hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Erik.fang (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HDFS-5126) implement authorized HDFS user impersonation
Date Thu, 22 Aug 2013 07:06:51 GMT
Erik.fang created HDFS-5126:
-------------------------------

             Summary: implement authorized HDFS user impersonation
                 Key: HDFS-5126
                 URL: https://issues.apache.org/jira/browse/HDFS-5126
             Project: Hadoop HDFS
          Issue Type: New Feature
          Components: security
            Reporter: Erik.fang
            Priority: Minor


I propose a authorized user impersonate mechanism for fine grain (path level) access control
in HDFS.
In short, owner of data encrypt the path with a shared secret, and other user use the encrypted
path to call namenode service (create/read/delete file). Namenode decrypt the path to validate
the access and execute the operation as owner of the data if valid. It consists of:
1. a ACLFileSystem extends DistributedFileSystem, which wrap the create/open/delete/etc. RPC
calls, and send the encrypted path to namenode
2. authenticator(embedded in namenode), which decrypt the path and execute the call as owner
of the data

With authorized user impersonate, we can develop a authorization manager to check whether
a path level access is permitted.
A detailed explanation can be found in maillist:
http://mail-archives.apache.org/mod_mbox/hive-dev/201308.mbox/%3CCACkoVCxm+=44kB_4eWtepHe_knkdm0Uzyh=0q-vfybYU8eLQxw@mail.gmail.com%3E


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message