
HDDS-5645. Chroot S3 requests for a tenant to their corresponding volume. #2697

Merged
merged 23 commits into apache:HDDS-4944 on Oct 13, 2021

Conversation


@errose28 errose28 commented Sep 30, 2021

What changes were proposed in this pull request?

  • Direct requests from the S3 gateway to the corresponding Ozone volume, based on the tenant corresponding to the given access ID.
  • Refactor usages of access ID/user principal/group principal to better reflect which is required for each method call.
    • The OMMultitenantPrincipal class has been removed.
    • When an access ID is required, it is passed as a String.
    • When a user's Kerberos principal is required, it is passed as a BasicUserPrincipal instance.
    • Ranger group principals derive from the new OzoneTenantGroupPrincipal class.
      • OzoneTenantAdminGroup represents the admins of a tenant.
      • OzoneTenantUserGroup represents the users in a tenant.

What is the link to the Apache JIRA

HDDS-5645

How was this patch tested?

  • Integration test for object store added.
  • Manual testing with s3 gateway

TODO

  • Determine best way to retrieve access ID from s3 gateway.

    • The ideal solution will be to pass the access ID from s3g to OM in the transport layer using the changes in HDDS-4440.
    • Until HDDS-4440 is merged, a workaround is used where the ObjectStore is aware of the access ID and passes it to the OM when querying which volume to direct S3 requests to.
  • Fix integration issues observed when manually testing in ozonesecure docker cluster.

    • Issue was caused by interaction of assign user to tenant with the mock ranger server. These things will be handled in follow up issues but are not related to these changes.

Tenant's bucket is still created in the s3v volume incorrectly.
* HDDS-4944: (81 commits)
  HDDS-5750. [Multi-Tenant] GetS3Secret should retrieve secret from new tables as well (apache#2649)
  HDDS-5476. [Multi-Tenant] Support Ozone s3 authentication with arbitrary accessId that is not same as the kerberos ID (apache#2635)
  HDDS-5770. Silent failures of k3s install are difficult to debug (apache#2667)
  HDDS-5759. Bump aspectj version (apache#2658)
  HDDS-5773. Avoid code duplication for mini cluster without datanodes (apache#2669)
  HDDS-5691. Restrict Recon NSSummaryEndpoint and ContainerEndpoint to admins. (apache#2638)
  HDDS-5771. Speed up TestDatanodeHddsVolumeFailureToleration by reducing dead interval (apache#2668)
  HDDS-5767. Unit check may timeout (apache#2664)
  HDDS-5765. Test cluster provider possibly returns null (apache#2663)
  HDDS-5768. Skip safemode check in TestOzoneManagerRocksDBLogging (apache#2665)
  HDDS-5766. Speed up some OM tests by skipping SCM safemode check (apache#2662)
  HDDS-5761. should not shutdown om when setting a bigger bucket quota  than volume quota (apache#2659)
  HDDS-5758. Speed up TestKeyInputStream and TestChunkInputStream by combining some tests (apache#2656)
  HDDS-5607. remove container manager v1 code (apache#2525)
  HDDS-5753. Split parts of misc suite (apache#2654)
  HDDS-5751. Use Mini Cluster Provider to speed up TestHDDSUpgrade (apache#2650)
  HDDS-5728. ContainerBalancer should use remaining space to calculate utilization. (apache#2625)
  HDDS-5402 Support list node based on NodeOperationalState and NodeState options in printTopology CLI (apache#2645)
  HDDS-5749. Reuse mini-clusters in TestOzoneFsHAURLs (apache#2647)
  HDDS-5717. Refactor TestOzoneManagerListVolumes to reuse mini-ozone clusters (apache#2615)
  ...
Still need to fix access ID having the tenant added to the beginning.
* HDDS-5645-refactor-principal:
  Refactor to remove principal and pass in access ID
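The access-ID-to-volume lookup that the PR description above refers to, as an added example that is not Ozone's own code. The class, the `tenant$user` form of the access IDs and the two tables are assumptions; a real Ozone Manager reads them from its own tables. What the example shows is the security property the change is after: a request authenticated with a tenant's access ID is confined to that tenant's volume, only access IDs that belong to no tenant fall back to the shared `s3v` volume, and a bucket name cannot be used to escape into another volume.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

/**
 * Hypothetical OM-side resolver (added example, not Ozone code):
 * access ID -> tenant -> volume, with every S3 bucket confined to the
 * resolved volume.
 */
public final class TenantVolumeResolver {

  /** Shared volume for S3 access IDs that are not assigned to any tenant. */
  public static final String DEFAULT_S3_VOLUME = "s3v";

  private final Map<String, String> accessIdToTenant;
  private final Map<String, String> tenantToVolume;

  public TenantVolumeResolver(Map<String, String> accessIdToTenant,
                              Map<String, String> tenantToVolume) {
    this.accessIdToTenant =
        Collections.unmodifiableMap(new HashMap<>(accessIdToTenant));
    this.tenantToVolume =
        Collections.unmodifiableMap(new HashMap<>(tenantToVolume));
  }

  /** Volume that a request authenticated with {@code accessId} is chrooted to. */
  public String resolveVolume(String accessId) {
    Objects.requireNonNull(accessId, "accessId");
    String tenant = accessIdToTenant.get(accessId);
    if (tenant == null) {
      return DEFAULT_S3_VOLUME; // not a tenant access ID: shared volume
    }
    String volume = tenantToVolume.get(tenant);
    if (volume == null) {
      // A tenant without a volume is a configuration error. Do not fall back
      // to s3v here, or the tenant's buckets would silently land in the
      // shared volume.
      throw new IllegalStateException("tenant " + tenant + " has no volume");
    }
    return volume;
  }

  /**
   * Ozone path for an S3 bucket. The bucket name is validated so that it
   * cannot contain a '/' and thereby name a volume other than the resolved one.
   */
  public String bucketPath(String accessId, String s3Bucket) {
    if (s3Bucket == null || s3Bucket.isEmpty() || s3Bucket.indexOf('/') >= 0) {
      throw new IllegalArgumentException("invalid S3 bucket name: " + s3Bucket);
    }
    return "/" + resolveVolume(accessId) + "/" + s3Bucket;
  }

  public static void main(String[] args) {
    // Constructed sample tables; the tenant$user access ID form is an assumption.
    Map<String, String> accessIds = new HashMap<>();
    accessIds.put("tenant1$alice", "tenant1");
    accessIds.put("tenant2$bob", "tenant2");
    Map<String, String> volumes = new HashMap<>();
    volumes.put("tenant1", "tenant1");
    volumes.put("tenant2", "tenant2");
    TenantVolumeResolver r = new TenantVolumeResolver(accessIds, volumes);

    System.out.println(r.bucketPath("tenant1$alice", "data"));
    System.out.println(r.bucketPath("tenant2$bob", "data"));
    System.out.println(r.bucketPath("legacy-user", "data"));

    // Isolation checks: the same bucket name from two tenants never collides,
    // and a tenant's bucket must never resolve into the shared volume.
    if (r.bucketPath("tenant1$alice", "data")
        .equals(r.bucketPath("tenant2$bob", "data"))) {
      throw new AssertionError("tenants share a bucket path");
    }
    if (r.resolveVolume("tenant1$alice").equals(DEFAULT_S3_VOLUME)) {
      throw new AssertionError("tenant bucket would be created in s3v");
    }
    try {
      r.bucketPath("tenant1$alice", "../tenant2/data");
      throw new AssertionError("bucket name containing '/' was accepted");
    } catch (IllegalArgumentException expected) {
      System.out.println("rejected: " + expected.getMessage());
    }
  }
}
```

The last check mirrors the "bucket is still created in the s3v volume" problem noted in the commit messages: once tenant access IDs exist, the shared volume is only correct for access IDs that map to no tenant, so a resolver should fail loudly rather than fall back when a tenant's volume is missing.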
@errose28 errose28 marked this pull request as draft September 30, 2021 20:33
@errose28 errose28 marked this pull request as ready for review October 6, 2021 22:27
@prashantpogde prashantpogde left a comment

LGTM

@avijayanhwx

@errose28 Can you take a look at the failing Unit tests? The failures seem related.

@errose28

Yes failing cases need some mocks updated since I changed the internals a bit. Will get them fixed soon.

@errose28

All tests in the s3gateway module are passing locally now.

Change-Id: Idb3db398ce74b2685943e8bda15402d7bf5b0e0f
@errose28 errose28 merged commit 7d63fe2 into apache:HDDS-4944 Oct 13, 2021
@errose28

Thanks for reviews @avijayanhwx @prashantpogde
