hadoop-common-dev mailing list archives

From "Tsz Wo (Nicholas), SZE (JIRA)" <j...@apache.org>
Subject [jira] Issue Comment Edited: (HADOOP-1298) adding user info to file
Date Thu, 26 Jul 2007 18:14:04 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-1298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12515477 ]

Tsz Wo (Nicholas), SZE edited comment on HADOOP-1298 at 7/26/07 11:12 AM:
--------------------------------------------------------------------------

This issue has been around for a long time.  The main reason is that the previous patches involve too
many components in the system.  I suggest making a simple core patch, which adds user (will
work on "group" and "other" later) information to HDFS for preventing accidental file access.
We should also keep in mind that the framework should be extensible and pluggable.

- Extensible: possible to extend the framework to the other parts (e.g. map-reduce) of Hadoop.

- Pluggable: can easily switch security implementations.  Below is a diagram borrowed from
Java.

!http://java.sun.com/javase/6/docs/technotes/guides/security/overview/images/3.jpg!

- Implement a Hadoop authentication center (HAC).  In the first step, the mechanism of HAC
is very simple: it keeps track of a list of usernames (we only support users, will work on other
principals later) in HAC and verifies the username at user login (yeah, no password).  HAC is running
inside NameNode but should be easily run as a standalone server (we will probably replace
it with Kerberos later).

- NameNode keeps track of file permissions and enforces access control.

layout20070725.patch is a class layout for Hadoop principals and permissions.


 was:
This issue has been around for a long time.  The main reason is that the previous patches involve too
many components in the system.  I suggest making a simple core patch, which adds user (will
work on "group" and "other" later) information to HDFS for preventing accidental file access.
We should also keep in mind that the framework should be extensible and pluggable.

- Extensible: possible to extend the framework to the other parts (e.g. map-reduce) of Hadoop.

- Pluggable: can easily switch security implementations.  Below is a diagram borrowed from
Java.

!http://java.sun.com/javase/6/docs/technotes/guides/security/overview/images/3.jpg!

- Implement a Hadoop authentication center (HAC).  In the first step, the mechanism of HAC
is very simple: we keep track of a list of usernames (we only support users, will work on other
principals later) in HAC and verify it at user login (yeah, no password).  HAC is running
inside NameNode but should be easily run as a standalone server (we will probably replace
it with Kerberos later).

- NameNode keeps track of file permissions and enforces access control.

layout20070725.patch is a class layout for Hadoop principals and permissions.

> adding user info to file
> ------------------------
>
>                 Key: HADOOP-1298
>                 URL: https://issues.apache.org/jira/browse/HADOOP-1298
>             Project: Hadoop
>          Issue Type: New Feature
>          Components: dfs, fs
>            Reporter: Kurtis Heimerl
>             Fix For: 0.15.0
>
>         Attachments: fsdirectory-cleanup-20070725-1351.patch, hadoop-dev-20070720-1633.patch.gz,
> hadoop-dev-20070724-0020.patch.gz, hadoop-dev-20070724-2349.patch.gz, hadoop-user-munncha.patch,
> hadoop-user-munncha.patch, hadoop-user-munncha.patch, hadoop-user-munncha.patch10, hadoop-user-munncha.patch11,
> hadoop-user-munncha.patch12, hadoop-user-munncha.patch13, hadoop-user-munncha.patch14, hadoop-user-munncha.patch15,
> hadoop-user-munncha.patch16, hadoop-user-munncha.patch17, hadoop-user-munncha.patch4, hadoop-user-munncha.patch5,
> hadoop-user-munncha.patch6, hadoop-user-munncha.patch7, hadoop-user-munncha.patch8, hadoop-user-munncha.patch9,
> hdfs-access-control.patch.gz, layout20070725.patch
>
>
> I'm working on adding a permissions model to hadoop's DFS. The first step is this change,
> which associates user info with files. Following this I'll associate permissions info, then
> block methods based on that user info, then authorization of the user info.
> So, right now I've implemented adding user info to files. I'm looking for feedback before
> I clean this up and make it official.
> I wasn't sure what release, I'm working off trunk.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

