HDDS-11041. Add admin request filter for S3 requests and UGI support for GrpcOmTransport

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/ha/GrpcOMFailoverProxyProvider.java

@@ -23,6 +23,8 @@
 import org.apache.hadoop.hdds.conf.ConfigurationSource;
 import org.apache.hadoop.hdds.HddsUtils;
 import org.apache.hadoop.hdds.utils.LegacyHadoopConfigurationSource;
+import org.apache.hadoop.io.retry.RetryPolicies;
+import org.apache.hadoop.io.retry.RetryPolicy;
 import org.apache.hadoop.ipc.RPC;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.ozone.OmUtils;
@@ -41,6 +43,7 @@
 import java.util.Optional;
 import java.util.OptionalInt;
 import io.grpc.StatusRuntimeException;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -59,10 +62,14 @@ public class GrpcOMFailoverProxyProvider<T> extends
   public static final Logger LOG =
       LoggerFactory.getLogger(GrpcOMFailoverProxyProvider.class);
 
+  private final UserGroupInformation ugi;
+
   public GrpcOMFailoverProxyProvider(ConfigurationSource configuration,
+                                     UserGroupInformation ugi,
                                      String omServiceId,
                                      Class<T> protocol) throws IOException {
     super(configuration, omServiceId, protocol);
+    this.ugi = ugi;
   }
 
   @Override
@@ -118,7 +125,20 @@ private T createOMProxy() throws IOException {
     InetSocketAddress addr = new InetSocketAddress(0);
     Configuration hadoopConf =
         LegacyHadoopConfigurationSource.asHadoopConfiguration(getConf());
-    return (T) RPC.getProxy(getInterface(), 0, addr, hadoopConf);
+
+    // Ensure we do not attempt retry on the same OM in case of exceptions
+    RetryPolicy connectionRetryPolicy = RetryPolicies.failoverOnNetworkException(0);
+
+    return (T) RPC.getProtocolProxy(
+      getInterface(),
+      0,
+      addr,
+      ugi,
+      hadoopConf,
+      NetUtils.getDefaultSocketFactory(hadoopConf),
+      (int) OmUtils.getOMClientRpcTimeOut(getConf()),
+      connectionRetryPolicy
+    ).getProxy();
   }
 
   /**

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocolPB/GrpcOmTransport.java

@@ -121,6 +121,7 @@ public GrpcOmTransport(ConfigurationSource conf,
 
     omFailoverProxyProvider = new GrpcOMFailoverProxyProvider(
         conf,
+        ugi,
         omServiceId,
         OzoneManagerProtocolPB.class);
 

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneConfigUtil.java

@@ -49,7 +49,7 @@ private OzoneConfigUtil() {
    * If ozone.s3.administrators value is empty string or unset,
    * defaults to ozone.administrators value.
    */
-  static Collection<String> getS3AdminsFromConfig(OzoneConfiguration conf)
+  public static Collection<String> getS3AdminsFromConfig(OzoneConfiguration conf)
           throws IOException {
     Collection<String> ozAdmins =
             conf.getTrimmedStringCollection(OZONE_S3_ADMINISTRATORS);
@@ -63,7 +63,7 @@ static Collection<String> getS3AdminsFromConfig(OzoneConfiguration conf)
     return ozAdmins;
   }
 
-  static Collection<String> getS3AdminsGroupsFromConfig(
+  public static Collection<String> getS3AdminsGroupsFromConfig(
       OzoneConfiguration conf) {
     Collection<String> s3AdminsGroup =
             conf.getTrimmedStringCollection(OZONE_S3_ADMINISTRATORS_GROUPS);

hadoop-ozone/s3gateway/pom.xml

@@ -231,6 +231,10 @@
       <groupId>org.apache.ozone</groupId>
       <artifactId>ozone-client</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.apache.ozone</groupId>
+      <artifactId>ozone-manager</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.apache.ozone</groupId>
       <artifactId>hdds-docs</artifactId>

hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3secret/S3AdminEndpoint.java

@@ -0,0 +1,34 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership.  The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ *
+ */
+
+package org.apache.hadoop.ozone.s3secret;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import javax.ws.rs.NameBinding;
+
+/**
+ * Annotation to only allow admin users to access the endpoint.
+ */
+@NameBinding
+@Retention(RetentionPolicy.RUNTIME)
+@Target({ElementType.TYPE, ElementType.METHOD})
+public @interface S3AdminEndpoint {
+}

hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3secret/S3SecretAdminFilter.java

@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership.  The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ *
+ */
+
+package org.apache.hadoop.ozone.s3secret;
+
+
+import javax.inject.Inject;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.ext.Provider;
+import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+import org.apache.hadoop.hdds.server.OzoneAdmins;
+import org.apache.hadoop.ozone.om.OzoneConfigUtil;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.util.Collection;
+import java.util.Collections;
+
+/**
+ * Filter that only allows admin to access endpoints annotated with {@link S3AdminEndpoint}.
+ * Condition is based on the value of the configuration keys for:
+ * <ul>
+ *   <li>ozone.administrators</li>
+ *   <li>ozone.administrators.groups</li>
+ * </ul>
+ */
+@S3AdminEndpoint
+@Provider
+public class S3SecretAdminFilter implements ContainerRequestFilter {
+
+  @Inject
+  private OzoneConfiguration conf;
+
+  @Override
+  public void filter(ContainerRequestContext requestContext) throws IOException {
+    final Principal userPrincipal = requestContext.getSecurityContext().getUserPrincipal();
+    if (null != userPrincipal) {
+      UserGroupInformation user = UserGroupInformation.createRemoteUser(userPrincipal.getName());
+      if (!isAdmin(user)) {
+        requestContext.abortWith(Response.status(403)
+            .entity("Non-Admin user accessing endpoint")
+            .build());
+      }
+    }
+  }
+
+  /**
+   * Checks if the user that is passed is an Admin.
+   * @param user Stores the user to filter
+   * @return true if the user is admin else false
+   */
+  private boolean isAdmin(UserGroupInformation user) {
+    Collection<String> s3Admins;
+    try {
+      s3Admins = OzoneConfigUtil.getS3AdminsFromConfig(conf);
+    } catch (IOException ie) {
+      // We caught an exception while trying to log in using the UGI user
+      // Refer to UserGroupInformation.getCurrentUser() in getS3AdminsFromConfig
+      s3Admins = Collections.<String>emptyList();
+    }
+    Collection<String> s3AdminGroups =
+        OzoneConfigUtil.getS3AdminsGroupsFromConfig(conf);
+    // If there are no admins or admin groups specified, return false
+    if (s3Admins.isEmpty() || s3AdminGroups.isEmpty()) {
+      return false;
+    }
+    return new OzoneAdmins(s3Admins, s3AdminGroups).isAdmin(user);
+  }
+}

hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3secret/S3SecretManagementEndpoint.java

@@ -41,6 +41,7 @@
  */
 @Path("/secret")
 @S3SecretEnabled
+@S3AdminEndpoint
 public class S3SecretManagementEndpoint extends S3SecretEndpointBase {
   private static final Logger LOG =
       LoggerFactory.getLogger(S3SecretManagementEndpoint.class);
@@ -54,8 +55,7 @@ public Response generate() throws IOException {
   @Path("/{username}")
   public Response generate(@PathParam("username") String username)
       throws IOException {
-    // TODO: It is a temporary solution. To be removed after HDDS-11041 is done.
-    return Response.status(METHOD_NOT_ALLOWED).build();
+    return generateInternal(username);
   }
 
   private Response generateInternal(@Nullable String username) throws IOException {