HDDS-6366. [Multi-Tenant] Disallow specifying custom accessId in OzoneManager

hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/multitenant/TestMultiTenantVolume.java

@@ -58,7 +58,7 @@ public class TestMultiTenantVolume {
   private static final String TENANT_ID = "tenant";
   private static final String USER_PRINCIPAL = "username";
   private static final String BUCKET_NAME = "bucket";
-  private static final String ACCESS_ID = UUID.randomUUID().toString();
+  private static final String ACCESS_ID = "tenant$username";
 
   @BeforeClass
   public static void initClusterProvider() throws Exception {

hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/shell/TestOzoneTenantShell.java

@@ -556,16 +556,30 @@ public void testOzoneTenantBasicOperations() throws IOException {
     checkOutput(err, "Assigned 'bob' to 'research' with accessId"
         + " 'research$bob'.\n", true);
 
-    // Attempt to assign the user to the same tenant under another accessId,
-    //  should fail.
+    // Attempt to assign the user to the tenant again
+    executeHA(tenantShell, new String[] {
+        "user", "assign", "bob", "--tenant=research",
+        "--accessId=research$bob"});
+    checkOutput(out, "", false);
+    checkOutput(err, "Failed to assign 'bob' to 'research': "
+        + "accessId 'research$bob' already exists!\n", true);
+
+    // Attempt to assign the user to the tenant with a custom accessId
     executeHA(tenantShell, new String[] {
         "user", "assign", "bob", "--tenant=research",
         "--accessId=research$bob42"});
     checkOutput(out, "", false);
+    // HDDS-6366: Disallow specifying custom accessId.
+    checkOutput(err, "Failed to assign 'bob' to 'research': "
+        + "Invalid accessId 'research$bob42'. "
+        + "Specifying a custom access ID disallowed. "
+        + "Expected accessId to be assigned is 'research$bob'\n", true);
+    /*  Once HDDS-6366 is lifted, the following check should be used instead
     checkOutput(err, "Failed to assign 'bob' to 'research': "
         + "The same user is not allowed to be assigned to the same tenant "
         + "more than once. User 'bob' is already assigned to tenant 'research' "
         + "with accessId 'research$bob'.\n", true);
+    */
 
     executeHA(tenantShell, new String[] {"list"});
     checkOutput(out, "dev\nfinance\nresearch\n", true);

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManager.java

@@ -144,6 +144,14 @@ void removeUserAccessIdFromCache(String accessId, String userPrincipal,
    */
   String getUserNameGivenAccessId(String accessId);
 
+  /**
+   * Get the default Access ID string given tenant name and user name.
+   * @param tenantId tenant name
+   * @param userPrincipal user name
+   * @return access ID in the form of tenantName$username
+   */
+  String getDefaultAccessId(String tenantId, String userPrincipal);
+
   /**
    * Given a user, return their S3-Secret Key.
    * @param accessID

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.java

@@ -17,6 +17,7 @@
  */
 package org.apache.hadoop.ozone.om;
 
+import static org.apache.hadoop.ozone.OzoneConsts.TENANT_ID_USERNAME_DELIMITER;
 import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.INVALID_ACCESS_ID;
 import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.TENANT_AUTHORIZER_ERROR;
 import static org.apache.hadoop.ozone.om.multitenant.AccessPolicy.AccessGrantType.ALLOW;
@@ -355,6 +356,10 @@ public String getUserNameGivenAccessId(String accessId) {
     return null;
   }
 
+  public String getDefaultAccessId(String tenantId, String userPrincipal) {
+    return tenantId + TENANT_ID_USERNAME_DELIMITER + userPrincipal;
+  }
+
   @Override
   public String getUserSecret(String accessID) throws IOException {
     return "";

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantAssignUserAccessIdRequest.java

@@ -138,6 +138,16 @@ public OMRequest preExecute(OzoneManager ozoneManager) throws IOException {
           OMException.ResultCodes.INVALID_TENANT_ID);
     }
 
+    // HDDS-6366: Disallow specifying custom accessId.
+    final String expectedAccessId = ozoneManager.getMultiTenantManager()
+        .getDefaultAccessId(tenantId, userPrincipal);
+    if (!accessId.equals(expectedAccessId)) {
+      throw new OMException("Invalid accessId '" + accessId + "'. "
+          + "Specifying a custom access ID disallowed. "
+          + "Expected accessId to be assigned is '" + expectedAccessId + "'",
+          OMException.ResultCodes.INVALID_ACCESS_ID);
+    }
+
     // Check accessId validity.
     if (accessId.contains(SERIALIZATION_SPLIT_KEY)) {
       throw new OMException("Invalid accessId '" + accessId +

hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3GetSecretRequest.java

@@ -359,6 +359,12 @@ public void testGetSecretWithTenant() throws IOException {
 
     // 2. AssignUserToTenantRequest: Assign "[email protected]" to "finance".
     ++txLogIndex;
+
+    // Additional mock setup needed for pass accessId check
+    when(ozoneManager.getMultiTenantManager()).thenReturn(omMultiTenantManager);
+    when(omMultiTenantManager.getDefaultAccessId(TENANT_ID, USER_BOB))
+        .thenReturn(ACCESS_ID_BOB);
+
     // Run preExecute
     OMTenantAssignUserAccessIdRequest omTenantAssignUserAccessIdRequest =
         new OMTenantAssignUserAccessIdRequest(