Feature branch HDDS-4944 was merged to master on May 29.
Git branch: https://github.com/apache/ozone/tree/HDDS-4944
Compare: https://github.com/apache/ozone/compare/master...HDDS-4944
For a quick intro to the S3 multi-tenancy feature, here is an excerpt from the documentation:
...
For more, please check out the full documentation. The doc has a feature overview, setup guide, CLI guide and access control guide (best viewed locally rendered using the `hugo serve` command under `./hadoop-hdds/docs/`, as it is not published to the website yet).
...
Requirements to enable S3 multi-tenancy:
- Use Apache Ranger
- Ozone security is enabled and uses Kerberos authentication
To enable multi-tenancy (with Ranger Basic HTTP authentication), in addition to the requirements above, the following configs need to be added to Ozone Manager's `ozone-site.xml`, as documented here in the doc as well:
```xml
<property>
  <name>ozone.om.multitenancy.enabled</name>
  <value>true</value>
</property>
<property>
  <name>ozone.om.ranger.https-address</name>
  <value>https://RANGER_HOST:6182</value>
</property>
<property>
  <name>ozone.om.ranger.https.admin.api.user</name>
  <value>RANGER_ADMIN_USERNAME</value>
</property>
<property>
  <name>ozone.om.ranger.https.admin.api.passwd</name>
  <value>RANGER_ADMIN_PASSWORD</value>
</property>
```
To enable multi-tenancy with Ranger Java client (pending Jira):
```xml
<property>
  <name>ozone.om.multitenancy.enabled</name>
  <value>true</value>
</property>
<property>
  <name>ozone.om.ranger.https-address</name>
  <value>https://RANGER_HOST:6182</value>
</property>
```
`ozone.om.kerberos.principal` and `ozone.om.kerberos.keytab.file` should have been configured already.
NOTE: The Ranger Java client patch is merged, but the authorizer implementation switch hasn't happened yet, partly because Ranger 2.3.0 hasn't been released. Therefore, as of now, only the Ranger Basic HTTP authentication approach can be used. A further patch will be done to complete the switch. Address config might be needed.
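A preflight check for the settings listed above, as an added example (not code from the Ozone project): it parses an `ozone-site.xml` and reports which of the page's keys are missing before the Ozone Manager is restarted. The `https://` scheme check, the function names and the sample XML are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample ozone-site.xml (placeholder values, not a real deployment).
SAMPLE = """<configuration>
  <property><name>ozone.om.multitenancy.enabled</name><value>true</value></property>
  <property><name>ozone.om.ranger.https-address</name><value>http://RANGER_HOST:6080</value></property>
  <property><name>ozone.om.ranger.https.admin.api.user</name><value>RANGER_ADMIN_USERNAME</value></property>
  <property><name>ozone.om.kerberos.principal</name><value>om/_HOST@EXAMPLE.COM</value></property>
</configuration>"""

BASIC_AUTH_KEYS = ("ozone.om.ranger.https.admin.api.user",
                   "ozone.om.ranger.https.admin.api.passwd")
KERBEROS_KEYS = ("ozone.om.kerberos.principal", "ozone.om.kerberos.keytab.file")


def load_props(xml_text):
    """Return {name: value} for every <property> in an ozone-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def check_multitenancy(props, basic_auth=True):
    """List problems with the multi-tenancy settings described on this page."""
    if props.get("ozone.om.multitenancy.enabled", "").lower() != "true":
        return ["ozone.om.multitenancy.enabled is not true; feature is off"]
    problems = []
    addr = props.get("ozone.om.ranger.https-address", "")
    if not addr:
        problems.append("missing ozone.om.ranger.https-address")
    elif not addr.lower().startswith("https://"):
        # Assumption of this example: Basic auth credentials should only go over TLS.
        problems.append("ozone.om.ranger.https-address is not an https:// URL")
    # The Basic HTTP approach additionally needs the Ranger admin user and password.
    required = KERBEROS_KEYS + (BASIC_AUTH_KEYS if basic_auth else ())
    for key in required:
        if not props.get(key):
            problems.append("missing " + key)
    return problems


if __name__ == "__main__":
    for line in check_multitenancy(load_props(SAMPLE)):
        print("PROBLEM:", line)
```

With the Basic HTTP approach the Ranger admin password sits in `ozone-site.xml` in clear text, so the file should be readable only by the account that runs the Ozone Manager.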
1. builds/intermittent test failures
...