feat: Add support for OPA authorizer

CHANGELOG.md

@@ -9,6 +9,7 @@ All notable changes to this project will be documented in this file.
 - More CRD documentation ([#433]).
 - Support for exposing HDFS clusters to clients outside of Kubernetes ([#450]).
 - Helm: support labels in values.yaml ([#460]).
+- Add support for OPA authorizer ([#474]).
 
 ### Changed
 
@@ -32,6 +33,7 @@ All notable changes to this project will be documented in this file.
 [#458]: https://github.com/stackabletech/hdfs-operator/pull/458
 [#460]: https://github.com/stackabletech/hdfs-operator/pull/460
 [#462]: https://github.com/stackabletech/hdfs-operator/pull/462
+[#474]: https://github.com/stackabletech/hdfs-operator/pull/474
 [#475]: https://github.com/stackabletech/hdfs-operator/pull/475
 
 ## [23.11.0] - 2023-11-24

deploy/helm/hdfs-operator/crds/crds.yaml

@@ -51,6 +51,26 @@ spec:
                       required:
                         - kerberos
                       type: object
+                    authorization:
+                      description: Authorization options for HDFS. Learn more in the [HDFS authorization usage guide](https://docs.stackable.tech/home/nightly/hdfs/usage-guide/security#authorization).
+                      nullable: true
+                      properties:
+                        opa:
+                          description: Configure the OPA stacklet [discovery ConfigMap](https://docs.stackable.tech/home/nightly/concepts/service_discovery) and the name of the Rego package containing your authorization rules. Consult the [OPA authorization documentation](https://docs.stackable.tech/home/nightly/concepts/opa) to learn how to deploy Rego authorization rules with OPA.
+                          properties:
+                            configMapName:
+                              description: The [discovery ConfigMap](https://docs.stackable.tech/home/nightly/concepts/service_discovery) for the OPA stacklet that should be used for authorization requests.
+                              type: string
+                            package:
+                              description: The name of the Rego package containing the Rego rules for the product.
+                              nullable: true
+                              type: string
+                          required:
+                            - configMapName
+                          type: object
+                      required:
+                        - opa
+                      type: object
                     dfsReplication:
                       default: 3
                       description: '`dfsReplication` is the factor of how many times a file will be replicated to different data nodes. The default is 3. You need at least the same amount of data nodes so each file can be replicated correctly, otherwise a warning will be printed.'

docs/modules/hdfs/examples/usage-guide/hdfs-regorules.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: hdfs-regorules
+  labels:
+    opa.stackable.tech/bundle: "true"
+data:
+  hdfs.rego: |
+    package hdfs
+
+    import rego.v1
+
+    default allow = true

docs/modules/hdfs/pages/usage-guide/operations/rack-awareness.adoc

@@ -87,8 +87,6 @@ spec:
     configOverrides:
       core-site.xml:
         net.topology.node.switch.mapping.impl: tech.stackable.hadoop.StackableTopologyProvider
-    envOverrides:
-      HADOOP_CLASSPATH: "/stackable/hadoop/share/hadoop/tools/lib/topology-provider-0.1.0.jar"
 ----
 
 This instructs the namenode to use the topology tool for looking up information from Kubernetes.
@@ -115,6 +113,5 @@ spec:
       core-site.xml:
         net.topology.node.switch.mapping.impl: tech.stackable.hadoop.StackableTopologyProvider
     envOverrides:
-      HADOOP_CLASSPATH: "/stackable/hadoop/share/hadoop/tools/lib/topology-provider-0.1.0.jar"
       TOPOLOGY_LABELS: "node:topology.kubernetes.io/zone;pod:app.kubernetes.io/role-group"
 ----

docs/modules/hdfs/pages/usage-guide/security.adoc

@@ -54,25 +54,61 @@ In case you want to access your HDFS it is recommended to start up a client Pod
 We have an https://github.com/stackabletech/hdfs-operator/blob/main/tests/templates/kuttl/kerberos/20-access-hdfs.yaml.j2[integration test] for this exact purpose, where you can see how to connect and get a valid keytab.
 
 == Authorization
-We currently don't support authorization yet.
-In the future support will be added by writing an opa-authorizer to match our general xref:home:concepts:opa.adoc[] mechanisms.
+For authorization we developed https://github.com/stackabletech/hdfs-utils[hdfs-utils], which contains an OPA authorizer and group mapper.
+This matches our general xref:home:concepts:opa.adoc[] mechanisms.
 
-In the meantime a very basic level of authorization can be reached by using `configOverrides` to set the `hadoop.user.group.static.mapping.overrides` property.
-In thew following example the `dr.who=;nn=;nm=;jn=;` part is needed for HDFS internal operations and the user `testuser` is granted admin permissions.
+IMPORTANT: It is recommended to enable Kerberos when doing Authorization, as otherwise you don't have any security measures at all.
+There still might be cases where you want authorization on top of a cluster without authentication, as you don't want to accidentally drop files and therefore use different users for different use-cases.
+
+In order to use the authorizer you need a ConfigMap containing a rego rule and reference that in your HDFS cluster.
+In addition to this you need a OpaCluster that serves the rego rules - this guide assumes it's called `opa`.
+
+[source,rego]
+----
+include::example$usage-guide/hdfs-regorules.yaml[]
+----
+
+This rego rule is intended for demonstration purposes and allows every operation.
+For a production setup you probably want to take a look at our integration tests for a more secure set of rego rules.
+Reference the rego rule as follows in your HdfsCluster:
 
 [source,yaml]
 ----
 spec:
-  nameNodes:
-    configOverrides: &configOverrides
-      core-site.xml:
-        hadoop.user.group.static.mapping.overrides: "dr.who=;nn=;nm=;jn=;testuser=supergroup;"
-  dataNodes:
-    configOverrides: *configOverrides
-  journalNodes:
-    configOverrides: *configOverrides
+  clusterConfig:
+    authorization:
+      opa:
+        configMapName: opa
+        package: hdfs
 ----
 
+=== How it works
+WARNING: Take all your knowledge about HDFS authorization and throw it in the bin.
+The approach we are taking for our authorization paradigm departs significantly from traditional Hadoop patterns and POSIX-style permissions.
+
+In short, the current rego rules ignore the file ownership, permissions, ACLs and all other attributes files can have.
+All of this is state in HDFS and clashes with the infrastructure-as-code approach (IaC).
+
+Instead, HDFS will send a request detailing who (e.g. `alice/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL`) is trying to do what (e.g. `open`, `create`, `delete` or `append`) on what file (e.g. `/foo/bar`).
+OPA then makes a decision if this action is allowed or not.
+
+Instead of `chown`-ing a directory to a different user to assign write permissions, you should go to your IaC Git repository and add a rego rule entry specifying that the user is allowed to read and write to that directory.
+
+=== Group memberships
+We encountered several challenges while implementing the group mapper, the most serious of which being that the `GroupMappingServiceProvider` interface only passes the `shortUsername` when https://github.com/apache/hadoop/blob/a897e745f598ef05fc0c253b2a776100e48688d2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/GroupMappingServiceProvider.java#L45[asking for group memberships].
+This does not allow us to differentiate between e.g. `hbase/hbase-prod.prod-namespace.svc.cluster.local@CLUSTER.LOCAL` and `hbase/hbase-dev.dev-namespace.svc.cluster.local@CLUSTER.LOCAL`, as the GroupMapper will get asked for `hbase` group memberships in both cases.
+
+Users could work around this to assign unique shortNames by using https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/SecureMode.html#Mapping_from_Kerberos_principals_to_OS_user_accounts[`hadoop.security.auth_to_local`].
+This is however a potentially complex and error-prone process.
+We also tried mapping the principals from Kerberos 1:1 to the HDFS `shortUserName`, so the GroupMapper has access to the full `userName`.
+However, this did not work, as HDFS only allows "simple usernames", https://github.com/apache/hadoop/blob/8378ab9f92c72dc6164b62f7be71826fd750dba4/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java#L348[which are not allowed to contain a `/` or `@`].
+
+Because of these issues we do not use a custom GroupMapper and only rely on the authorizer, which in turn receives a complete `UserGroupInformation` object, including the `shortUserName` and the precious full `userName`.
+This has the downside that the group memberships used in OPA for authorization are not known to HDFS.
+The implication is thus that you cannot add users to the `superuser` group, which is needed for certain administrative actions in HDFS.
+We have decided that this is an acceptable approach as normal operations will not be affected.
+In case you really need users to be part of the `superusers` group, you can use a configOverride on `hadoop.user.group.static.mapping.overrides` for that.
+
 == Wire encryption
 In case Kerberos is enabled, `Privacy` mode is used for best security.
 Wire encryption without Kerberos as well as https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/SecureMode.html#Data_confidentiality[other wire encryption modes] are *not* supported.

rust/crd/src/lib.rs

@@ -8,6 +8,7 @@ use std::{
 
 use futures::future::try_join_all;
 use product_config::types::PropertyNameKind;
+use security::AuthorizationConfig;
 use serde::{Deserialize, Serialize};
 use snafu::{OptionExt, ResultExt, Snafu};
 use stackable_operator::{
@@ -146,7 +147,7 @@ pub struct HdfsClusterSpec {
     pub journal_nodes: Option<Role<JournalNodeConfigFragment>>,
 }
 
-#[derive(Clone, Debug, Deserialize, Eq, Hash, JsonSchema, PartialEq, Serialize)]
+#[derive(Clone, Debug, Deserialize, Eq, JsonSchema, PartialEq, Serialize)]
 #[serde(rename_all = "camelCase")]
 pub struct HdfsClusterConfig {
     /// `dfsReplication` is the factor of how many times a file will be replicated to different data nodes.
@@ -169,6 +170,11 @@ pub struct HdfsClusterConfig {
     /// Settings related to user [authentication](DOCS_BASE_URL_PLACEHOLDER/usage-guide/security).
     pub authentication: Option<AuthenticationConfig>,
 
+    /// Authorization options for HDFS.
+    /// Learn more in the [HDFS authorization usage guide](DOCS_BASE_URL_PLACEHOLDER/hdfs/usage-guide/security#authorization).
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub authorization: Option<AuthorizationConfig>,
+
     // Scheduled for removal in v1alpha2, see https://github.com/stackabletech/issues/issues/504
     /// Deprecated, please use `.spec.nameNodes.config.listenerClass` and `.spec.dataNodes.config.listenerClass` instead.
     #[serde(default)]
@@ -801,6 +807,10 @@ impl HdfsCluster {
             .map(|k| k.tls_secret_class.as_str())
     }
 
+    pub fn has_authorization_enabled(&self) -> bool {
+        self.spec.cluster_config.authorization.is_some()
+    }
+
     pub fn num_datanodes(&self) -> u16 {
         self.spec
             .data_nodes

rust/crd/src/security.rs

@@ -1,5 +1,8 @@
 use serde::{Deserialize, Serialize};
-use stackable_operator::schemars::{self, JsonSchema};
+use stackable_operator::{
+    commons::opa::OpaConfig,
+    schemars::{self, JsonSchema},
+};
 
 #[derive(Clone, Debug, Deserialize, Eq, Hash, JsonSchema, PartialEq, Serialize)]
 #[serde(rename_all = "camelCase")]
@@ -21,3 +24,10 @@ pub struct KerberosConfig {
     /// Name of the SecretClass providing the keytab for the HDFS services.
     pub secret_class: String,
 }
+
+#[derive(Clone, Debug, Deserialize, Eq, JsonSchema, PartialEq, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct AuthorizationConfig {
+    // No doc - it's in the struct.
+    pub opa: OpaConfig,
+}

rust/operator-binary/src/discovery.rs

@@ -13,7 +13,7 @@ use stackable_operator::{
 use crate::{
     build_recommended_labels,
     config::{CoreSiteConfigBuilder, HdfsSiteConfigBuilder},
-    kerberos,
+    security::kerberos,
 };
 
 type Result<T, E = Error> = std::result::Result<T, E>;

rust/operator-binary/src/hdfs_controller.rs

@@ -52,16 +52,15 @@ use strum::{EnumDiscriminants, IntoStaticStr};
 use crate::{
     build_recommended_labels,
     config::{CoreSiteConfigBuilder, HdfsSiteConfigBuilder},
-    container::{self, ContainerConfig},
-    container::{TLS_STORE_DIR, TLS_STORE_PASSWORD},
+    container::{self, ContainerConfig, TLS_STORE_DIR, TLS_STORE_PASSWORD},
     discovery::{self, build_discovery_configmap},
     event::{build_invalid_replica_message, publish_event},
-    kerberos,
     operations::{
         graceful_shutdown::{self, add_graceful_shutdown_config},
         pdb::add_pdbs,
     },
     product_logging::{extend_role_group_config_map, resolve_vector_aggregator_address},
+    security::{self, kerberos, opa::HdfsOpaConfig},
     OPERATOR_NAME,
 };
 
@@ -227,6 +226,9 @@ pub enum Error {
 
     #[snafu(display("failed to build security config"))]
     BuildSecurityConfig { source: kerberos::Error },
+
+    #[snafu(display("invalid OPA configuration"))]
+    InvalidOpaConfig { source: security::opa::Error },
 }
 
 impl ReconcilerError for Error {
@@ -305,6 +307,15 @@ pub async fn reconcile_hdfs(hdfs: Arc<HdfsCluster>, ctx: Arc<Ctx>) -> HdfsOperat
         .await
         .context(ApplyRoleBindingSnafu)?;
 
+    let hdfs_opa_config = match &hdfs.spec.cluster_config.authorization {
+        Some(opa_config) => Some(
+            HdfsOpaConfig::from_opa_config(client, &hdfs, opa_config)
+                .await
+                .context(InvalidOpaConfigSnafu)?,
+        ),
+        None => None,
+    };
+
     let dfs_replication = hdfs.spec.cluster_config.dfs_replication;
     let mut ss_cond_builder = StatefulSetConditionBuilder::default();
 
@@ -344,6 +355,7 @@ pub async fn reconcile_hdfs(hdfs: Arc<HdfsCluster>, ctx: Arc<Ctx>) -> HdfsOperat
                 &journalnode_podrefs,
                 &resolved_product_image,
                 &merged_config,
+                &hdfs_opa_config,
                 vector_aggregator_address.as_deref(),
             )?;
 
@@ -506,6 +518,7 @@ fn rolegroup_config_map(
     journalnode_podrefs: &[HdfsPodRef],
     resolved_product_image: &ResolvedProductImage,
     merged_config: &AnyNodeConfig,
+    hdfs_opa_config: &Option<HdfsOpaConfig>,
     vector_aggregator_address: Option<&str>,
 ) -> HdfsOperatorResult<ConfigMap> {
     tracing::info!("Setting up ConfigMap for {:?}", rolegroup_ref);
@@ -538,8 +551,8 @@ fn rolegroup_config_map(
                 // This caused a deadlock with no namenode becoming active during a startup after
                 // HDFS was completely down for a while.
 
-                let mut builder = HdfsSiteConfigBuilder::new(hdfs_name.to_string());
-                builder
+                let mut hdfs_site = HdfsSiteConfigBuilder::new(hdfs_name.to_string());
+                hdfs_site
                     .dfs_namenode_name_dir()
                     .dfs_datanode_data_dir(
                         merged_config
@@ -567,22 +580,28 @@ fn rolegroup_config_map(
                     .add("dfs.datanode.registered.port", "${env.DATA_PORT}")
                     .add("dfs.datanode.registered.ipc.port", "${env.IPC_PORT}");
                 if hdfs.has_https_enabled() {
-                    builder.add("dfs.datanode.registered.https.port", "${env.HTTPS_PORT}");
+                    hdfs_site.add("dfs.datanode.registered.https.port", "${env.HTTPS_PORT}");
                 } else {
-                    builder.add("dfs.datanode.registered.http.port", "${env.HTTP_PORT}");
+                    hdfs_site.add("dfs.datanode.registered.http.port", "${env.HTTP_PORT}");
+                }
+                if let Some(hdfs_opa_config) = hdfs_opa_config {
+                    hdfs_opa_config.add_hdfs_site_config(&mut hdfs_site);
                 }
                 // the extend with config must come last in order to have overrides working!!!
-                hdfs_site_xml = builder.extend(config).build_as_xml();
+                hdfs_site_xml = hdfs_site.extend(config).build_as_xml();
             }
             PropertyNameKind::File(file_name) if file_name == CORE_SITE_XML => {
-                core_site_xml = CoreSiteConfigBuilder::new(hdfs_name.to_string())
+                let mut core_site = CoreSiteConfigBuilder::new(hdfs_name.to_string());
+                core_site
                     .fs_default_fs()
                     .ha_zookeeper_quorum()
                     .security_config(hdfs)
-                    .context(BuildSecurityConfigSnafu)?
-                    // the extend with config must come last in order to have overrides working!!!
-                    .extend(config)
-                    .build_as_xml();
+                    .context(BuildSecurityConfigSnafu)?;
+                if let Some(hdfs_opa_config) = hdfs_opa_config {
+                    hdfs_opa_config.add_core_site_config(&mut core_site);
+                }
+                // the extend with config must come last in order to have overrides working!!!
+                core_site_xml = core_site.extend(config).build_as_xml();
             }
             PropertyNameKind::File(file_name) if file_name == HADOOP_POLICY_XML => {
                 // We don't add any settings here, the main purpose is to have a configOverride for users.

rust/operator-binary/src/main.rs

@@ -25,9 +25,9 @@ mod container;
 mod discovery;
 mod event;
 mod hdfs_controller;
-mod kerberos;
 mod operations;
 mod product_logging;
+mod security;
 
 mod built_info {
     include!(concat!(env!("OUT_DIR"), "/built.rs"));

rust/operator-binary/src/kerberos.rs → rust/operator-binary/src/security/kerberos.rs

@@ -88,13 +88,18 @@ impl CoreSiteConfigBuilder {
                 .add(
                     "dfs.namenode.kerberos.principal.pattern",
                     format!("nn/{principal_host_part}"),
-                )
-                // Otherwise we fail with `java.io.IOException: No groups found for user nn`
-                // Default value is `dr.who=`, so we include that here
-                .add(
+                );
+
+            if !hdfs.has_authorization_enabled() {
+                // In case *no* OPA authorizer is used, we got the following error message:
+                // java.io.IOException: No groups found for user nn
+                // In case the OPA authorizer is used everything seems to be fine.
+                // The default value is `dr.who=`, so we include that here.
+                self.add(
                     "hadoop.user.group.static.mapping.overrides",
                     "dr.who=;nn=;nm=;jn=;",
                 );
+            }
 
             self.add_wire_encryption_settings();
         }

rust/operator-binary/src/security/mod.rs

@@ -0,0 +1,2 @@
+pub mod kerberos;
+pub mod opa;