hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jitendra Nath Pandey (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-6826) Plugin interface to enable delegation of HDFS authorization assertions
Date Mon, 18 Aug 2014 21:35:20 GMT

    [ https://issues.apache.org/jira/browse/HDFS-6826?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14101348#comment-14101348
] 

Jitendra Nath Pandey commented on HDFS-6826:
--------------------------------------------

[~tucu00],
  I think we don't need to expose snapshotId. We can assume that this plugin will be invoked
after the path has been resolved and INodeAuthorizationInfo is populated accordingly. The
external implementations may not be able to track snapshotId, they should just use the full
path.
 For example, in FsPermissionChecker, all we need from snapshotId is to find the right owner,
group and permissions. If we pass the full path, along with INodeAuthorizationInfo populated
with the owner, group and permissions for each intermediate inode, snapshotId is not needed.
  One possible way to implement this: Instead of having INode implement the INodeAuthorizationInfo
interface, we could implement INodeAuthorizationInfo to encapsulate the snapshotId and the
INode, and the method implementations would be just delegation to INode methods with snapshotId
passed.

>A few comments on checkPermission API
  * snapshotId is not needed in the params as argued above.
  * boolean resolveLink should not be needed, because all resolution should be already done
before this interface is invoked, also the plugins cannot be expected to resolve the links.

> Plugin interface to enable delegation of HDFS authorization assertions
> ----------------------------------------------------------------------
>
>                 Key: HDFS-6826
>                 URL: https://issues.apache.org/jira/browse/HDFS-6826
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>         Attachments: HDFS-6826-idea.patch, HDFS-6826-idea2.patch, HDFS-6826v3.patch,
HDFS-6826v4.patch, HDFSPluggableAuthorizationProposal-v2.pdf, HDFSPluggableAuthorizationProposal.pdf
>
>
> When Hbase data, HiveMetaStore data or Search data is accessed via services (Hbase region
servers, HiveServer2, Impala, Solr) the services can enforce permissions on corresponding
entities (databases, tables, views, columns, search collections, documents). It is desirable,
when the data is accessed directly by users accessing the underlying data files (i.e. from
a MapReduce job), that the permission of the data files map to the permissions of the corresponding
data entity (i.e. table, column family or search collection).
> To enable this we need to have the necessary hooks in place in the NameNode to delegate
authorization to an external system that can map HDFS files/directories to data entities and
resolve their permissions based on the data entities permissions.
> I’ll be posting a design proposal in the next few days.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message