hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/multitenant/MultiTenantAccessAuthorizer.java - ozone - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with this
  * work for additional information regarding copyright ownership.  The ASF
  * licenses this file to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
  * License for the specific language governing permissions and limitations under
  * the License.
  */
 package org.apache.hadoop.ozone.om.multitenant;

 import java.io.IOException;
 import java.util.HashSet;
 import java.util.List;

 import org.apache.commons.lang3.tuple.Pair;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hdds.annotation.InterfaceAudience;
 import org.apache.hadoop.hdds.annotation.InterfaceStability;
 import org.apache.hadoop.ozone.om.exceptions.OMException;
 import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer;
 import org.apache.hadoop.ozone.security.acl.IOzoneObj;
 import org.apache.hadoop.ozone.security.acl.RequestContext;
 import org.apache.http.auth.BasicUserPrincipal;

 /**
  * Public API for Ozone MultiTenant Gatekeeper. Security providers providing
  * support for Ozone MultiTenancy should implement this.
  */
 @InterfaceAudience.LimitedPrivate({"HDFS", "Yarn", "Ranger", "Hive", "HBase"})
 @InterfaceStability.Evolving
 public interface MultiTenantAccessAuthorizer extends IAccessAuthorizer {

   /**
    * Initialize the MultiTenantGateKeeper. Initialize any external state.
    *
    * @param configuration
    * @throws IOException
    */
   void init(Configuration configuration) throws IOException;

   /**
    * Shutdown for the MultiTenantGateKeeper.
    * @throws IOException
    */
   void shutdown() throws IOException;

   /**
    * Assign user to an existing role in the Authorizer.
    *
    * @param userPrincipal user principal
    * @param existingRole  A JSON String representation of the existing role
    *                      returned from the Authorizer (Ranger).
    * @param isAdmin true if tenant admin
    * @return unique and opaque userID that can be used to refer to the user in
    * MultiTenantGateKeeperplugin Implementation. E.g. a Ranger
    * based Implementation can return some ID thats relevant for it.
    */
   String assignUserToRole(String userPrincipal, String existingRole,
       boolean isAdmin) throws IOException;

   /**
    * Update the exising role details and push the changes to Ranger.
    *
    * @param userPrincipal user name that exists in Ranger (internal / external).
    * @param existingRole  An existing role's JSON response String from Ranger.
    * @return roleId (not useful for now)
    * @throws IOException
    */
   String revokeUserFromRole(String userPrincipal, String existingRole)
       throws IOException;

   /**
    * Assign all the users to an existing role.
    * @param users list of user principals
    * @param existingRole roleName
    */
   String assignAllUsers(HashSet<String> users, String existingRole)
       throws IOException;

   /**
    * @param userPrincipal
    * @return Unique userID maintained by the authorizer plugin.
    * @throws IOException
    */
   String getUserId(String userPrincipal) throws IOException;

   /**
    * @param principal
    * @return Unique groupID maintained by the authorizer plugin.
    * @throws IOException
    */
   String getRole(OzoneTenantRolePrincipal principal)
       throws IOException;

   /**
    * Returs the details of a role, given the rolename.
    * @param roleName
    * @return
    * @throws IOException
    */
   String getRole(String roleName)
       throws IOException;

   /**
    * Delete the user userID in MultiTenantGateKeeper plugin.
    * @param opaqueUserID : unique ID that was returned by
    *                    MultiTenantGatekeeper in
    *               createUser().
    */
   void deleteUser(String opaqueUserID) throws IOException;

   /**
    * Create Role entity for MultiTenantGatekeeper plugin.
    * @param role
    * @param adminRoleName (Optional) admin role name that will be added to
    *                      manage this role.
    * @return unique groupID that can be used to refer to the role in
    * MultiTenantGateKeeper plugin Implementation e.g. corresponding ID on the
    * Ranger end for a ranger based implementation .
    */
   String createRole(String role, String adminRoleName)
       throws IOException;

   /**
    * Creates a new user.
    * @param userName
    * @param password
    * @return
    * @throws IOException
    */
   String createUser(String userName, String password)
       throws IOException;

   /**
    * Delete the group groupID in MultiTenantGateKeeper plugin.
    * @param groupID : unique opaque ID that was returned by
    *                MultiTenantGatekeeper in createGroup().
    */
   void deleteRoleById(String groupID) throws IOException;

   /**
    * Create access policy with the given parameters in the authorizer
    * (e.g. Ranger).
    *
    * @param policy AccessPolicy
    * @return unique and opaque policy ID that is maintained by the plugin.
    * @throws IOException
    */
   String createAccessPolicy(AccessPolicy policy) throws IOException;

   /**
    * Get AccessPolicy by policy name.
    *
    * @param policyName policy name
    * @return AccessPolicy
    * @throws IOException
    */
   AccessPolicy getAccessPolicyByName(String policyName) throws IOException;

   /**
    * Given a policy Id, returns the policy.
    *
    * @param policyId
    * @return
    * @throws IOException
    */
   AccessPolicy getAccessPolicyById(String policyId) throws IOException;

   /**
    * Delete policy by policy ID.
    *
    * @param policyId ID that was returned earlier by createAccessPolicy().
    * @throws IOException
    */
   void deletePolicyById(String policyId) throws IOException;

   /**
    * Delete policy by policy name.
    *
    * @param policyName policy name
    * @throws IOException
    */
   void deletePolicyByName(String policyName) throws IOException;

   /**
    * Delete role by role name.
    *
    * @param roleName role name
    * @throws IOException
    */
   void deleteRoleByName(String roleName) throws IOException;

   /**
    * Grant user aclType access to bucketNameSpace.
    * @param bucketNameSpace
    * @param user
    * @param aclType
    */
   void grantAccess(BucketNameSpace bucketNameSpace,
                    BasicUserPrincipal user, ACLType aclType);

   /**
    * Revoke from user aclType access from bucketNameSpace.
    * @param bucketNameSpace
    * @param user
    * @param aclType
    */
   void revokeAccess(BucketNameSpace bucketNameSpace,
                     BasicUserPrincipal user, ACLType aclType);

   /**
    * Grant user aclType access to accountNameSpace.
    * @param accountNameSpace
    * @param user
    * @param aclType
    */
   void grantAccess(AccountNameSpace accountNameSpace,
                    BasicUserPrincipal user,
                    ACLType aclType);

   /**
    * Revoke from user aclType access from bucketNameSpace.
    * @param accountNameSpace
    * @param user
    * @param aclType
    */
   void revokeAccess(AccountNameSpace accountNameSpace,
                     BasicUserPrincipal user, ACLType aclType);

   /**
    * Return all bucketnamespace accesses granted to user.
    * @param user
    * @return list of access
    */
   List<Pair<BucketNameSpace, ACLType>> getAllBucketNameSpaceAccesses(
       BasicUserPrincipal user);

   /**
    * Checks if the user has access to bucketNameSpace.
    * @param bucketNameSpace
    * @param user
    * @return true if access is granted, false otherwise.
    */
   boolean checkAccess(BucketNameSpace bucketNameSpace,
                       BasicUserPrincipal user);

   /**
    * Checks if the user has access to accountNameSpace.
    * @param accountNameSpace
    * @param user
    * @return true if access is granted, false otherwise.
    */
   boolean checkAccess(AccountNameSpace accountNameSpace,
                       BasicUserPrincipal user);

   /**
    * Check access for given ozoneObject. Access for the object would be
    * checked in the context of a MultiTenant environment.
    *
    * @param ozoneObject object for which access needs to be checked.
    * @param context Context object encapsulating all user related information.
    * @throws org.apache.hadoop.ozone.om.exceptions.OMException
    * @return true if user has access else false.
    */
   @Override
   boolean checkAccess(IOzoneObj ozoneObject, RequestContext context)
       throws OMException;

   long getLatestOzoneServiceVersion() throws IOException;

   String getAllMultiTenantPolicies() throws IOException;

   MultiTenantAccessController getMultiTenantAccessController();
 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with this
	* work for additional information regarding copyright ownership. The ASF
	* licenses this file to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
	* License for the specific language governing permissions and limitations under
	* the License.
	*/
	package org.apache.hadoop.ozone.om.multitenant;

	import java.io.IOException;
	import java.util.HashSet;
	import java.util.List;

	import org.apache.commons.lang3.tuple.Pair;
	import org.apache.hadoop.conf.Configuration;
	import org.apache.hadoop.hdds.annotation.InterfaceAudience;
	import org.apache.hadoop.hdds.annotation.InterfaceStability;
	import org.apache.hadoop.ozone.om.exceptions.OMException;
	import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer;
	import org.apache.hadoop.ozone.security.acl.IOzoneObj;
	import org.apache.hadoop.ozone.security.acl.RequestContext;
	import org.apache.http.auth.BasicUserPrincipal;

	/**
	* Public API for Ozone MultiTenant Gatekeeper. Security providers providing
	* support for Ozone MultiTenancy should implement this.
	*/
	@InterfaceAudience.LimitedPrivate({"HDFS", "Yarn", "Ranger", "Hive", "HBase"})
	@InterfaceStability.Evolving
	public interface MultiTenantAccessAuthorizer extends IAccessAuthorizer {

	/**
	* Initialize the MultiTenantGateKeeper. Initialize any external state.
	*
	* @param configuration
	* @throws IOException
	*/
	void init(Configuration configuration) throws IOException;

	/**
	* Shutdown for the MultiTenantGateKeeper.
	* @throws IOException
	*/
	void shutdown() throws IOException;

	/**
	* Assign user to an existing role in the Authorizer.
	*
	* @param userPrincipal user principal
	* @param existingRole A JSON String representation of the existing role
	* returned from the Authorizer (Ranger).
	* @param isAdmin true if tenant admin
	* @return unique and opaque userID that can be used to refer to the user in
	* MultiTenantGateKeeperplugin Implementation. E.g. a Ranger
	* based Implementation can return some ID thats relevant for it.
	*/
	String assignUserToRole(String userPrincipal, String existingRole,
	boolean isAdmin) throws IOException;

	/**
	* Update the exising role details and push the changes to Ranger.
	*
	* @param userPrincipal user name that exists in Ranger (internal / external).
	* @param existingRole An existing role's JSON response String from Ranger.
	* @return roleId (not useful for now)
	* @throws IOException
	*/
	String revokeUserFromRole(String userPrincipal, String existingRole)
	throws IOException;

	/**
	* Assign all the users to an existing role.
	* @param users list of user principals
	* @param existingRole roleName
	*/
	String assignAllUsers(HashSet<String> users, String existingRole)
	throws IOException;

	/**
	* @param userPrincipal
	* @return Unique userID maintained by the authorizer plugin.
	* @throws IOException
	*/
	String getUserId(String userPrincipal) throws IOException;

	/**
	* @param principal
	* @return Unique groupID maintained by the authorizer plugin.
	* @throws IOException
	*/
	String getRole(OzoneTenantRolePrincipal principal)
	throws IOException;

	/**
	* Returs the details of a role, given the rolename.
	* @param roleName
	* @return
	* @throws IOException
	*/
	String getRole(String roleName)
	throws IOException;

	/**
	* Delete the user userID in MultiTenantGateKeeper plugin.
	* @param opaqueUserID : unique ID that was returned by
	* MultiTenantGatekeeper in
	* createUser().
	*/
	void deleteUser(String opaqueUserID) throws IOException;

	/**
	* Create Role entity for MultiTenantGatekeeper plugin.
	* @param role
	* @param adminRoleName (Optional) admin role name that will be added to
	* manage this role.
	* @return unique groupID that can be used to refer to the role in
	* MultiTenantGateKeeper plugin Implementation e.g. corresponding ID on the
	* Ranger end for a ranger based implementation .
	*/
	String createRole(String role, String adminRoleName)
	throws IOException;

	/**
	* Creates a new user.
	* @param userName
	* @param password
	* @return
	* @throws IOException
	*/
	String createUser(String userName, String password)
	throws IOException;

	/**
	* Delete the group groupID in MultiTenantGateKeeper plugin.
	* @param groupID : unique opaque ID that was returned by
	* MultiTenantGatekeeper in createGroup().
	*/
	void deleteRoleById(String groupID) throws IOException;

	/**
	* Create access policy with the given parameters in the authorizer
	* (e.g. Ranger).
	*
	* @param policy AccessPolicy
	* @return unique and opaque policy ID that is maintained by the plugin.
	* @throws IOException
	*/
	String createAccessPolicy(AccessPolicy policy) throws IOException;

	/**
	* Get AccessPolicy by policy name.
	*
	* @param policyName policy name
	* @return AccessPolicy
	* @throws IOException
	*/
	AccessPolicy getAccessPolicyByName(String policyName) throws IOException;

	/**
	* Given a policy Id, returns the policy.
	*
	* @param policyId
	* @return
	* @throws IOException
	*/
	AccessPolicy getAccessPolicyById(String policyId) throws IOException;

	/**
	* Delete policy by policy ID.
	*
	* @param policyId ID that was returned earlier by createAccessPolicy().
	* @throws IOException
	*/
	void deletePolicyById(String policyId) throws IOException;

	/**
	* Delete policy by policy name.
	*
	* @param policyName policy name
	* @throws IOException
	*/
	void deletePolicyByName(String policyName) throws IOException;

	/**
	* Delete role by role name.
	*
	* @param roleName role name
	* @throws IOException
	*/
	void deleteRoleByName(String roleName) throws IOException;

	/**
	* Grant user aclType access to bucketNameSpace.
	* @param bucketNameSpace
	* @param user
	* @param aclType
	*/
	void grantAccess(BucketNameSpace bucketNameSpace,
	BasicUserPrincipal user, ACLType aclType);

	/**
	* Revoke from user aclType access from bucketNameSpace.
	* @param bucketNameSpace
	* @param user
	* @param aclType
	*/
	void revokeAccess(BucketNameSpace bucketNameSpace,
	BasicUserPrincipal user, ACLType aclType);

	/**
	* Grant user aclType access to accountNameSpace.
	* @param accountNameSpace
	* @param user
	* @param aclType
	*/
	void grantAccess(AccountNameSpace accountNameSpace,
	BasicUserPrincipal user,
	ACLType aclType);

	/**
	* Revoke from user aclType access from bucketNameSpace.
	* @param accountNameSpace
	* @param user
	* @param aclType
	*/
	void revokeAccess(AccountNameSpace accountNameSpace,
	BasicUserPrincipal user, ACLType aclType);

	/**
	* Return all bucketnamespace accesses granted to user.
	* @param user
	* @return list of access
	*/
	List<Pair<BucketNameSpace, ACLType>> getAllBucketNameSpaceAccesses(
	BasicUserPrincipal user);

	/**
	* Checks if the user has access to bucketNameSpace.
	* @param bucketNameSpace
	* @param user
	* @return true if access is granted, false otherwise.
	*/
	boolean checkAccess(BucketNameSpace bucketNameSpace,
	BasicUserPrincipal user);

	/**
	* Checks if the user has access to accountNameSpace.
	* @param accountNameSpace
	* @param user
	* @return true if access is granted, false otherwise.
	*/
	boolean checkAccess(AccountNameSpace accountNameSpace,
	BasicUserPrincipal user);

	/**
	* Check access for given ozoneObject. Access for the object would be
	* checked in the context of a MultiTenant environment.
	*
	* @param ozoneObject object for which access needs to be checked.
	* @param context Context object encapsulating all user related information.
	* @throws org.apache.hadoop.ozone.om.exceptions.OMException
	* @return true if user has access else false.
	*/
	@Override
	boolean checkAccess(IOzoneObj ozoneObject, RequestContext context)
	throws OMException;

	long getLatestOzoneServiceVersion() throws IOException;

	String getAllMultiTenantPolicies() throws IOException;

	MultiTenantAccessController getMultiTenantAccessController();
	}