From 162565f25cae844c49ff476270b27372a61db685 Mon Sep 17 00:00:00 2001
From: Bharat Viswanadham
Date: Fri, 16 Aug 2019 15:07:02 -0700
Subject: [PATCH 1/5] HDDS-1974. Implement OM CancelDelegationToken request to use Cache and DoubleBuffer.
---
.../OzoneDelegationTokenSecretManager.java | 38 ++++--
.../OMCancelDelegationTokenRequest.java | 125 ++++++++++++++++++
.../security/OMGetDelegationTokenRequest.java | 18 +--
.../security/OMDelegationTokenResponse.java | 13 +-
4 files changed, 174 insertions(+), 20 deletions(-)
create mode 100644 hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/security/OMCancelDelegationTokenRequest.java
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java
index 1a6da6da940d2..30fe17eb9fad1 100644
--- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java
+++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java
@@ -287,18 +287,40 @@ public OzoneTokenIdentifier cancelToken(Token token, throw new AccessControlException(canceller + " is not authorized to cancel the token " + formatTokenId(id)); } - try { - store.removeToken(id); - } catch (IOException e) { - LOG.error("Unable to remove token " + id.getSequenceNumber(), e); - } - TokenInfo info = currentTokens.remove(id); - if (info == null) { - throw new InvalidToken("Token not found " + formatTokenId(id)); + + // For HA ratis will take care of removal. + // This check will be removed, when HA/Non-HA code is merged. + if (!isRatisEnabled) { + try { + store.removeToken(id); + } catch (IOException e) { + LOG.error("Unable to remove token " + id.getSequenceNumber(), e); + } + TokenInfo info = currentTokens.remove(id); + if (info == null) { + throw new InvalidToken("Token not found " + formatTokenId(id)); + } + } else { + // Check whether token is there in-memory map of tokens or not on the + // OM leader. + TokenInfo info = currentTokens.get(id); + if (info == null) { + throw new InvalidToken("Token not found in-memory map of tokens" + + formatTokenId(id)); + } } return id; } + /** + * Remove the expired token from in-memory map. + * @param ozoneTokenIdentifier + * @throws IOException + */ + public void removeToken(OzoneTokenIdentifier ozoneTokenIdentifier) { + currentTokens.remove(ozoneTokenIdentifier); + } + @Override public byte[] retrievePassword(OzoneTokenIdentifier identifier) throws InvalidToken { diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/security/OMCancelDelegationTokenRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/security/OMCancelDelegationTokenRequest.java new file mode 100644 index 0000000000000..88f5a0e16ae6d --- /dev/null +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/security/OMCancelDelegationTokenRequest.java 
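Review bot: The new public `removeToken` drops an entry from `currentTokens` with no canceller or ownership check, so it is only safe if every caller has already passed `cancelToken`. Its Javadoc should say that instead of describing expired tokens, and should drop `@throws IOException`, which the method does not declare. Something like `Removes a cancelled token from the in-memory map; callers must have authorized the cancel via cancelToken first.` would match how the request class in this patch uses it. In the Ratis branch of `cancelToken`, the message `"Token not found in-memory map of tokens" + formatTokenId(id)` runs the text into the token id, so add a trailing space inside the literal. `cancelToken` itself begins above this hunk.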
@@ -0,0 +1,125 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

+ * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.ozone.om.request.security; + +import com.google.common.base.Optional; +import org.apache.hadoop.ozone.om.OMMetadataManager; +import org.apache.hadoop.ozone.om.OzoneManager; +import org.apache.hadoop.ozone.om.ratis.utils.OzoneManagerDoubleBufferHelper; +import org.apache.hadoop.ozone.om.request.OMClientRequest; +import org.apache.hadoop.ozone.om.response.OMClientResponse; +import org.apache.hadoop.ozone.om.response.security.OMDelegationTokenResponse; +import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos; +import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMRequest; +import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMResponse; +import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.CancelDelegationTokenResponseProto; +import org.apache.hadoop.ozone.protocolPB.OMPBHelper; +import org.apache.hadoop.ozone.security.OzoneTokenIdentifier; +import org.apache.hadoop.security.proto.SecurityProtos; +import org.apache.hadoop.security.proto.SecurityProtos.CancelDelegationTokenRequestProto; +import org.apache.hadoop.security.token.Token; +import org.apache.hadoop.utils.db.cache.CacheKey; +import org.apache.hadoop.utils.db.cache.CacheValue; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; + +/** + * Handle CancelDelegationToken Request. 
+ */ +public class OMCancelDelegationTokenRequest extends OMClientRequest { + + private static final Logger LOG = + LoggerFactory.getLogger(OMGetDelegationTokenRequest.class); + + public OMCancelDelegationTokenRequest(OMRequest omRequest) { + super(omRequest); + } + + @Override + public OMRequest preExecute(OzoneManager ozoneManager) throws IOException { + + // Call OM to cancel token, this does check whether we can cancel token + // or not. This does not remove token from DB/in-memory. + ozoneManager.cancelDelegationToken(getToken()); + + return super.preExecute(ozoneManager); + } + + @Override + public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, + long transactionLogIndex, + OzoneManagerDoubleBufferHelper ozoneManagerDoubleBufferHelper) { + + OMMetadataManager omMetadataManager = ozoneManager.getMetadataManager(); + + OMClientResponse omClientResponse = null; + OMResponse.Builder omResponse = + OMResponse.newBuilder() + .setCmdType(OzoneManagerProtocolProtos.Type.CancelDelegationToken) + .setStatus(OzoneManagerProtocolProtos.Status.OK) + .setSuccess(true); + OzoneTokenIdentifier ozoneTokenIdentifier = null; + try { + ozoneTokenIdentifier = + OzoneTokenIdentifier.readProtoBuf(getToken().getIdentifier()); + + // Remove token from in-memory. + ozoneManager.getDelegationTokenMgr().removeToken(ozoneTokenIdentifier); + + // Update Cache. 
+ omMetadataManager.getDelegationTokenTable().addCacheEntry( + new CacheKey<>(ozoneTokenIdentifier), + new CacheValue<>(Optional.absent(), transactionLogIndex)); + + omClientResponse = + new OMDelegationTokenResponse(ozoneTokenIdentifier, -1L, + omResponse.setCancelDelegationTokenResponse( + CancelDelegationTokenResponseProto.newBuilder().setResponse( + SecurityProtos.CancelDelegationTokenResponseProto + .newBuilder())).build()); + } catch (IOException ex) { + LOG.error("Error in cancel DelegationToken {}", ozoneTokenIdentifier, ex); + omClientResponse = new OMDelegationTokenResponse(null, -1L, + createErrorOMResponse(omResponse, ex)); + } finally { + if (omClientResponse != null) { + omClientResponse.setFlushFuture( + ozoneManagerDoubleBufferHelper.add(omClientResponse, + transactionLogIndex)); + } + } + + if (LOG.isDebugEnabled()) { + LOG.debug("Cancelled delegation token: {}", ozoneTokenIdentifier); + } + + return omClientResponse; + } + + + public Token getToken() { + CancelDelegationTokenRequestProto cancelDelegationTokenRequest = + getOmRequest().getCancelDelegationTokenRequest(); + + return OMPBHelper.convertToDelegationToken( + cancelDelegationTokenRequest.getToken()); + } +} diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/security/OMGetDelegationTokenRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/security/OMGetDelegationTokenRequest.java index 18d50e93899b4..eec6302fb5a25 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/security/OMGetDelegationTokenRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/security/OMGetDelegationTokenRequest.java 
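Review bot: `LOG` is created with `LoggerFactory.getLogger(OMGetDelegationTokenRequest.class)`, so every cancel event from this class is logged under the Get request's logger name, which makes token cancellations hard to filter or alert on. It should be `LoggerFactory.getLogger(OMCancelDelegationTokenRequest.class);`. In `validateAndUpdateCache` the `LOG.debug("Cancelled delegation token: {}", ...)` call sits after the try/catch/finally, so it is also emitted when the `IOException` branch built an error response; moving it to the end of the `try` block keeps the debug trail truthful. The authorization check runs only in `preExecute` via `ozoneManager.cancelDelegationToken(getToken())`, and `validateAndUpdateCache` removes the token without re-checking, which deserves a one-line comment stating that assumption.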
@@ -65,13 +65,13 @@ public OMRequest preExecute(OzoneManager ozoneManager) throws IOException { .getDelegationToken(new Text(getDelegationTokenRequest.getRenewer())); - // Client issues GetDelegationToken request, when received by OM leader will - // it generate Token. Original GetDelegationToken request is converted to - // UpdateGetDelegationToken request with the generated token information. - // This updated request will be submitted to Ratis. In this way delegation - // token created by leader, will be replicated across all OMs. - // And also original GetDelegationToken request from client does not need - // any proto changes. + // Client issues GetDelegationToken request, when received by OM leader + // it will generate a token. Original GetDelegationToken request is + // converted to UpdateGetDelegationToken request with the generated token + // information. This updated request will be submitted to Ratis. In this + // way delegation token created by leader, will be replicated across all + // OMs. With this approach, original GetDelegationToken request from + // client does not need any proto changes. // Create UpdateGetDelegationTokenRequest with token response. OMRequest.Builder omRequest = OMRequest.newBuilder() @@ -134,7 +134,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, updateGetDelegationTokenRequest .getGetDelegationTokenResponse()).build()); } catch (IOException ex) { - LOG.error("Error in Updating DelegationToken {} to DB", + LOG.error("Error in Updating DelegationToken {}", ozoneTokenIdentifierToken, ex); omClientResponse = new OMDelegationTokenResponse(null, -1L, createErrorOMResponse(omResponse, ex)); @@ -147,7 +147,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, } if (LOG.isDebugEnabled()) { - LOG.debug("Updated delegation token to OM DB: {}", + LOG.debug("Updated delegation token in-memory map: {}", ozoneTokenIdentifierToken); } 
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMDelegationTokenResponse.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMDelegationTokenResponse.java index 71e3371495985..22449ef1f2cbf 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMDelegationTokenResponse.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMDelegationTokenResponse.java @@ -24,6 +24,7 @@ import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMResponse; import org.apache.hadoop.ozone.security.OzoneTokenIdentifier; import org.apache.hadoop.utils.db.BatchOperation; +import org.apache.hadoop.utils.db.Table; import java.io.IOException; @@ -44,10 +45,16 @@ public OMDelegationTokenResponse(OzoneTokenIdentifier ozoneTokenIdentifier, @Override public void addToDBBatch(OMMetadataManager omMetadataManager, BatchOperation batchOperation) throws IOException { - + Table table = omMetadataManager.getDelegationTokenTable(); if (getOMResponse().getStatus() == OzoneManagerProtocolProtos.Status.OK) { - omMetadataManager.getDelegationTokenTable().putWithBatch(batchOperation, - ozoneTokenIdentifier, renewTime); + if (OzoneManagerProtocolProtos.Type.GetDelegationToken == + getOMResponse().getCmdType()) { + table.putWithBatch(batchOperation, + ozoneTokenIdentifier, renewTime); + } else if (OzoneManagerProtocolProtos.Type.CancelDelegationToken == + getOMResponse().getCmdType()) { + table.deleteWithBatch(batchOperation, ozoneTokenIdentifier); + } } } } From 787aa4c426ce2d0beca21da54508a5f060dd9b43 Mon Sep 17 00:00:00 2001 From: Bharat Viswanadham Date: Fri, 16 Aug 2019 15:20:24 -0700 Subject: [PATCH 2/5] minor change. --- .../ozone/om/response/security/OMDelegationTokenResponse.java | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMDelegationTokenResponse.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMDelegationTokenResponse.java index 22449ef1f2cbf..72846470594e7 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMDelegationTokenResponse.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMDelegationTokenResponse.java @@ -49,8 +49,7 @@ public void addToDBBatch(OMMetadataManager omMetadataManager, if (getOMResponse().getStatus() == OzoneManagerProtocolProtos.Status.OK) { if (OzoneManagerProtocolProtos.Type.GetDelegationToken == getOMResponse().getCmdType()) { - table.putWithBatch(batchOperation, - ozoneTokenIdentifier, renewTime); + table.putWithBatch(batchOperation, ozoneTokenIdentifier, renewTime); } else if (OzoneManagerProtocolProtos.Type.CancelDelegationToken == getOMResponse().getCmdType()) { table.deleteWithBatch(batchOperation, ozoneTokenIdentifier); From 1d165c71ffe55d3e8a6218133d381ea084a315ac Mon Sep 17 00:00:00 2001 From: Bharat Viswanadham Date: Fri, 16 Aug 2019 15:26:33 -0700 Subject: [PATCH 3/5] few minor changes. --- .../security/OMCancelDelegationTokenRequest.java | 4 ++-- .../security/OMDelegationTokenResponse.java | 16 +++++++++++++--- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/security/OMCancelDelegationTokenRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/security/OMCancelDelegationTokenRequest.java index 88f5a0e16ae6d..1818da2f45591 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/security/OMCancelDelegationTokenRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/security/OMCancelDelegationTokenRequest.java 
@@ -90,14 +90,14 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, new CacheValue<>(Optional.absent(), transactionLogIndex)); omClientResponse = - new OMDelegationTokenResponse(ozoneTokenIdentifier, -1L, + new OMDelegationTokenResponse(ozoneTokenIdentifier, omResponse.setCancelDelegationTokenResponse( CancelDelegationTokenResponseProto.newBuilder().setResponse( SecurityProtos.CancelDelegationTokenResponseProto .newBuilder())).build()); } catch (IOException ex) { LOG.error("Error in cancel DelegationToken {}", ozoneTokenIdentifier, ex); - omClientResponse = new OMDelegationTokenResponse(null, -1L, + omClientResponse = new OMDelegationTokenResponse(null, createErrorOMResponse(omResponse, ex)); } finally { if (omClientResponse != null) { diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMDelegationTokenResponse.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMDelegationTokenResponse.java index 72846470594e7..6081eb4532aa0 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMDelegationTokenResponse.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMDelegationTokenResponse.java @@ -26,6 +26,7 @@ import org.apache.hadoop.utils.db.BatchOperation; import org.apache.hadoop.utils.db.Table; +import javax.annotation.Nonnull; import java.io.IOException; /** 
@@ -34,14 +35,23 @@ public class OMDelegationTokenResponse extends OMClientResponse { private OzoneTokenIdentifier ozoneTokenIdentifier; - private long renewTime; - public OMDelegationTokenResponse(OzoneTokenIdentifier ozoneTokenIdentifier, - long renewTime, OMResponse omResponse) { + private long renewTime = -1L; + + public OMDelegationTokenResponse( + @Nonnull OzoneTokenIdentifier ozoneTokenIdentifier, + long renewTime, @Nonnull OMResponse omResponse) { super(omResponse); this.ozoneTokenIdentifier = ozoneTokenIdentifier; this.renewTime = renewTime; } + public OMDelegationTokenResponse( + @Nonnull OzoneTokenIdentifier ozoneTokenIdentifier, + @Nonnull OMResponse omResponse) { + super(omResponse); + this.ozoneTokenIdentifier = ozoneTokenIdentifier; + } + @Override public void addToDBBatch(OMMetadataManager omMetadataManager, BatchOperation batchOperation) throws IOException { From e11e0176c2799174c19ef1703ab58de9d3e0de88 Mon Sep 17 00:00:00 2001 From: Bharat Viswanadham Date: Fri, 16 Aug 2019 16:51:48 -0700 Subject: [PATCH 4/5] fix offline discussin comments. --- .../request/bucket/OMBucketCreateRequest.java | 27 ++++++++- .../OMCancelDelegationTokenRequest.java | 6 +- .../security/OMGetDelegationTokenRequest.java | 6 +- .../OMCancelDelegationTokenResponse.java | 55 +++++++++++++++++++ ...java => OMGetDelegationTokenResponse.java} | 21 ++----- 5 files changed, 90 insertions(+), 25 deletions(-) create mode 100644 hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMCancelDelegationTokenResponse.java rename hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/{OMDelegationTokenResponse.java => OMGetDelegationTokenResponse.java} (72%) 
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketCreateRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketCreateRequest.java index ea2210d7e5860..9d77cebe98b0a 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketCreateRequest.java @@ -19,8 +19,12 @@ package org.apache.hadoop.ozone.om.request.bucket; import java.io.IOException; +import java.util.ArrayList; +import java.util.List; import com.google.common.base.Optional; +import org.apache.hadoop.ozone.OzoneAcl; +import org.apache.hadoop.ozone.om.helpers.OmVolumeArgs; import org.apache.hadoop.ozone.om.ratis.utils.OzoneManagerDoubleBufferHelper; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -137,7 +141,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, try { // check Acl if (ozoneManager.getAclsEnabled()) { - checkAcls(ozoneManager, OzoneObj.ResourceType.BUCKET, + checkAcls(ozoneManager, OzoneObj.ResourceType.VOLUME, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.CREATE, volumeName, bucketName, null); } @@ -147,11 +151,15 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, acquiredBucketLock = metadataManager.getLock().acquireLock(BUCKET_LOCK, volumeName, bucketName); //Check if the volume exists - if (metadataManager.getVolumeTable().get(volumeKey) == null) { + OmVolumeArgs omVolumeArgs = + metadataManager.getVolumeTable().get(volumeKey); + + if (omVolumeArgs == null) { LOG.debug("volume: {} not found ", volumeName); throw new OMException("Volume doesn't exist", OMException.ResultCodes.VOLUME_NOT_FOUND); } + //Check if bucket already exists if (metadataManager.getBucketTable().get(bucketKey) != null) { LOG.debug("bucket: {} already exists ", bucketName); 
@@ -159,6 +167,9 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, OMException.ResultCodes.BUCKET_ALREADY_EXISTS); } + // Add default acls from volume. + addDefaultAcls(omBucketInfo, omVolumeArgs); + // Update table cache. metadataManager.getBucketTable().addCacheEntry(new CacheKey<>(bucketKey), new CacheValue<>(Optional.of(omBucketInfo), transactionLogIndex)); @@ -203,6 +214,18 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, } } + private void addDefaultAcls(OmBucketInfo omBucketInfo, OmVolumeArgs omVolumeArgs) { + // Add default acls from volume. + List acls = new ArrayList<>(); + if (omBucketInfo.getAcls() != null) { + acls.addAll(omBucketInfo.getAcls()); + } + omVolumeArgs.getAclMap().getDefaultAclList().forEach( + defaultAcl -> acls.add( + OzoneAcl.fromProtobufWithAccessType(defaultAcl))); + omBucketInfo.setAcls(acls); + } + private BucketInfo getBucketInfoFromRequest() { CreateBucketRequest createBucketRequest = diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/security/OMCancelDelegationTokenRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/security/OMCancelDelegationTokenRequest.java index 1818da2f45591..b28090db72e25 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/security/OMCancelDelegationTokenRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/security/OMCancelDelegationTokenRequest.java 
@@ -24,7 +24,7 @@ import org.apache.hadoop.ozone.om.ratis.utils.OzoneManagerDoubleBufferHelper; import org.apache.hadoop.ozone.om.request.OMClientRequest; import org.apache.hadoop.ozone.om.response.OMClientResponse; -import org.apache.hadoop.ozone.om.response.security.OMDelegationTokenResponse; +import org.apache.hadoop.ozone.om.response.security.OMCancelDelegationTokenResponse; import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos; import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMRequest; import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMResponse; @@ -90,14 +90,14 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, new CacheValue<>(Optional.absent(), transactionLogIndex)); omClientResponse = - new OMDelegationTokenResponse(ozoneTokenIdentifier, + new OMCancelDelegationTokenResponse(ozoneTokenIdentifier, omResponse.setCancelDelegationTokenResponse( CancelDelegationTokenResponseProto.newBuilder().setResponse( SecurityProtos.CancelDelegationTokenResponseProto .newBuilder())).build()); } catch (IOException ex) { LOG.error("Error in cancel DelegationToken {}", ozoneTokenIdentifier, ex); - omClientResponse = new OMDelegationTokenResponse(null, + omClientResponse = new OMCancelDelegationTokenResponse(null, createErrorOMResponse(omResponse, ex)); } finally { if (omClientResponse != null) { diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/security/OMGetDelegationTokenRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/security/OMGetDelegationTokenRequest.java index eec6302fb5a25..df9400efc5b78 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/security/OMGetDelegationTokenRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/security/OMGetDelegationTokenRequest.java 
@@ -25,7 +25,7 @@ import org.apache.hadoop.ozone.om.ratis.utils.OzoneManagerDoubleBufferHelper; import org.apache.hadoop.ozone.om.request.OMClientRequest; import org.apache.hadoop.ozone.om.response.OMClientResponse; -import org.apache.hadoop.ozone.om.response.security.OMDelegationTokenResponse; +import org.apache.hadoop.ozone.om.response.security.OMGetDelegationTokenResponse; import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos; import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.GetDelegationTokenResponseProto; import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMRequest; @@ -129,14 +129,14 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, new CacheValue<>(Optional.of(renewTime), transactionLogIndex)); omClientResponse = - new OMDelegationTokenResponse(ozoneTokenIdentifier, renewTime, + new OMGetDelegationTokenResponse(ozoneTokenIdentifier, renewTime, omResponse.setGetDelegationTokenResponse( updateGetDelegationTokenRequest .getGetDelegationTokenResponse()).build()); } catch (IOException ex) { LOG.error("Error in Updating DelegationToken {}", ozoneTokenIdentifierToken, ex); - omClientResponse = new OMDelegationTokenResponse(null, -1L, + omClientResponse = new OMGetDelegationTokenResponse(null, -1L, createErrorOMResponse(omResponse, ex)); } finally { if (omClientResponse != null) { diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMCancelDelegationTokenResponse.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMCancelDelegationTokenResponse.java new file mode 100644 index 0000000000000..3a658d5b02e58 --- /dev/null +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMCancelDelegationTokenResponse.java 
@@ -0,0 +1,55 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

+ * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.ozone.om.response.security; + +import org.apache.hadoop.ozone.om.OMMetadataManager; +import org.apache.hadoop.ozone.om.response.OMClientResponse; +import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos; +import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMResponse; +import org.apache.hadoop.ozone.security.OzoneTokenIdentifier; +import org.apache.hadoop.utils.db.BatchOperation; +import org.apache.hadoop.utils.db.Table; + +import javax.annotation.Nonnull; +import java.io.IOException; + +/** + * Handle response for CancelDelegationToken request. + */ +public class OMCancelDelegationTokenResponse extends OMClientResponse { + + private OzoneTokenIdentifier ozoneTokenIdentifier; + + public OMCancelDelegationTokenResponse( + @Nonnull OzoneTokenIdentifier ozoneTokenIdentifier, + @Nonnull OMResponse omResponse) { + super(omResponse); + this.ozoneTokenIdentifier = ozoneTokenIdentifier; + } + + @Override + public void addToDBBatch(OMMetadataManager omMetadataManager, + BatchOperation batchOperation) throws IOException { + Table table = omMetadataManager.getDelegationTokenTable(); + if (getOMResponse().getStatus() == OzoneManagerProtocolProtos.Status.OK) { + table.deleteWithBatch(batchOperation, ozoneTokenIdentifier); + } + } +} + 
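Review bot: `ozoneTokenIdentifier` is assigned once in the constructor and never changed, so it should be declared `private final OzoneTokenIdentifier ozoneTokenIdentifier;`. `addToDBBatch` would also benefit from a short comment such as `// Delete the token row only when the cancel succeeded; an error response leaves the DB untouched.`, since the status guard is what keeps a failed cancel from removing a still-valid token's record.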
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMDelegationTokenResponse.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMGetDelegationTokenResponse.java similarity index 72% rename from hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMDelegationTokenResponse.java rename to hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMGetDelegationTokenResponse.java index 6081eb4532aa0..38ed6e5ebf00a 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMDelegationTokenResponse.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMGetDelegationTokenResponse.java @@ -30,14 +30,14 @@ import java.io.IOException; /** - * Handle response for DelegationToken request. + * Handle response for GetDelegationToken request. */ -public class OMDelegationTokenResponse extends OMClientResponse { +public class OMGetDelegationTokenResponse extends OMClientResponse { private OzoneTokenIdentifier ozoneTokenIdentifier; private long renewTime = -1L; - public OMDelegationTokenResponse( + public OMGetDelegationTokenResponse( @Nonnull OzoneTokenIdentifier ozoneTokenIdentifier, long renewTime, @Nonnull OMResponse omResponse) { super(omResponse); 
@@ -45,25 +45,12 @@ public OMDelegationTokenResponse( this.renewTime = renewTime; } - public OMDelegationTokenResponse( - @Nonnull OzoneTokenIdentifier ozoneTokenIdentifier, - @Nonnull OMResponse omResponse) { - super(omResponse); - this.ozoneTokenIdentifier = ozoneTokenIdentifier; - } - @Override public void addToDBBatch(OMMetadataManager omMetadataManager, BatchOperation batchOperation) throws IOException { Table table = omMetadataManager.getDelegationTokenTable(); if (getOMResponse().getStatus() == OzoneManagerProtocolProtos.Status.OK) { - if (OzoneManagerProtocolProtos.Type.GetDelegationToken == - getOMResponse().getCmdType()) { - table.putWithBatch(batchOperation, ozoneTokenIdentifier, renewTime); - } else if (OzoneManagerProtocolProtos.Type.CancelDelegationToken == - getOMResponse().getCmdType()) { - table.deleteWithBatch(batchOperation, ozoneTokenIdentifier); - } + table.putWithBatch(batchOperation, ozoneTokenIdentifier, renewTime); } } } From 08b1397b92208d8afa84a0efe83f3af1ff5301f1 Mon Sep 17 00:00:00 2001 From: Bharat Viswanadham Date: Sat, 17 Aug 2019 21:47:34 -0700 Subject: [PATCH 5/5] fix jenkins and cleanup changes not related to this PR. --- .../request/bucket/OMBucketCreateRequest.java | 26 ++----------------- .../OMCancelDelegationTokenResponse.java | 3 ++- .../OMGetDelegationTokenResponse.java | 3 ++- 3 files changed, 6 insertions(+), 26 deletions(-) diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketCreateRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketCreateRequest.java index 9d77cebe98b0a..65a25acdf6003 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketCreateRequest.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/bucket/OMBucketCreateRequest.java 
@@ -19,12 +19,8 @@ package org.apache.hadoop.ozone.om.request.bucket; import java.io.IOException; -import java.util.ArrayList; -import java.util.List; import com.google.common.base.Optional; -import org.apache.hadoop.ozone.OzoneAcl; -import org.apache.hadoop.ozone.om.helpers.OmVolumeArgs; import org.apache.hadoop.ozone.om.ratis.utils.OzoneManagerDoubleBufferHelper; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -141,7 +137,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, try { // check Acl if (ozoneManager.getAclsEnabled()) { - checkAcls(ozoneManager, OzoneObj.ResourceType.VOLUME, + checkAcls(ozoneManager, OzoneObj.ResourceType.BUCKET, OzoneObj.StoreType.OZONE, IAccessAuthorizer.ACLType.CREATE, volumeName, bucketName, null); } @@ -151,10 +147,7 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, acquiredBucketLock = metadataManager.getLock().acquireLock(BUCKET_LOCK, volumeName, bucketName); //Check if the volume exists - OmVolumeArgs omVolumeArgs = - metadataManager.getVolumeTable().get(volumeKey); - - if (omVolumeArgs == null) { + if (metadataManager.getVolumeTable().get(volumeKey) == null) { LOG.debug("volume: {} not found ", volumeName); throw new OMException("Volume doesn't exist", OMException.ResultCodes.VOLUME_NOT_FOUND); @@ -167,9 +160,6 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, OMException.ResultCodes.BUCKET_ALREADY_EXISTS); } - // Add default acls from volume. - addDefaultAcls(omBucketInfo, omVolumeArgs); - // Update table cache. metadataManager.getBucketTable().addCacheEntry(new CacheKey<>(bucketKey), new CacheValue<>(Optional.of(omBucketInfo), transactionLogIndex)); 
@@ -214,18 +204,6 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, } } - private void addDefaultAcls(OmBucketInfo omBucketInfo, OmVolumeArgs omVolumeArgs) { - // Add default acls from volume. - List acls = new ArrayList<>(); - if (omBucketInfo.getAcls() != null) { - acls.addAll(omBucketInfo.getAcls()); - } - omVolumeArgs.getAclMap().getDefaultAclList().forEach( - defaultAcl -> acls.add( - OzoneAcl.fromProtobufWithAccessType(defaultAcl))); - omBucketInfo.setAcls(acls); - } - private BucketInfo getBucketInfoFromRequest() { CreateBucketRequest createBucketRequest = diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMCancelDelegationTokenResponse.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMCancelDelegationTokenResponse.java index 3a658d5b02e58..d2092bd7a4b89 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMCancelDelegationTokenResponse.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMCancelDelegationTokenResponse.java @@ -27,6 +27,7 @@ import org.apache.hadoop.utils.db.Table; import javax.annotation.Nonnull; +import javax.annotation.Nullable; import java.io.IOException; /** @@ -37,7 +38,7 @@ public class OMCancelDelegationTokenResponse extends OMClientResponse { private OzoneTokenIdentifier ozoneTokenIdentifier; public OMCancelDelegationTokenResponse( - @Nonnull OzoneTokenIdentifier ozoneTokenIdentifier, + @Nullable OzoneTokenIdentifier ozoneTokenIdentifier, @Nonnull OMResponse omResponse) { super(omResponse); this.ozoneTokenIdentifier = ozoneTokenIdentifier; 
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMGetDelegationTokenResponse.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMGetDelegationTokenResponse.java index 38ed6e5ebf00a..40b9a9689ad57 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMGetDelegationTokenResponse.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/response/security/OMGetDelegationTokenResponse.java @@ -27,6 +27,7 @@ import org.apache.hadoop.utils.db.Table; import javax.annotation.Nonnull; +import javax.annotation.Nullable; import java.io.IOException; /** @@ -38,7 +39,7 @@ public class OMGetDelegationTokenResponse extends OMClientResponse { private long renewTime = -1L; public OMGetDelegationTokenResponse( - @Nonnull OzoneTokenIdentifier ozoneTokenIdentifier, + @Nullable OzoneTokenIdentifier ozoneTokenIdentifier, long renewTime, @Nonnull OMResponse omResponse) { super(omResponse); this.ozoneTokenIdentifier = ozoneTokenIdentifier;