Feature branch HDDS-4944 has been merged to master on May 29.


Git branch: https://github.com/apache/ozone/tree/HDDS-4944

Compare: https://github.com/apache/ozone/compare/master...HDDS-4944


For a quick intro to the S3 multi-tenancy feature, here is an excerpt from the documentation:

...

For more, please check out the full documentation. The doc has a feature overview, setup guide, CLI command guide and Ranger access control guide (best viewed locally rendered using the hugo serve command under ./hadoop-hdds/docs/, as it is not published to the website yet).

...

Requirements to enable S3 multi-tenancy:

  1. Use Apache Ranger
  2. Enable Ozone security and use Kerberos authentication


To enable multi-tenancy (with Ranger Basic HTTP authentication), in addition to the requirements above, the following configs need to be added to Ozone Manager's ozone-site.xml, as documented here in the doc as well:

```xml
<property>
   <name>ozone.om.multitenancy.enabled</name>
   <value>true</value>
</property>
<property>
   <name>ozone.om.ranger.https-address</name>
   <value>https://RANGER_HOST:6182</value>
</property>
<property>
   <name>ozone.om.ranger.https.admin.api.user</name>
   <value>RANGER_ADMIN_USERNAME</value>
</property>
<property>
   <name>ozone.om.ranger.https.admin.api.passwd</name>
   <value>RANGER_ADMIN_PASSWORD</value>
</property>
```


With the Ranger Java client (HDDS-5836), the clear-text Ranger admin user name and password will no longer be necessary. Rather, the Ranger Java client (re)uses the existing OM Kerberos principal and keytab config that was set when enabling Ozone security with Kerberos auth. Therefore, only two extra config keys are necessary to enable the feature:

```xml
<property>
   <name>ozone.om.multitenancy.enabled</name>
   <value>true</value>
</property>
<property>
   <name>ozone.om.ranger.https-address</name>
   <value>https://RANGER_HOST:6182</value>
</property>
```

`ozone.om.kerberos.principal` and `ozone.om.kerberos.keytab.file` should have been configured already.

NOTE: The Ranger Java client patch is merged, but the authorizer implementation switch hasn't happened, partly because Ranger 2.3.0 hasn't been released yet. Therefore, as of now, only the Ranger Basic HTTP authentication approach can be used. A further patch will be done to complete the switch. ... address config might be needed.
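A pre-deployment check for the settings above, as an added example (not code from the Ozone project): it parses an ozone-site.xml document and reports missing requirements, a non-HTTPS Ranger address, a clear-text admin password and leftover template placeholders. The function names, the mode labels and the sample values are constructed for illustration, and the `<configuration>` root element is assumed from the usual Hadoop config layout.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ENABLED = "ozone.om.multitenancy.enabled"
RANGER_ADDR = "ozone.om.ranger.https-address"
BASIC_USER = "ozone.om.ranger.https.admin.api.user"
BASIC_PASS = "ozone.om.ranger.https.admin.api.passwd"
KERBEROS_KEYS = ("ozone.om.kerberos.principal", "ozone.om.kerberos.keytab.file")
PLACEHOLDERS = ("RANGER_HOST", "RANGER_ADMIN_USERNAME", "RANGER_ADMIN_PASSWORD")

# Constructed sample: Basic HTTP auth settings, plain-http address, no Kerberos keys.
SAMPLE = """<configuration>
<property><name>ozone.om.multitenancy.enabled</name><value>true</value></property>
<property><name>ozone.om.ranger.https-address</name><value>http://ranger.example.test:6080</value></property>
<property><name>ozone.om.ranger.https.admin.api.user</name><value>admin</value></property>
<property><name>ozone.om.ranger.https.admin.api.passwd</name><value>example-only</value></property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} for every <property> element in the document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(xml_text):
    """Return (ranger_auth_mode, findings) for the multi-tenancy settings."""
    props = load_props(xml_text)
    findings = []
    if props.get(ENABLED, "").lower() != "true":
        findings.append(f"{ENABLED} is not true")
    if urlparse(props.get(RANGER_ADDR, "")).scheme != "https":
        findings.append(f"{RANGER_ADDR} is missing or not https")
    for key in KERBEROS_KEYS:
        if not props.get(key):
            findings.append(f"{key} is not set (Kerberos is a requirement)")
    basic = props.get(BASIC_USER) or props.get(BASIC_PASS)
    mode = "basic-http" if basic else "kerberos-keytab"
    if props.get(BASIC_PASS):
        findings.append(f"{BASIC_PASS} holds a clear-text Ranger admin password")
    for key, value in props.items():
        if any(p in value for p in PLACEHOLDERS):
            findings.append(f"{key} still holds a template placeholder")
    return mode, findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

While the Basic HTTP approach is the only one available, the clear-text password finding is expected; treat it as a reminder to restrict read access to ozone-site.xml on the OM host.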


1. builds/intermittent test failures

...