HDDS-11041. Add admin request filter for S3 requests and UGI support for GrpcOmTransport

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/ha/GrpcOMFailoverProxyProvider.java

@@ -23,6 +23,8 @@
 import org.apache.hadoop.hdds.conf.ConfigurationSource;
 import org.apache.hadoop.hdds.HddsUtils;
 import org.apache.hadoop.hdds.utils.LegacyHadoopConfigurationSource;
+import org.apache.hadoop.io.retry.RetryPolicies;
+import org.apache.hadoop.io.retry.RetryPolicy;
 import org.apache.hadoop.ipc.RPC;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.ozone.OmUtils;
@@ -41,6 +43,7 @@
 import java.util.Optional;
 import java.util.OptionalInt;
 import io.grpc.StatusRuntimeException;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -59,10 +62,14 @@ public class GrpcOMFailoverProxyProvider<T> extends
   public static final Logger LOG =
       LoggerFactory.getLogger(GrpcOMFailoverProxyProvider.class);
 
+  private final UserGroupInformation ugi;
+
   public GrpcOMFailoverProxyProvider(ConfigurationSource configuration,
+                                     UserGroupInformation ugi,
                                      String omServiceId,
                                      Class<T> protocol) throws IOException {
     super(configuration, omServiceId, protocol);
+    this.ugi = ugi;
   }
 
   @Override
@@ -118,7 +125,20 @@ private T createOMProxy() throws IOException {
     InetSocketAddress addr = new InetSocketAddress(0);
     Configuration hadoopConf =
         LegacyHadoopConfigurationSource.asHadoopConfiguration(getConf());
-    return (T) RPC.getProxy(getInterface(), 0, addr, hadoopConf);
+
+    // Ensure we do not attempt retry on the same OM in case of exceptions
+    RetryPolicy connectionRetryPolicy = RetryPolicies.failoverOnNetworkException(0);
+
+    return (T) RPC.getProtocolProxy(
+      getInterface(),
+      0,
+      addr,
+      ugi,
+      hadoopConf,
+      NetUtils.getDefaultSocketFactory(hadoopConf),
+      (int) OmUtils.getOMClientRpcTimeOut(getConf()),
+      connectionRetryPolicy
+    ).getProxy();
   }
 
   /**

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocolPB/GrpcOmTransport.java

@@ -121,6 +121,7 @@ public GrpcOmTransport(ConfigurationSource conf,
 
     omFailoverProxyProvider = new GrpcOMFailoverProxyProvider(
         conf,
+        ugi,
         omServiceId,
         OzoneManagerProtocolPB.class);
 

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/common/OmUserUtils.java

@@ -0,0 +1,87 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership.  The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package org.apache.hadoop.ozone.common;
+
+import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+import org.apache.hadoop.hdds.server.OzoneAdmins;
+
+import org.apache.hadoop.ozone.om.OzoneConfigUtil;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.util.Collection;
+
+/**
+ * Utility class to store User related utilities.
+ */
+public final class OmUserUtils {
+  private static final Logger LOG =
+      LoggerFactory.getLogger(OmUserUtils.class);
+
+  private OmUserUtils() { }
+
+  /**
+   * Get the users and groups that are S3 admin.
+   * @param conf  Stores the Ozone configuration being used
+   * @return an instance of {@link OzoneAdmins} containing the S3 admin users and groups
+   */
+  public static OzoneAdmins getS3Admins(OzoneConfiguration conf) {
+    Collection<String> s3Admins;
+    try {
+      s3Admins = OzoneConfigUtil.getS3AdminsFromConfig(conf);
+    } catch (IOException ie) {
+      s3Admins = null;
+    }
+    Collection<String> s3AdminGroups =
+        OzoneConfigUtil.getS3AdminsGroupsFromConfig(conf);
+    if (LOG.isDebugEnabled()) {
+      if (null == s3Admins) {
+        LOG.debug("S3 Admins are not set in configuration");
+      }
+      if (null == s3AdminGroups) {
+        LOG.debug("S3 Admin Groups are not set in configuration");
+      }
+    }
+    return new OzoneAdmins(s3Admins, s3AdminGroups);
+  }
+
+  /**
+   * Check if the provided user is a part of the S3 admins.
+   * @param user Stores the user to verify
+   * @param conf Stores the Ozone configuration being used
+   * @return true if the provided user is an S3 admin else false
+   */
+  public static boolean isS3Admin(UserGroupInformation user,
+                                  OzoneConfiguration conf) {
+    OzoneAdmins s3Admins = getS3Admins(conf);
+    return null != user && s3Admins.isAdmin(user);
+  }
+
+  /**
+   * Check if the provided user is a part of the S3 admins.
+   * @param user Stores the user to verify
+   * @param s3Admins Stores the users and groups that are admins
+   * @return true if the provided user is an S3 admin else false
+   */
+  public static boolean isS3Admin(UserGroupInformation user,
+                                  OzoneAdmins s3Admins) {
+    return null != user && s3Admins.isAdmin(user);
+  }
+}

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneConfigUtil.java

@@ -49,7 +49,7 @@ private OzoneConfigUtil() {
    * If ozone.s3.administrators value is empty string or unset,
    * defaults to ozone.administrators value.
    */
-  static Collection<String> getS3AdminsFromConfig(OzoneConfiguration conf)
+  public static Collection<String> getS3AdminsFromConfig(OzoneConfiguration conf)
           throws IOException {
     Collection<String> ozAdmins =
             conf.getTrimmedStringCollection(OZONE_S3_ADMINISTRATORS);
@@ -63,7 +63,7 @@ static Collection<String> getS3AdminsFromConfig(OzoneConfiguration conf)
     return ozAdmins;
   }
 
-  static Collection<String> getS3AdminsGroupsFromConfig(
+  public static Collection<String> getS3AdminsGroupsFromConfig(
       OzoneConfiguration conf) {
     Collection<String> s3AdminsGroup =
             conf.getTrimmedStringCollection(OZONE_S3_ADMINISTRATORS_GROUPS);

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java

@@ -151,6 +151,7 @@
 import org.apache.hadoop.ozone.audit.AuditMessage;
 import org.apache.hadoop.ozone.audit.Auditor;
 import org.apache.hadoop.ozone.audit.OMAction;
+import org.apache.hadoop.ozone.common.OmUserUtils;
 import org.apache.hadoop.ozone.common.Storage.StorageState;
 import org.apache.hadoop.ozone.om.exceptions.OMException;
 import org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes;
@@ -704,11 +705,7 @@ private OzoneManager(OzoneConfiguration conf, StartupOption startupOption)
     // Get read only admin list
     readOnlyAdmins = OzoneAdmins.getReadonlyAdmins(conf);
 
-    Collection<String> s3AdminUsernames =
-            OzoneConfigUtil.getS3AdminsFromConfig(configuration);
-    Collection<String> s3AdminGroups =
-            OzoneConfigUtil.getS3AdminsGroupsFromConfig(configuration);
-    s3OzoneAdmins = new OzoneAdmins(s3AdminUsernames, s3AdminGroups);
+    s3OzoneAdmins = OmUserUtils.getS3Admins(conf);
     instantiateServices(false);
 
     // Create special volume s3v which is required for S3G.
@@ -4338,7 +4335,7 @@ private void checkAdminUserPrivilege(String operation) throws IOException {
   }
 
   public boolean isS3Admin(UserGroupInformation callerUgi) {
-    return callerUgi != null && s3OzoneAdmins.isAdmin(callerUgi);
+    return OmUserUtils.isS3Admin(callerUgi, s3OzoneAdmins);
   }
 
   @VisibleForTesting

hadoop-ozone/s3gateway/pom.xml

@@ -231,6 +231,10 @@
       <groupId>org.apache.ozone</groupId>
       <artifactId>ozone-client</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.apache.ozone</groupId>
+      <artifactId>ozone-manager</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.apache.ozone</groupId>
       <artifactId>hdds-docs</artifactId>

hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3secret/S3AdminEndpoint.java

@@ -0,0 +1,34 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership.  The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ *
+ */
+
+package org.apache.hadoop.ozone.s3secret;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import javax.ws.rs.NameBinding;
+
+/**
+ * Annotation to only allow admin users to access the endpoint.
+ */
+@NameBinding
+@Retention(RetentionPolicy.RUNTIME)
+@Target({ElementType.TYPE, ElementType.METHOD})
+public @interface S3AdminEndpoint {
+}

hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3secret/S3SecretAdminFilter.java

@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership.  The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ *
+ */
+
+package org.apache.hadoop.ozone.s3secret;
+
+
+import javax.inject.Inject;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.Response.Status;
+import javax.ws.rs.ext.Provider;
+import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+import org.apache.hadoop.ozone.common.OmUserUtils;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import java.io.IOException;
+import java.security.Principal;
+
+/**
+ * Filter that only allows admin to access endpoints annotated with {@link S3AdminEndpoint}.
+ * Condition is based on the value of the configuration keys for:
+ * <ul>
+ *   <li>ozone.administrators</li>
+ *   <li>ozone.administrators.groups</li>
+ * </ul>
+ */
+@S3AdminEndpoint
+@Provider
+public class S3SecretAdminFilter implements ContainerRequestFilter {
+
+  @Inject
+  private OzoneConfiguration conf;
+
+  @Override
+  public void filter(ContainerRequestContext requestContext) throws IOException {
+    final Principal userPrincipal = requestContext.getSecurityContext().getUserPrincipal();
+    if (null != userPrincipal) {
+      UserGroupInformation user = UserGroupInformation.createRemoteUser(userPrincipal.getName());
+      if (!OmUserUtils.isS3Admin(user, conf)) {
+        requestContext.abortWith(Response.status(Status.FORBIDDEN).build());
+      }
+    }
+  }
+}

hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3secret/S3SecretManagementEndpoint.java

@@ -41,6 +41,7 @@
  */
 @Path("/secret")
 @S3SecretEnabled
+@S3AdminEndpoint
 public class S3SecretManagementEndpoint extends S3SecretEndpointBase {
   private static final Logger LOG =
       LoggerFactory.getLogger(S3SecretManagementEndpoint.class);
@@ -54,8 +55,7 @@ public Response generate() throws IOException {
   @Path("/{username}")
   public Response generate(@PathParam("username") String username)
       throws IOException {
-    // TODO: It is a temporary solution. To be removed after HDDS-11041 is done.
-    return Response.status(METHOD_NOT_ALLOWED).build();
+    return generateInternal(username);
   }
 
   private Response generateInternal(@Nullable String username) throws IOException {