666,7 +666,7 @@ public interface OzoneManagerProtocol
TenantUserInfoValue tenantGetUserInfo(String userPrincipal)
throws IOException;
- TenantUserList listUsersInTenant(String tenantName, String prefix)
+ TenantUserList listUsersInTenant(String tenantId, String prefix)
throws IOException;
/**
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocolPB/OzoneManagerProtocolClientSideTranslatorPB.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocolPB/OzoneManagerProtocolClientSideTranslatorPB.java
index a57bb39..ca23c82 100644
--- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocolPB/OzoneManagerProtocolClientSideTranslatorPB.java
+++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocolPB/OzoneManagerProtocolClientSideTranslatorPB.java
@@ -976,7 +976,7 @@ public final class OzoneManagerProtocolClientSideTranslatorPB
@Override
public void createTenant(OmTenantArgs omTenantArgs) throws IOException {
final CreateTenantRequest request = CreateTenantRequest.newBuilder()
- .setTenantName(omTenantArgs.getTenantId())
+ .setTenantId(omTenantArgs.getTenantId())
.setVolumeName(omTenantArgs.getVolumeName())
// TODO: Add more args like policy names later
.build();
@@ -1012,8 +1012,8 @@ public final class OzoneManagerProtocolClientSideTranslatorPB
final TenantAssignUserAccessIdRequest request =
TenantAssignUserAccessIdRequest.newBuilder()
- .setTenantUsername(username)
- .setTenantName(tenantId)
+ .setUserPrincipal(username)
+ .setTenantId(tenantId)
.setAccessId(accessId)
.build();
final OMRequest omRequest = createOMRequest(Type.TenantAssignUserAccessId)
@@ -1048,15 +1048,15 @@ public final class OzoneManagerProtocolClientSideTranslatorPB
* {@inheritDoc}
*/
@Override
- public void tenantAssignAdmin(String accessId, String tenantName,
+ public void tenantAssignAdmin(String accessId, String tenantId,
boolean delegated) throws IOException {
final TenantAssignAdminRequest.Builder requestBuilder =
TenantAssignAdminRequest.newBuilder()
.setAccessId(accessId)
.setDelegated(delegated);
- if (tenantName != null) {
- requestBuilder.setTenantName(tenantName);
+ if (tenantId != null) {
+ requestBuilder.setTenantId(tenantId);
}
final TenantAssignAdminRequest request = requestBuilder.build();
final OMRequest omRequest = createOMRequest(Type.TenantAssignAdmin)
@@ -1070,14 +1070,14 @@ public final class OzoneManagerProtocolClientSideTranslatorPB
* {@inheritDoc}
*/
@Override
- public void tenantRevokeAdmin(String accessId, String tenantName)
+ public void tenantRevokeAdmin(String accessId, String tenantId)
throws IOException {
final TenantRevokeAdminRequest.Builder requestBuilder =
TenantRevokeAdminRequest.newBuilder()
.setAccessId(accessId);
- if (tenantName != null) {
- requestBuilder.setTenantName(tenantName);
+ if (tenantId != null) {
+ requestBuilder.setTenantId(tenantId);
}
final TenantRevokeAdminRequest request = requestBuilder.build();
final OMRequest omRequest = createOMRequest(Type.TenantRevokeAdmin)
@@ -1109,10 +1109,10 @@ public final class OzoneManagerProtocolClientSideTranslatorPB
}
@Override
- public TenantUserList listUsersInTenant(String tenantName, String prefix)
+ public TenantUserList listUsersInTenant(String tenantId, String prefix)
throws IOException {
TenantListUserRequest.Builder builder =
- TenantListUserRequest.newBuilder().setTenantName(tenantName);
+ TenantListUserRequest.newBuilder().setTenantId(tenantId);
if (prefix != null) {
builder.setPrefix(prefix);
}
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
index 17195cd..d5a4432 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
@@ -645,7 +645,7 @@ public final class TestSecureOzoneCluster {
try {
omClient.setS3Secret(username, secretKeySet);
} catch (OMException omEx) {
- assertEquals(OMException.ResultCodes.ACCESSID_NOT_FOUND,
+ assertEquals(OMException.ResultCodes.ACCESS_ID_NOT_FOUND,
omEx.getResult());
}
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/multitenant/TestMultiTenantVolume.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/multitenant/TestMultiTenantVolume.java
index 14e8d2d..0a068c8 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/multitenant/TestMultiTenantVolume.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/multitenant/TestMultiTenantVolume.java
@@ -55,7 +55,7 @@ public class TestMultiTenantVolume {
private static MiniOzoneCluster cluster;
private static String s3VolumeName;
- private static final String TENANT_NAME = "tenant";
+ private static final String TENANT_ID = "tenant";
private static final String USER_PRINCIPAL = "username";
private static final String BUCKET_NAME = "bucket";
private static final String ACCESS_ID = UUID.randomUUID().toString();
@@ -96,21 +96,21 @@ public class TestMultiTenantVolume {
expectFailurePreFinalization(
store::listTenant);
expectFailurePreFinalization(() ->
- store.listUsersInTenant(TENANT_NAME, ""));
+ store.listUsersInTenant(TENANT_ID, ""));
expectFailurePreFinalization(() ->
store.tenantGetUserInfo(USER_PRINCIPAL));
expectFailurePreFinalization(() ->
- store.createTenant(TENANT_NAME));
+ store.createTenant(TENANT_ID));
expectFailurePreFinalization(() ->
- store.tenantAssignUserAccessId(USER_PRINCIPAL, TENANT_NAME, ACCESS_ID));
+ store.tenantAssignUserAccessId(USER_PRINCIPAL, TENANT_ID, ACCESS_ID));
expectFailurePreFinalization(() ->
- store.tenantAssignAdmin(USER_PRINCIPAL, TENANT_NAME, true));
+ store.tenantAssignAdmin(USER_PRINCIPAL, TENANT_ID, true));
expectFailurePreFinalization(() ->
- store.tenantRevokeAdmin(ACCESS_ID, TENANT_NAME));
+ store.tenantRevokeAdmin(ACCESS_ID, TENANT_ID));
expectFailurePreFinalization(() ->
store.tenantRevokeUserAccessId(ACCESS_ID));
expectFailurePreFinalization(() ->
- store.deleteTenant(TENANT_NAME));
+ store.deleteTenant(TENANT_ID));
// S3 get/set/revoke secret APIs still work before finalization
final String accessId = "testUser1accessId1";
@@ -179,16 +179,16 @@ public class TestMultiTenantVolume {
ObjectStore store = getStoreForAccessID(ACCESS_ID);
- store.createTenant(TENANT_NAME);
- store.tenantAssignUserAccessId(USER_PRINCIPAL, TENANT_NAME, ACCESS_ID);
+ store.createTenant(TENANT_ID);
+ store.tenantAssignUserAccessId(USER_PRINCIPAL, TENANT_ID, ACCESS_ID);
// S3 volume pointed to by the store should be for the tenant.
- Assert.assertEquals(TENANT_NAME, store.getS3Volume().getName());
+ Assert.assertEquals(TENANT_ID, store.getS3Volume().getName());
// Create bucket in the tenant volume.
store.createS3Bucket(BUCKET_NAME);
OzoneBucket bucket = store.getS3Bucket(BUCKET_NAME);
- Assert.assertEquals(TENANT_NAME, bucket.getVolumeName());
+ Assert.assertEquals(TENANT_ID, bucket.getVolumeName());
// A different user should not see bucket, since they will be directed to
// the s3 volume.
@@ -200,7 +200,7 @@ public class TestMultiTenantVolume {
assertS3BucketNotFound(store, BUCKET_NAME);
store.tenantRevokeUserAccessId(ACCESS_ID);
- store.deleteTenant(TENANT_NAME);
+ store.deleteTenant(TENANT_ID);
}
/**
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/shell/TestOzoneTenantShell.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/shell/TestOzoneTenantShell.java
index cfcd978..cbbbc27 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/shell/TestOzoneTenantShell.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/shell/TestOzoneTenantShell.java
@@ -30,7 +30,7 @@ import org.apache.hadoop.ozone.om.OMConfigKeys;
import org.apache.hadoop.ozone.om.OMMultiTenantManagerImpl;
import org.apache.hadoop.ozone.om.helpers.OmVolumeArgs;
import org.apache.hadoop.ozone.om.multitenant.MultiTenantAccessAuthorizerRangerPlugin;
-import org.apache.hadoop.ozone.om.request.s3.tenant.OMAssignUserToTenantRequest;
+import org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantAssignUserAccessIdRequest;
import org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantCreateRequest;
import org.apache.hadoop.ozone.shell.tenant.TenantShell;
import org.apache.hadoop.security.UserGroupInformation;
@@ -66,6 +66,9 @@ import static org.junit.Assert.fail;
/**
* Integration test for Ozone tenant shell command. HA enabled.
+ *
+ * TODO: HDDS-6338. Add a Kerberized version of this
+ * TODO: HDDS-6336. Add a mock Ranger server to test Ranger HTTP endpoint calls
*/
public class TestOzoneTenantShell {
@@ -185,9 +188,10 @@ public class TestOzoneTenantShell {
GenericTestUtils.setLogLevel(RetryInvocationHandler.LOG, Level.WARN);
// Enable debug logging for interested classes
GenericTestUtils.setLogLevel(OMTenantCreateRequest.LOG, Level.DEBUG);
- GenericTestUtils.setLogLevel(OMAssignUserToTenantRequest.LOG, Level.DEBUG);
- GenericTestUtils.setLogLevel(MultiTenantAccessAuthorizerRangerPlugin.LOG,
- Level.DEBUG);
+ GenericTestUtils.setLogLevel(
+ OMTenantAssignUserAccessIdRequest.LOG, Level.DEBUG);
+ GenericTestUtils.setLogLevel(
+ MultiTenantAccessAuthorizerRangerPlugin.LOG, Level.DEBUG);
}
@After
@@ -667,7 +671,7 @@ public class TestOzoneTenantShell {
executeHA(tenantShell, new String[] {
"user", "list", "--tenant=unknown"});
checkOutput(err, "Failed to Get Users in tenant 'unknown': " +
- "Tenant 'unknown' not found!\n", true);
+ "Tenant 'unknown' not found\n", true);
// Clean up
executeHA(tenantShell, new String[] {
diff --git a/hadoop-ozone/interface-client/src/main/proto/OmClientProtocol.proto b/hadoop-ozone/interface-client/src/main/proto/OmClientProtocol.proto
index 77c5376..fc57bf4 100644
--- a/hadoop-ozone/interface-client/src/main/proto/OmClientProtocol.proto
+++ b/hadoop-ozone/interface-client/src/main/proto/OmClientProtocol.proto
@@ -408,12 +408,12 @@ enum Status {
TENANT_NOT_FOUND = 75;
TENANT_ALREADY_EXISTS = 76;
- INVALID_TENANT_NAME = 77;
+ INVALID_TENANT_ID = 77;
- ACCESSID_NOT_FOUND = 78;
- TENANT_USER_ACCESSID_ALREADY_EXISTS = 79;
- INVALID_TENANT_USER_NAME = 80;
- INVALID_ACCESSID = 81;
+ ACCESS_ID_NOT_FOUND = 78;
+ TENANT_USER_ACCESS_ID_ALREADY_EXISTS = 79;
+ INVALID_TENANT_USERNAME = 80;
+ INVALID_ACCESS_ID = 81;
TENANT_AUTHORIZER_ERROR = 82;
VOLUME_IS_REFERENCED = 83;
@@ -1383,12 +1383,12 @@ message CancelDelegationTokenResponseProto {
}
message S3Secret {
- required string kerberosID = 1;
+ required string kerberosID = 1; // HDDS-6339: This really means accessId
required string awsSecret = 2;
}
message GetS3SecretRequest {
- required string kerberosID = 1;
+ required string kerberosID = 1; // HDDS-6339: This really means accessId
optional bool createIfNotExist = 2;
}
@@ -1407,7 +1407,7 @@ message SetS3SecretResponse {
}
message TenantInfo {
- optional string tenantName = 1;
+ optional string tenantId = 1;
optional string bucketNamespaceName = 2;
optional string accountNamespaceName = 3;
optional string userPolicyGroupName = 4;
@@ -1415,7 +1415,7 @@ message TenantInfo {
}
message TenantUserAccessId {
- optional string user = 1;
+ optional string userPrincipal = 1;
optional string accessId = 2;
optional bool isAdmin = 3;
optional bool isDelegatedAdmin = 4;
@@ -1427,8 +1427,7 @@ message ListTenantRequest {
}
message ListTenantResponse {
- optional bool success = 1; // TODO: Remove this field
- repeated TenantInfo tenantInfo = 2;
+ repeated TenantInfo tenantInfo = 1;
}
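Review bot: Removing `success = 1` and renumbering `tenantInfo` from 2 to 1 changes the field's wire tag, so an old client talking to a new server (or the reverse) will not find each other's tenantInfo; renaming a protobuf field is wire-compatible, renumbering it is not. The same renumbering is done in the @@ -1436 hunk (TenantGetUserInfoResponse and TenantListUserResponse) and the @@ -1518 hunk (TenantAssignUserAccessIdResponse). If these messages have never shipped outside the HDDS-4944 feature branch this is acceptable, but that assumption deserves a sentence in the commit message; otherwise keep the existing numbers and replace the dropped field with `reserved 1;` in each message so the tag cannot be silently reused.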
message TenantGetUserInfoRequest {
@@ -1436,19 +1435,17 @@ message TenantGetUserInfoRequest {
}
message TenantListUserRequest {
- optional string tenantName = 1;
+ optional string tenantId = 1;
optional string prefix = 2;
}
message TenantGetUserInfoResponse {
- optional bool success = 1; // TODO: Remove this field
- optional TenantUserInfo tenantUserInfo = 2;
+ optional TenantUserInfo tenantUserInfo = 1;
}
message TenantListUserResponse {
- optional bool success = 1; // TODO: Remove this field
- optional string tenantName = 2;
- repeated TenantUserAccessId userAccessIdInfo = 3;
+ optional string tenantId = 1;
+ repeated TenantUserAccessId userAccessIdInfo = 2;
}
message TenantUserInfo {
@@ -1458,7 +1455,7 @@ message TenantUserInfo {
message TenantAccessIdInfo {
optional string accessId = 1;
- optional string tenantName = 2;
+ optional string tenantId = 2;
optional bool isAdmin = 3;
optional bool isDelegatedAdmin = 4;
}
@@ -1469,11 +1466,11 @@ message LayoutVersion {
}
message RevokeS3SecretRequest {
- required string kerberosID = 1;
+ required string kerberosID = 1; // HDDS-6339: This really means accessId
}
message CreateTenantRequest {
- optional string tenantName = 1;
+ optional string tenantId = 1; // Tenant name
optional string tenantDefaultPolicyName = 2;
optional string volumeName = 3;
}
@@ -1483,25 +1480,25 @@ message DeleteTenantRequest {
}
message TenantAssignUserAccessIdRequest {
- optional string tenantUsername = 1;
- optional string tenantName = 2;
+ optional string userPrincipal = 1;
+ optional string tenantId = 2;
optional string accessId = 3;
}
message TenantRevokeUserAccessIdRequest {
optional string accessId = 1;
- optional string tenantName = 2;
+ optional string tenantId = 2;
}
message TenantAssignAdminRequest {
optional string accessId = 1;
- optional string tenantName = 2;
+ optional string tenantId = 2;
optional bool delegated = 3;
}
message TenantRevokeAdminRequest {
optional string accessId = 1;
- optional string tenantName = 2;
+ optional string tenantId = 2;
}
message GetS3VolumeContextRequest {
@@ -1509,7 +1506,7 @@ message GetS3VolumeContextRequest {
}
message CreateTenantResponse {
- optional bool success = 1; // TODO: Remove this field
+
}
message DeleteTenantResponse {
@@ -1518,20 +1515,19 @@ message DeleteTenantResponse {
}
message TenantAssignUserAccessIdResponse {
- optional bool success = 1; // TODO: Remove this field
- optional S3Secret s3Secret = 2;
+ optional S3Secret s3Secret = 1;
}
message TenantRevokeUserAccessIdResponse {
- optional bool success = 1; // TODO: Remove this field
+
}
message TenantAssignAdminResponse {
- optional bool success = 1; // TODO: Remove this field
+
}
message TenantRevokeAdminResponse {
- optional bool success = 1; // TODO: Remove this field
+
}
message OmDBAccessInfo {
@@ -1552,7 +1548,7 @@ message GetS3VolumeContextResponse {
OM's.
*/
message UpdateGetS3SecretRequest {
- required string kerberosID = 1;
+ required string kerberosID = 1; // HDDS-6339: This really means accessId
required string awsSecret = 2;
}
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/KeyManagerImpl.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/KeyManagerImpl.java
index 8c3f295..57fc25d 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/KeyManagerImpl.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/KeyManagerImpl.java
@@ -1508,7 +1508,7 @@ public class KeyManagerImpl implements KeyManager {
metadataManager.getLock().acquireReadLock(BUCKET_LOCK, volumeName,
bucketName);
- Table keyTable = metadataManager
+ Table<String, OmKeyInfo> keyTable = metadataManager
.getKeyTable(getBucketLayout(metadataManager, volName, buckName));
TableIterator<String, ? extends Table.KeyValue<String, OmKeyInfo>>
iterator;
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManager.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManager.java
index 558f9be..bdd8ab7 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManager.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManager.java
@@ -113,13 +113,13 @@ public interface OMMultiTenantManager {
/**
* Creates a new user that exists for S3 API access to Ozone.
* @param principal
- * @param tenantName
- * @param accessID
+ * @param tenantId
+ * @param accessId
* @return Unique UserID.
* @throws IOException if there is any error condition detected.
*/
- String assignUserToTenant(BasicUserPrincipal principal, String tenantName,
- String accessID) throws IOException;
+ String assignUserToTenant(BasicUserPrincipal principal, String tenantId,
+ String accessId) throws IOException;
/**
* Revoke user accessId.
@@ -136,8 +136,8 @@ public interface OMMultiTenantManager {
* request (current it runs in preExecute).
* TODO: Remove this if unneeded when Ranger thread patch lands.
*/
- void removeUserAccessIdFromCache(String accessID, String userPrincipal,
- String tenantName);
+ void removeUserAccessIdFromCache(String accessId, String userPrincipal,
+ String tenantId);
/**
* Given an accessId, return kerberos user name for the tenant user.
@@ -171,13 +171,22 @@ public interface OMMultiTenantManager {
/**
* Check if a user is a tenant Admin.
* @param user user name.
- * @param tenantName tenant name.
+ * @param tenantId tenant name.
* @return
*/
- boolean isTenantAdmin(String user, String tenantName);
+ boolean isTenantAdmin(String user, String tenantId);
+
+ /**
+ * Check if a tenant exists.
+ * @param tenantId tenant name.
+ * @return true if tenant exists, false otherwise.
+ * @throws IOException
+ */
+ boolean tenantExists(String tenantId) throws IOException;
/**
* List all the user & accessIDs of all users that belong to this Tenant.
+ * Note this read is unprotected. See OzoneManager#listUserInTenant
* @param tenantID
* @return List of users
*/
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java
index c9eeab4..fd2045e 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java
@@ -17,7 +17,7 @@
*/
package org.apache.hadoop.ozone.om;
-import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.INVALID_ACCESSID;
+import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.INVALID_ACCESS_ID;
import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.TENANT_AUTHORIZER_ERROR;
import static org.apache.hadoop.ozone.om.multitenant.AccessPolicy.AccessGrantType.ALLOW;
import static org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType.ALL;
@@ -55,7 +55,7 @@ import org.apache.hadoop.ozone.om.multitenant.AccessPolicy;
import org.apache.hadoop.ozone.om.multitenant.AccountNameSpace;
import org.apache.hadoop.ozone.om.multitenant.BucketNameSpace;
import org.apache.hadoop.ozone.om.multitenant.CachedTenantInfo;
-import org.apache.hadoop.ozone.om.multitenant.DefaultOzoneS3Tenant;
+import org.apache.hadoop.ozone.om.multitenant.OzoneTenant;
import org.apache.hadoop.ozone.om.multitenant.MultiTenantAccessAuthorizer;
import org.apache.hadoop.ozone.om.multitenant.MultiTenantAccessAuthorizerDummyPlugin;
import org.apache.hadoop.ozone.om.multitenant.MultiTenantAccessAuthorizerRangerPlugin;
@@ -163,7 +163,7 @@ public class OMMultiTenantManagerImpl implements OMMultiTenantManager {
public Tenant createTenantAccessInAuthorizer(String tenantID)
throws IOException {
- Tenant tenant = new DefaultOzoneS3Tenant(tenantID);
+ Tenant tenant = new OzoneTenant(tenantID);
try {
controlPathLock.writeLock().lock();
@@ -259,35 +259,35 @@ public class OMMultiTenantManagerImpl implements OMMultiTenantManager {
* these control path operations.
*
* @param principal
- * @param tenantName
- * @param accessID
+ * @param tenantId
+ * @param accessId
* @return Tenant, or null on error
* @throws IOException
*/
@Override
public String assignUserToTenant(BasicUserPrincipal principal,
- String tenantName,
- String accessID) throws IOException {
+ String tenantId,
+ String accessId) throws IOException {
ImmutablePair<String, String> userAccessIdPair =
- new ImmutablePair<>(principal.getName(), accessID);
+ new ImmutablePair<>(principal.getName(), accessId);
try {
controlPathLock.writeLock().lock();
LOG.info("Adding user '{}' to tenant '{}' in-memory state.",
- principal.getName(), tenantName);
+ principal.getName(), tenantId);
CachedTenantInfo cachedTenantInfo =
- tenantCache.getOrDefault(tenantName,
- new CachedTenantInfo(tenantName));
+ tenantCache.getOrDefault(tenantId,
+ new CachedTenantInfo(tenantId));
cachedTenantInfo.getTenantUsers().add(userAccessIdPair);
final OzoneTenantRolePrincipal roleTenantAllUsers =
- OzoneTenantRolePrincipal.getUserRole(tenantName);
+ OzoneTenantRolePrincipal.getUserRole(tenantId);
String roleJsonStr = authorizer.getRole(roleTenantAllUsers);
String roleId = authorizer.assignUser(principal, roleJsonStr, false);
return roleId;
} catch (Exception e) {
- revokeUserAccessId(accessID);
- tenantCache.get(tenantName).getTenantUsers().remove(userAccessIdPair);
+ revokeUserAccessId(accessId);
+ tenantCache.get(tenantId).getTenantUsers().remove(userAccessIdPair);
throw new OMException(e.getMessage(), TENANT_AUTHORIZER_ERROR);
} finally {
controlPathLock.writeLock().unlock();
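Review bot: `tenantCache.getOrDefault(tenantId, new CachedTenantInfo(tenantId))` never stores the default in `tenantCache`, so when the tenant is absent from the cache the user pair is added to a throwaway object, and the rollback `tenantCache.get(tenantId).getTenantUsers().remove(userAccessIdPair)` in the catch block then dereferences null and replaces the original failure with a NullPointerException. `tenantCache.computeIfAbsent(tenantId, CachedTenantInfo::new)` both registers the entry and makes the rollback safe. The catch also loses the cause: `throw new OMException(e.getMessage(), TENANT_AUTHORIZER_ERROR)` keeps only the message, and `revokeUserAccessId(accessId)` before it can itself throw and mask `e`; pass `e` as the cause if OMException offers such a constructor, and guard the revoke so its failure is logged rather than thrown. The method's tail is outside this hunk.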
@@ -301,14 +301,14 @@ public class OMMultiTenantManagerImpl implements OMMultiTenantManager {
OmDBAccessIdInfo omDBAccessIdInfo =
omMetadataManager.getTenantAccessIdTable().get(accessID);
if (omDBAccessIdInfo == null) {
- throw new OMException(INVALID_ACCESSID);
+ throw new OMException(INVALID_ACCESS_ID);
}
- String tenantName = omDBAccessIdInfo.getTenantId();
- if (tenantName == null) {
+ String tenantId = omDBAccessIdInfo.getTenantId();
+ if (tenantId == null) {
LOG.error("Tenant doesn't exist");
return;
}
- tenantCache.get(tenantName).getTenantUsers()
+ tenantCache.get(tenantId).getTenantUsers()
.remove(new ImmutablePair<>(omDBAccessIdInfo.getUserPrincipal(),
accessID));
// TODO: Determine how to replace this code.
@@ -323,11 +323,11 @@ public class OMMultiTenantManagerImpl implements OMMultiTenantManager {
/**
* {@inheritDoc}
*/
- public void removeUserAccessIdFromCache(String accessID, String userPrincipal,
- String tenantName) {
+ public void removeUserAccessIdFromCache(String accessId, String userPrincipal,
+ String tenantId) {
try {
- tenantCache.get(tenantName).getTenantUsers().remove(
- new ImmutablePair<>(userPrincipal, accessID));
+ tenantCache.get(tenantId).getTenantUsers().remove(
+ new ImmutablePair<>(userPrincipal, accessId));
} catch (NullPointerException e) {
// tenantCache is somehow empty. Ignore for now.
// But how?
@@ -374,11 +374,16 @@ public class OMMultiTenantManagerImpl implements OMMultiTenantManager {
}
@Override
- public boolean isTenantAdmin(String user, String tenantName) {
+ public boolean isTenantAdmin(String user, String tenantId) {
return true;
}
@Override
+ public boolean tenantExists(String tenantId) throws IOException {
+ return omMetadataManager.getTenantStateTable().isExist(tenantId);
+ }
+
+ @Override
public TenantUserList listUsersInTenant(String tenantID, String prefix)
throws IOException {
@@ -399,7 +404,7 @@ public class OMMultiTenantManagerImpl implements OMMultiTenantManager {
.forEach(
k -> userAccessIds.add(
TenantUserAccessId.newBuilder()
- .setUser(k.getKey())
+ .setUserPrincipal(k.getKey())
.setAccessId(k.getValue())
.build()));
return new TenantUserList(tenantID, userAccessIds);
@@ -431,7 +436,7 @@ public class OMMultiTenantManagerImpl implements OMMultiTenantManager {
Optional<String> optionalTenant = getTenantForAccessID(accessID);
if (!optionalTenant.isPresent()) {
throw new OMException("No tenant found for access ID " + accessID,
- INVALID_ACCESSID);
+ INVALID_ACCESS_ID);
}
final String tenantId = optionalTenant.get();
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
index 93c6dbc..cac903a 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
@@ -146,6 +146,7 @@ import org.apache.hadoop.hdds.utils.TransactionInfo;
import org.apache.hadoop.ozone.om.ratis.OzoneManagerRatisServer;
import org.apache.hadoop.ozone.om.ratis.utils.OzoneManagerRatisUtils;
import org.apache.hadoop.ozone.om.request.OMClientRequest;
+import org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantRequestHelper;
import org.apache.hadoop.ozone.om.snapshot.OzoneManagerSnapshotProvider;
import org.apache.hadoop.ozone.om.upgrade.OMLayoutVersionManager;
import org.apache.hadoop.ozone.om.upgrade.OMUpgradeFinalizer;
@@ -253,6 +254,7 @@ import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.DETE
import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.INVALID_AUTH_METHOD;
import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.INVALID_REQUEST;
import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.PERMISSION_DENIED;
+import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.TENANT_NOT_FOUND;
import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.TOKEN_ERROR_OTHER;
import static org.apache.hadoop.ozone.om.lock.OzoneManagerLock.Resource.BUCKET_LOCK;
import static org.apache.hadoop.ozone.om.lock.OzoneManagerLock.Resource.VOLUME_LOCK;
@@ -2962,19 +2964,28 @@ public final class OzoneManager extends ServiceRuntimeInfoImpl
throw omEx;
}
- final List<TenantInfo> tenantInfoList = new ArrayList<>();
+ final Table<String, OmDBTenantInfo> tenantStateTable =
+ metadataManager.getTenantStateTable();
+
+ // Won't iterate cache here, mainly because we can't acquire a read lock
+ // for cache iteration: no tenant is specified, hence no volume name to
+ // acquire VOLUME_LOCK on. There could be a few millis delay before entries
+ // are flushed to the table. This should be acceptable for a list tenant
+ // request.
- // TODO: Iterate cache first. See KeyManagerImpl#listStatus
+ final TableIterator<String, ? extends KeyValue<String, OmDBTenantInfo>>
+ iterator = tenantStateTable.iterator();
- TableIterator<String, ? extends KeyValue<String, OmDBTenantInfo>>
- iterator = metadataManager.getTenantStateTable().iterator();
+ final List<TenantInfo> tenantInfoList = new ArrayList<>();
+ // Iterate table
while (iterator.hasNext()) {
final Table.KeyValue<String, OmDBTenantInfo> dbEntry = iterator.next();
+ final String tenantId = dbEntry.getKey();
final OmDBTenantInfo omDBTenantInfo = dbEntry.getValue();
- assert (dbEntry.getKey().equals(omDBTenantInfo.getTenantId()));
+ assert (tenantId.equals(omDBTenantInfo.getTenantId()));
tenantInfoList.add(TenantInfo.newBuilder()
- .setTenantName(omDBTenantInfo.getTenantId())
+ .setTenantId(omDBTenantInfo.getTenantId())
.setBucketNamespaceName(omDBTenantInfo.getBucketNamespaceName())
.setAccountNamespaceName(omDBTenantInfo.getAccountNamespaceName())
.setUserPolicyGroupName(omDBTenantInfo.getUserPolicyGroupName())
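Review bot: The `TableIterator` obtained from `tenantStateTable.iterator()` is never closed; TableIterator is Closeable in hdds-utils as far as I recall, and the underlying RocksDB iterator holds native resources until it is. Wrapping it in try-with-resources — `try (TableIterator<String, ? extends KeyValue<String, OmDBTenantInfo>> iterator = tenantStateTable.iterator()) { ... }` — releases it on both the normal and the exception path. The `assert (tenantId.equals(omDBTenantInfo.getTenantId()))` is a no-op unless the JVM runs with -ea, so a key/value mismatch in the table would be listed silently in production; an explicit check that logs and skips the entry would be stronger. The enclosing method begins and ends outside this hunk.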
@@ -3000,7 +3011,11 @@ public final class OzoneManager extends ServiceRuntimeInfoImpl
final List<TenantAccessIdInfo> accessIdInfoList = new ArrayList<>();
- // Retrieve a list of accessIds associates to this user principal
+ // Won't iterate cache here for a similar reason as in OM#listTenant
+ // tenantGetUserInfo lists all accessIds assigned to a user across
+ // multiple tenants.
+
+ // Retrieve the list of accessIds associated to this user principal
final OmDBKerberosPrincipalInfo kerberosPrincipalInfo =
metadataManager.getPrincipalToAccessIdsTable().get(userPrincipal);
if (kerberosPrincipalInfo == null) {
@@ -3015,17 +3030,18 @@ public final class OzoneManager extends ServiceRuntimeInfoImpl
try {
final OmDBAccessIdInfo accessIdInfo =
metadataManager.getTenantAccessIdTable().get(accessId);
- // Sanity check
if (accessIdInfo == null) {
- LOG.error("Potential metadata error. Unexpected null accessIdInfo: "
- + "entry for accessId '{}' doesn't exist in TenantAccessIdTable",
- accessId);
- throw new NullPointerException("accessIdInfo is null");
+ // As we are not acquiring a lock, the accessId entry might have been
+ // removed from the TenantAccessIdTable already.
+ // Log a warning (shouldn't happen very often) and move on.
+ LOG.warn("Expected accessId '{}' not found in TenantAccessIdTable. "
+ + "Might have been removed already.", accessId);
+ return;
}
assert (accessIdInfo.getUserPrincipal().equals(userPrincipal));
accessIdInfoList.add(TenantAccessIdInfo.newBuilder()
.setAccessId(accessId)
- .setTenantName(accessIdInfo.getTenantId())
+ .setTenantId(accessIdInfo.getTenantId())
.setIsAdmin(accessIdInfo.getIsAdmin())
.setIsDelegatedAdmin(accessIdInfo.getIsDelegatedAdmin())
.build());
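Review bot: The `assert (accessIdInfo.getUserPrincipal().equals(userPrincipal))` directly after the new null check is disabled on production JVMs (no -ea), so an accessId whose TenantAccessIdTable entry names a different principal would be added to the response for `userPrincipal`. Since the commit already turns the null case into a logged skip, handling the mismatch the same way — a `LOG.warn` naming the accessId and both principals, followed by `return;` — keeps the response limited to the caller's own accessIds. Note that `return;` only "moves on" if this body runs inside a forEach lambda, which the hunk does not show; in a plain loop it would end the method early. The enclosing method begins and ends outside this hunk.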
@@ -3054,9 +3070,24 @@ public final class OzoneManager extends ServiceRuntimeInfoImpl
return null;
}
+ if (!multiTenantManager.tenantExists(tenantId)) {
+ // Throw exception to the client, which will handle this gracefully
+ throw new OMException("Tenant '" + tenantId + "' not found",
+ TENANT_NOT_FOUND);
+ }
+
+ final String volumeName = OMTenantRequestHelper.getTenantVolumeName(
+ getMetadataManager(), tenantId);
+ // TODO: Maybe use multiTenantManager.getTenantInfo(tenantId)
+ // .getTenantBucketNameSpace() after refactoring
+
final Map<String, String> auditMap = new LinkedHashMap<>();
auditMap.put(OzoneConsts.TENANT, tenantId);
+ auditMap.put(OzoneConsts.VOLUME, volumeName);
auditMap.put(OzoneConsts.USER_PREFIX, prefix);
+
+ boolean lockAcquired =
+ metadataManager.getLock().acquireReadLock(VOLUME_LOCK, volumeName);
try {
String userName = getRemoteUser().getUserName();
if (!multiTenantManager.isTenantAdmin(userName, tenantId)
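Review bot: The authorization on the last line of this hunk still relies on `multiTenantManager.isTenantAdmin(userName, tenantId)`, which the implementation in this same commit (OMMultiTenantManagerImpl, hunk @@ -374) unconditionally returns `true` from; if the condition continues with `&& !isAdmin(...)` as the "Only tenant and ozone admins" message suggests, the check never rejects anyone until that stub is implemented, and a `// TODO: isTenantAdmin is a stub returning true` next to it would make that visible. The new `tenantExists` check and `getTenantVolumeName` lookup run before the `try` and before `acquireReadLock`, so their failures are not audited as TENANT_LIST_USER failures, and a tenant removed between the check and the lock is still read. The existence check also precedes the admin check, so any authenticated caller can tell existing tenant names from non-existing ones by the TENANT_NOT_FOUND code; the other preExecute in this commit (OMTenantAssignUserAccessIdRequest) checks admin first. The enclosing method begins outside this hunk.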
@@ -3064,7 +3095,6 @@ public final class OzoneManager extends ServiceRuntimeInfoImpl
throw new IOException("Only tenant and ozone admins can access this " +
"API. '" + userName + "' is not an admin.");
}
-
final TenantUserList userList =
multiTenantManager.listUsersInTenant(tenantId, prefix);
AUDIT.logReadSuccess(buildAuditMessageForSuccess(
@@ -3074,6 +3104,10 @@ public final class OzoneManager extends ServiceRuntimeInfoImpl
AUDIT.logReadFailure(buildAuditMessageForFailure(
OMAction.TENANT_LIST_USER, auditMap, ex));
throw ex;
+ } finally {
+ if (lockAcquired) {
+ metadataManager.getLock().releaseReadLock(VOLUME_LOCK, volumeName);
+ }
}
}
@@ -3087,37 +3121,48 @@ public final class OzoneManager extends ServiceRuntimeInfoImpl
String userPrincipal = Server.getRemoteUser().getShortUserName();
if (s3Auth != null) {
- String accessID = s3Auth.getAccessId();
- // TODO HDDS-6063: Volume lock is needed here along with the other
- // multi-tenant read requests.
+ String accessId = s3Auth.getAccessId();
Optional<String> optionalTenantId =
- multiTenantManager.getTenantForAccessID(accessID);
+ multiTenantManager.getTenantForAccessID(accessId);
if (optionalTenantId.isPresent()) {
- String tenantId = optionalTenantId.get();
+ final String tenantId = optionalTenantId.get();
+
OmDBTenantInfo tenantInfo =
metadataManager.getTenantStateTable().get(tenantId);
if (tenantInfo != null) {
- s3Volume = metadataManager.getTenantStateTable().get(tenantId)
- .getBucketNamespaceName();
+ s3Volume = tenantInfo.getBucketNamespaceName();
} else {
- String message = "Expected to find a tenant for access ID " +
- accessID +
- " but no tenant was found. Possibly inconsistent OM DB!";
- LOG.error(message);
+ String message = "Unable to find tenant '" + tenantId
+ + "' details for access ID " + accessId
+ + ". The tenant might have been removed during this operation, "
+ + "or the OM DB is inconsistent";
+ LOG.warn(message);
throw new OMException(message, ResultCodes.TENANT_NOT_FOUND);
}
if (LOG.isDebugEnabled()) {
LOG.debug("Get S3 volume request for access ID {} belonging to " +
- "tenant {} is directed to the volume {}.", accessID, tenantId,
+ "tenant {} is directed to the volume {}.", accessId, tenantId,
s3Volume);
}
- // Inject user name to the response to be used for KMS on the client
- userPrincipal = OzoneAclUtils.accessIdToUserPrincipal(accessID);
+ boolean acquiredVolumeLock =
+ getMetadataManager().getLock().acquireReadLock(
+ VOLUME_LOCK, s3Volume);
+
+ try {
+ // Inject user name to the response to be used for KMS on the client
+ userPrincipal = OzoneAclUtils.accessIdToUserPrincipal(accessId);
+ } finally {
+ if (acquiredVolumeLock) {
+ getMetadataManager().getLock().releaseReadLock(
+ VOLUME_LOCK, s3Volume);
+ }
+ }
+
} else if (LOG.isDebugEnabled()) {
LOG.debug("No tenant found for access ID {}. Directing " +
- "requests to default s3 volume {}.", accessID, s3Volume);
+ "requests to default s3 volume {}.", accessId, s3Volume);
}
} else if (LOG.isDebugEnabled()) {
// An old S3 gateway talking to a new OM may not attach the auth info.
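Review bot: The new `VOLUME_LOCK` read lock only wraps `OzoneAclUtils.accessIdToUserPrincipal(accessId)`, which appears to be a pure string derivation, while the reads it should protect — `getTenantForAccessID(accessId)` and `getTenantStateTable().get(tenantId)` a few lines above — run before the lock is taken. As written the lock guards nothing, and the removal race that the reworded warning message describes is still open. Because `s3Volume` is itself the result of the unlocked lookup, the practical fix is to re-read the tenant entry under the lock once it is held (and fail with TENANT_NOT_FOUND if it is gone), or to document that this path is deliberately lock-free like listTenant and drop the lock. The enclosing method begins and ends outside this hunk.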
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/utils/OzoneManagerRatisUtils.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/utils/OzoneManagerRatisUtils.java
index de4c586..114a528 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/utils/OzoneManagerRatisUtils.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/utils/OzoneManagerRatisUtils.java
@@ -58,7 +58,7 @@ import org.apache.hadoop.ozone.om.request.key.acl.prefix.OMPrefixSetAclRequest;
import org.apache.hadoop.ozone.om.request.s3.security.OMSetSecretRequest;
import org.apache.hadoop.ozone.om.request.s3.security.S3GetSecretRequest;
import org.apache.hadoop.ozone.om.request.s3.security.S3RevokeSecretRequest;
-import org.apache.hadoop.ozone.om.request.s3.tenant.OMAssignUserToTenantRequest;
+import org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantAssignUserAccessIdRequest;
import org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantAssignAdminRequest;
import org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantCreateRequest;
import org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantDeleteRequest;
@@ -185,7 +185,7 @@ public final class OzoneManagerRatisUtils {
case DeleteTenant:
return new OMTenantDeleteRequest(omRequest);
case TenantAssignUserAccessId:
- return new OMAssignUserToTenantRequest(omRequest);
+ return new OMTenantAssignUserAccessIdRequest(omRequest);
case TenantRevokeUserAccessId:
return new OMTenantRevokeUserAccessIdRequest(omRequest);
case TenantAssignAdmin:
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/OMSetSecretRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/OMSetSecretRequest.java
index 9c8ddb7..64f575e 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/OMSetSecretRequest.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/OMSetSecretRequest.java
@@ -77,7 +77,7 @@ public class OMSetSecretRequest extends OMClientRequest {
// Check (old) S3SecretTable
if (omMetadataManager.getS3SecretTable().get(accessId) == null) {
throw new OMException("accessId '" + accessId + "' not found.",
- OMException.ResultCodes.ACCESSID_NOT_FOUND);
+ OMException.ResultCodes.ACCESS_ID_NOT_FOUND);
}
}
@@ -157,9 +157,9 @@ public class OMSetSecretRequest extends OMClientRequest {
new CacheValue<>(Optional.of(newS3SecretValue),
transactionLogIndex));
} else {
- // If S3SecretTable is not updated, throw ACCESSID_NOT_FOUND exception.
+ // If S3SecretTable is not updated, throw ACCESS_ID_NOT_FOUND exception.
throw new OMException("accessId '" + accessId + "' not found.",
- OMException.ResultCodes.ACCESSID_NOT_FOUND);
+ OMException.ResultCodes.ACCESS_ID_NOT_FOUND);
}
// Compose response
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3GetSecretRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3GetSecretRequest.java
index 7eb0f38..ce5fe50 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3GetSecretRequest.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3GetSecretRequest.java
@@ -184,12 +184,12 @@ public class S3GetSecretRequest extends OMClientRequest {
assignS3SecretValue = null;
}
- // Throw ACCESSID_NOT_FOUND to the client if accessId doesn't exist
+ // Throw ACCESS_ID_NOT_FOUND to the client if accessId doesn't exist
// when createIfNotExist is false.
if (awsSecret == null) {
assert (!createIfNotExist);
throw new OMException("accessId '" + accessId + "' doesn't exist",
- OMException.ResultCodes.ACCESSID_NOT_FOUND);
+ OMException.ResultCodes.ACCESS_ID_NOT_FOUND);
}
// Compose response
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantAssignAdminRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantAssignAdminRequest.java
index 3a7ca0c..0967388 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantAssignAdminRequest.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantAssignAdminRequest.java
@@ -47,6 +47,8 @@ import java.util.HashMap;
import java.util.Map;
import static org.apache.hadoop.ozone.om.lock.OzoneManagerLock.Resource.VOLUME_LOCK;
+import static org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantRequestHelper.checkTenantAdmin;
+import static org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantRequestHelper.checkTenantExistence;
import static org.apache.hadoop.ozone.om.upgrade.OMLayoutFeature.MULTITENANCY_SCHEMA;
/*
@@ -76,33 +78,33 @@ public class OMTenantAssignAdminRequest extends OMClientRequest {
getOmRequest().getTenantAssignAdminRequest();
final String accessId = request.getAccessId();
- String tenantName = request.getTenantName();
+ String tenantId = request.getTenantId();
- // If tenantName is not provided, figure it out from the table
- if (StringUtils.isEmpty(tenantName)) {
- tenantName = OMTenantRequestHelper.getTenantNameFromAccessId(
+ // If tenantId (tenant name) is not provided, infer it from the accessId
+ if (StringUtils.isEmpty(tenantId)) {
+ tenantId = OMTenantRequestHelper.getTenantIdFromAccessId(
ozoneManager.getMetadataManager(), accessId);
- assert (tenantName != null);
+ assert (tenantId != null);
}
- // Caller should be an Ozone admin or this tenant's delegated admin
- OMTenantRequestHelper.checkTenantAdmin(ozoneManager, tenantName);
+ checkTenantExistence(ozoneManager.getMetadataManager(), tenantId);
- // TODO: Check tenant existence?
+ // Caller should be an Ozone admin or this tenant's delegated admin
+ checkTenantAdmin(ozoneManager, tenantId);
OmDBAccessIdInfo accessIdInfo = ozoneManager.getMetadataManager()
.getTenantAccessIdTable().get(accessId);
if (accessIdInfo == null) {
throw new OMException("accessId '" + accessId + "' not found.",
- OMException.ResultCodes.ACCESSID_NOT_FOUND);
+ OMException.ResultCodes.ACCESS_ID_NOT_FOUND);
}
// Check if accessId is assigned to the tenant
- if (!accessIdInfo.getTenantId().equals(tenantName)) {
+ if (!accessIdInfo.getTenantId().equals(tenantId)) {
throw new OMException("accessId '" + accessId +
- "' must be assigned to tenant '" + tenantName + "' first.",
- OMException.ResultCodes.INVALID_TENANT_NAME);
+ "' must be assigned to tenant '" + tenantId + "' first.",
+ OMException.ResultCodes.INVALID_TENANT_ID);
}
final boolean delegated;
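Review bot: `assert (tenantId != null)` after `getTenantIdFromAccessId(...)` is a no-op unless the JVM runs with -ea, so if the helper returns null for an unknown accessId (not visible here) the next line `checkTenantExistence(..., tenantId)` fails on a null key instead of producing the ACCESS_ID_NOT_FOUND that the `accessIdInfo == null` branch further down is meant to return. Moving the `getTenantAccessIdTable().get(accessId)` lookup ahead of the inference and deriving tenantId from `accessIdInfo.getTenantId()` when the request omits it removes both the assert and the double lookup. Separately, the reordering now runs `checkTenantExistence` before `checkTenantAdmin`, so a non-admin caller can distinguish existing tenants from non-existing ones by error code; OMTenantAssignUserAccessIdRequest#preExecute in this same commit checks admin first. The enclosing method begins outside this hunk.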
@@ -120,7 +122,7 @@ public class OMTenantAssignAdminRequest extends OMClientRequest {
.setTenantAssignAdminRequest(
TenantAssignAdminRequest.newBuilder()
.setAccessId(accessId)
- .setTenantName(tenantName)
+ .setTenantId(tenantId)
.setDelegated(delegated)
.build())
.setCmdType(getOmRequest().getCmdType())
@@ -162,7 +164,7 @@ public class OMTenantAssignAdminRequest extends OMClientRequest {
final TenantAssignAdminRequest request =
getOmRequest().getTenantAssignAdminRequest();
final String accessId = request.getAccessId();
- final String tenantId = request.getTenantName();
+ final String tenantId = request.getTenantId();
final boolean delegated = request.getDelegated();
boolean acquiredVolumeLock = false;
@@ -207,7 +209,8 @@ public class OMTenantAssignAdminRequest extends OMClientRequest {
// new CacheValue<>(Optional.of(roleName), transactionLogIndex));
omResponse.setTenantAssignAdminResponse(
- TenantAssignAdminResponse.newBuilder().setSuccess(true).build());
+ TenantAssignAdminResponse.newBuilder()
+ .build());
omClientResponse = new OMTenantAssignAdminResponse(omResponse.build(),
accessId, newOmDBAccessIdInfo);
@@ -215,9 +218,7 @@ public class OMTenantAssignAdminRequest extends OMClientRequest {
// Error handling
handleRequestFailure(ozoneManager);
exception = ex;
- // Set success flag to false
- omResponse.setTenantAssignAdminResponse(
- TenantAssignAdminResponse.newBuilder().setSuccess(false).build());
+ // Prepare omClientResponse
omClientResponse = new OMTenantAssignAdminResponse(
createErrorOMResponse(omResponse, ex));
} finally {
@@ -240,12 +241,12 @@ public class OMTenantAssignAdminRequest extends OMClientRequest {
if (exception == null) {
LOG.info("Assigned admin to accessId '{}' in tenant '{}', "
+ "delegated: {}", accessId, tenantId, delegated);
- // TODO: omMetrics.incNumTenantAssignAdmin()
+ // TODO: HDDS-6375: omMetrics.incNumTenantAssignAdmin()
} else {
LOG.error("Failed to assign admin to accessId '{}' in tenant '{}', "
+ "delegated: {}: {}",
accessId, tenantId, delegated, exception.getMessage());
- // TODO: omMetrics.incNumTenantAssignAdminFails()
+ // TODO: HDDS-6375: omMetrics.incNumTenantAssignAdminFails()
}
return omClientResponse;
}
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMAssignUserToTenantRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantAssignUserAccessIdRequest.java
similarity index 84%
rename from hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMAssignUserToTenantRequest.java
rename to hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantAssignUserAccessIdRequest.java
index a7d6041..69c77ef 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMAssignUserToTenantRequest.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantAssignUserAccessIdRequest.java
@@ -62,10 +62,9 @@ import static org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantRequestHelper
import static org.apache.hadoop.ozone.om.upgrade.OMLayoutFeature.MULTITENANCY_SCHEMA;
/*
- Ratis execution flow for OMAssignUserToTenant request:
- (might be a bit outdated)
+ Execution flow (might be a bit outdated):
-- Client (AssignUserToTenantHandler, etc.)
+- Client (AssignUserToTenantHandler)
- Check admin privilege
- Check username validity: ensure no invalid characters
- Send request to server
@@ -102,14 +101,12 @@ import static org.apache.hadoop.ozone.om.upgrade.OMLayoutFeature.MULTITENANCY_SC
/**
* Handles OMAssignUserToTenantRequest.
- *
- * TODO: Rename this to OMTenantAssignUserAccessIdRequest after rebase.
*/
-public class OMAssignUserToTenantRequest extends OMClientRequest {
+public class OMTenantAssignUserAccessIdRequest extends OMClientRequest {
public static final Logger LOG =
- LoggerFactory.getLogger(OMAssignUserToTenantRequest.class);
+ LoggerFactory.getLogger(OMTenantAssignUserAccessIdRequest.class);
- public OMAssignUserToTenantRequest(OMRequest omRequest) {
+ public OMTenantAssignUserAccessIdRequest(OMRequest omRequest) {
super(omRequest);
}
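Review bot: The class Javadoc still reads `Handles OMAssignUserToTenantRequest.` although this hunk renames the class to OMTenantAssignUserAccessIdRequest; `Handles TenantAssignUserAccessIdRequest.` (the proto request it unpacks) would keep it accurate. The flow comment above it also still refers to `AssignUserToTenantHandler`, which is fine only if that client class keeps its name — this diff does not show it.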
@@ -119,39 +116,36 @@ public class OMAssignUserToTenantRequest extends OMClientRequest {
final TenantAssignUserAccessIdRequest request =
getOmRequest().getTenantAssignUserAccessIdRequest();
- final String tenantName = request.getTenantName();
+ final String tenantId = request.getTenantId();
// Caller should be an Ozone admin or tenant delegated admin
- checkTenantAdmin(ozoneManager, tenantName);
+ checkTenantAdmin(ozoneManager, tenantId);
- // Note: Tenant username _is_ the user principal (short name)
- final String tenantUsername = request.getTenantUsername();
+ final String userPrincipal = request.getUserPrincipal();
final String accessId = request.getAccessId();
- // Check tenantUsername (user principal) validity.
- // TODO: Rename tenantUsername to userPrincipal,
- // INVALID_TENANT_USER_NAME to INVALID_TENANT_USER_PRINCIPAL, ...
- if (tenantUsername.contains(OzoneConsts.TENANT_NAME_USER_NAME_DELIMITER)) {
- throw new OMException("Invalid tenant username '" + tenantUsername +
+ // Check userPrincipal (username) validity.
+ if (userPrincipal.contains(OzoneConsts.TENANT_ID_USERNAME_DELIMITER)) {
+ throw new OMException("Invalid tenant username '" + userPrincipal +
"'. Tenant username shouldn't contain delimiter.",
- OMException.ResultCodes.INVALID_TENANT_USER_NAME);
+ OMException.ResultCodes.INVALID_TENANT_USERNAME);
}
// Check tenant name validity.
- if (tenantName.contains(OzoneConsts.TENANT_NAME_USER_NAME_DELIMITER)) {
- throw new OMException("Invalid tenant name '" + tenantUsername +
+ if (tenantId.contains(OzoneConsts.TENANT_ID_USERNAME_DELIMITER)) {
+ throw new OMException("Invalid tenant name '" + tenantId +
"'. Tenant name shouldn't contain delimiter.",
- OMException.ResultCodes.INVALID_TENANT_NAME);
+ OMException.ResultCodes.INVALID_TENANT_ID);
}
// Check accessId validity.
if (accessId.contains(SERIALIZATION_SPLIT_KEY)) {
throw new OMException("Invalid accessId '" + accessId +
"'. accessId should not contain '" + SERIALIZATION_SPLIT_KEY + "'",
- OMException.ResultCodes.INVALID_ACCESSID);
+ OMException.ResultCodes.INVALID_ACCESS_ID);
}
- checkTenantExistence(ozoneManager.getMetadataManager(), tenantName);
+ checkTenantExistence(ozoneManager.getMetadataManager(), tenantId);
// Below call implies user existence check in authorizer.
// If the user doesn't exist, Ranger return 400 and the call should throw.
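Review bot: Neither `userPrincipal` nor `accessId` is checked for emptiness: a request with the field unset yields `""` from the protobuf getter, which passes both the delimiter check and the SERIALIZATION_SPLIT_KEY check and would be carried into validateAndUpdateCache as a blank principal or accessId. A check such as `if (userPrincipal.isEmpty()) throw new OMException("userPrincipal must not be empty", OMException.ResultCodes.INVALID_TENANT_USERNAME);` (and the equivalent for accessId with INVALID_ACCESS_ID) before the delimiter checks closes that. The tenant-name error message now reports `tenantId` instead of the username, which fixes the earlier mismatch. The enclosing method begins outside this hunk.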
@@ -160,7 +154,7 @@ public class OMAssignUserToTenantRequest extends OMClientRequest {
// Inform MultiTenantManager of user assignment so it could
// initialize some policies in Ranger.
final String roleId = ozoneManager.getMultiTenantManager()
- .assignUserToTenant(new BasicUserPrincipal(tenantUsername), tenantName,
+ .assignUserToTenant(new BasicUserPrincipal(userPrincipal), tenantId,
accessId);
if (LOG.isDebugEnabled()) {
LOG.debug("roleId that the user is assigned to: {}", roleId);
@@ -198,11 +192,11 @@ public class OMAssignUserToTenantRequest extends OMClientRequest {
ozoneManager.getMultiTenantManager().revokeUserAccessId(
request.getAccessId());
} catch (IOException ioEx) {
- final String userPrincipal = request.getTenantUsername();
- final String tenantName = request.getTenantName();
+ final String userPrincipal = request.getUserPrincipal();
+ final String tenantId = request.getTenantId();
final String accessId = request.getAccessId();
ozoneManager.getMultiTenantManager().removeUserAccessIdFromCache(
- accessId, userPrincipal, tenantName);
+ accessId, userPrincipal, tenantId);
} catch (Exception e) {
// TODO: Ignore for now. See OMTenantCreateRequest#handleRequestFailure
// TODO: Temporary solution for remnant tenantCache entry. Might becomes
@@ -232,8 +226,8 @@ public class OMAssignUserToTenantRequest extends OMClientRequest {
final TenantAssignUserAccessIdRequest request =
getOmRequest().getTenantAssignUserAccessIdRequest();
- final String tenantId = request.getTenantName();
- final String principal = request.getTenantUsername();
+ final String tenantId = request.getTenantId();
+ final String userPrincipal = request.getUserPrincipal();
assert (accessId.equals(request.getAccessId()));
IOException exception = null;
@@ -258,11 +252,11 @@ public class OMAssignUserToTenantRequest extends OMClientRequest {
if (omMetadataManager.getTenantAccessIdTable().isExist(accessId)) {
LOG.error("accessId {} already exists", accessId);
throw new OMException("accessId '" + accessId + "' already exists!",
- OMException.ResultCodes.TENANT_USER_ACCESSID_ALREADY_EXISTS);
+ OMException.ResultCodes.TENANT_USER_ACCESS_ID_ALREADY_EXISTS);
}
OmDBKerberosPrincipalInfo principalInfo = omMetadataManager
- .getPrincipalToAccessIdsTable().getIfExist(principal);
+ .getPrincipalToAccessIdsTable().getIfExist(userPrincipal);
// Reject if the user is already assigned to the tenant
if (principalInfo != null) {
// If any existing accessIds are assigned to the same tenant, throw ex
@@ -277,10 +271,10 @@ public class OMAssignUserToTenantRequest extends OMClientRequest {
}
if (tenantId.equals(accessIdInfo.getTenantId())) {
throw new OMException("The same user is not allowed to be assigned "
- + "to the same tenant more than once. User '" + principal
+ + "to the same tenant more than once. User '" + userPrincipal
+ "' is already assigned to tenant '" + tenantId + "' with "
+ "accessId '" + existingAccId + "'.",
- OMException.ResultCodes.TENANT_USER_ACCESSID_ALREADY_EXISTS);
+ OMException.ResultCodes.TENANT_USER_ACCESS_ID_ALREADY_EXISTS);
}
}
}
@@ -291,7 +285,7 @@ public class OMAssignUserToTenantRequest extends OMClientRequest {
// Add to tenantAccessIdTable
final OmDBAccessIdInfo omDBAccessIdInfo = new OmDBAccessIdInfo.Builder()
.setTenantId(tenantId)
- .setKerberosPrincipal(principal)
+ .setKerberosPrincipal(userPrincipal)
.setIsAdmin(false)
.setIsDelegatedAdmin(false)
.build();
@@ -308,12 +302,12 @@ public class OMAssignUserToTenantRequest extends OMClientRequest {
principalInfo.addAccessId(accessId);
}
omMetadataManager.getPrincipalToAccessIdsTable().addCacheEntry(
- new CacheKey<>(principal),
+ new CacheKey<>(userPrincipal),
new CacheValue<>(Optional.of(principalInfo),
transactionLogIndex));
// Add to tenantGroupTable
- // TODO: DOUBLE CHECK GROUP NAME USAGE
+ // TODO: TenantGroupTable is unused for now.
final String defaultGroupName =
tenantId + OzoneConsts.DEFAULT_TENANT_USER_GROUP_SUFFIX;
omMetadataManager.getTenantGroupTable().addCacheEntry(
@@ -321,7 +315,7 @@ public class OMAssignUserToTenantRequest extends OMClientRequest {
new CacheValue<>(Optional.of(defaultGroupName), transactionLogIndex));
// Add to tenantRoleTable
- // TODO: DOUBLE CHECK ROLENAME
+ // TODO: TenantRoleTable is unused for now.
final String roleName = "user";
omMetadataManager.getTenantRoleTable().addCacheEntry(
new CacheKey<>(accessId),
@@ -336,7 +330,7 @@ public class OMAssignUserToTenantRequest extends OMClientRequest {
LOG.error("accessId '{}' already exists in S3SecretTable", accessId);
throw new OMException("accessId '" + accessId +
"' already exists in S3SecretTable",
- OMException.ResultCodes.TENANT_USER_ACCESSID_ALREADY_EXISTS);
+ OMException.ResultCodes.TENANT_USER_ACCESS_ID_ALREADY_EXISTS);
}
omMetadataManager.getS3SecretTable().addCacheEntry(
@@ -348,20 +342,18 @@ public class OMAssignUserToTenantRequest extends OMClientRequest {
// Generate response
omResponse.setTenantAssignUserAccessIdResponse(
- TenantAssignUserAccessIdResponse.newBuilder().setSuccess(true)
+ TenantAssignUserAccessIdResponse.newBuilder()
.setS3Secret(S3Secret.newBuilder()
.setAwsSecret(awsSecret).setKerberosID(accessId))
.build());
omClientResponse = new OMTenantAssignUserAccessIdResponse(
- omResponse.build(), s3SecretValue, principal, defaultGroupName,
+ omResponse.build(), s3SecretValue, userPrincipal, defaultGroupName,
roleName, accessId, omDBAccessIdInfo, principalInfo);
} catch (IOException ex) {
handleRequestFailure(ozoneManager);
exception = ex;
- // Set response success flag to false
omResponse.setTenantAssignUserAccessIdResponse(
- TenantAssignUserAccessIdResponse.newBuilder()
- .setSuccess(false).build());
+ TenantAssignUserAccessIdResponse.newBuilder().build());
omClientResponse = new OMTenantAssignUserAccessIdResponse(
createErrorOMResponse(omResponse, ex));
} finally {
@@ -380,7 +372,7 @@ public class OMAssignUserToTenantRequest extends OMClientRequest {
// Audit
auditMap.put(OzoneConsts.TENANT, tenantId);
- auditMap.put("user", principal);
+ auditMap.put("user", userPrincipal);
auditMap.put("accessId", accessId);
auditLog(ozoneManager.getAuditLogger(), buildAuditMessage(
OMAction.TENANT_ASSIGN_USER_ACCESSID, auditMap, exception,
@@ -388,13 +380,12 @@ public class OMAssignUserToTenantRequest extends OMClientRequest {
if (exception == null) {
LOG.info("Assigned user '{}' to tenant '{}' with accessId '{}'",
- principal, tenantId, accessId);
- // TODO: omMetrics.incNumTenantAssignUser()
+ userPrincipal, tenantId, accessId);
+ // TODO: HDDS-6375: omMetrics.incNumTenantAssignUser()
} else {
LOG.error("Failed to assign '{}' to tenant '{}' with accessId '{}': {}",
- principal, tenantId, accessId, exception.getMessage());
- // TODO: Check if the exception message is sufficient.
- // TODO: omMetrics.incNumTenantAssignUserFails()
+ userPrincipal, tenantId, accessId, exception.getMessage());
+ // TODO: HDDS-6375: omMetrics.incNumTenantAssignUserFails()
}
return omClientResponse;
}
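Review bot: The failure log in the `else` branch passes `exception.getMessage()` as a format argument, so the stack trace is dropped, while OMTenantCreateRequest and OMTenantDeleteRequest in this same commit pass the exception itself as the last argument. For consistency and easier diagnosis, change the call to `LOG.error("Failed to assign '{}' to tenant '{}' with accessId '{}'", userPrincipal, tenantId, accessId, exception);`. The same `getMessage()` pattern appears in the final hunks of OMTenantRevokeAdminRequest and OMTenantRevokeUserAccessIdRequest.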
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantCreateRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantCreateRequest.java
index 73da4ee..17e739c 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantCreateRequest.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantCreateRequest.java
@@ -119,10 +119,10 @@ public class OMTenantCreateRequest extends OMVolumeRequest {
OMTenantRequestHelper.checkAdmin(ozoneManager);
final CreateTenantRequest request = getOmRequest().getCreateTenantRequest();
- final String tenantId = request.getTenantName();
+ final String tenantId = request.getTenantId();
// Check tenantId validity
- if (tenantId.contains(OzoneConsts.TENANT_NAME_USER_NAME_DELIMITER)) {
+ if (tenantId.contains(OzoneConsts.TENANT_ID_USERNAME_DELIMITER)) {
throw new OMException("Invalid tenant name " + tenantId +
". Tenant name should not contain delimiter.",
OMException.ResultCodes.INVALID_VOLUME_NAME);
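Review bot: The delimiter check on the renamed `tenantId` still reports `OMException.ResultCodes.INVALID_VOLUME_NAME` although the rejected input is the tenant id, and this commit introduces `INVALID_TENANT_ID` (used in OMTenantRevokeAdminRequest). Unless clients depend on the old code, change the line to `OMException.ResultCodes.INVALID_TENANT_ID);` and align the message with the field name ("Invalid tenantId ..."). The enclosing preExecute continues outside this hunk.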
@@ -181,7 +181,7 @@ public class OMTenantCreateRequest extends OMVolumeRequest {
.setCreateTenantRequest(
CreateTenantRequest.newBuilder()
.setTenantDefaultPolicyName(tenantDefaultPolicies)
- .setTenantName(tenantId))
+ .setTenantId(tenantId))
.setCreateVolumeRequest(
CreateVolumeRequest.newBuilder().setVolumeInfo(updatedVolumeInfo))
// TODO: Can the three lines below be ignored?
@@ -223,12 +223,11 @@ public class OMTenantCreateRequest extends OMVolumeRequest {
OmVolumeArgs omVolumeArgs;
boolean acquiredVolumeLock = false;
boolean acquiredUserLock = false;
- boolean acquiredTenantLock = false;
final String owner = getOmRequest().getUserInfo().getUserName();
Map<String, String> auditMap = new HashMap<>();
OMMetadataManager omMetadataManager = ozoneManager.getMetadataManager();
final CreateTenantRequest request = getOmRequest().getCreateTenantRequest();
- final String tenantId = request.getTenantName();
+ final String tenantId = request.getTenantId();
final VolumeInfo volumeInfo =
getOmRequest().getCreateVolumeRequest().getVolumeInfo();
final String volumeName = volumeInfo.getVolume();
@@ -314,8 +313,8 @@ public class OMTenantCreateRequest extends OMVolumeRequest {
new CacheValue<>(Optional.of(bucketPolicyId), transactionLogIndex));
omResponse.setCreateTenantResponse(
- CreateTenantResponse.newBuilder().setSuccess(true).build()
- );
+ CreateTenantResponse.newBuilder()
+ .build());
omClientResponse = new OMTenantCreateResponse(
omResponse.build(),
omVolumeArgs, volumeList,
@@ -338,8 +337,6 @@ public class OMTenantCreateRequest extends OMVolumeRequest {
handleRequestFailure(ozoneManager);
}
// Prepare omClientResponse
- omResponse.setCreateTenantResponse(
- CreateTenantResponse.newBuilder().setSuccess(false).build());
omClientResponse = new OMTenantCreateResponse(
createErrorOMResponse(omResponse, ex));
exception = ex;
@@ -370,10 +367,10 @@ public class OMTenantCreateRequest extends OMVolumeRequest {
if (exception == null) {
LOG.info("Created tenant '{}' and volume '{}'", tenantId, volumeName);
- // TODO: omMetrics.incNumTenants()
+ // TODO: HDDS-6375: omMetrics.incNumTenants()
} else {
LOG.error("Failed to create tenant '{}'", tenantId, exception);
- // TODO: omMetrics.incNumTenantCreateFails()
+ // TODO: HDDS-6375: omMetrics.incNumTenantCreateFails()
}
return omClientResponse;
}
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantDeleteRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantDeleteRequest.java
index 69afb07..2db50a8 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantDeleteRequest.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantDeleteRequest.java
@@ -214,10 +214,10 @@ public class OMTenantDeleteRequest extends OMVolumeRequest {
if (exception == null) {
LOG.info("Deleted tenant '{}' and volume '{}'", tenantId, volumeName);
- // TODO: omMetrics.decNumTenants()
+ // TODO: HDDS-6375: omMetrics.decNumTenants()
} else {
LOG.error("Failed to delete tenant '{}'", tenantId, exception);
- // TODO: omMetrics.incNumTenantDeleteFails()
+ // TODO: HDDS-6375: omMetrics.incNumTenantDeleteFails()
}
return omClientResponse;
}
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRequestHelper.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRequestHelper.java
index 2d67bd3..b880675 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRequestHelper.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRequestHelper.java
@@ -63,24 +63,27 @@ public final class OMTenantRequestHelper {
* throws OMException otherwise.
* @throws OMException PERMISSION_DENIED
*/
- static void checkTenantAdmin(OzoneManager ozoneManager, String tenantName)
+ static void checkTenantAdmin(OzoneManager ozoneManager, String tenantId)
throws OMException {
final UserGroupInformation ugi = ProtobufRpcEngine.Server.getRemoteUser();
if (!ozoneManager.isAdmin(ugi) &&
- !ozoneManager.isTenantAdmin(ugi, tenantName, true)) {
+ !ozoneManager.isTenantAdmin(ugi, tenantId, true)) {
throw new OMException("User '" + ugi.getUserName() +
"' is neither an Ozone admin nor a delegated admin of tenant '" +
- tenantName + "'.", OMException.ResultCodes.PERMISSION_DENIED);
+ tenantId + "'.", OMException.ResultCodes.PERMISSION_DENIED);
}
}
+ /**
+ * Check if the tenantId exists in the table, throws TENANT_NOT_FOUND if not.
+ */
static void checkTenantExistence(OMMetadataManager omMetadataManager,
- String tenantName) throws OMException {
+ String tenantId) throws OMException {
try {
- if (!omMetadataManager.getTenantStateTable().isExist(tenantName)) {
- throw new OMException("Tenant '" + tenantName + "' doesn't exist.",
+ if (!omMetadataManager.getTenantStateTable().isExist(tenantId)) {
+ throw new OMException("Tenant '" + tenantId + "' doesn't exist.",
OMException.ResultCodes.TENANT_NOT_FOUND);
}
} catch (IOException ex) {
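Review bot: The new Javadoc on `checkTenantExistence` states the failure mode in prose, while the method directly above documents it with a `@throws OMException PERMISSION_DENIED` tag; for consistency use `@throws OMException TENANT_NOT_FOUND if tenantId is not present in the tenant state table` and add `@throws OMException METADATA_ERROR if the table lookup fails`, since the catch block in the next hunk also throws. The same applies to the Javadoc of `getTenantVolumeName` in the following hunk, which should carry `@throws OMException TENANT_NOT_FOUND` and `@throws IOException` tags rather than a sentence. The body of `checkTenantExistence` continues outside this hunk.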
@@ -90,17 +93,19 @@ public final class OMTenantRequestHelper {
throw omEx;
}
}
- throw new OMException("Unable to retrieve "
- + "OmDBTenantInfo entry for tenant '" + tenantName + "': "
- + ex.getMessage(), OMException.ResultCodes.METADATA_ERROR);
+ throw new OMException("Error while retrieving OmDBTenantInfo for tenant "
+ + "'" + tenantId + "': " + ex.getMessage(),
+ OMException.ResultCodes.METADATA_ERROR);
}
}
/**
* Retrieve volume name of the tenant.
+ *
+ * Throws OMException TENANT_NOT_FOUND if tenantId doesn't exist.
*/
- static String getTenantVolumeName(OMMetadataManager omMetadataManager,
- String tenantId) throws IOException {
+ public static String getTenantVolumeName(OMMetadataManager omMetadataManager,
+ String tenantId) throws IOException {
final OmDBTenantInfo tenantInfo =
omMetadataManager.getTenantStateTable().get(tenantId);
@@ -122,7 +127,7 @@ public final class OMTenantRequestHelper {
return volumeName;
}
- public static String getTenantNameFromAccessId(
+ public static String getTenantIdFromAccessId(
OMMetadataManager omMetadataManager, String accessId) throws IOException {
final OmDBAccessIdInfo accessIdInfo = omMetadataManager
@@ -156,9 +161,9 @@ public final class OMTenantRequestHelper {
return false;
}
- final String tenantName = accessIdInfo.getTenantId();
+ final String tenantId = accessIdInfo.getTenantId();
// Sanity check
- if (tenantName == null) {
+ if (tenantId == null) {
throw new OMException("Unexpected error: OmDBAccessIdInfo " +
"tenantId field should not have been null",
OMException.ResultCodes.METADATA_ERROR);
@@ -178,7 +183,7 @@ public final class OMTenantRequestHelper {
}
// Check if ugi is an admin of this tenant
- if (ozoneManager.isTenantAdmin(ugi, tenantName, true)) {
+ if (ozoneManager.isTenantAdmin(ugi, tenantId, true)) {
return true;
}
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRevokeAdminRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRevokeAdminRequest.java
index 7598adf..5757b0f 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRevokeAdminRequest.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRevokeAdminRequest.java
@@ -47,6 +47,8 @@ import java.util.HashMap;
import java.util.Map;
import static org.apache.hadoop.ozone.om.lock.OzoneManagerLock.Resource.VOLUME_LOCK;
+import static org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantRequestHelper.checkTenantAdmin;
+import static org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantRequestHelper.checkTenantExistence;
import static org.apache.hadoop.ozone.om.upgrade.OMLayoutFeature.MULTITENANCY_SCHEMA;
/*
@@ -76,32 +78,34 @@ public class OMTenantRevokeAdminRequest extends OMClientRequest {
getOmRequest().getTenantRevokeAdminRequest();
final String accessId = request.getAccessId();
- String tenantId = request.getTenantName();
+ String tenantId = request.getTenantId();
- // If tenant name is not specified, try figuring it out from accessId.
+ // If tenantId is not specified, infer it from the accessId
if (StringUtils.isEmpty(tenantId)) {
- tenantId = OMTenantRequestHelper.getTenantNameFromAccessId(
+ tenantId = OMTenantRequestHelper.getTenantIdFromAccessId(
ozoneManager.getMetadataManager(), accessId);
+ assert (tenantId != null);
}
- // Caller should be an Ozone admin or this tenant's delegated admin
- OMTenantRequestHelper.checkTenantAdmin(ozoneManager, tenantId);
+ // Sanity check
+ checkTenantExistence(ozoneManager.getMetadataManager(), tenantId);
- // TODO: Check tenant existence?
+ // Caller should be an Ozone admin or this tenant's delegated admin
+ checkTenantAdmin(ozoneManager, tenantId);
OmDBAccessIdInfo accessIdInfo = ozoneManager.getMetadataManager()
.getTenantAccessIdTable().get(accessId);
if (accessIdInfo == null) {
throw new OMException("accessId '" + accessId + "' not found.",
- OMException.ResultCodes.ACCESSID_NOT_FOUND);
+ OMException.ResultCodes.ACCESS_ID_NOT_FOUND);
}
// Check if accessId is assigned to the tenant
if (!accessIdInfo.getTenantId().equals(tenantId)) {
throw new OMException("accessId '" + accessId +
"' must be assigned to tenant '" + tenantId + "' first.",
- OMException.ResultCodes.INVALID_TENANT_NAME);
+ OMException.ResultCodes.INVALID_TENANT_ID);
}
// TODO: Call OMMTM to remove user from admin group of the tenant.
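Review bot: `assert (tenantId != null);` after the inference from accessId is not an effective guard, because Java assertions are disabled unless the JVM runs with -ea; if `getTenantIdFromAccessId` can return null (its body is outside this hunk), the null reaches `checkTenantExistence`. Replace it with an explicit check that throws, e.g. `if (tenantId == null) { throw new OMException("accessId '" + accessId + "' not found.", OMException.ResultCodes.ACCESS_ID_NOT_FOUND); }`, or document that the helper never returns null and drop the assert. Separately, running `checkTenantExistence` before `checkTenantAdmin` means a caller who is not an admin now receives TENANT_NOT_FOUND for unknown tenants and PERMISSION_DENIED for existing ones, which lets any authenticated principal probe which tenant ids exist; if that is not intended, perform the admin check first (it presumably already fails for unknown tenants) or return PERMISSION_DENIED in both cases. The same ordering is used in OMTenantRevokeUserAccessIdRequest.preExecute. The method continues outside this hunk.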
@@ -114,7 +118,7 @@ public class OMTenantRevokeAdminRequest extends OMClientRequest {
// Regenerate request just in case tenantId is not provided
// by the client
TenantRevokeAdminRequest.newBuilder()
- .setTenantName(tenantId)
+ .setTenantId(tenantId)
.setAccessId(request.getAccessId())
.build())
.setCmdType(getOmRequest().getCmdType())
@@ -143,7 +147,7 @@ public class OMTenantRevokeAdminRequest extends OMClientRequest {
final TenantRevokeAdminRequest request =
getOmRequest().getTenantRevokeAdminRequest();
final String accessId = request.getAccessId();
- final String tenantId = request.getTenantName();
+ final String tenantId = request.getTenantId();
boolean acquiredVolumeLock = false; // TODO: use tenant lock instead, maybe
IOException exception = null;
@@ -188,18 +192,13 @@ public class OMTenantRevokeAdminRequest extends OMClientRequest {
omResponse.setTenantRevokeAdminResponse(
TenantRevokeAdminResponse.newBuilder()
- .setSuccess(true).build());
+ .build());
omClientResponse = new OMTenantRevokeAdminResponse(omResponse.build(),
accessId, newOmDBAccessIdInfo);
} catch (IOException ex) {
- // Error handling: do nothing to Authorizer (Ranger) here?
-
exception = ex;
- // Set success flag to false
- omResponse.setTenantRevokeAdminResponse(
- TenantRevokeAdminResponse.newBuilder()
- .setSuccess(false).build());
+ // Prepare omClientResponse
omClientResponse = new OMTenantRevokeAdminResponse(
createErrorOMResponse(omResponse, ex));
} finally {
@@ -222,11 +221,11 @@ public class OMTenantRevokeAdminRequest extends OMClientRequest {
if (exception == null) {
LOG.info("Revoked admin of accessId '{}' from tenant '{}'",
accessId, tenantId);
- // TODO: omMetrics.incNumTenantRevokeAdmin()
+ // TODO: HDDS-6375: omMetrics.incNumTenantRevokeAdmin()
} else {
LOG.error("Failed to revoke admin of accessId '{}' from tenant '{}': {}",
accessId, tenantId, exception.getMessage());
- // TODO: omMetrics.incNumTenantRevokeAdminFails()
+ // TODO: HDDS-6375: omMetrics.incNumTenantRevokeAdminFails()
}
return omClientResponse;
}
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRevokeUserAccessIdRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRevokeUserAccessIdRequest.java
index 90232c5..e8f4f51 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRevokeUserAccessIdRequest.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantRevokeUserAccessIdRequest.java
@@ -20,6 +20,7 @@ package org.apache.hadoop.ozone.om.request.s3.tenant;
import com.google.common.base.Optional;
import com.google.common.base.Preconditions;
+import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.hdds.utils.db.cache.CacheKey;
import org.apache.hadoop.hdds.utils.db.cache.CacheValue;
import org.apache.hadoop.ozone.OzoneConsts;
@@ -27,6 +28,7 @@ import org.apache.hadoop.ozone.audit.OMAction;
import org.apache.hadoop.ozone.om.OMMetadataManager;
import org.apache.hadoop.ozone.om.OzoneManager;
import org.apache.hadoop.ozone.om.exceptions.OMException;
+import org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes;
import org.apache.hadoop.ozone.om.helpers.OmDBAccessIdInfo;
import org.apache.hadoop.ozone.om.helpers.OmDBKerberosPrincipalInfo;
import org.apache.hadoop.ozone.om.ratis.utils.OzoneManagerDoubleBufferHelper;
@@ -37,6 +39,7 @@ import org.apache.hadoop.ozone.om.response.s3.tenant.OMTenantRevokeUserAccessIdR
import org.apache.hadoop.ozone.om.upgrade.DisallowedUntilLayoutVersion;
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos;
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMRequest;
+import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMRequest.Builder;
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.TenantRevokeUserAccessIdRequest;
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.TenantRevokeUserAccessIdResponse;
import org.slf4j.Logger;
@@ -48,6 +51,8 @@ import java.util.Map;
import static org.apache.hadoop.ozone.om.lock.OzoneManagerLock.Resource.S3_SECRET_LOCK;
import static org.apache.hadoop.ozone.om.lock.OzoneManagerLock.Resource.VOLUME_LOCK;
+import static org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantRequestHelper.checkTenantAdmin;
+import static org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantRequestHelper.checkTenantExistence;
import static org.apache.hadoop.ozone.om.upgrade.OMLayoutFeature.MULTITENANCY_SCHEMA;
/*
@@ -55,7 +60,7 @@ import static org.apache.hadoop.ozone.om.upgrade.OMLayoutFeature.MULTITENANCY_SC
- preExecute
- Check accessId existence
- - Get tenantName from accessId
+ - Get tenantId (tenant name) from accessId
- Check caller Ozone admin or tenant admin privilege
- Throw if accessId is a tenant admin
- Call Authorizer
@@ -82,47 +87,47 @@ public class OMTenantRevokeUserAccessIdRequest extends OMClientRequest {
final String accessId = request.getAccessId();
- // As of now, OMTenantRevokeUserAccessIdRequest does not get tenantName
- // from the client, we just get it from the OM DB table. Uncomment
- // below if we want the request to be similar to OMTenantRevokeAdminRequest
-// String tenantName = request.getTenantName();
-// if (tenantName == null) {
-// }
-
final OMMetadataManager omMetadataManager =
ozoneManager.getMetadataManager();
final OmDBAccessIdInfo accessIdInfo = omMetadataManager
.getTenantAccessIdTable().get(accessId);
if (accessIdInfo == null) {
- // Note: This potentially leaks which accessIds exists in OM.
throw new OMException("accessId '" + accessId + "' doesn't exist",
- OMException.ResultCodes.ACCESSID_NOT_FOUND);
+ ResultCodes.ACCESS_ID_NOT_FOUND);
+ }
+
+ // If tenantId is not specified, we can infer it from the accessId
+ String tenantId = request.getTenantId();
+ if (StringUtils.isEmpty(tenantId)) {
+ tenantId = OMTenantRequestHelper.getTenantIdFromAccessId(
+ ozoneManager.getMetadataManager(), accessId);
+ assert (tenantId != null);
}
- final String tenantName = accessIdInfo.getTenantId();
- assert (tenantName != null);
- assert (tenantName.length() > 0);
+ // Sanity check
+ checkTenantExistence(ozoneManager.getMetadataManager(), tenantId);
// Caller should be an Ozone admin or this tenant's delegated admin
- OMTenantRequestHelper.checkTenantAdmin(ozoneManager, tenantName);
+ checkTenantAdmin(ozoneManager, tenantId);
if (accessIdInfo.getIsAdmin()) {
- throw new OMException("accessId '" + accessId + "' is tenant admin of '" +
- tenantName + "'. Revoke admin first.",
- OMException.ResultCodes.PERMISSION_DENIED);
+ throw new OMException("accessId '" + accessId + "' is a tenant admin of "
+ + "tenant'" + tenantId + "'. Please revoke its tenant admin "
+ + "privilege before revoking the accessId.",
+ ResultCodes.PERMISSION_DENIED);
}
// Call OMMTM to revoke user access to tenant
- // TODO: DOUBLE CHECK destroyUser() behavior
+ // TODO: Check destroyUser() behavior
ozoneManager.getMultiTenantManager().revokeUserAccessId(accessId);
- final OMRequest.Builder omRequestBuilder = getOmRequest().toBuilder()
+ final Builder omRequestBuilder = getOmRequest().toBuilder()
.setUserInfo(getUserInfo())
.setTenantRevokeUserAccessIdRequest(
TenantRevokeUserAccessIdRequest.newBuilder()
.setAccessId(accessId)
- .setTenantName(tenantName)
+ .setTenantId(tenantId)
.build())
.setCmdType(getOmRequest().getCmdType())
.setClientId(getOmRequest().getClientId());
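Review bot: The new code no longer verifies that the accessId belongs to the tenant the caller is authorized against: when the client supplies a non-empty `tenantId`, `checkTenantAdmin` is evaluated for that tenant, but `accessIdInfo.getTenantId()` is never compared to it before `revokeUserAccessId(accessId)` runs, so a delegated admin of one tenant could pass their own tenant id together with an accessId assigned to a different tenant. Before this change the tenant was always taken from `accessIdInfo.getTenantId()`, which is why no such check existed; OMTenantRevokeAdminRequest in this same commit does have the guard (`if (!accessIdInfo.getTenantId().equals(tenantId))` → `INVALID_TENANT_ID`) and the same guard belongs here right after `checkTenantAdmin`. The inference branch can also reuse the already-loaded `accessIdInfo.getTenantId()` instead of a second lookup via `getTenantIdFromAccessId`. The removed comment about revealing which accessIds exist still describes the behaviour, since the accessId lookup precedes any authorization check, so it is worth keeping. The method continues outside this hunk.
```java
    // If tenantId is not specified, infer it from the accessId record
    // already loaded above instead of a second table lookup
    String tenantId = request.getTenantId();
    if (StringUtils.isEmpty(tenantId)) {
      tenantId = accessIdInfo.getTenantId();
    }

    // … unchanged: checkTenantExistence …

    // Caller should be an Ozone admin or this tenant's delegated admin
    checkTenantAdmin(ozoneManager, tenantId);

    // The accessId must belong to the tenant the caller was authorized for
    if (!tenantId.equals(accessIdInfo.getTenantId())) {
      throw new OMException("accessId '" + accessId +
          "' must be assigned to tenant '" + tenantId + "' first.",
          ResultCodes.INVALID_TENANT_ID);
    }

    // … unchanged: tenant-admin check on accessIdInfo, revokeUserAccessId call, request rebuild …
```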
@@ -149,7 +154,7 @@ public class OMTenantRevokeUserAccessIdRequest extends OMClientRequest {
final TenantRevokeUserAccessIdRequest request =
getOmRequest().getTenantRevokeUserAccessIdRequest();
final String accessId = request.getAccessId();
- final String tenantId = request.getTenantName();
+ final String tenantId = request.getTenantId();
boolean acquiredS3SecretLock = false;
boolean acquiredVolumeLock = false;
@@ -209,17 +214,13 @@ public class OMTenantRevokeUserAccessIdRequest extends OMClientRequest {
// Generate response
omResponse.setTenantRevokeUserAccessIdResponse(
- TenantRevokeUserAccessIdResponse.newBuilder().setSuccess(true).build()
- );
+ TenantRevokeUserAccessIdResponse.newBuilder()
+ .build());
omClientResponse = new OMTenantRevokeUserAccessIdResponse(
omResponse.build(), accessId, userPrincipal, principalInfo);
} catch (IOException ex) {
- // Error handling: do nothing to Authorizer here?
exception = ex;
- // Set response success flag to false
- omResponse.setTenantRevokeUserAccessIdResponse(
- TenantRevokeUserAccessIdResponse.newBuilder()
- .setSuccess(false).build());
+ // Prepare omClientResponse
omClientResponse = new OMTenantRevokeUserAccessIdResponse(
createErrorOMResponse(omResponse, ex));
} finally {
@@ -247,11 +248,11 @@ public class OMTenantRevokeUserAccessIdRequest extends OMClientRequest {
if (exception == null) {
LOG.info("Revoked user '{}' accessId '{}' to tenant '{}'",
userPrincipal, accessId, tenantId);
- // TODO: omMetrics.incNumTenantRevokeUser()
+ // TODO: HDDS-6375: omMetrics.incNumTenantRevokeUser()
} else {
LOG.error("Failed to revoke user '{}' accessId '{}' to tenant '{}': {}",
userPrincipal, accessId, tenantId, exception.getMessage());
- // TODO: omMetrics.incNumTenantRevokeUserFails()
+ // TODO: HDDS-6375: omMetrics.incNumTenantRevokeUserFails()
}
return omClientResponse;
}
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/protocolPB/OzoneManagerRequestHandler.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/protocolPB/OzoneManagerRequestHandler.java
index d98cbae..3cad217 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/protocolPB/OzoneManagerRequestHandler.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/protocolPB/OzoneManagerRequestHandler.java
@@ -384,11 +384,9 @@ public class OzoneManagerRequestHandler implements RequestHandler {
final String userPrincipal = request.getUserPrincipal();
TenantUserInfoValue ret = impl.tenantGetUserInfo(userPrincipal);
+ // Note impl.tenantGetUserInfo() throws if errs
if (ret != null) {
- resp.setSuccess(true);
resp.setTenantUserInfo(ret.getProtobuf());
- } else {
- resp.setSuccess(false);
}
return resp.build();
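Review bot: With `resp.setSuccess(false)` removed, the `ret == null` path now returns a TenantGetUserInfoResponse with no tenantUserInfo and no error indication, so a client cannot tell "no result" from a missing field. The new comment says `impl.tenantGetUserInfo()` throws on error (its implementation is not in this hunk); if that holds, the null check is dead and can be dropped, otherwise the null case should throw an OMException rather than return silently. The same applies to the `usersInTenant != null` branch in the next hunk. The enclosing method starts outside this hunk.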
@@ -400,12 +398,10 @@ public class OzoneManagerRequestHandler implements RequestHandler {
TenantListUserResponse.Builder builder =
TenantListUserResponse.newBuilder();
TenantUserList usersInTenant =
- impl.listUsersInTenant(request.getTenantName(), request.getPrefix());
- if (usersInTenant == null) {
- builder.setSuccess(false);
- } else {
- builder.setSuccess(true);
- builder.setTenantName(request.getTenantName());
+ impl.listUsersInTenant(request.getTenantId(), request.getPrefix());
+ // Note impl.listUsersInTenant() throws if errs
+ if (usersInTenant != null) {
+ builder.setTenantId(request.getTenantId());
builder.addAllUserAccessIdInfo(usersInTenant.getUserAccessIds());
}
return builder.build();
@@ -418,7 +414,6 @@ public class OzoneManagerRequestHandler implements RequestHandler {
final ListTenantResponse.Builder resp = ListTenantResponse.newBuilder();
TenantInfoList ret = impl.listTenant();
- resp.setSuccess(true);
resp.addAllTenantInfo(ret.getTenantInfoList());
return resp.build();
diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/TestOMMultiTenantManagerImpl.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/TestOMMultiTenantManagerImpl.java
index 7c07ac8..0b74355 100644
--- a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/TestOMMultiTenantManagerImpl.java
+++ b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/TestOMMultiTenantManagerImpl.java
@@ -95,7 +95,7 @@ public class TestOMMultiTenantManagerImpl {
assertEquals(2, userAccessIds.size());
for (TenantUserAccessId userAccessId : userAccessIds) {
- String user = userAccessId.getUser();
+ String user = userAccessId.getUserPrincipal();
if (user.equals("user1")) {
assertEquals("accessId1", userAccessId.getAccessId());
} else if (user.equals("seed-user1")) {
diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3GetSecretRequest.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3GetSecretRequest.java
index 52803e2..c4f638f 100644
--- a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3GetSecretRequest.java
+++ b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3GetSecretRequest.java
@@ -35,7 +35,7 @@ import org.apache.hadoop.ozone.om.helpers.OmDBAccessIdInfo;
import org.apache.hadoop.ozone.om.helpers.S3SecretValue;
import org.apache.hadoop.ozone.om.multitenant.Tenant;
import org.apache.hadoop.ozone.om.ratis.utils.OzoneManagerDoubleBufferHelper;
-import org.apache.hadoop.ozone.om.request.s3.tenant.OMAssignUserToTenantRequest;
+import org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantAssignUserAccessIdRequest;
import org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantCreateRequest;
import org.apache.hadoop.ozone.om.response.OMClientResponse;
import org.apache.hadoop.ozone.om.response.s3.security.S3GetSecretResponse;
@@ -62,7 +62,7 @@ import java.io.IOException;
import java.util.ArrayList;
import java.util.UUID;
-import static org.apache.hadoop.ozone.OzoneConsts.TENANT_NAME_USER_NAME_DELIMITER;
+import static org.apache.hadoop.ozone.OzoneConsts.TENANT_ID_USERNAME_DELIMITER;
import static org.apache.hadoop.security.authentication.util.KerberosName.DEFAULT_MECHANISM;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.doNothing;
@@ -89,10 +89,10 @@ public class TestS3GetSecretRequest {
// Multi-tenant related vars
private static final String USER_ALICE = "alice@EXAMPLE.COM";
- private static final String TENANT_NAME = "finance";
+ private static final String TENANT_ID = "finance";
private static final String USER_BOB = "bob@EXAMPLE.COM";
private static final String ACCESS_ID_BOB =
- TENANT_NAME + TENANT_NAME_USER_NAME_DELIMITER + USER_BOB;
+ TENANT_ID + TENANT_ID_USERNAME_DELIMITER + USER_BOB;
private UserGroupInformation ugiAlice;
@@ -137,7 +137,7 @@ public class TestS3GetSecretRequest {
when(ozoneManager.getMultiTenantManager()).thenReturn(omMultiTenantManager);
when(tenant.getTenantAccessPolicies()).thenReturn(new ArrayList<>());
- when(omMultiTenantManager.createTenantAccessInAuthorizer(TENANT_NAME))
+ when(omMultiTenantManager.createTenantAccessInAuthorizer(TENANT_ID))
.thenReturn(tenant);
}
@@ -154,7 +154,7 @@ public class TestS3GetSecretRequest {
.setCmdType(Type.CreateTenant)
.setCreateTenantRequest(
CreateTenantRequest.newBuilder()
- .setTenantName(tenantNameStr)
+ .setTenantId(tenantNameStr)
.setVolumeName(tenantNameStr)
.build()
).build();
@@ -168,8 +168,8 @@ public class TestS3GetSecretRequest {
.setCmdType(Type.TenantAssignUserAccessId)
.setTenantAssignUserAccessIdRequest(
TenantAssignUserAccessIdRequest.newBuilder()
- .setTenantName(tenantNameStr)
- .setTenantUsername(userPrincipalStr)
+ .setTenantId(tenantNameStr)
+ .setUserPrincipal(userPrincipalStr)
.setAccessId(accessIdStr)
.build()
).build();
@@ -340,7 +340,7 @@ public class TestS3GetSecretRequest {
OMTenantCreateRequest omTenantCreateRequest =
new OMTenantCreateRequest(
new OMTenantCreateRequest(
- createTenantRequest(TENANT_NAME)
+ createTenantRequest(TENANT_ID)
).preExecute(ozoneManager)
);
// Run validateAndUpdateCache
@@ -353,23 +353,23 @@ public class TestS3GetSecretRequest {
(OMTenantCreateResponse) omClientResponse;
// Check response
Assert.assertTrue(omTenantCreateResponse.getOMResponse().getSuccess());
- Assert.assertEquals(TENANT_NAME,
+ Assert.assertEquals(TENANT_ID,
omTenantCreateResponse.getOmDBTenantInfo().getTenantId());
// 2. AssignUserToTenantRequest: Assign "bob@EXAMPLE.COM" to "finance".
++txLogIndex;
// Run preExecute
- OMAssignUserToTenantRequest omAssignUserToTenantRequest =
- new OMAssignUserToTenantRequest(
- new OMAssignUserToTenantRequest(
- assignUserToTenantRequest(TENANT_NAME, USER_BOB, ACCESS_ID_BOB)
+ OMTenantAssignUserAccessIdRequest omTenantAssignUserAccessIdRequest =
+ new OMTenantAssignUserAccessIdRequest(
+ new OMTenantAssignUserAccessIdRequest(
+ assignUserToTenantRequest(TENANT_ID, USER_BOB, ACCESS_ID_BOB)
).preExecute(ozoneManager)
);
// Run validateAndUpdateCache
omClientResponse =
- omAssignUserToTenantRequest.validateAndUpdateCache(ozoneManager,
+ omTenantAssignUserAccessIdRequest.validateAndUpdateCache(ozoneManager,
txLogIndex, ozoneManagerDoubleBufferHelper);
// Check response type and cast
@@ -383,7 +383,7 @@ public class TestS3GetSecretRequest {
Assert.assertTrue(omTenantAssignUserAccessIdResponse.getOMResponse()
.getSuccess());
Assert.assertTrue(omTenantAssignUserAccessIdResponse.getOMResponse()
- .getTenantAssignUserAccessIdResponse().getSuccess());
+ .hasTenantAssignUserAccessIdResponse());
final OmDBAccessIdInfo omDBAccessIdInfo =
omTenantAssignUserAccessIdResponse.getOmDBAccessIdInfo();
Assert.assertNotNull(omDBAccessIdInfo);
diff --git a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/GetUserInfoHandler.java b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/GetUserInfoHandler.java
index c3ee7f8..dfc28a5 100644
--- a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/GetUserInfoHandler.java
+++ b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/GetUserInfoHandler.java
@@ -42,6 +42,8 @@ public class GetUserInfoHandler extends TenantHandler {
@CommandLine.Parameters(description = "List of user principal(s)")
private List<String> userPrincipals = new ArrayList<>();
+ // TODO: HDDS-6340. Add an option to print JSON result
+
private boolean isEmptyList(List<String> list) {
return list == null || list.size() == 0;
}
@@ -78,7 +80,7 @@ public class GetUserInfoHandler extends TenantHandler {
adminInfoString = "";
}
out().format("- Tenant '%s'%s with accessId '%s'%n",
- accessIdInfo.getTenantName(), adminInfoString,
+ accessIdInfo.getTenantId(), adminInfoString,
accessIdInfo.getAccessId());
}
diff --git a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantAssignAdminHandler.java b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantAssignAdminHandler.java
index 1de3ec1..59a2cfd 100644
--- a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantAssignAdminHandler.java
+++ b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantAssignAdminHandler.java
@@ -50,6 +50,8 @@ public class TenantAssignAdminHandler extends TenantHandler {
description = "Make delegated admin")
private boolean delegated;
+ // TODO: HDDS-6340. Add an option to print JSON result
+
@Override
protected void execute(OzoneClient client, OzoneAddress address) {
final ObjectStore objStore = client.getObjectStore();
@@ -57,7 +59,7 @@ public class TenantAssignAdminHandler extends TenantHandler {
for (final String accessId : accessIds) {
try {
objStore.tenantAssignAdmin(accessId, tenantId, delegated);
- // TODO: Make tenantAssignAdmin return accessId, tenantName, user later.
+ // TODO: Make tenantAssignAdmin return accessId, tenantId, user later.
err().println("Assigned admin to '" + accessId +
(tenantId != null ? "' in tenant '" + tenantId : "") + "'");
} catch (IOException e) {
diff --git a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantAssignUserAccessIdHandler.java b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantAssignUserAccessIdHandler.java
index 2fe0f3e..8ef65d4 100644
--- a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantAssignUserAccessIdHandler.java
+++ b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantAssignUserAccessIdHandler.java
@@ -29,7 +29,7 @@ import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
-import static org.apache.hadoop.ozone.OzoneConsts.TENANT_NAME_USER_NAME_DELIMITER;
+import static org.apache.hadoop.ozone.OzoneConsts.TENANT_ID_USERNAME_DELIMITER;
/**
* ozone tenant user assign.
@@ -59,8 +59,10 @@ public class TenantAssignUserAccessIdHandler extends TenantHandler {
// `s3 getsecret` and leak the secret if an admin isn't careful.
private String accessId;
+ // TODO: HDDS-6340. Add an option to print JSON result
+
private String getDefaultAccessId(String userPrincipal) {
- return tenantId + TENANT_NAME_USER_NAME_DELIMITER + userPrincipal;
+ return tenantId + TENANT_ID_USERNAME_DELIMITER + userPrincipal;
}
@Override
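Review bot: `getDefaultAccessId` builds the accessId by plain concatenation of `tenantId`, the delimiter and `userPrincipal`, with no check that either part is free of the delimiter itself; if a principal or tenant ID may contain that character, two different (tenant, user) pairs can map to the same accessId, and the comment just above this hunk notes that an accessId is what `s3 getsecret` hands a secret out for. The rename of the constant does not change this. Unless the OM side already rejects such inputs (not visible here), a guard in the handler would be cheap: `if (userPrincipal.contains(TENANT_ID_USERNAME_DELIMITER)) { throw new IllegalArgumentException("User principal must not contain '" + TENANT_ID_USERNAME_DELIMITER + "'"); }`. The `execute` method that consumes this default lies outside the hunk.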
diff --git a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantBucketLinkHandler.java b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantBucketLinkHandler.java
index 5d1d5d4..11a7972 100644
--- a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantBucketLinkHandler.java
+++ b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantBucketLinkHandler.java
@@ -51,6 +51,8 @@ public class TenantBucketLinkHandler extends TenantHandler {
converter = BucketUri.class)
private OzoneAddress target;
+ // TODO: HDDS-6340. Add an option to print JSON result
+
@Override
protected void execute(OzoneClient client, OzoneAddress address)
throws IOException {
diff --git a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantCreateHandler.java b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantCreateHandler.java
index 486b680..a550bf9 100644
--- a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantCreateHandler.java
+++ b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantCreateHandler.java
@@ -28,18 +28,20 @@ import java.io.IOException;
*/
@CommandLine.Command(name = "create",
description = "Create a tenant."
- + " This will also create a new Ozone volume for the tenant.")
+ + " This can create a new Ozone volume for the tenant.")
public class TenantCreateHandler extends TenantHandler {
@CommandLine.Parameters(description = "Tenant name", arity = "1..1")
private String tenantId;
+ // TODO: HDDS-6340. Add an option to print JSON result
+
@Override
protected void execute(OzoneClient client, OzoneAddress address)
throws IOException {
try {
client.getObjectStore().createTenant(tenantId);
- // TODO: Add return value and print volume name?
+ // Note: RpcClient#createTenant prints volume name in info level LOG
out().println("Created tenant '" + tenantId + "'.");
} catch (IOException e) {
// Throw exception to make client exit code non-zero
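Review bot: The new command description "This can create a new Ozone volume for the tenant" tells the operator neither when a volume is created nor what it is called, and the replacement comment says the name is only emitted by `RpcClient#createTenant` at INFO level, which a shell user running with default logging may never see. For an operation that provisions a namespace, the CLI output itself should carry that information; either extend the description to state the condition (presumably: only when no volume for this tenant exists yet — confirm against the OM request handler) or, once `createTenant` returns the volume name, print it alongside `Created tenant '…'`. As a minimum, reword the description to `"Create a tenant. A new Ozone volume is created for the tenant unless one already exists."` only if that matches the server behaviour.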
diff --git a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantDeleteHandler.java b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantDeleteHandler.java
index c14767f..0248578 100644
--- a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantDeleteHandler.java
+++ b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantDeleteHandler.java
@@ -35,6 +35,8 @@ public class TenantDeleteHandler extends TenantHandler {
@CommandLine.Parameters(description = "Tenant name", arity = "1..1")
private String tenantId;
+ // TODO: HDDS-6340. Add an option to print JSON result
+
@Override
protected void execute(OzoneClient client, OzoneAddress address)
throws IOException {
diff --git a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantGetSecretHandler.java b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantGetSecretHandler.java
index e1a6f15..a700cdf 100644
--- a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantGetSecretHandler.java
+++ b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantGetSecretHandler.java
@@ -28,7 +28,7 @@ import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
-import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.ACCESSID_NOT_FOUND;
+import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.ACCESS_ID_NOT_FOUND;
/**
* ozone tenant user get-secret.
@@ -66,7 +66,7 @@ public class TenantGetSecretHandler extends TenantHandler {
out().println(accessIdSecretKeyPair);
}
} catch (OMException omEx) {
- if (omEx.getResult().equals(ACCESSID_NOT_FOUND)) {
+ if (omEx.getResult().equals(ACCESS_ID_NOT_FOUND)) {
// Print to stderr here in order not to contaminate stdout just in
// case -e is specified.
err().println("AccessId '" + accessId + "' doesn't exist");
diff --git a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantHandler.java b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantHandler.java
index a76ab74..e5a7a1e 100644
--- a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantHandler.java
+++ b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantHandler.java
@@ -36,6 +36,8 @@ public abstract class TenantHandler extends Handler {
" cluster")
private String omServiceID;
+ // TODO: HDDS-6340. Add an option to print JSON result
+
public String getOmServiceID() {
return omServiceID;
}
diff --git a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantListHandler.java b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantListHandler.java
index 45f6ccf..51d4fc1 100644
--- a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantListHandler.java
+++ b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantListHandler.java
@@ -33,14 +33,6 @@ import java.io.IOException;
description = "List tenants")
public class TenantListHandler extends TenantHandler {
-// @CommandLine.Mixin
-// private ListOptions listOptions;
-
-// @CommandLine.Option(names = {"--json", "-j"},
-// description = "Print the result in JSON.")
-// private boolean printJson;
-
- // TODO: long == json later.
@CommandLine.Option(names = {"--long"},
// Not using -l here as it potentially collides with -l inside ListOptions
// if we do need pagination at some point.
@@ -51,6 +43,11 @@ public class TenantListHandler extends TenantHandler {
description = "Print header")
private boolean printHeader;
+ // TODO: HDDS-6340. Add an option to print JSON result
+// @CommandLine.Option(names = {"--json", "-j"},
+// description = "Print the result in JSON.")
+// private boolean printJson;
+
@Override
protected void execute(OzoneClient client, OzoneAddress address) {
final ObjectStore objStore = client.getObjectStore();
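Review bot: The three commented-out `--json` option lines kept under the new `TODO: HDDS-6340` comment are dead code that the TODO already describes; they should be deleted rather than moved. The same TODO is now repeated in nearly every tenant subcommand, and since all of them except `TenantListUsersHandler` extend `TenantHandler`, a single picocli `@CommandLine.Mixin` (or the option on the base class) would let HDDS-6340 add JSON output once instead of per handler; a one-line pointer to that in `TenantHandler` would replace the per-class TODOs. `execute` continues past the end of this hunk.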
@@ -62,11 +59,9 @@ public class TenantListHandler extends TenantHandler {
out().format(longFormat ? "%-17s" : "%s%n",
"Tenant");
if (longFormat) {
- // TODO: rename these fields?
- // TODO: print JSON by default after rebase.
out().format("%-17s%-17s%-17s%s%n",
"BucketNS",
- "AccountNS", // == Volume name IIRC ?
+ "AccountNS",
"UserPolicy",
"BucketPolicy");
}
@@ -74,7 +69,7 @@ public class TenantListHandler extends TenantHandler {
tenantInfoList.getTenantInfoList().forEach(tenantInfo -> {
out().format(longFormat ? "%-17s" : "%s%n",
- tenantInfo.getTenantName());
+ tenantInfo.getTenantId());
if (longFormat) {
out().format("%-17s%-17s%-17s%s%n",
tenantInfo.getBucketNamespaceName(),
diff --git a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantListUsersHandler.java b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantListUsersHandler.java
index abe52e9..8b86f0d 100644
--- a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantListUsersHandler.java
+++ b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantListUsersHandler.java
@@ -48,6 +48,8 @@ public class TenantListUsersHandler extends S3Handler {
description = "Filter users with this prefix.")
private String prefix;
+ // TODO: HDDS-6340. Add an option to print JSON result
+
@Override
protected void execute(OzoneClient client, OzoneAddress address) {
final ObjectStore objStore = client.getObjectStore();
@@ -60,7 +62,7 @@ public class TenantListUsersHandler extends S3Handler {
TenantUserList usersInTenant =
objStore.listUsersInTenant(tenantId, prefix);
for (TenantUserAccessId accessIdInfo : usersInTenant.getUserAccessIds()) {
- out().println("- User '" + accessIdInfo.getUser() +
+ out().println("- User '" + accessIdInfo.getUserPrincipal() +
"' with accessId '" + accessIdInfo.getAccessId() + "'");
}
} catch (IOException e) {
diff --git a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantModifyHandler.java b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantModifyHandler.java
deleted file mode 100644
index a3f1877..0000000
--- a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantModifyHandler.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.ozone.shell.tenant;
-
-import org.apache.hadoop.ozone.client.OzoneClient;
-import org.apache.hadoop.ozone.shell.OzoneAddress;
-import picocli.CommandLine;
-
-/**
- * ozone s3 tenant modify.
- */
-@CommandLine.Command(name = "modify",
- description = "Modify a tenant")
-public class TenantModifyHandler extends TenantHandler {
-
- @Override
- protected void execute(OzoneClient client, OzoneAddress address) {
- out().println("Not Implemented.");
- }
-}
diff --git a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantRevokeAdminHandler.java b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantRevokeAdminHandler.java
index d318c06..40ce594 100644
--- a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantRevokeAdminHandler.java
+++ b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantRevokeAdminHandler.java
@@ -44,13 +44,15 @@ public class TenantRevokeAdminHandler extends TenantHandler {
description = "Tenant name")
private String tenantId;
+ // TODO: HDDS-6340. Add an option to print JSON result
+
@Override
protected void execute(OzoneClient client, OzoneAddress address) {
final ObjectStore objStore = client.getObjectStore();
for (final String accessId : accessIds) {
try {
- // TODO: Make tenantRevokeAdmin return accessId, tenantName, user later.
+ // TODO: Make tenantRevokeAdmin return accessId, tenantId, user later.
objStore.tenantRevokeAdmin(accessId, tenantId);
err().println("Revoked admin role of '" + accessId +
(tenantId != null ? "' from tenant '" + tenantId + "'" : ""));
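Review bot: The success message on the last two lines of this hunk is unbalanced when `tenantId` is null: the closing quote after `accessId` is only emitted inside the `tenantId != null` branch, so the output becomes `Revoked admin role of 'foo` with no closing quote, unlike the equivalent message in `TenantAssignAdminHandler`, which closes the quote unconditionally. Suggested fix: `err().println("Revoked admin role of '" + accessId + "'" + (tenantId != null ? " from tenant '" + tenantId + "'" : ""));`. The comment rename in this hunk does not touch it, and the `catch` that follows lies outside the hunk.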
diff --git a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantRevokeUserAccessIdHandler.java b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantRevokeUserAccessIdHandler.java
index 66f2f8f..008a64c 100644
--- a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantRevokeUserAccessIdHandler.java
+++ b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantRevokeUserAccessIdHandler.java
@@ -39,6 +39,8 @@ public class TenantRevokeUserAccessIdHandler extends TenantHandler {
@CommandLine.Parameters(description = "List of user accessIds", arity = "1..")
private List<String> accessIds = new ArrayList<>();
+ // TODO: HDDS-6340. Add an option to print JSON result
+
@Override
protected void execute(OzoneClient client, OzoneAddress address) {
final ObjectStore objStore = client.getObjectStore();
diff --git a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantSetSecretHandler.java b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantSetSecretHandler.java
index 9c3e9ff..cec5373 100644
--- a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantSetSecretHandler.java
+++ b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantSetSecretHandler.java
@@ -26,7 +26,7 @@ import picocli.CommandLine;
import java.io.IOException;
-import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.ACCESSID_NOT_FOUND;
+import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.ACCESS_ID_NOT_FOUND;
/**
* ozone tenant user set-secret.
@@ -65,7 +65,7 @@ public class TenantSetSecretHandler extends TenantHandler {
out().println(accessIdSecretKeyPair);
}
} catch (OMException omEx) {
- if (omEx.getResult().equals(ACCESSID_NOT_FOUND)) {
+ if (omEx.getResult().equals(ACCESS_ID_NOT_FOUND)) {
// Print to stderr here in order not to contaminate stdout just in
// case -e is specified.
throw new IOException("AccessId '" + accessId + "' doesn't exist",
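Review bot: The comment "Print to stderr here in order not to contaminate stdout" no longer describes the code beneath it: on `ACCESS_ID_NOT_FOUND` this handler throws an `IOException`, while `TenantGetSecretHandler` in this same commit prints the message to stderr and continues. Either behaviour is defensible for an admin tool, but the two handlers should agree and the comment should match; if throwing is intended, replace it with `// Rethrow as IOException so the command exits non-zero (as in TenantCreateHandler)`. The surrounding `catch` block ends outside the hunk.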
diff --git a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantShell.java b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantShell.java
index 2ca9cd6..42c60fb 100644
--- a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantShell.java
+++ b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/shell/tenant/TenantShell.java
@@ -30,7 +30,6 @@ import java.util.function.Supplier;
description = "Shell for multi-tenant specific operations",
subcommands = {
TenantCreateHandler.class,
- TenantModifyHandler.class,
TenantDeleteHandler.class,
TenantListHandler.class,
TenantUserCommands.class,