hadoop-common-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Hadoop Wiki] Update of "Hive/AuthDev" by HeYongqiang
Date Thu, 21 Oct 2010 08:24:44 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Hadoop Wiki" for change notification.

The "Hive/AuthDev" page has been changed by HeYongqiang.
http://wiki.apache.org/hadoop/Hive/AuthDev?action=diff&rev1=1&rev2=2

--------------------------------------------------

+ '''Index'''
+ <<TableOfContents>>
  
  = 1. Privilege =
  
@@ -239, +241 @@

  == 4.2 show grant ==
  
  == 4.3 grant/revoke statement ==
+ 
+ {{{
  
  GRANT
      priv_type [(column_list)]
@@ -273, +277 @@

      ON [object_type] priv_level
      FROM user [, user] ...
  
+ }}}
+ 
  = 5. Authorization verification =
  
  == 5.1 USER/GROUP/ROLE ==
@@ -299, +305 @@

  
  [
  
+ {{{
+ 
  username, 
  
  list of group names, 
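Review bot: the `[` on the context line above this hunk's `{{{` is left outside the new preformatted block (and the matching `].` in the next hunk sits outside its `}}}`), so both brackets render as stray plain text around a verbatim box rather than as delimiters of the tuple. Either move `[` and `]` inside the `{{{ ... }}}` block or drop them and introduce the tuple in prose as "the principal record used for authorization consists of:".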
@@ -307, +315 @@

  
  list of roles that been directly granted groups that users belongs to
  
+ }}}
+ 
  ].
  
+ ''' Steps to authorize one access: '''
+ 
+ {{{
+ 
  First try user name:
  
  first try to deny this access by look up the deny tables by user name:
  
- 
  1. If there is an entry in 'user' that deny this access, return DENY
  
  2. If there is an entry in 'db'  that deny this access, return DENY
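Review bot: wrapping "Steps to authorize one access" in `{{{ ... }}}` turns the deny-then-accept procedure into verbatim text, so the numbered steps lose wiki list rendering and the wording "first try to deny this access by look up the deny tables by user name" stays unfixed ("by looking up"). Suggest keeping this section as plain wiki text with a numbered list and reserving the preformatted blocks for the GRANT/REVOKE syntax and the principal tuple; the order itself (deny checks 1-4 before accept checks 5-8 at each level) is the right one to keep explicit.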
@@ -322, +335 @@

  
  4. If there is an entry in 'column'  that deny this access, return DENY
  
- 
- 
  if deny failed, go through all privilege levels with the user name:
  
- 
  5. If there is an entry in 'user' that accept this access, return ACCEPT
  
  6. If there is an entry in 'db'  that accept this access, return ACCEPT
@@ -335, +345 @@

  
  8. If there is an entry in 'column'  that accept this access, return ACCEPT
  
- 
- 
  Second try the user's group/role names one by one until we get an ACCEPT or DENY. If we
get one DENY from one group/role, will DENY this access. 
  
- 
  For each role/group, we do the same routine as we did for user name.
  
+ }}}
  
- = 5.3 Examples =
+ == 5.3 Examples ==
  
  
  5.3.1 I want to grant everyone (new people may join at anytime) to
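Review bot: the group/role pass is internally inconsistent: "Second try the user's group/role names one by one until we get an ACCEPT or DENY" stops at the first ACCEPT, while "If we get one DENY from one group/role, will DENY this access" requires that a DENY held by any later group or role still wins. With the first reading, a user whose first-checked group accepts is never checked against a deny entry on a second group, so deny does not reliably override accept. Suggest stating the intended semantics explicitly, e.g. "evaluate every group and role; if any yields DENY, return DENY; otherwise return ACCEPT if any yields ACCEPT", or, if first match is intended, defining the order in which groups and roles are visited.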
@@ -390, +398 @@

  ------------
  
  = HDFS Permission =
- The above has a STRONG assumption on the file layer security. Users can easily by-pass the
security if the hdfs file permission is open to him. We hope we can be able to plug in external
authorizations (like HDFS permission) easily to alter the authorization result or even the
rule.
+ The above has a STRONG assumption on the file layer security. Users can easily by-pass the
security if the hdfs file permission is open to him. We hope we can easily plug in external
authorizations (like HDFS permission/Howl permission) to alter the authorization result or
even the rule.
  
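Review bot: the reworded paragraph still leaves the bypass unaddressed: it says users can by-pass the security if the HDFS permission is open to them, but does not say what the Hive side requires of the underlying file permissions, nor whether a plugged-in external authorization (HDFS permission/Howl permission) may only narrow the result or also widen it. Suggest stating that an external authorizer can turn an ACCEPT into a DENY but not the reverse, so the deny rules in section 5 keep their force, and expanding or linking "Howl" on first mention; minor: "by-pass" should be "bypass" and "open to him" should be "open to them".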
