HDDS-1462. Fix content and format of Ozone documentation. Contributed by Elek, Marton. (#767)

This commit is contained in:
Elek, Márton 2019-04-29 22:28:19 +02:00 committed by Ajay Yadav
parent 5bca062d0e
commit 59816dff94
17 changed files with 162 additions and 88 deletions


@ -2,8 +2,8 @@
title: Bucket Commands
menu:
main:
parent: OzoneShell
weight: 2
---
<!---
Licensed to the Apache Software Foundation (ASF) under one or more


@ -35,12 +35,11 @@ the ozone build command. This instruction assumes that you have all the
dependencies to build Hadoop on your build machine. If you need instructions
on how to build Hadoop, please look at the Apache Hadoop Website.
```bash
mvn -f pom.ozone.xml clean package -DskipTests=true
```
This will build an ozone-\<version\>.tar.gz in your `hadoop-ozone/dist/target` directory.
You can copy this tarball and use this instead of binary artifacts that are
provided along with the official release.
@ -48,7 +47,20 @@ provided along with the official release.
## How to test the build
You can run the acceptance tests in the hadoop-ozone directory to make sure
that your build is functional. To launch the acceptance tests, please follow
the instructions in the **README.md** in the `smoketest` directory.
```bash
cd smoketest
./test.sh
```
You can also execute only a minimal subset of the tests:
```bash
cd smoketest
./test.sh --env ozone basic
```
Acceptance tests will start a small ozone cluster and verify that the ozone shell and the ozone file system are fully functional.


@ -4,6 +4,7 @@ menu:
main:
parent: Client
weight: 1
identifier: OzoneShell
---
<!---
Licensed to the Apache Software Foundation (ASF) under one or more


@ -2,7 +2,7 @@
title: Key Commands
menu:
main:
parent: OzoneShell
weight: 3
---
<!---


@ -87,18 +87,41 @@ hdfs dfs -ls o3fs://bucket.volume.om-host.example.com:5678/key
{{< /highlight >}}
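Once the ozonefs jar is on the classpath, o3fs can even be made the default file system. A minimal `core-site.xml` sketch (the bucket/volume/host values are assumptions matching the example above):

```xml
<property>
  <name>fs.o3fs.impl</name>
  <value>org.apache.hadoop.fs.ozone.OzoneFileSystem</value>
</property>
<property>
  <name>fs.defaultFS</name>
  <value>o3fs://bucket.volume.om-host.example.com:5678</value>
</property>
```

With this in place, plain `hdfs dfs -ls /` commands operate on the Ozone bucket.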
## Supporting older Hadoop version (Legacy jar, BasicOzoneFilesystem)
There are two ozonefs files; both of them include all the dependencies:
* share/ozone/lib/hadoop-ozone-filesystem-lib-current-VERSION.jar
* share/ozone/lib/hadoop-ozone-filesystem-lib-legacy-VERSION.jar
The first one contains all the required dependencies to use ozonefs with a
compatible hadoop version (hadoop 3.2).
The second one contains all the dependencies in an internal, separated directory,
and a special class loader is used to load the classes from that location.
Similar to the dependency jars, there are two OzoneFileSystem implementations.
For hadoop 3.0 and newer, you can use `org.apache.hadoop.fs.ozone.OzoneFileSystem`
which is a full implementation of the Hadoop compatible File System API.
For Hadoop 2.x you should use the Basic version: `org.apache.hadoop.fs.ozone.BasicOzoneFileSystem`.
This is the same implementation, but it doesn't include the features/dependencies which were added in
Hadoop 3.0 (e.g. FS statistics, encryption zones).
### Summary
The following table summarizes which jar files and implementations should be used:
Hadoop version | Required jar | OzoneFileSystem implementation
---------------|-------------------------|----------------------------------------------------
3.2 | filesystem-lib-current | org.apache.hadoop.fs.ozone.OzoneFileSystem
3.1 | filesystem-lib-legacy | org.apache.hadoop.fs.ozone.OzoneFileSystem
2.9 | filesystem-lib-legacy | org.apache.hadoop.fs.ozone.BasicOzoneFileSystem
2.7 | filesystem-lib-legacy | org.apache.hadoop.fs.ozone.BasicOzoneFileSystem
With this method the hadoop-ozone-filesystem-lib-legacy.jar can be used from
any older hadoop version (e.g. hadoop 2.7 or spark+hadoop 2.7).
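As an illustration, a Hadoop 2.7 client could be wired up with a `core-site.xml` fragment like the following; treat it as a sketch (only the `fs.o3fs.impl` property and the Basic class from the table above are used):

```xml
<property>
  <name>fs.o3fs.impl</name>
  <value>org.apache.hadoop.fs.ozone.BasicOzoneFileSystem</value>
</property>
```

The hadoop-ozone-filesystem-lib-legacy jar still has to be added to the client's classpath separately.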


@ -32,6 +32,7 @@ Starting with badlands release (ozone-0.4.0-alpha) ozone cluster can be secured
4. Transparent Data Encryption (TDE)
## Authentication ##
### Kerberos ###
Similar to hadoop, Ozone allows kerberos-based authentication. So one way to set up identities for all the daemons and clients is to create kerberos keytabs and configure them like any other service in hadoop.
@ -39,53 +40,71 @@ Similar to hadoop, Ozone allows kerberos-based authentication. So one way to set
Tokens are widely used in Hadoop to achieve lightweight authentication without compromising on security. The main motivation for using tokens inside Ozone is to prevent unauthorized access while keeping the protocol lightweight and without sharing secrets over the wire. Ozone utilizes three types of token:
#### Delegation token ####
Once clients establish their identity via kerberos, they can request a delegation token from OzoneManager. This token can be used by a client to prove its identity until the token expires. Like Hadoop delegation tokens, an Ozone delegation token has 3 important fields:
1. **Renewer**: User responsible for renewing the token.
2. **Issue date**: Time at which token was issued.
3. **Max date**: Time after which the token can't be renewed.
Token operations like get, renew and cancel can only be performed over a Kerberos-authenticated connection. Clients can use a delegation token to establish a connection with OzoneManager and perform any file system/object store related operations, like listing the objects in a bucket or creating a volume.
#### Block Tokens ####
Block tokens are similar to delegation tokens in the sense that they are signed by OzoneManager. Block tokens are created by OM (OzoneManager) when a client request involves interaction with DataNodes, such as reading/writing Ozone keys.
Unlike delegation tokens, there is no client API to request block tokens. Instead, they are handed transparently to the client along with key/block locations. Block tokens are validated by Datanodes when receiving read/write requests from clients. A block token can't be renewed explicitly by the client; a client with an expired block token will need to refetch the key/block locations to get new block tokens.
#### S3Token ####
Like block tokens, S3Tokens are handled transparently for clients. They are signed with the S3 secret created by the client. The S3 Gateway creates this token for every S3 client request. To create an S3Token the user must have an S3 secret.
### Certificates ###
Apart from kerberos and tokens, Ozone utilizes certificate-based authentication for Ozone service components. To enable this, SCM (StorageContainerManager) bootstraps itself as a Certificate Authority when security is enabled. This allows all daemons inside Ozone to have an SCM-signed certificate. Below is a brief description of the steps involved:
1. Datanodes and OzoneManagers submit a CSR (certificate signing request) to SCM.
2. SCM verifies the identity of the DN (Datanode) or OM via Kerberos and generates a certificate.
3. This certificate is used by OM and DN to prove their identities.
4. Datanodes use the OzoneManager certificate to validate block tokens. This is possible because both of them (OzoneManager and Datanodes) trust SCM-signed certificates.
## Authorization ##
Ozone provides a pluggable API to control authorization of all client related operations. The default implementation allows every request, so it is clearly not meant for production environments. To configure a more fine-grained policy one may configure the Ranger plugin for Ozone. Since it is a pluggable module, clients can also implement their own custom authorization policy and configure it using `ozone.acl.authorizer.class`.
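For example, switching to the Ranger authorizer is a configuration-only change; a hedged `ozone-site.xml` sketch (the property names are the ones used elsewhere in this documentation):

```xml
<property>
  <name>ozone.acl.enabled</name>
  <value>true</value>
</property>
<property>
  <name>ozone.acl.authorizer.class</name>
  <value>org.apache.ranger.authorization.ozone.authorizer.RangerOzoneAuthorizer</value>
</property>
```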
## Audit ##
Ozone provides the ability to audit all read & write operations to OM, SCM and Datanodes. Ozone audit leverages the Marker feature, which enables the user to selectively audit only READ or WRITE operations by a simple config change without restarting the service(s).
To enable/disable audit of READ operations, set `filter.read.onMatch` to NEUTRAL or DENY respectively. Similarly, the audit of WRITE operations can be controlled using `filter.write.onMatch`.
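These filters live in the audit logger's log4j2 configuration. A sketch, assuming the standard log4j2 MarkerFilter syntax, that suppresses READ events while keeping WRITE events:

```properties
# Drop events carrying the READ marker
filter.read.type=MarkerFilter
filter.read.marker=READ
filter.read.onMatch=DENY
filter.read.onMismatch=NEUTRAL

# Keep events carrying the WRITE marker
filter.write.type=MarkerFilter
filter.write.marker=WRITE
filter.write.onMatch=NEUTRAL
filter.write.onMismatch=NEUTRAL
```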
Generating audit logs is only half the job, so Ozone also provides AuditParser - an SQLite based command line utility to parse/query audit logs with predefined templates (e.g. Top 5 commands) and options for custom queries. Once the log file has been loaded into AuditParser, one can simply run a template as shown below:
```bash
ozone auditparser <path to db file> template top5cmds
```
Similarly, users can also execute a custom query using:
```bash
ozone auditparser <path to db file> query "select * from audit where level=='FATAL'"
```
## Transparent Data Encryption ##
Ozone TDE setup process and usage are very similar to HDFS TDE. The major difference is that Ozone TDE is enabled at Ozone bucket level when a bucket is created.
To create an encrypted bucket, the client needs to:
* Create a bucket encryption key with hadoop key CLI (same as you do for HDFS encryption zone key)
```bash
hadoop key create key1
```
* Create an encrypted bucket with -k option
```bash
ozone sh bucket create -k key1 /vol1/ez1
```
After that the usage will be transparent to the client and end users, i.e., all data written to the encrypted bucket is encrypted at the datanodes.
To know more about how to setup a secure Ozone cluster refer to [How to setup secure Ozone cluster]({{< ref "SetupSecureOzone.md" >}})
Ozone [security architecture document](https://issues.apache.org/jira/secure/attachment/12911638/HadoopStorageLayerSecurity.pdf) can be referred for a deeper dive into Ozone Security architecture.


@ -21,7 +21,7 @@ menu:
limitations under the License.
-->
[Prometheus](https://prometheus.io/) is an open-source monitoring server developed under under the [Cloud Native Computing Foundation](https://www.cncf.io/).
Ozone supports Prometheus out of the box. The servers start a Prometheus-compatible metrics endpoint where all the available hadoop metrics are published in the Prometheus exporter format.
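On the Prometheus side, a minimal scrape job for these endpoints could look like the following sketch (the ports are the default OM/SCM HTTP ports; the `/prom` path is an assumption to be checked against your deployment):

```yaml
scrape_configs:
  - job_name: ozone
    metrics_path: /prom
    static_configs:
      - targets:
          - "localhost:9874"   # Ozone Manager HTTP endpoint
          - "localhost:9876"   # Storage Container Manager HTTP endpoint
```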
@ -75,14 +75,14 @@ prometheus
http://localhost:9090/targets
![Prometheus target page example](prometheus.png)
(6) Check any metrics on the prometheus web ui. For example:
http://localhost:9090/graph?g0.range_input=1h&g0.expr=om_metrics_num_key_allocate&g0.tab=1
![Prometheus target page example](prometheus-key-allocate.png)
## Note


@ -44,16 +44,16 @@ including the data nodes and ozone services.
ozone instance on your machine.
{{< highlight bash >}}
cd compose/ozone/
docker-compose up -d
{{< /highlight >}}
To verify that ozone is working as expected, let us log into a data node and
run _freon_, the load generator for Ozone. The ```exec datanode bash``` command
will open a bash shell on the datanode.
The `ozone freon` command is executed within the datanode container. You can quit freon via CTRL-C any time. The
```rk``` profile instructs freon to generate random keys.
{{< highlight bash >}}


@ -83,16 +83,37 @@ Endpoint | Status | Notes
------------------------------------|-----------------|---------------
PUT Object | implemented |
GET Object | implemented | Range headers are not supported
Multipart Upload | implemented | Except the listing of the current MultipartUploads.
DELETE Object | implemented |
HEAD Object | implemented |
## Security
If security is not enabled, you can *use* **any** AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
If security is enabled, you can get the key and the secret with the `ozone s3 getsecret` command (Kerberos-based authentication is required).
```bash
kinit -kt /etc/security/keytabs/testuser.keytab testuser/scm@EXAMPLE.COM
ozone s3 getsecret
awsAccessKey=testuser/scm@EXAMPLE.COM
awsSecret=c261b6ecabf7d37d5f9ded654b1c724adac9bd9f13e247a235e567e8296d2999
```
Now, you can use the key and the secret to access the S3 endpoint:
```bash
export AWS_ACCESS_KEY_ID=testuser/scm@EXAMPLE.COM
export AWS_SECRET_ACCESS_KEY=c261b6ecabf7d37d5f9ded654b1c724adac9bd9f13e247a235e567e8296d2999
aws s3api --endpoint http://localhost:9878 create-bucket --bucket bucket1
```
## S3 bucket name mapping to Ozone buckets
**Note**: Ozone has a notion of 'volumes', which is missing from the S3 REST endpoint. Under the hood, S3 bucket names are mapped to Ozone 'volume/bucket' locations (depending on the given authentication information).
To show the storage location of an S3 bucket, use the `ozone s3 path <bucketname>` command.


@ -1,41 +0,0 @@
---
title: S3 Commands
menu:
main:
parent: Client
weight: 3
---
<!---
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
Ozone shell supports the following S3 commands.
* [getsecret](#get secret)
### Get Secret
User should get the kerberos ticket before using this option.
{{< highlight bash >}}
ozone s3 getsecret
{{< /highlight >}}
Prints the AWS_SECRET_ACCESS_KEY and AWS_ACCESS_KEY_ID for the current user.
You can try out these commands from the docker instance of the [Alpha
Cluster](runningviadocker.html).


@ -71,7 +71,7 @@ Here is an example,
{{< highlight xml >}}
<property>
<name>ozone.enabled</name>
<value>true</value>
</property>
{{< /highlight >}}


@ -25,8 +25,10 @@ weight: 11
# Setup secure ozone cluster #
To enable security in an ozone cluster, **ozone.security.enabled** should be set to true.
Property|Value
----------------------|------
ozone.security.enabled| true
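In `ozone-site.xml` this is a single property; a sketch:

```xml
<property>
  <name>ozone.security.enabled</name>
  <value>true</value>
</property>
```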
## Kerberos ##
Configuration for service daemons:
@ -45,20 +47,28 @@ ozone.s3g.authentication.kerberos.principal|S3 Gateway principal. Ex HTTP/_HOST@
## Tokens ##
## Delegation token ##
Delegation tokens are enabled by default when security is enabled.
## Block Tokens ##
Property|Value
-----------------------------|------
hdds.block.token.enabled | true
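The corresponding `ozone-site.xml` fragment (a sketch):

```xml
<property>
  <name>hdds.block.token.enabled</name>
  <value>true</value>
</property>
```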
## S3Token ##
S3 tokens are enabled by default when security is enabled.
To use S3 tokens, users need to perform the following steps:
* S3 clients should get the secret access id and user secret from OzoneManager.
```
ozone s3 getsecret
```
* Setup secret in aws configs:
```
aws configure set default.s3.signature_version s3v4
aws configure set aws_access_key_id ${accessId}
@ -67,18 +77,22 @@ aws configure set region us-west-1
```
## Certificates ##
Certificates are used internally inside Ozone. They are enabled by default when security is enabled.
## Authorization ##
The default access authorizer for Ozone approves every request. It is not suitable for production environments. It is recommended that clients use the Ranger plugin for Ozone to manage authorizations.
Property|Value
--------|------------------------------------------------------------
ozone.acl.enabled | true
ozone.acl.authorizer.class| org.apache.ranger.authorization.ozone.authorizer.RangerOzoneAuthorizer
## TDE ##
To use TDE, clients must set the KMS URI.
Property|Value
-----------------------------------|-----------------------------------------
hadoop.security.key.provider.path | KMS uri. Ex kms://http@kms-host:9600/kms
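In `core-site.xml` this looks like the following sketch (the KMS host is a placeholder taken from the example above):

```xml
<property>
  <name>hadoop.security.key.provider.path</name>
  <value>kms://http@kms-host:9600/kms</value>
</property>
```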


@ -2,8 +2,8 @@
title: Volume Commands
menu:
main:
parent: OzoneShell
weight: 1
---
<!---
Licensed to the Apache Software Foundation (ASF) under one or more

(Binary image file added: 50 KiB)

hadoop-hdds/docs/static/prometheus.png (new binary image file, 38 KiB)


@ -21,6 +21,14 @@
{{ range .Site.Menus.main }}
{{ if .HasChildren }}
<li class="{{ if $currentPage.IsMenuCurrent "main" . }}active{{ end }}">
<a href="{{ .URL }}">
{{ .Pre }}
<span>{{ .Name }}</span>
</a>
<ul class="nav">
{{ range .Children }}
<li class="{{ if $currentPage.IsMenuCurrent "main" . }}active{{ end }}">
{{ if .HasChildren }}
<a href="{{ .URL }}">
{{ .Pre }}
<span>{{ .Name }}</span>
@ -32,6 +40,12 @@
</li>
{{ end }}
</ul>
{{ else }}
<a href="{{ .URL }}">{{ .Name }}</a>
{{ end }}
</li>
{{ end }}
</ul>
</li>
{{ else }}
<li class="{{ if $currentPage.IsMenuCurrent "main" . }}active{{ end }}">


@ -92,6 +92,10 @@ a:hover {
padding-right: 40px;
padding-left: 40px;
}
.nav-sidebar > li > ul > li > ul > li > a {
padding-right: 60px;
padding-left: 60px;
}
.nav-sidebar .active > a,
.nav-sidebar .active > a:hover,
.nav-sidebar .active > a:focus {
@ -136,3 +140,10 @@ a:hover {
display: inline-block;
border-radius: 50%;
}
h4 {
font-weight: bold;
}