Feature branch HDDS-4944 has been merged to master on May 29.
Git branch: https://github.com/apache/ozone/tree/HDDS-4944
Changeset (compare): https://github.com/apache/ozone/compare/master...HDDS-4944
For a quick intro to the S3 multi-tenancy feature, here is an excerpt from the documentation:
Before Ozone multi-tenancy, all S3 access to Ozone (via S3 Gateway) is confined to a single designated S3 volume (that is volume `s3v`, by default).
Ozone multi-tenancy allows multiple S3-accessible volumes to be created. Each volume can be managed separately by its own tenant admins via CLI for user operations, and via Apache Ranger for access control.
For more, please check out the full documentation. The doc has a feature overview, setup guide, CLI guide and access control guide (best viewed locally rendered, using the `hugo serve` command under `./hadoop-hdds/docs/`, as it is not published to the website yet).
Requirements to enable S3 multi-tenancy:
- Use Apache Ranger
- Enable Ozone security and use Kerberos authentication
To enable multi-tenancy (with Ranger Basic HTTP authentication), in addition to the requirements above, the following configs need to be added to Ozone Manager's `ozone-site.xml`, as documented in the doc as well:
```xml
<property>
  <name>ozone.om.multitenancy.enabled</name>
  <value>true</value>
</property>
<property>
  <name>ozone.om.ranger.https-address</name>
  <value>https://RANGER_HOST:6182</value>
</property>
<property>
  <name>ozone.om.ranger.https.admin.api.user</name>
  <value>RANGER_ADMIN_USERNAME</value>
</property>
<property>
  <name>ozone.om.ranger.https.admin.api.passwd</name>
  <value>RANGER_ADMIN_PASSWORD</value>
</property>
```
To enable multi-tenancy with Ranger Java client (pending Jira):
```xml
<property>
  <name>ozone.om.multitenancy.enabled</name>
  <value>true</value>
</property>
<property>
  <name>ozone.om.ranger.https-address</name>
  <value>https://RANGER_HOST:6182</value>
</property>
```
`ozone.om.kerberos.principal` and `ozone.om.kerberos.keytab.file` should have been configured already.
NOTE: The Ranger Java client patch is merged, but the authorizer implementation switch hasn't happened, partially because Ranger 2.3.0 hasn't been released yet. Therefore, as of now, only the Ranger Basic HTTP authentication approach can be used. A further patch will be done to complete the switch.
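The requirements and config keys above can be checked before restarting Ozone Manager. The following is an added example, not code from the Ozone project: a small linter over `ozone-site.xml` content that also flags the plaintext Ranger admin password the Basic HTTP approach leaves in the file. The function names and the sample config are assumptions made for illustration, and `ozone.security.enabled` is the standard Ozone security switch, which this page does not list.

```python
import xml.etree.ElementTree as ET

PREFIX = "ozone.om.ranger.https"
BASIC_AUTH_KEYS = (PREFIX + ".admin.api.user", PREFIX + ".admin.api.passwd")
KERBEROS_KEYS = ("ozone.om.kerberos.principal", "ozone.om.kerberos.keytab.file")

# Constructed sample: the page's Basic HTTP snippet with its placeholder values,
# wrapped in <configuration>; security and Kerberos settings are left out.
SAMPLE = """<configuration>
  <property><name>ozone.om.multitenancy.enabled</name><value>true</value></property>
  <property><name>ozone.om.ranger.https-address</name><value>https://RANGER_HOST:6182</value></property>
  <property><name>ozone.om.ranger.https.admin.api.user</name><value>RANGER_ADMIN_USERNAME</value></property>
  <property><name>ozone.om.ranger.https.admin.api.passwd</name><value>RANGER_ADMIN_PASSWORD</value></property>
</configuration>"""


def load_properties(xml_text):
    """Parse Hadoop-style <property> elements into a name -> value dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def check_multitenancy(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    props = load_properties(xml_text)
    findings = []
    if props.get("ozone.om.multitenancy.enabled", "").lower() != "true":
        findings.append("multi-tenancy is not enabled")
    if props.get("ozone.security.enabled", "").lower() != "true":
        findings.append("Ozone security is not enabled")
    for key in KERBEROS_KEYS:  # Kerberos is a stated requirement
        if not props.get(key):
            findings.append(f"missing {key}")
    if not props.get(PREFIX + "-address", "").startswith("https://"):
        findings.append("Ranger address is missing or not HTTPS")
    present = [k for k in BASIC_AUTH_KEYS if props.get(k)]
    if len(present) == 1:  # a user without a password, or the reverse
        findings.append("Basic auth needs both admin user and password")
    if BASIC_AUTH_KEYS[1] in present:  # credential stored in clear text
        findings.append("plaintext Ranger admin password in config file")
    return findings


if __name__ == "__main__":
    print("\n".join(check_multitenancy(SAMPLE)))
```

A config that omits both Basic auth keys passes the credential checks, which matches the Ranger Java client variant shown above.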
1. builds/intermittent test failures
...