hadoop-common-dev mailing list archives

From "Tsz Wo (Nicholas), SZE (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HADOOP-1701) Provide a simple authentication service and a user management service
Date Mon, 20 Aug 2007 17:59:30 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-1701?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12521176 ]

Tsz Wo (Nicholas), SZE commented on HADOOP-1701:
------------------------------------------------

Below are my responses to the comments.  Sorry for being late.

*For Dhruba's comments:*

(1) We will have a very flexible mechanism to obtain usernames.  It will support
    * get the username from OS
    * get the username specified in conf
    * get the username by an arbitrary rule

I will let you know the details later.

(2) Since UID is kind of system dependent, we will use username as parameter for intermediate
communication.  We also generate some serial numbers in NameNode for efficient storage.  These
serial numbers will be used in NameNode internally and are not visible outside NameNode.

*For Allen's comments:*

# We are going to get rid of the authentication server and user management in the first phase.
See also (2) below.
# We will assume that when users run Hadoop clients, they are logged in to a network system
(e.g. Unix).  We use the user account and group information maintained by the network system.
 Then, we do not need any user/group management in Hadoop.
# See (2) in the response for Dhruba's comments.
# In Hadoop 0.13, the files are stored in the home directories of each user.  Then, the
default owner of all files under a home directory (/home/XXXX) will be the user (i.e. XXXX).
 For the files not inside a home directory, it would be root.
# I agree.  See also (1) in the response for Dhruba's comments.
# I plan to let the administrator set up a regular expression in conf.
# Currently, it is not an issue since we don't have user management.  Our goal is to support
at least 10k users/groups later on.

> Provide a simple authentication service and a user management service
> ---------------------------------------------------------------------
>
>                 Key: HADOOP-1701
>                 URL: https://issues.apache.org/jira/browse/HADOOP-1701
>             Project: Hadoop
>          Issue Type: New Feature
>            Reporter: Tsz Wo (Nicholas), SZE
>            Assignee: Tsz Wo (Nicholas), SZE
>         Attachments: 1701_20070815.patch, users.txt
>
>
> In HADOOP-1298, we want to add user information and permission to the file system.  It
requires an authentication service and a user management service.  We should provide a framework
and a simple implementation in issue and extend it later.  As discussed in HADOOP-1298, the
framework should be extensible and pluggable.
> - Extensible: possible to extend the framework to the other parts (e.g. map-reduce) of
Hadoop.
> - Pluggable: can easily switch security implementations.  Below is a diagram borrowed
from Java.
> !http://java.sun.com/javase/6/docs/technotes/guides/security/overview/images/3.jpg!
> - Implement a Hadoop authentication center (HAC).  In the first step, the mechanism of
HAC is very simple: it keeps track of a list of usernames (we only support users, will work on
other principals later) in HAC and verifies the username at user login (yeah, no password).  HAC
can run inside NameNode or run as a standalone server.   We will probably use Kerberos to
provide a more sophisticated authentication service.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
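
The default-owner rule from the reply to Allen's comments (files under /home/XXXX belong to XXXX, everything else to root), written out as an added example that is not part of the original message or of Hadoop. The class and method names are hypothetical, and treating the home directory itself as owned by its user is an assumption; the path is normalized first so that `..` segments cannot change which owner is chosen.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Added illustration, not Hadoop code: class and method names are hypothetical.
public class DefaultOwner {
    static final String FALLBACK_OWNER = "root";

    // Resolve "." and ".." lexically so that /home/alice/../bob/f is treated
    // as /home/bob/f before any ownership decision is made.
    static Deque<String> normalize(String path) {
        if (path == null || !path.startsWith("/")) {
            throw new IllegalArgumentException("absolute path required: " + path);
        }
        Deque<String> parts = new ArrayDeque<>();
        for (String p : path.split("/")) {
            if (p.isEmpty() || p.equals(".")) continue;       // "//" and "/./"
            if (p.equals("..")) { parts.pollLast(); continue; } // never climbs above "/"
            parts.addLast(p);
        }
        return parts;
    }

    // Paths at or below /home/XXXX default to owner XXXX (assumption: the home
    // directory itself counts); anything else defaults to root.
    static String defaultOwner(String path) {
        Deque<String> parts = normalize(path);
        if (parts.size() >= 2 && "home".equals(parts.pollFirst())) {
            return parts.peekFirst();
        }
        return FALLBACK_OWNER;
    }

    public static void main(String[] args) {
        String[] samples = { // constructed paths
            "/home/alice/data/part-0000",
            "/home/alice/../bob/notes.txt", // resolves into bob's home
            "/home/../etc/passwd",          // escapes /home entirely
            "/homework/alice/f",            // prefix look-alike, not /home
            "/home",                        // no user component
            "/tmp/scratch",
        };
        for (String s : samples) {
            System.out.println(s + " -> " + defaultOwner(s));
        }
    }
}
```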

