HDDS-1462. Fix content and format of Ozone documentation. Contributed by Elek, Marton. (#767)

(cherry picked from commit 59816df)

Author: elek

hadoop-hdds/docs/content/BucketCommands.md

@@ -2,8 +2,8 @@
 title: Bucket Commands
 menu:
    main:
-      parent: Client
-      weight: 3
+      parent: OzoneShell
+      weight: 2
 ---
 <!---
   Licensed to the Apache Software Foundation (ASF) under one or more

hadoop-hdds/docs/content/BuildingSources.md

@@ -35,20 +35,32 @@ the ozone build command. This instruction assumes that you have all the
 dependencies to build Hadoop on your build machine. If you need instructions
 on how to build Hadoop, please look at the Apache Hadoop Website.
 
-{{< highlight bash >}}
-mvn clean package -DskipTests=true -Dmaven.javadoc.skip=true -Phdds -Pdist -Dtar -DskipShade
-{{< /highlight >}}
+```bash
+mvn -f pom.ozone.xml clean package -DskipTests=true
+```
 
-
-This will build an ozone-\<version\>.tar.gz in your target directory.
+This will build an ozone-\<version\>.tar.gz in your `hadoop-ozone/dist/target` directory.
 
 You can copy this tarball and use this instead of binary artifacts that are
 provided along with the official release.
 
 ## How to test the build
 You can run the acceptance tests in the hadoop-ozone directory to make sure
 that  your build is functional. To launch the acceptance tests, please follow
- the instructions in the **README.md** in the
- ```$hadoop_src/hadoop-ozone/acceptance-test``` directory. Acceptance tests
+ the instructions in the **README.md** in the `smoketest` directory. 
+
+```bash
+cd smoketest
+./test.sh
+```
+
+ You can also execute only a minimal subset of the tests:
+
+```bash
+cd smoketest
+./test.sh --env ozone basic
+```
+
+Acceptance tests
  will start a small ozone cluster and verify that ozone shell and ozone file
- system is fully functional.
+ system is fully functional.

hadoop-hdds/docs/content/CommandShell.md

@@ -4,6 +4,7 @@ menu:
    main:
       parent: Client
       weight: 1
+      identifier: OzoneShell
 ---
 <!---
   Licensed to the Apache Software Foundation (ASF) under one or more

hadoop-hdds/docs/content/KeyCommands.md

@@ -2,7 +2,7 @@
 title: Key Commands
 menu:
    main:
-      parent: Client
+      parent: OzoneShell
       weight: 3
 ---
 <!---

hadoop-hdds/docs/content/OzoneFS.md

@@ -87,18 +87,41 @@ hdfs dfs -ls o3fs://bucket.volume.om-host.example.com:5678/key
 {{< /highlight >}}
 
 
-## Legacy mode
+## Supporting older Hadoop version (Legacy jar, BasicOzoneFilesystem)
 
-There are two ozonefs files which includes all the dependencies:
+There are two ozonefs files, both of them include all the dependencies:
 
  * share/ozone/lib/hadoop-ozone-filesystem-lib-current-VERSION.jar
  * share/ozone/lib/hadoop-ozone-filesystem-lib-legacy-VERSION.jar
 
- The first one contains all the required dependency to use ozonefs with a
- compatible hadoop version (hadoop 3.2 / 3.1).
+The first one contains all the required dependency to use ozonefs with a
+ compatible hadoop version (hadoop 3.2).
 
- The second one contains all the dependency in an internal, separated directory,
+The second one contains all the dependency in an internal, separated directory,
  and a special class loader is used to load all the classes from the location.
 
+With this method the hadoop-ozone-filesystem-lib-legacy.jar can be used from
+ any older hadoop version (eg. hadoop 3.1, hadoop 2.7 or spark+hadoop 2.7)
+ 
+Similar to the dependency jar, there are two OzoneFileSystem implementation.
+ 
+For hadoop 3.0 and newer, you can use `org.apache.hadoop.fs.ozone.OzoneFileSystem` 
+ which is a full implementation of the Hadoop compatible File System API.
+ 
+For Hadoop 2.x you should use the Basic version: `org.apache.hadoop.fs.ozone.BasicOzoneFileSystem`.
+ 
+This is the same implementation but doesn't include the features/dependencies which are added with 
+ Hadoop 3.0. (eg. FS statistics, encryption zones).
+ 
+### Summary
+ 
+The following table summarize which jar files and implementation should be used:
+ 
+Hadoop version | Required jar            | OzoneFileSystem implementation
+---------------|-------------------------|----------------------------------------------------
+3.2            | filesystem-lib-current  | org.apache.hadoop.fs.ozone.OzoneFileSystem
+3.1            | filesystem-lib-legacy   | org.apache.hadoop.fs.ozone.OzoneFileSystem
+2.9            | filesystem-lib-legacy   | org.apache.hadoop.fs.ozone.BasicOzoneFileSystem
+2.7            | filesystem-lib-legacy   | org.apache.hadoop.fs.ozone.BasicOzoneFileSystem
  With this method the hadoop-ozone-filesystem-lib-legacy.jar can be used from
  any older hadoop version (eg. hadoop 2.7 or spark+hadoop 2.7)

hadoop-hdds/docs/content/OzoneSecurityArchitecture.md

@@ -32,60 +32,79 @@ Starting with badlands release (ozone-0.4.0-alpha) ozone cluster can be secured
 4. Transparent Data Encryption (TDE)
 
 ## Authentication ##
+
 ### Kerberos ###
 Similar to hadoop, Ozone allows kerberos-based authentication. So one way to setup identities for all the daemons and clients is to create kerberos keytabs and configure it like any other service in hadoop.
 
 ### Tokens ###
 Tokens are widely used in Hadoop to achieve lightweight authentication without compromising on security. Main motivation for using tokens inside Ozone is to prevent the unauthorized access while keeping the protocol lightweight and without sharing secret over the wire. Ozone utilizes three types of token:
 
 #### Delegation token ####
+
 Once client establishes their identity via kerberos they can request a delegation token from OzoneManager. This token can be used by a client to prove its identity until the token expires. Like Hadoop delegation tokens, an Ozone delegation token has 3 important fields:
 
-Renewer:    User responsible for renewing the token.
-Issue date:  Time at which token was issued.
-Max date:    Time after which token can’t be renewed.
+  1. **Renewer**: User responsible for renewing the token.
+  2. **Issue date**:  Time at which token was issued.
+  3. **Max date**:    Time after which token can’t be renewed.
 
 Token operations like get, renew and cancel can only be performed over an Kerberos authenticated connection. Clients can use delegation token to establish connection with OzoneManager and perform any file system/object store related operations like, listing the objects in a bucket or creating a volume etc.
 
 #### Block Tokens ####
-Block tokens are similar to delegation tokens in sense that they are signed by OzoneManager. Block tokens are created by OM (OzoneManager) when a client request involves interaction with DataNodes such as read/write Ozone keys. Unlike delegation tokens there is no client API to request block tokens. Instead, they are handed transparently to client along with key/block locations. Block tokens are validated by Datanodes when receiving read/write requests from clients. Block token can't be renewed explicitly by client. Client with expired block token will need to refetch the key/block locations to get new block tokens.
+
+Block tokens are similar to delegation tokens in sense that they are signed by OzoneManager. Block tokens are created by OM (OzoneManager) when a client request involves interaction with DataNodes such as read/write Ozone keys.
+
+Unlike delegation tokens there is no client API to request block tokens. Instead, they are handed transparently to client along with key/block locations. Block tokens are validated by Datanodes when receiving read/write requests from clients. Block token can't be renewed explicitly by client. Client with expired block token will need to refetch the key/block locations to get new block tokens.
+
 #### S3Token ####
+
 Like block tokens S3Tokens are handled transparently for clients. It is signed by S3secret created by client. S3Gateway creates this token for every s3 client request. To create an S3Token user must have a S3 secret.
 
 ### Certificates ###
 Apart from kerberos and tokens Ozone utilizes certificate based authentication for Ozone service components. To enable this, SCM (StorageContainerManager) bootstraps itself as an Certificate Authority when security is enabled. This allows all daemons inside Ozone to have an SCM signed certificate. Below is brief descriptions of steps involved:
-Datanodes and OzoneManagers submits a CSR (certificate signing request) to SCM.
-SCM verifies identity of DN (Datanode) or OM via Kerberos and generates a certificate.
-This certificate is used by OM and DN to prove their identities.
-Datanodes use OzoneManager certificate to validate block tokens. This is possible because both of them trust SCM signed certificates. (i.e OzoneManager and Datanodes)
+
+ 1. Datanodes and OzoneManagers submits a CSR (certificate signing request) to SCM.
+ 2. SCM verifies identity of DN (Datanode) or OM via Kerberos and generates a certificate.
+ 3. This certificate is used by OM and DN to prove their identities.
+ 4. Datanodes use OzoneManager certificate to validate block tokens. This is possible because both of them trust SCM signed certificates. (i.e OzoneManager and Datanodes)
 
 ## Authorization ##
-Ozone provides a pluggable API to control authorization of all client related operations. Default implementation allows every request. Clearly it is not meant for production environments. To configure a more fine grained policy one may configure Ranger plugin for Ozone. Since it is a pluggable module clients can also implement their own custom authorization policy and configure it using [ozone.acl.authorizer.class].
+Ozone provides a pluggable API to control authorization of all client related operations. Default implementation allows every request. Clearly it is not meant for production environments. To configure a more fine grained policy one may configure Ranger plugin for Ozone. Since it is a pluggable module clients can also implement their own custom authorization policy and configure it using `ozone.acl.authorizer.class`.
 
 ## Audit ##
+
 Ozone provides ability to audit all read & write operations to OM, SCM and Datanodes. Ozone audit leverages the Marker feature which enables user to selectively audit only READ or WRITE operations by a simple config change without restarting the service(s).
+
 To enable/disable audit of READ operations, set filter.read.onMatch to NEUTRAL or DENY respectively. Similarly, the audit of WRITE operations can be controlled using filter.write.onMatch.
 
 Generating audit logs is only half the job, so Ozone also provides AuditParser - a sqllite based command line utility to parse/query audit logs with predefined templates(ex. Top 5 commands) and options for custom query. Once the log file has been loaded to AuditParser, one can simply run a template as shown below:
 ozone auditparser <path to db file> template top5cmds
 
 Similarly, users can also execute custom query using:
+
+```bash
 ozone auditparser <path to db file> query "select * from audit where level=='FATAL'"
+```
 
 ## Transparent Data Encryption ##
+
 Ozone TDE setup process and usage are very similar to HDFS TDE. The major difference is that Ozone TDE is enabled at Ozone bucket level when a bucket is created.
 
 To create an encrypted bucket, client need to
 
 * Create a bucket encryption key with hadoop key CLI (same as you do for HDFS encryption zone key)
-```
+
+```bash
 hadoop key create key1
 ```
+
 * Create an encrypted bucket with -k option
-```
+
+```bash
 ozone sh bucket create -k key1 /vol1/ez1
 ```
+
 After that the usage will be transparent to the client and end users, i.e., all data written to encrypted bucket are encrypted at datanodes.
 
-To know more about how to setup a secure Ozone cluster refer to [How to setup secure Ozone cluster]("SetupSecureOzone.md")
+To know more about how to setup a secure Ozone cluster refer to [How to setup secure Ozone cluster]({{< ref "SetupSecureOzone.md" >}})
+
 Ozone [security architecture document](https://issues.apache.org/jira/secure/attachment/12911638/HadoopStorageLayerSecurity.pdf) can be referred for a deeper dive into Ozone Security architecture.

hadoop-hdds/docs/content/Prometheus.md

@@ -21,7 +21,7 @@ menu:
   limitations under the License.
 -->
 
-[Prometheus](https://prometheus.io/) is an open-source monitoring server developed under under the [Cloud Native Foundation](Cloud Native Foundation).
+[Prometheus](https://prometheus.io/) is an open-source monitoring server developed under under the [Cloud Native Computing Foundation](https://www.cncf.io/).
 
 Ozone supports Prometheus out of the box. The servers start a prometheus 
 compatible metrics endpoint where all the available hadoop metrics are published in prometheus exporter format.
@@ -75,14 +75,14 @@ prometheus
 
 http://localhost:9090/targets
 
-![Prometheus target page example](../../prometheus.png)
+![Prometheus target page example](prometheus.png)
 
 
 (6) Check any metrics on the prometheus web ui. For example:
 
 http://localhost:9090/graph?g0.range_input=1h&g0.expr=om_metrics_num_key_allocate&g0.tab=1
 
-![Prometheus target page example](../../prometheus-key-allocate.png)
+![Prometheus target page example](prometheus-key-allocate.png)
 
 ## Note
 

hadoop-hdds/docs/content/RunningViaDocker.md

@@ -44,16 +44,16 @@ including the data nodes and ozone services.
 ozone instance on your machine.
 
 {{< highlight bash >}}
-cd ozone-0.2.1-SNAPSHOT/compose/ozone/
+cd compose/ozone/
 
 docker-compose up -d
 {{< /highlight >}}
 
-
 To verify that ozone is working as expected, let us log into a data node and
 run _freon_, the load generator for Ozone. The ```exec datanode bash``` command
-will open a bash shell on the datanode. The ozone freon command is executed
-within the datanode container. You can quit freon via CTRL-C any time. The
+will open a bash shell on the datanode.
+
+The `ozone freon` command is executed within the datanode container. You can quit freon via CTRL-C any time. The
 ```rk``` profile instructs freon to generate random keys.
 
 {{< highlight bash >}}

hadoop-hdds/docs/content/S3.md

@@ -83,16 +83,37 @@ Endpoint                            | Status          | Notes
 ------------------------------------|-----------------|---------------
 PUT Object                          | implemented     |
 GET Object                          | implemented     | Range headers are not supported
-Multipart Uplad                     | not implemented |
+Multipart Uplad                     | implemented |Except the listing of the current MultiPartUploads.
 DELETE Object                       | implemented     |
 HEAD Object                         | implemented     |
 
 
 ## Security
 
-Security is not yet implemented, you can *use* any AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
+If security is not enabled, you can *use* **any** AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
 
-Note: Ozone has a notion for 'volumes' which is missing from the S3 Rest endpoint. Under the hood S3 bucket names are mapped to Ozone 'volume/bucket' locations (depending on the given authentication information).
+If security is enabled, you can get the key and the secret with the `ozone s3 getsecret` command (*kerberos based authentication is required).
+
+```
+/etc/security/keytabs/testuser.keytab testuser/scm@EXAMPLE.COM
+ozone s3 getsecret
+awsAccessKey=testuser/scm@EXAMPLE.COM
+awsSecret=c261b6ecabf7d37d5f9ded654b1c724adac9bd9f13e247a235e567e8296d2999
+
+```
+
+Now, you can use the key and the secret to access the S3 endpoint:
+
+```
+export AWS_ACCESS_KEY_ID=testuser/scm@EXAMPLE.COM
+export AWS_SECRET_ACCESS_KEY=c261b6ecabf7d37d5f9ded654b1c724adac9bd9f13e247a235e567e8296d2999
+aws s3api --endpoint http://localhost:9878 create-bucket --bucket bucket1
+```
+
+
+## S3 bucket name mapping to Ozone buckets
+
+**Note**: Ozone has a notion for 'volumes' which is missing from the S3 Rest endpoint. Under the hood S3 bucket names are mapped to Ozone 'volume/bucket' locations (depending on the given authentication information).
 
 To show the storage location of a S3 bucket, use the `ozone s3 path <bucketname>` command.