errose28 opened a new pull request #2805:
URL: https://github.com/apache/ozone/pull/2805


   ## What changes were proposed in this pull request?
   
   Since more work is required before the Ranger client meets our use case, 
this PR defines a common interface for Ranger interaction that will be 
implemented by both the Ranger REST API and Ranger client when it is ready. 
This PR defines the interface and moves the REST API implementation under it. 
The REST API implementation will be used for testing but is not intended to be 
used in the final version of the multi-tenancy feature.
   
   The existing REST implementation and interface have been left for 
compatibility until requests are moved to use this new interface. The interface 
has been greatly simplified compared to the original, since we now have a much 
better idea of the operations we need from Ranger. To simplify testing and 
implementation, this interface aims to implement only the features we need for 
multi-tenancy, but be extensible if more Ranger features are required in the 
future.
   
   ## What is the link to the Apache JIRA
   
   HDDS-5942
   
   ## How was this patch tested?
   
   Tested manually against a real Ranger instance.
   
   ## Example Usage
   
   ```java
   // conf.set() returns void, so the configuration must be created first and then populated.
   OzoneConfiguration conf = new OzoneConfiguration();
   conf.set(OZONE_RANGER_HTTPS_ADDRESS_KEY, "https://ranger:6182");
   // These configs will be removed when the Ranger client implementation is ready.
   conf.set(OZONE_OM_RANGER_HTTPS_ADMIN_API_USER, "user");
   conf.set(OZONE_OM_RANGER_HTTPS_ADMIN_API_PASSWD, "password");
   conf.set(OZONE_OM_RANGER_SERVICE, "ozone");
   
   MultiTenantAccessController controller = new RangerRestMultiTenantAccessController(conf);
   Role role = new Role("role1");
   role.addUser(new BasicUserPrincipal("user1"));
   role.setDescription("role1 description");
   // Creates the role in Ranger.
   long roleID = controller.createRole(role);
   
   // Modifies the users in an existing role.
   controller.addUsersToRole(roleID, new BasicUserPrincipal("user2"), new BasicUserPrincipal("user3"));
   controller.removeUsersFromRole(roleID, new BasicUserPrincipal("user2"));
   
   // For Ozone, a valid policy must specify at least one volume.
   Policy policy1 = new Policy("policy1", "volume1");
   policy1.addVolume("volume2");
   policy1.addBuckets("bucket1", "bucket2");
   policy1.addKey("*");
   policy1.setDescription("policy1 description");
   // Adds ACL to the role created above.
   policy1.addRoleAcls("role1", Acl.allow(IAccessAuthorizer.ACLType.READ_ACL));
   // Creates a new role with this ACL when this policy is created.
   policy1.addRoleAcls("role2", Acl.deny(IAccessAuthorizer.ACLType.DELETE));
   // Creates the policy in Ranger.
   controller.createPolicy(policy1);
   // Disables the policy in Ranger.
   controller.disablePolicy(policy1);
   ```
   
   ## Known Issues
   
   Creating a deny ACL (`"isAllowed": false` in the json) as part of policy 
creation causes a 400 error from Ranger. Not sure if this is an issue with the 
request or a Ranger bug, since setting the value to `true` does not cause an 
issue. If deny ACLs are needed for multi-tenancy testing we can investigate 
further.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
