adoroszlai pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/master by this push:
new a1e75131889 HDDS-13361. Attempt to delete non-empty tenant fails after
revoke (#8776)
a1e75131889 is described below
commit a1e751318896bafe45ea7e0b63e2fccdd90ed89d
Author: Gargi Jaiswal <[email protected]>
AuthorDate: Sat Jul 12 14:57:43 2025 +0530
HDDS-13361. Attempt to delete non-empty tenant fails after revoke (#8776)
---
.../src/main/compose/ozonesecure-ha/docker-config | 2 ++
.../{upgrade/lib.robot => admincli/lib.resource} | 34 ----------------------
.../smoketest/security/ozone-secure-tenant.robot | 17 ++++++-----
.../dist/src/main/smoketest/upgrade/lib.robot | 16 +---------
.../request/s3/tenant/OMTenantDeleteRequest.java | 21 ++++++-------
5 files changed, 23 insertions(+), 67 deletions(-)
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/docker-config
b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/docker-config
index a4f2b16b81d..4fabf7b8cc7 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/docker-config
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/docker-config
@@ -164,6 +164,8 @@ OZONE_LOG_DIR=/var/log/hadoop
no_proxy=om,scm,recon,s3g,kdc,localhost,127.0.0.1
+OM_SERVICE_ID=omservice
+
# Explicitly enable filesystem snapshot feature for this Docker compose cluster
OZONE-SITE.XML_ozone.filesystem.snapshot.enabled=true
diff --git a/hadoop-ozone/dist/src/main/smoketest/upgrade/lib.robot
b/hadoop-ozone/dist/src/main/smoketest/admincli/lib.resource
similarity index 56%
copy from hadoop-ozone/dist/src/main/smoketest/upgrade/lib.robot
copy to hadoop-ozone/dist/src/main/smoketest/admincli/lib.resource
index 02769462137..4bb4ec767ed 100644
--- a/hadoop-ozone/dist/src/main/smoketest/upgrade/lib.robot
+++ b/hadoop-ozone/dist/src/main/smoketest/admincli/lib.resource
@@ -14,9 +14,7 @@
# limitations under the License.
*** Settings ***
-Documentation Keywords for Upgrade Tests
Library OperatingSystem
-Resource ../lib/os.robot
*** Keywords ***
Get OM Service ID
@@ -32,35 +30,3 @@ Get OM Service Param
ELSE
RETURN --service-id '${service_id}'
END
-
-
-OM Finalization Status
- ${param} = Get OM Service Param
- ${result} = Execute ozone admin om finalizationstatus ${param}
- Log ${result}
- RETURN ${result}
-
-
-Finalize OM
- ${param} = Get OM Service Param
- ${result} = Execute ozone admin om finalizeupgrade ${param}
- Log ${result}
- RETURN ${result}
-
-
-Prepare OM
- ${param} = Get OM Service Param
- ${result} = Execute ozone admin om prepare ${param}
- Should contain ${result} OM Preparation successful!
-
-
-SCM Finalization Status
- ${result} = Execute ozone admin scm finalizationstatus
- Log ${result}
- RETURN ${result}
-
-
-Finalize SCM
- ${result} = Execute ozone admin scm finalizeupgrade
- Log ${result}
- RETURN ${result}
diff --git
a/hadoop-ozone/dist/src/main/smoketest/security/ozone-secure-tenant.robot
b/hadoop-ozone/dist/src/main/smoketest/security/ozone-secure-tenant.robot
index e3a74bd3e36..ad6821491ce 100644
--- a/hadoop-ozone/dist/src/main/smoketest/security/ozone-secure-tenant.robot
+++ b/hadoop-ozone/dist/src/main/smoketest/security/ozone-secure-tenant.robot
@@ -20,6 +20,7 @@ Library String
Library BuiltIn
Resource ../commonlib.robot
Resource ../s3/commonawslib.robot
+Resource ../admincli/lib.resource
Test Timeout 5 minutes
*** Variables ***
@@ -108,14 +109,14 @@ Delete Bucket 1 Success With Newly Set SecretKey via S3
API
Execute aws configure set
aws_secret_access_key 'somesecret1'
${output} = Execute aws s3api --endpoint-url
${S3G_ENDPOINT_URL} delete-bucket --bucket bucket-test1
-# see HDDS-13361
-#Delete Tenant Failure Tenant Not Empty
-# ${rc} ${output} = Run And Return Rc And Output ozone tenant delete
${TENANT}
-# Should contain ${output} TENANT_NOT_EMPTY
Tenant '${TENANT}' is not empty. All accessIds associated to this tenant must
be revoked before the tenant can be deleted. See `ozone tenant user revoke`
-#
-#Trigger and wait for background Sync to recover Policies and Roles in
Authorizer
-# ${rc} ${output} = Run And Return Rc And Output ozone admin om
updateranger ${OM_HA_PARAM}
-# Should contain ${output} Operation
completed successfully
+Delete Tenant Failure Tenant Not Empty
+ ${rc} ${output} = Run And Return Rc And Output ozone tenant delete
${TENANT}
+ Should contain ${output} TENANT_NOT_EMPTY
Tenant '${TENANT}' is not empty. All accessIds associated to this tenant must
be revoked before the tenant can be deleted. See `ozone tenant user revoke`
+
+Trigger and wait for background Sync to recover Policies and Roles in
Authorizer
+ ${om_param}= Get OM Service Param
+ ${rc} ${output} = Run And Return Rc And Output ozone admin om
updateranger ${om_param}
+ Should contain ${output} Operation completed
successfully
Create Tenant Failure with Regular User
Run Keyword Kinit test user testuser2 testuser2.keytab
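Review bot: The re-enabled `Delete Tenant Failure Tenant Not Empty` case is followed immediately by the `ozone admin om updateranger` sync, which by its own name recovers policies and roles in the authorizer. If a rejected delete ever removed Ranger policies again, this step would presumably restore them and the later cases would still pass. If the fix is meant to leave Ranger untouched on a rejected delete, consider asserting that before the sync runs, or dropping the sync step, so the test actually guards the ordering. `${rc}` is also captured in both cases but never checked; `Should Not Be Equal As Integers    ${rc}    0` after the delete and `Should Be Equal As Integers    ${rc}    0` after the sync would pin the exit status as well as the message.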
diff --git a/hadoop-ozone/dist/src/main/smoketest/upgrade/lib.robot
b/hadoop-ozone/dist/src/main/smoketest/upgrade/lib.robot
index 02769462137..25c71c7ff88 100644
--- a/hadoop-ozone/dist/src/main/smoketest/upgrade/lib.robot
+++ b/hadoop-ozone/dist/src/main/smoketest/upgrade/lib.robot
@@ -17,23 +17,9 @@
Documentation Keywords for Upgrade Tests
Library OperatingSystem
Resource ../lib/os.robot
+Resource ../admincli/lib.resource
*** Keywords ***
-Get OM Service ID
- ${service_id} = Get Environment Variable OM_SERVICE_ID ${EMPTY}
- RETURN ${service_id}
-
-
-Get OM Service Param
- ${service_id} = Get OM Service ID
-
- IF '${service_id}' == ''
- RETURN --service-host om
- ELSE
- RETURN --service-id '${service_id}'
- END
-
-
OM Finalization Status
${param} = Get OM Service Param
${result} = Execute ozone admin om finalizationstatus ${param}
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantDeleteRequest.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantDeleteRequest.java
index d469fe56627..bcb7e010bf8 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantDeleteRequest.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantDeleteRequest.java
@@ -82,6 +82,17 @@ public OMRequest preExecute(OzoneManager ozoneManager)
throws IOException {
final String tenantId = omRequest.getDeleteTenantRequest().getTenantId();
Preconditions.checkNotNull(tenantId);
+ // Check if there are any accessIds in the tenant.
+ // This must be done before we attempt to delete policies from Ranger.
+ if (!multiTenantManager.isTenantEmpty(tenantId)) {
+ LOG.warn("tenant: '{}' is not empty. Unable to delete the tenant",
+ tenantId);
+ throw new OMException("Tenant '" + tenantId + "' is not empty. " +
+ "All accessIds associated to this tenant must be revoked before " +
+ "the tenant can be deleted. See `ozone tenant user revoke`",
+ TENANT_NOT_EMPTY);
+ }
+
// Get tenant object by tenant name
final Tenant tenantObj = multiTenantManager.getTenantFromDBById(tenantId);
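Review bot: With the `isTenantEmpty` check now only in `preExecute`, nothing re-validates emptiness when the delete is actually applied, because the second hunk removes the copy that ran in `validateAndUpdateCache` right after `VOLUME_LOCK` was acquired. Unless `preExecute` holds a lock that serializes against accessId assignment (not visible here; both methods extend beyond the hunks), an accessId assigned between the two phases would leave the tenant deleted with accessIds still attached to it. I would keep the early check here so Ranger policies are not touched for a non-empty tenant, and also retain the removed `if (!ozoneManager.getMultiTenantManager().isTenantEmpty(tenantId))` block in `validateAndUpdateCache` as the authoritative guard under the lock.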
@@ -149,16 +160,6 @@ public OMClientResponse
validateAndUpdateCache(OzoneManager ozoneManager, Execut
VOLUME_LOCK, volumeName));
acquiredVolumeLock = getOmLockDetails().isLockAcquired();
- // Check if there are any accessIds in the tenant
- if (!ozoneManager.getMultiTenantManager().isTenantEmpty(tenantId)) {
- LOG.warn("tenant: '{}' is not empty. Unable to delete the tenant",
- tenantId);
- throw new OMException("Tenant '" + tenantId + "' is not empty. " +
- "All accessIds associated to this tenant must be revoked before " +
- "the tenant can be deleted. See `ozone tenant user revoke`",
- TENANT_NOT_EMPTY);
- }
-
// Invalidate cache entry
omMetadataManager.getTenantStateTable().addCacheEntry(
new CacheKey<>(tenantId),