HDDS-11041. Add admin request filter for S3 requests and UGI support for GrpcOmTransport

hadoop-ozone/common/pom.xml

@@ -65,6 +65,10 @@ https://maven.apache.org/xsd/maven-4.0.0.xsd">
       <groupId>org.apache.ozone</groupId>
       <artifactId>hdds-config</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.apache.ozone</groupId>
+      <artifactId>hdds-server-framework</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.apache.ozone</groupId>
       <artifactId>hdds-interface-client</artifactId>

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/conf/OzoneS3ConfigUtils.java

@@ -0,0 +1,133 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership.  The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ *
+ */
+
+package org.apache.hadoop.ozone.conf;
+
+import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+import org.apache.hadoop.hdds.server.OzoneAdmins;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS_GROUPS;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_S3_ADMINISTRATORS;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_S3_ADMINISTRATORS_GROUPS;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import jakarta.annotation.Nullable;
+
+import java.io.IOException;
+import java.util.Collection;
+
+/**
+ * Config based utilities for Ozone S3.
+ */
+public final class OzoneS3ConfigUtils {
+  private static final Logger LOG = LoggerFactory.getLogger(OzoneS3ConfigUtils.class);
+
+  private OzoneS3ConfigUtils() { }
+
+  /**
+   * Get the list of S3 administrators from Ozone config.
+   *
+   * @param conf An instance of {@link OzoneConfiguration} being used
+   * @return A {@link Collection} of the S3 administrator users
+   *
+   * If ozone.s3.administrators value is empty string or unset,
+   * defaults to ozone.administrators value.
+   */
+  public static Collection<String> getS3AdminsFromConfig(OzoneConfiguration conf) throws IOException {
+    Collection<String> ozoneAdmins = conf.getTrimmedStringCollection(OZONE_S3_ADMINISTRATORS);
+
+    if (ozoneAdmins == null || ozoneAdmins.isEmpty()) {
+      ozoneAdmins = conf.getTrimmedStringCollection(OZONE_ADMINISTRATORS);
+    }
+    String omSPN = UserGroupInformation.getCurrentUser().getShortUserName();
+    if (!ozoneAdmins.contains(omSPN)) {
+      ozoneAdmins.add(omSPN);
+    }
+
+    return ozoneAdmins;
+  }
+
+  /**
+   * Get the list of the groups that are a part S3 administrators from Ozone config.
+   *
+   * @param conf An instance of {@link OzoneConfiguration} being used
+   * @return A {@link Collection} of the S3 administrator groups
+   *
+   * If ozone.s3.administrators.groups value is empty or unset,
+   * defaults to the ozone.administrators.groups value
+   */
+  public static Collection<String> getS3AdminsGroupsFromConfig(OzoneConfiguration conf) {
+    Collection<String> s3AdminsGroup = conf.getTrimmedStringCollection(OZONE_S3_ADMINISTRATORS_GROUPS);
+
+    if (s3AdminsGroup.isEmpty() && conf.getTrimmedStringCollection(OZONE_S3_ADMINISTRATORS).isEmpty()) {
+      s3AdminsGroup = conf.getTrimmedStringCollection(OZONE_ADMINISTRATORS_GROUPS);
+    }
+
+    return s3AdminsGroup;
+  }
+
+  /**
+   * Get the users and groups that are a part of S3 administrators.
+   * @param conf  Stores an instance of {@link OzoneConfiguration} being used
+   * @return an instance of {@link OzoneAdmins} containing the S3 admin users and groups
+   */
+  public static OzoneAdmins getS3Admins(OzoneConfiguration conf) {
+    Collection<String> s3Admins;
+    try {
+      s3Admins = getS3AdminsFromConfig(conf);
+    } catch (IOException ie) {
+      s3Admins = null;
+    }
+    Collection<String> s3AdminGroups = getS3AdminsGroupsFromConfig(conf);
+
+    if (LOG.isDebugEnabled()) {
+      if (null == s3Admins) {
+        LOG.debug("S3 Admins are not set in configuration");
+      }
+      if (null == s3AdminGroups) {
+        LOG.debug("S3 Admin Groups are not set in configuration");
+      }
+    }
+    return new OzoneAdmins(s3Admins, s3AdminGroups);
+  }
+
+  /**
+   * Check if the provided user is an S3 administrator.
+   * @param user An instance of {@link UserGroupInformation} with information about the user to verify
+   * @param s3Admins An instance of {@link OzoneAdmins} containing information
+   *                 of the S3 administrator users and groups in the system
+   * @return {@code true} if the provided user is an S3 administrator else {@code false}
+   */
+  public static boolean isS3Admin(@Nullable UserGroupInformation user, OzoneAdmins s3Admins) {
+    return null != user && s3Admins.isAdmin(user);
+  }
+
+  /**
+   * Check if the provided user is an S3 administrator.
+   * @param user An instance of {@link UserGroupInformation} with information about the user to verify
+   * @param conf An instance of {@link OzoneConfiguration} being used
+   * @return {@code true} if the provided user is an S3 administrator else {@code false}
+   */
+  public static boolean isS3Admin(@Nullable UserGroupInformation user, OzoneConfiguration conf) {
+    OzoneAdmins s3Admins = getS3Admins(conf);
+    return isS3Admin(user, s3Admins);
+  }
+}

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/ha/GrpcOMFailoverProxyProvider.java

@@ -23,6 +23,9 @@
 import org.apache.hadoop.hdds.conf.ConfigurationSource;
 import org.apache.hadoop.hdds.HddsUtils;
 import org.apache.hadoop.hdds.utils.LegacyHadoopConfigurationSource;
+import org.apache.hadoop.io.retry.RetryPolicies;
+import org.apache.hadoop.io.retry.RetryPolicy;
+import org.apache.hadoop.ipc.ProtobufRpcEngine;
 import org.apache.hadoop.ipc.RPC;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.ozone.OmUtils;
@@ -41,6 +44,7 @@
 import java.util.Optional;
 import java.util.OptionalInt;
 import io.grpc.StatusRuntimeException;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -59,10 +63,16 @@ public class GrpcOMFailoverProxyProvider<T> extends
   public static final Logger LOG =
       LoggerFactory.getLogger(GrpcOMFailoverProxyProvider.class);
 
+  private final UserGroupInformation ugi;
+  private final long protocolVer;
+
   public GrpcOMFailoverProxyProvider(ConfigurationSource configuration,
+                                     UserGroupInformation ugi,
                                      String omServiceId,
                                      Class<T> protocol) throws IOException {
     super(configuration, omServiceId, protocol);
+    this.ugi = ugi;
+    this.protocolVer = RPC.getProtocolVersion(protocol);
   }
 
   @Override
@@ -116,9 +126,35 @@ protected void loadOMClientConfigs(ConfigurationSource config, String omSvcId)
 
   private T createOMProxy() throws IOException {
     InetSocketAddress addr = new InetSocketAddress(0);
+    return createOmProxy(addr);
+  }
+
+  /**
+   * Get the protocol proxy for provided address.
+   * @param address An instance of {@link InetSocketAddress} which contains the address to connect
+   * @return the proxy connection to the address and the set of methods supported by the server at the address
+   * @throws IOException if any error occurs while trying to get the proxy
+   */
+  private T createOmProxy(InetSocketAddress address) throws IOException {
     Configuration hadoopConf =
         LegacyHadoopConfigurationSource.asHadoopConfiguration(getConf());
-    return (T) RPC.getProxy(getInterface(), 0, addr, hadoopConf);
+
+    // TODO: Post upgrade to Protobuf 3.x we need to use ProtobufRpcEngine2
+    RPC.setProtocolEngine(hadoopConf, getInterface(), ProtobufRpcEngine.class);
+
+    // Ensure we do not attempt retry on the same OM in case of exceptions
+    RetryPolicy connectionRetryPolicy = RetryPolicies.failoverOnNetworkException(0);
+
+    return (T) RPC.getProtocolProxy(
+        getInterface(),
+        protocolVer,
+        address,
+        ugi,
+        hadoopConf,
+        NetUtils.getDefaultSocketFactory(hadoopConf),
+        (int) OmUtils.getOMClientRpcTimeOut(getConf()),
+        connectionRetryPolicy
+    ).getProxy();
   }
 
   /**

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocolPB/GrpcOmTransport.java

@@ -121,6 +121,7 @@ public GrpcOmTransport(ConfigurationSource conf,
 
     omFailoverProxyProvider = new GrpcOMFailoverProxyProvider(
         conf,
+        ugi,
         omServiceId,
         OzoneManagerProtocolPB.class);
 

hadoop-ozone/common/src/test/java/org/apache/hadoop/ozone/conf/TestOzoneS3ConfigUtils.java

@@ -0,0 +1,159 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership.  The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ *
+ */
+
+package org.apache.hadoop.ozone.conf;
+
+import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+import org.apache.hadoop.hdds.server.OzoneAdmins;
+import org.apache.hadoop.ozone.OzoneConfigKeys;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+import java.util.Arrays;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * This class is to test S3 configuration based utils.
+ */
+class TestOzoneS3ConfigUtils {
+
+  @Test
+  void testS3AdminExtraction() throws IOException {
+    OzoneConfiguration configuration = new OzoneConfiguration();
+    configuration.set(OzoneConfigKeys.OZONE_S3_ADMINISTRATORS, "alice,bob");
+
+    assertThat(OzoneS3ConfigUtils.getS3AdminsFromConfig(configuration))
+        .containsAll(Arrays.asList("alice", "bob"));
+  }
+
+  @Test
+  void testS3AdminExtractionWithFallback() throws IOException {
+    OzoneConfiguration configuration = new OzoneConfiguration();
+    configuration.set(OzoneConfigKeys.OZONE_ADMINISTRATORS, "alice,bob");
+
+    assertThat(OzoneS3ConfigUtils.getS3AdminsFromConfig(configuration))
+        .containsAll(Arrays.asList("alice", "bob"));
+  }
+
+  @Test
+  void testS3AdminGroupExtraction() {
+    OzoneConfiguration configuration = new OzoneConfiguration();
+    configuration.set(OzoneConfigKeys.OZONE_S3_ADMINISTRATORS_GROUPS,
+        "test1, test2");
+
+    assertThat(OzoneS3ConfigUtils.getS3AdminsGroupsFromConfig(configuration))
+        .containsAll(Arrays.asList("test1", "test2"));
+  }
+
+  @Test
+  void testS3AdminGroupExtractionWithFallback() {
+    OzoneConfiguration configuration = new OzoneConfiguration();
+    configuration.set(OzoneConfigKeys.OZONE_ADMINISTRATORS_GROUPS,
+        "test1, test2");
+
+    assertThat(OzoneS3ConfigUtils.getS3AdminsGroupsFromConfig(configuration))
+        .containsAll(Arrays.asList("test1", "test2"));
+  }
+
+  @Test
+  void testGetS3AdminsWhenS3AdminPresent() {
+    // When there is S3 admin present
+    OzoneConfiguration configuration = new OzoneConfiguration();
+    configuration.set(OzoneConfigKeys.OZONE_S3_ADMINISTRATORS, "alice");
+    configuration.set(OzoneConfigKeys.OZONE_S3_ADMINISTRATORS_GROUPS, "test_group");
+
+    OzoneAdmins admins = OzoneS3ConfigUtils.getS3Admins(configuration);
+    UserGroupInformation ugi = UserGroupInformation.createUserForTesting(
+        "alice", new String[] {"test_group"});
+
+    assertThat(admins.isAdmin(ugi)).isEqualTo(true);
+
+    // Test that when a user is present in an admin group but not an Ozone Admin
+    UserGroupInformation ugiGroupOnly = UserGroupInformation.createUserForTesting(
+        "bob", new String[] {"test_group"});
+    assertThat(admins.isAdmin(ugiGroupOnly)).isEqualTo(true);
+  }
+  @Test
+  void testGetS3AdminsWhenNoS3AdminPresent() {
+    // When there is no S3 admin, but Ozone admins present
+    OzoneConfiguration configuration = new OzoneConfiguration();
+    configuration.set(OzoneConfigKeys.OZONE_ADMINISTRATORS, "alice");
+    configuration.set(OzoneConfigKeys.OZONE_ADMINISTRATORS_GROUPS, "test_group");
+
+    OzoneAdmins admins = OzoneS3ConfigUtils.getS3Admins(configuration);
+    UserGroupInformation ugi = UserGroupInformation.createUserForTesting(
+        "alice", new String[] {"test_group"});
+
+    assertThat(admins.isAdmin(ugi)).isEqualTo(true);
+
+    // Test that when a user is present in an admin group but not an Ozone Admin
+    UserGroupInformation ugiGroupOnly = UserGroupInformation.createUserForTesting(
+        "bob", new String[] {"test_group"});
+    assertThat(admins.isAdmin(ugiGroupOnly)).isEqualTo(true);
+  }
+
+  @Test
+  void testGetS3AdminsWithNoAdmins() {
+    OzoneAdmins admins = OzoneS3ConfigUtils.getS3Admins(new OzoneConfiguration());
+    UserGroupInformation ugi = UserGroupInformation.createUserForTesting(
+        "alice", new String[] {"test_group"});
+    assertThat(admins.isAdmin(ugi)).isEqualTo(false);
+  }
+
+  @Test
+  void testIsS3AdminForS3AdminUser() {
+    OzoneConfiguration configuration = new OzoneConfiguration();
+    configuration.set(OzoneConfigKeys.OZONE_S3_ADMINISTRATORS, "alice");
+    configuration.set(OzoneConfigKeys.OZONE_S3_ADMINISTRATORS_GROUPS, "test_group");
+
+    UserGroupInformation ugi = UserGroupInformation.createUserForTesting(
+        "alice", new String[] {"test_group"});
+    // Scenario when user is present in an admin group but not an Ozone Admin
+    UserGroupInformation ugiGroupOnly = UserGroupInformation.createUserForTesting(
+        "bob", new String[] {"test_group"});
+
+    assertThat(OzoneS3ConfigUtils.isS3Admin(ugi, configuration)).isEqualTo(true);
+    assertThat(OzoneS3ConfigUtils.isS3Admin(ugiGroupOnly, configuration)).isEqualTo(true);
+  }
+
+  @Test
+  void testIsS3AdminForAdminUser() {
+    // When there is no S3 admin, but Ozone admins present
+    OzoneConfiguration configuration = new OzoneConfiguration();
+    configuration.set(OzoneConfigKeys.OZONE_ADMINISTRATORS, "alice");
+    configuration.set(OzoneConfigKeys.OZONE_ADMINISTRATORS_GROUPS, "test_group");
+
+    OzoneAdmins admins = OzoneS3ConfigUtils.getS3Admins(configuration);
+    UserGroupInformation ugi = UserGroupInformation.createUserForTesting(
+        "alice", new String[] {"test_group"});
+    // Test that when a user is present in an admin group but not an Ozone Admin
+    UserGroupInformation ugiGroupOnly = UserGroupInformation.createUserForTesting(
+        "bob", new String[] {"test_group"});
+
+    assertThat(admins.isAdmin(ugi)).isEqualTo(true);
+    assertThat(admins.isAdmin(ugiGroupOnly)).isEqualTo(true);
+  }
+
+  @Test
+  void testIsS3AdminForNoUser() {
+    OzoneConfiguration configuration = new OzoneConfiguration();
+    assertThat(OzoneS3ConfigUtils.isS3Admin(null, configuration)).isEqualTo(false);
+  }
+}