Skip to content
Merged
Show file tree
Hide file tree
Changes from 6 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
97 changes: 97 additions & 0 deletions hadoop-hdds/docs/content/feature/Multi-Tenancy-Setup.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,97 @@
---
title: "Setup"
weight: 1
menu:
main:
parent: "Multi-Tenancy"
summary: Preparing Ozone clusters to enable Multi-Tenancy feature
---
<!---
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->

Steps to enable Multi-Tenancy feature in Ozone clusters.
Comment thread
smengcl marked this conversation as resolved.
Outdated


### Setting up Multi-Tenancy with Apache Ranger (For production)

First make sure ACL is enabled, and `RangerOzoneAuthorizer` is the effective ACL authorizer implementation in-use for Ozone.
If that is not the case, [follow this]({{< ref "security/SecurityWithRanger.md" >}}).

Then simply add the following configs to `ozone-site.xml`:

```xml
<property>
<name>ozone.om.ranger.https-address</name>
<value>https://RANGER_HOSTNAME:6182</value>
</property>
<property>
<name>ozone.om.ranger.https.admin.api.user</name>
<value>RANGER_ADMIN_USERNAME</value>
</property>
<property>
<name>ozone.om.ranger.https.admin.api.passwd</name>
<value>RANGER_ADMIN_PASSWORD</value>
</property>
```

Finally restart all OzoneManagers to apply the new configs.

Now you can follow the [Multi-Tenancy CLI command guide]({{< ref "interface/Tenant.md" >}}) to try the commands.


### Try in a Docker Compose cluster (For developers)

Developers are encouraged to try out the CLI commands inside the `./compose/ozonesecure/docker-compose.yaml` cluster environment that ships with Ozone.

The Docker Compose cluster has Kerberos and security pre-configured.
But note it differs from an actual production cluster that Ranger has been replaced with a mock server. And OzoneManager does **not** use Ranger for ACL.

Because the mock server does not mock all Ranger endpoints, some operations that works for a real Ranger deployment will not work by default. e.g. assigning users to a tenant other than `tenantone`.
But one can add new custom endpoints in `./compose/ozonesecure/mockserverInitialization.json` as needed.

To launch the Docker Compose cluster locally, from Ozone distribution root:

```shell
cd compose/ozonesecure
docker-compose up -d --scale datanode=3
docker-compose exec scm bash
```

It might be necessary to run the following command first before testing the tenant commands in the `compose/ozonesecure` Docker environment
in order to workaround a Docker-specific DNS issue when first contacting Ranger.

```shell
bash-4.2$ curl -k https://ranger:6182/
{}
```

Then all subsequent requests to Ranger (mock server) should work as expected.

Otherwise you might see such DNS error:

```shell
bash-4.2$ ozone tenant create tenantone
2022-02-16 00:00:00,000 [main] INFO rpc.RpcClient: Creating Tenant: 'tenantone', with new volume: 'tenantone'
INTERNAL_ERROR No subject alternative DNS name matching ranger found.
```


Operations requiring Ozone cluster administrator privilege are run as `om/om` user:

```shell
kinit -kt /etc/security/keytabs/om.keytab om/om@EXAMPLE.COM
```
74 changes: 74 additions & 0 deletions hadoop-hdds/docs/content/feature/Multi-Tenancy.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
---
title: "Multi-Tenancy"
Comment thread
smengcl marked this conversation as resolved.
Outdated
weight: 1
menu:
main:
parent: Features
summary: Ozone Multi-Tenancy that allows multiple tenants to share the same Ozone cluster. Compatible with S3 API.
---
<!---
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->

Before Ozone multi-tenancy, all S3 access to Ozone (via [S3 Gateway]({{< ref "interface/S3.md" >}})) are
confined to a **single** designated S3 volume (that is volume `s3v`, by default).

Ozone multi-tenancy allows **multiple** S3-accessible volumes to be created.
Each volume can be managed separately by their own tenant admins via CLI for user operations, and via Apache Ranger for access control.

The concept **tenant** is introduced to Ozone by multi-tenancy.
Each tenant has its own designated volume.
Each user assigned to a tenant will be able to access the associated volume with an _Access ID & Secret Key_ pair
generated when an Ozone cluster admin or tenant admin assigns the user to the tenant using CLI.

> This multi-tenant feature allows Ozone resources to be compartmentalized in different isolation zones (tenants).

> This multi-tenant support will also allow users to access Ozone volumes over AWS S3 APIs (without any modifications to the APIs).

## Basics

1. Initial tenant creation has to be done by an Ozone cluster admin under the CLI.
2. The Ozone cluster admin will have to assign the first user of a tenant. Once assigned, an _Access ID & Secret Key_ pair will be generated for that user for access via S3 Gateway.
Comment thread
smengcl marked this conversation as resolved.
Outdated
3. The Ozone cluster admin can then assign tenant admin roles to that user.
4. Tenant admin are able to assign new users to the tenant.
- They can even assign new tenant admins in their tenant, if they are delegated tenant admins, which is the default. See the usage below for more details.
- Note that tenant admins still need to use Ozone tenant CLI to assign new users to the tenant.
- On a Kerberized cluster, once tenant admins get the Kerberos TGT (via `kinit`), they can run `user assign` command to assign new users. OzoneManager will recognize that they are the tenant admins and allow the user to do so in their tenants.
Comment thread
smengcl marked this conversation as resolved.
Outdated
5. After that, users can use handy S3-compatible tools (awscli, Python boto3 library, etc.) to access the buckets in the tenant volume via S3 Gateway using the generated _Access ID & Secret Key_ pairs.


## Access Control

Ozone multi-tenancy relies on [Apache Ranger]({{< ref "security/SecurityWithRanger.md" >}}) to enforce access control to resources.

By default, a group of Ranger policies are created when a tenant is created on the tenant volume:

1. All users are able to create new buckets;
2. Only the bucket owner (i.e. the user that creates the bucket) and tenant admins can access the bucket content.
- Note: For Ozone admins, there typically are independent Ranger policies that grants them full access to the cluster, so they should be able to access the buckets as well. But it is still possible to create new policies to explicitly deny them access to buckets.


## Setup

See [Multi-Tenancy Setup]({{< ref "Multi-Tenancy-Setup.md" >}}) page.

## Usage

See [Tenant Subcommands]({{< ref "interface/Tenant.md" >}}) page.

## References

* For developers: check out the upstream jira [HDDS-4944](https://issues.apache.org/jira/browse/HDDS-4944) and the attached design docs.
Loading