HDDS-15232. Reduce duplication in ozonesecure env #10239
Conversation
priyeshkaratha left a comment
Thanks @adoroszlai for the patch. Please check the inline comment.
| - ../_keytabs:/etc/security/keytabs | ||
| - ./krb5.conf:/etc/krb5.conf | ||
| env_file: | ||
| - docker-config |
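Review bot: the keytab bind mount `../_keytabs:/etc/security/keytabs` in this hunk carries no `:ro` flag; for services that only read keytabs, mounting read-only (`../_keytabs:/etc/security/keytabs:ro`) would stop a container from altering the keytab directory that the `../` path suggests is shared with other compose environments. The `env_file` entry without `./` is fine, since the relative-path ambiguity with named volumes applies only to `volumes`.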
Is ./docker-config or docker-config recommended?
./ is required for volumes in the current directory ("to avoid ambiguities with named volumes, relative paths should always begin with . or .."). There is no such ambiguity with env_file, so the form docker-config is recommended for simplicity.
dombizita left a comment
Thanks for working on this @adoroszlai, I have two small questions about merging ozonesecure-mr into ozonesecure, otherwise it looks good to me!
| OZONE-SITE.XML_ozone.acl.authorizer.class=org.apache.hadoop.ozone.security.acl.OzoneNativeAuthorizer | ||
| OZONE-SITE.XML_ozone.administrators="testuser,recon,om" | ||
| OZONE-SITE.XML_ozone.s3.administrators="testuser,recon,om" | ||
| OZONE-SITE.XML_ozone.administrators="testuser,recon,om,hadoop" |
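Review bot: the replacement line adds `hadoop` to `ozone.administrators`, so every test in the merged ozonesecure suite now runs with `hadoop` as an Ozone admin, not only the former ozonesecure-mr tests; a short comment in docker-config naming the test that needs it (test-hadoop.sh) would keep the admin list reviewable. Dropping `ozone.s3.administrators` is fine if the intent is for it to follow `ozone.administrators`, which the thread states is the default.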
Just to make sure I understand: the only difference in the ozonesecure-mr and ozonesecure (other than the below change around hadoop configs) was that the hadoop user was added as ozone admin? The ozone.s3.administrators can be removed, as it's by default the same as ozone.administrators, which is good for this suite?
| CORE-SITE.XML_hadoop.security.authorization=true | ||
| HADOOP-POLICY.XML_ozone.om.security.client.protocol.acl=* | ||
| HADOOP-POLICY.XML_hdds.security.client.datanode.container.protocol.acl=* | ||
| HADOOP-POLICY.XML_hdds.security.client.scm.container.protocol.acl=* | ||
| HADOOP-POLICY.XML_hdds.security.client.scm.block.protocol.acl=* | ||
| HADOOP-POLICY.XML_hdds.security.client.scm.certificate.protocol.acl=* | ||
| HADOOP-POLICY.XML_ozone.security.reconfigure.protocol.acl=* |
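Review bot: once `CORE-SITE.XML_hadoop.security.authorization=true` is removed here, service-level authorization is enforced only when another compose file sets it (the thread points at hadoop-secure.yaml via security.conf); recording that dependency in a comment next to the hadoop overlay would make it explicit that the plain ozonesecure suite no longer exercises the Hadoop policy ACLs. The `HADOOP-POLICY.XML_*` lines all set `*`, which the thread notes are the default values, so dropping them changes nothing on its own.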
I believe the hadoop policy changes are the default values, so it's not needed to be here.
But why is it that hadoop.security.authorization does not need to be set in core-site.xml? One idea I had is that hadoop-secure.yaml has it via security.conf, which is added in hadoop-test.sh that is used by test-hadoop.sh, so the moved ozonesecure-mr stuff has it via this extra compose file. In this case it is not needed for the ozonesecure suite, and it was unnecessary before?
What changes were proposed in this pull request?
Reduce duplication in non-HA secure docker-compose environments:
- merge ozonesecure-mr into ozonesecure
- ozonesecure

https://issues.apache.org/jira/browse/HDDS-15232
How was this patch tested?
https://github.com/adoroszlai/ozone/actions/runs/25675964314

ozonesecure/test-hadoop.sh passed in: https://github.com/adoroszlai/ozone/actions/runs/25675964314/job/75379224808