<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Apache Ozone Documentation">
<title>Documentation for Apache Ozone</title>
<link href="../css/bootstrap.min.css" rel="stylesheet">
<link href="../css/ozonedoc.css" rel="stylesheet">
<link href="../swagger-resources/swagger-ui.css" rel="stylesheet">
</head>
<body>
<div class="wrapper">
<div class="container-fluid">
<div class="row">
<div class="col-sm-10 col-sm-offset-2 col-md-10 col-md-offset-2 main-content">
<div class="col-md-9">
<div class="col-md-9">
<h1>Access Control</h1>
<h3 id="ranger-policies">Ranger Policies</h3>
<p>When a tenant is created, Ozone will create a set of Ranger policies on the tenant&rsquo;s volume which allow the following:</p>
<ol>
<li>All users are able to create new buckets;</li>
<li>Only the bucket owner (i.e. the user that creates the bucket) and tenant admins can access the bucket content.
<ul>
<li>Note: Ozone admins typically have other Ranger policies that grant them full access to the cluster; if that is the case, they can access the buckets as well. It is still possible, though, to create new Ranger policies that explicitly deny them access to buckets.</li>
</ul>
</li>
</ol>
<p>The Ranger admin is responsible for manually adding new policies to grant or deny any other access pattern. For example:</p>
<ul>
<li>Allow all users in a tenant read-only access to a bucket.
<ul>
<li>Corresponding Ranger policy Allow Condition: <code>Roles = tenantName-UserRole, Permissions = READ,LIST</code></li>
</ul>
</li>
</ul>
<p>It is recommended to add new policies instead of editing the default tenant policies created by Ozone. <strong>DO NOT</strong> remove the <strong>Policy Label</strong> on those default tenant policies, or else the Ozone Manager might fail to sync with Ranger for those policies.</p>
<h3 id="ranger-roles">Ranger Roles</h3>
<p>These new Ranger policies would have the corresponding <strong>Ranger roles</strong> added in their <strong>Allow Conditions</strong>.</p>
<p>Namely, the <code>tenantName-UserRole</code> and <code>tenantName-AdminRole</code> Ranger roles are created when an Ozone administrator creates a tenant through the CLI.</p>
<p><code>tenantName-UserRole</code> contains a list of all user names that are assigned to this tenant.</p>
<p><code>tenantName-AdminRole</code> contains a list of all tenant admins that are assigned to this tenant.</p>
<p>Ranger roles are used mainly because they make user management within a tenant easier:</p>
<ol>
<li>When new users are assigned to a tenant, Ozone Manager simply adds the new user to <code>tenantName-UserRole</code> Ranger role.</li>
<li>When new tenant admins are assigned, Ozone Manager simply adds the user name to <code>tenantName-AdminRole</code> Ranger role. Delegated tenant admins will have the &ldquo;Role Admin&rdquo; checkbox checked, while non-delegated tenant admins won&rsquo;t.
<ul>
<li>Role admins of a Ranger role have the permission to edit that Ranger role.</li>
</ul>
</li>
<li>And because <code>tenantName-AdminRole</code> is the &ldquo;Role Admin&rdquo; of <code>tenantName-UserRole</code>, every user in <code>tenantName-AdminRole</code> automatically has the permission to add new users to the tenant. In other words, all tenant admins (whether delegated or not) have the permission to assign and revoke users in this tenant.</li>
</ol>
<ul>
<li><strong>DO NOT</strong> manually edit any Ranger roles created by Ozone. Any changes to them will be overwritten by the Ozone Manager&rsquo;s Ranger sync thread. Changes in tenant membership should be done using <a href="../feature/s3-tenant-commands.html">Multi-Tenancy CLI commands</a>.</li>
</ul>
<h3 id="ranger-sync">Ranger Sync</h3>
<p>A Ranger Sync thread has been implemented to keep the Ranger policy and role states in sync with the Ozone Manager database, in case the Ozone Manager crashes during tenant administrative operations.</p>
<p>The Ranger Sync thread does the following:</p>
<ol>
<li>Cleans up any default tenant policies if a tenant is already deleted.</li>
<li>Checks if default tenant roles are out-of-sync (could be caused by OM crash during user assign/revoke operation). Overwrites them if this is the case.</li>
<li>Performs all Ranger update (write) operations queued by Ozone tenant commands since the last sync, if any.
<ul>
<li>This implies there will be a delay before Ranger policies and roles are updated for any tenant write operations (tenant create/delete, tenant user assign/revoke/assignadmin/revokeadmin, etc.).</li>
</ul>
</li>
</ol>
<h2 id="adding-new-bucket-policies-when-sharing-a-bucket">Adding new bucket policies when sharing a bucket</h2>
<p>By default, only the bucket owners have full access to the buckets they created. Other regular users won&rsquo;t be able to access the content of buckets they don&rsquo;t own.</p>
<p>So in order to share a bucket with other users without relaxing the default bucket policy (e.g. by allowing all tenant users LIST and READ access to all buckets),
a cluster admin or tenant admin will need to manually create a new Ozone policy in Ranger for that bucket.</p>
<p>Further, if a cluster admin or tenant admin wants the bucket owner (a regular tenant user without any superuser privileges) to be able to edit that bucket&rsquo;s policy,
then, when manually creating the new Ozone policy in Ranger for that bucket,
the admin needs to explicitly grant the bucket owner user ALL permission on the bucket AND tick the bucket owner user&rsquo;s &ldquo;Delegated Admin&rdquo; checkbox for that policy.</p>
<p>Note:</p>
<ol>
<li>An actual user name (e.g. <code>hive</code>) needs to be specified here. The flexible <code>{OWNER}</code> tag will not work with Ranger&rsquo;s &ldquo;Delegated Admin&rdquo; checkbox. Technical details:</li>
</ol>
<ul>
<li>The <code>{OWNER}</code> tag is only meaningful while Ozone Manager (OM) is performing a permission check; during that check, OM fills in the actual owner that <code>{OWNER}</code> stands for.
<ul>
<li>For example, <code>{OWNER}</code> will become user <code>hive</code> during a bucket list permission check in OM, assuming <code>hive</code> is the bucket owner;
<ul>
<li>Bonus: because of OM&rsquo;s hierarchical permission check, <code>{OWNER}</code> will first become user <code>om</code> during the volume read permission check that runs right before the bucket permission check, assuming <code>om</code> is the owner of the bucket&rsquo;s parent volume.</li>
</ul>
</li>
</ul>
</li>
</ul>
<ol start="2">
<li>Do not confuse the &ldquo;Delegated Admin&rdquo; checkbox in Ranger Web UI with tenant delegated admin. They are conceptually similar (have extra privilege), but different.</li>
</ol>
<ul>
<li>When the &ldquo;Delegated Admin&rdquo; checkbox is ticked on a policy rule, that <strong>user</strong>, the users in that <strong>group</strong>, or the users in that <strong>role</strong> will be able to edit that policy, as long as they can log in to the Ranger Web UI.</li>
<li>Tenant delegated admin has the permission to assign and revoke tenant admins from a tenant.</li>
</ul>
<p>With this new Ranger policy, as long as the bucket owners can log in to the Ranger Web UI,
they can edit the bucket policies on their own, for example to share the bucket with others without an administrator&rsquo;s manual intervention.</p>
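<p>The default tenant policies, the read-only policy on <code>tenantName-UserRole</code>, and the <code>{OWNER}</code> resolution described on this page, as an added Python model (not Ozone or Ranger code): the tenant <code>finance</code>, its users, owners and bucket names are constructed, and the volume-level read/list grant to tenant users is an assumption made so that the hierarchical check can reach the bucket.</p>

```python
from dataclasses import dataclass, field

OWNER = "{OWNER}"

@dataclass
class Item:                       # one Allow Condition row of a Ranger policy
    accesses: set
    users: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    delegate_admin: bool = False  # the row's "Delegated Admin" checkbox
@dataclass
class Policy:
    volume: str
    bucket: object                # None: volume-level policy; "*": every bucket
    items: list

# Ranger roles as OM maintains them for tenant "finance" (constructed membership),
# and the owners OM reads from its own database when it resolves {OWNER}.
ROLES = {"finance-UserRole": {"alice", "bob", "hive"}, "finance-AdminRole": {"alice"}}
OWNERS = {("finance", None): "om", ("finance", "reports"): "hive"}

# Default tenant policies: tenant users may create buckets (read/list on the volume is
# assumed so the hierarchical check can reach the bucket); only {OWNER} and tenant
# admins may touch bucket content.
DEFAULT = [
    Policy("finance", None, [Item({"create", "read", "list"}, roles={"finance-UserRole"}),
                             Item({"all"}, roles={"finance-AdminRole"})]),
    Policy("finance", "*", [Item({"all"}, users={OWNER}), Item({"all"}, roles={"finance-AdminRole"})]),
]
# The page's examples: read-only for all tenant users, and a sharing policy whose owner
# row uses a real user name (works) versus the {OWNER} tag (does not) for Delegated Admin.
READ_ONLY = Policy("finance", "reports", [Item({"read", "list"}, roles={"finance-UserRole"})])
SHARE_OK = Policy("finance", "reports", [Item({"all"}, users={"hive"}, delegate_admin=True)])
SHARE_BAD = Policy("finance", "reports", [Item({"all"}, users={OWNER}, delegate_admin=True)])

def _matches(item, user, owner):
    """A literal user name, the resolved {OWNER} (if any), or membership of a listed role."""
    users = {owner if u == OWNER else u for u in item.users}
    return user in users or any(user in ROLES.get(r, ()) for r in item.roles)

def om_check(policies, user, volume, bucket, access):
    """OM's hierarchical check: READ on the parent volume first, then `access` on the bucket."""
    for b, need in ((None, "read"), (bucket, access)):
        owner = OWNERS.get((volume, b))           # OM fills in {OWNER} separately per level
        hits = [i for p in policies if p.volume == volume and p.bucket in (b, "*" if b else None)
                for i in p.items if "all" in i.accesses or need in i.accesses]
        if not any(_matches(i, user, owner) for i in hits):
            return False
    return True

def can_edit_in_ranger(user, policy):
    """Ranger's own edit check: OM is not involved, so {OWNER} is never substituted."""
    return any(i.delegate_admin and _matches(i, user, None) for i in policy.items)
```

<p>Without the read-only policy, <code>bob</code> fails at the bucket level even though the volume read passed; with it he can read but not write, and only the policy that names <code>hive</code> literally lets the owner edit it in Ranger.</p>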
<a class="btn btn-success btn-lg" href="../feature/faircallqueue.html">Next >></a>
</div>
</div>
</div>
</div>
</div>
<div class="push"></div>
</div>
<footer class="footer">
<div class="container">
<span class="small text-muted">
Version: 1.5.0-SNAPSHOT, Last Modified: February 27, 2024 <a class="hide-child link primary-color" href="https://github.com/apache/ozone/commit/7939faf7d6c904bf1e4ad32baa5d6d0c1de19003">7939faf</a>
</span>
</div>
</footer>
<script src="../js/jquery-3.5.1.min.js"></script>
<script src="../js/ozonedoc.js"></script>
<script src="../js/bootstrap.min.js"></script>
</body>
</html>