Feature branch HDDS-4944 has been merged to master on May 29.


Git branch: https://github.com/apache/ozone/tree/HDDS-4944

Compare: https://github.com/apache/ozone/compare/master...HDDS-4944


For a quick intro to the S3 multi-tenancy feature, here is an excerpt from the documentation:

Before Ozone multi-tenancy, all S3 access to Ozone (via S3 Gateway) was
confined to a single designated S3 volume (that is volume `s3v`, by default).

Ozone multi-tenancy allows multiple S3-accessible volumes to be created.
Each volume can be managed separately by its own tenant admins: via CLI for user operations, and via Apache Ranger for access control.

For more, please check out the full documentation. The doc has a feature overview, setup guide, CLI guide and access control guide (best viewed rendered locally with the `hugo serve` command under ./hadoop-hdds/docs/, as it is not published to the website yet).


Requirements to enable S3 multi-tenancy:

  1. Use Apache Ranger
  2. Enable Ozone security and use Kerberos authentication


Currently, to use multi-tenancy (with Ranger Basic HTTP authentication), in addition to the requirements above, the following configs need to be added to Ozone Manager's ozone-site.xml, as documented in the doc as well:

```xml
<property>
   <name>ozone.om.multitenancy.enabled</name>
   <value>true</value>
</property>
<property>
   <name>ozone.om.ranger.https-address</name>
   <value>https://RANGER_HOST:6182</value>
</property>
<property>
   <name>ozone.om.ranger.https.admin.api.user</name>
   <value>RANGER_ADMIN_USERNAME</value>
</property>
<property>
   <name>ozone.om.ranger.https.admin.api.passwd</name>
   <value>RANGER_ADMIN_PASSWORD</value>
</property>
```


To enable multi-tenancy with the Ranger Java client (pending HDDS-5836 merge), a clear text Ranger admin user name and password will no longer be necessary. Rather, the Ranger Java client (re)uses the existing OM Kerberos principal and keytab config when Ozone security is enabled with Kerberos auth. Therefore, only two extra config keys are necessary to enable the feature:

```xml
<property>
   <name>ozone.om.multitenancy.enabled</name>
   <value>true</value>
</property>
<property>
   <name>ozone.om.ranger.https-address</name>
   <value>https://RANGER_HOST:6182</value>
</property>
```

`ozone.om.kerberos.principal` and `ozone.om.kerberos.keytab.file` should have been configured already.
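The two config blocks above differ in one security-relevant way: the Basic HTTP approach keeps a clear text Ranger admin password in ozone-site.xml, while the Ranger Java client approach relies on the OM Kerberos principal and keytab instead. The following script is an added example (not part of Ozone or its docs) that parses a Hadoop-style site file and reports which mode it describes, which of the keys named on this page are missing, and whether a placeholder or clear text password is still present. The two sample configs inside it are constructed for illustration.

```python
"""Lint an ozone-site.xml for the S3 multi-tenancy keys discussed on this page.

Added example, not Ozone project code. Parses Hadoop-style <property> XML and
classifies the config as "disabled", "basic-http" (clear text Ranger admin
credentials), "kerberos-client" (OM principal/keytab reused by the Ranger
Java client) or "incomplete". Sample XML below is constructed.
"""
import xml.etree.ElementTree as ET

# Config keys exactly as they appear on the page.
KEY_ENABLED = "ozone.om.multitenancy.enabled"
KEY_RANGER_ADDR = "ozone.om.ranger.https-address"
KEY_RANGER_USER = "ozone.om.ranger.https.admin.api.user"
KEY_RANGER_PASSWD = "ozone.om.ranger.https.admin.api.passwd"
KEY_KRB_PRINCIPAL = "ozone.om.kerberos.principal"
KEY_KRB_KEYTAB = "ozone.om.kerberos.keytab.file"

# Constructed sample: Basic HTTP mode with the page's placeholders left in.
BASIC_HTTP_SITE = """<configuration>
<property><name>ozone.om.multitenancy.enabled</name><value>true</value></property>
<property><name>ozone.om.ranger.https-address</name><value>https://RANGER_HOST:6182</value></property>
<property><name>ozone.om.ranger.https.admin.api.user</name><value>RANGER_ADMIN_USERNAME</value></property>
<property><name>ozone.om.ranger.https.admin.api.passwd</name><value>RANGER_ADMIN_PASSWORD</value></property>
</configuration>"""

# Constructed sample: Ranger Java client mode, no admin credentials in the file.
KERBEROS_SITE = """<configuration>
<property><name>ozone.om.multitenancy.enabled</name><value>true</value></property>
<property><name>ozone.om.ranger.https-address</name><value>https://ranger.example.test:6182</value></property>
<property><name>ozone.om.kerberos.principal</name><value>om/_HOST@EXAMPLE.TEST</value></property>
<property><name>ozone.om.kerberos.keytab.file</name><value>/etc/security/keytabs/om.keytab</value></property>
</configuration>"""


def parse_site_xml(xml_text: str) -> dict:
    """Return {name: value} for every <property> element in a site file."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def lint_multitenancy(props: dict) -> dict:
    """Classify the multi-tenancy setup and collect findings about it."""
    findings = []
    if props.get(KEY_ENABLED, "false").lower() != "true":
        return {"mode": "disabled", "findings": findings}

    addr = props.get(KEY_RANGER_ADDR, "")
    if not addr:
        findings.append(f"missing {KEY_RANGER_ADDR}")
    elif not addr.startswith("https://"):
        # The key is named https-address; a plain http URL would carry the
        # Basic HTTP admin credentials to Ranger without TLS.
        findings.append(f"{KEY_RANGER_ADDR} is not an https:// URL: {addr}")

    has_basic = KEY_RANGER_USER in props and KEY_RANGER_PASSWD in props
    has_krb = KEY_KRB_PRINCIPAL in props and KEY_KRB_KEYTAB in props

    if has_basic:
        mode = "basic-http"
        findings.append(f"{KEY_RANGER_PASSWD} holds a clear text Ranger admin "
                        "password; restrict read access to ozone-site.xml")
        if props[KEY_RANGER_PASSWD] in ("", "RANGER_ADMIN_PASSWORD"):
            findings.append(f"{KEY_RANGER_PASSWD} is empty or still the placeholder")
    elif has_krb:
        mode = "kerberos-client"
    else:
        mode = "incomplete"
        findings.append("neither Ranger admin credentials nor OM Kerberos "
                        "principal/keytab are configured")
    return {"mode": mode, "findings": findings}


if __name__ == "__main__":
    for label, xml_text in (("basic", BASIC_HTTP_SITE), ("kerberos", KERBEROS_SITE)):
        result = lint_multitenancy(parse_site_xml(xml_text))
        print(label, result["mode"], *result["findings"], sep="\n  ")
```

Run it against a real ozone-site.xml by reading the file into `parse_site_xml`; the "kerberos-client" classification only says the keys are present, it does not verify that the keytab is readable by the OM user or that the principal matches the Kerberos realm.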

NOTE: The Ranger Java client patch is merged, BUT the authorizer implementation switch hasn't happened yet, partially because Ranger 2.3.0 hasn't been released. Therefore, as of now the feature can only use the Ranger Basic HTTP authentication approach. A further patch will be done to complete the switch.


1. builds/intermittent test failures

...