Date: Thu, 19 Jun 2014 23:12:24 +0000 (UTC)
From: "Arpit Agarwal (JIRA)"
To: hdfs-issues@hadoop.apache.org
Subject: [jira] [Commented] (HDFS-6570) add api that enables checking if a user has certain permissions on a file

[ https://issues.apache.org/jira/browse/HDFS-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14038077#comment-14038077 ]

Arpit Agarwal commented on HDFS-6570:
-------------------------------------

Is it possible to impersonate the user and try to open the file with the permissions you are interested in? If it succeeds the user has the permissions.

> add api that enables checking if a user has certain permissions on a file
> -------------------------------------------------------------------------
>
>                 Key: HDFS-6570
>                 URL: https://issues.apache.org/jira/browse/HDFS-6570
>             Project: Hadoop HDFS
>          Issue Type: Bug
>            Reporter: Thejas M Nair
>            Assignee: Chris Nauroth
>
> For some of the authorization modes in Hive, the servers in Hive check if a given user has permissions on a certain file or directory. For example, the storage based authorization mode allows Hive table metadata to be modified only when the user has access to the corresponding table directory on HDFS. There are likely to be such use cases outside of Hive as well.
> HDFS does not provide an API for such checks. As a result, the logic to check if a user has permissions on a directory gets replicated in Hive. This results in duplicate logic and introduces possibilities for inconsistencies in the interpretation of the permission model. This becomes a bigger problem with the complexity of ACL logic.
> HDFS should provide an API that provides functionality that is similar to the access function in unistd.h - http://linux.die.net/man/2/access .
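
The inconsistency risk described in the issue, as an added example that is not part of the original message or of Hadoop's code: a simplified Python model comparing a re-implemented mode-bit check with an ACL-aware one. It assumes POSIX-ACL-style evaluation in which the group digit of the mode holds the ACL mask; the names Inode, naive_check, acl_check, divergences and the sample directory are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

R, W, X = 4, 2, 1  # permission bits of one mode digit

@dataclass
class Inode:
    owner: str
    group: str
    mode: int                          # with an ACL, the group digit holds the mask
    group_entry: Optional[int] = None  # ACL "group::" entry; None means no ACL
    named_users: dict = field(default_factory=dict)
    named_groups: dict = field(default_factory=dict)

def naive_check(inode, user, groups, want):
    """Re-implemented check that only understands owner/group/other bits."""
    if user == inode.owner:
        bits = inode.mode >> 6
    elif inode.group in groups:
        bits = inode.mode >> 3
    else:
        bits = inode.mode
    return (bits & 7 & want) == want

def acl_check(inode, user, groups, want):
    """POSIX-ACL-style order: owner, named user, group class, other."""
    if inode.group_entry is None:
        return naive_check(inode, user, groups, want)
    mask = (inode.mode >> 3) & 7
    if user == inode.owner:
        return ((inode.mode >> 6) & 7 & want) == want
    if user in inode.named_users:
        return (inode.named_users[user] & mask & want) == want
    matched = [inode.group_entry] if inode.group in groups else []
    matched += [b for g, b in inode.named_groups.items() if g in groups]
    if matched:  # a matching group entry means "other" is never consulted
        return any((b & mask & want) == want for b in matched)
    return (inode.mode & 7 & want) == want

def divergences(inode, subjects, want):
    """Return (user, naive, acl) for each subject where the two checks disagree."""
    rows = [(u, naive_check(inode, u, g, want), acl_check(inode, u, g, want)) for u, g in subjects]
    return [r for r in rows if r[1] != r[2]]

# Constructed sample: mode rwxrwx--- plus ACL user:alice:r-x, group::r-x, mask::rwx
TABLE_DIR = Inode("hive", "hive", 0o770, group_entry=R | X, named_users={"alice": R | X})
SUBJECTS = [("hive", ["hive"]), ("alice", ["analysts"]), ("bob", ["hive"]), ("carol", ["etl"])]

if __name__ == "__main__":
    print({"read": divergences(TABLE_DIR, SUBJECTS, R), "write": divergences(TABLE_DIR, SUBJECTS, W)})
```

In this model the duplicated check wrongly denies alice read access and, more seriously, grants bob write access that the ACL-aware evaluation denies, because it reads the mask as the owning group's permission.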